Subject: Re: IPNAT Questions
To: J. Buck Caldwell <buckaroo@igps.org>
From: Wes Zuber <wes@uia.net>
List: netbsd-users
Date: 03/16/2000 13:39:49
On Thu, 16 Mar 2000, you wrote:
> So the IPNAT FAQ is showing up as lost on the NetBSD page, of course,
> just when I decide to set up NAT. I'm trying to set up a NAT server in
> the following environment, and would appreciate any help possible.
> 
> NAT server is a i386 (most recent snapshot) box with ex0 on the Internet
> and ex1 on the private network. ex0 is bound to 216.63.40.41, and
> expects to route to a DSL modem at 216.63.40.46 (mask 255.255.255.248).
> ex1 is bound at (currently) 192.168.0.251 (possibly moving to
> 192.168.0.1 when going live). Also, there is a Cisco router sitting at
> 192.168.0.250 that's routing several other networks (192.168.x.0/24,
> where x is the site ID) over Frame Relay. Each of those sites also needs
> access across this NAT server.
> 
> So far, I've got:
> 
> ipf.conf:
> block in all
> pass in all
> 
> ipnat.conf:
> map ex1 192.168.0.0/16 -> 216.63.40.41/32 portmap tcp/udp 20000:30000

Try something like:
map ex0 192.168.0.0/16 -> 216.63.40.41/32  proxy port ftp ftp/tcp
map ex0 192.168.0.0/16 -> 216.63.40.41/32 portmap tcp/udp 20000:30000
map ex0 192.168.0.0/16 -> 216.63.40.41/32

Do an ipnat -CF to flush and ipnat -f /etc/ipnat.conf or whatever the filename
is that contains the nat rules. The ftp stuff is so that users can use active
transfer mode with ftp. If you leave it out then your users will have to use
passive mode. Also use ipnat -l to make sure that the rules loaded up. You
should start to see some active sessions as well.

> Nothing works, however. I can ping the internal side, but nothing on the
> external, no web traffic, nothing seems to pass. I've also tried
> enabling net.inet.ip.forwarding, but that doesn't seem to do it. It does
> allow me to ping the public side, but that's not meaningful.
> 
> Last note - I'm running routed so the server exchanges RIP info with the
> Cisco. Interesting side note - routed doesn't seem to load
> automatically, even if it's set YES in rc.conf. Working on that.

If you are only worried about a couple of routes then running RIP is not really
needed. How about just adding a couple of statics? You can turn off routed
(which I think is old) and just do something like:

route add -net 192.168.x.0 -netmask 255.255.255.0 192.168.x.253

253 being the gateway.

--Wes
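As an added illustration (not part of the original thread), here is a small lint for ipnat map rules that checks the three points raised above: the rules sit on the outside interface, the ftp proxy rule precedes the portmap rule (ipnat uses the first matching rule), and a plain map rule comes last so protocols other than tcp/udp are translated. It assumes a simplified rule grammar covering only the forms shown in the thread, and embeds both the poster's original rule and the suggested rule set as constructed inputs.

```python
import re
from dataclasses import dataclass

# Constructed sample inputs: the poster's single rule and the suggested rule set.
ORIGINAL_CONF = "map ex1 192.168.0.0/16 -> 216.63.40.41/32 portmap tcp/udp 20000:30000\n"
SUGGESTED_CONF = """\
map ex0 192.168.0.0/16 -> 216.63.40.41/32  proxy port ftp ftp/tcp
map ex0 192.168.0.0/16 -> 216.63.40.41/32 portmap tcp/udp 20000:30000
map ex0 192.168.0.0/16 -> 216.63.40.41/32
"""

# Simplified grammar: "map <iface> <src> -> <dst> [portmap ... | proxy ...]".
RULE_RE = re.compile(
    r"^map\s+(?P<iface>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+(?P<kind>portmap|proxy)\b.*)?$"
)

@dataclass
class MapRule:
    iface: str
    src: str
    dst: str
    kind: str  # "proxy", "portmap" or "plain" (no trailing option)

def parse_ipnat(text):
    """Parse map rules, ignoring blank lines and '#' comments."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unrecognised rule: {line}")
        rules.append(MapRule(m["iface"], m["src"], m["dst"], m["kind"] or "plain"))
    return rules

def lint_ipnat(text, external_iface):
    """Return a list of findings; an empty list means the rule set looks sane."""
    rules = parse_ipnat(text)
    findings = []
    for r in rules:
        if r.iface != external_iface:
            findings.append(f"rule on {r.iface}: map rules belong on the outside interface {external_iface}")
    kinds = [r.kind for r in rules]
    if "portmap" in kinds and "plain" not in kinds:
        findings.append("portmap only covers tcp/udp; add a plain map rule after it so ICMP and other protocols are translated")
    if "proxy" in kinds and "portmap" in kinds and kinds.index("proxy") > kinds.index("portmap"):
        findings.append("first matching rule wins: the ftp proxy rule must come before the portmap rule")
    if "plain" in kinds and kinds.index("plain") != len(kinds) - 1:
        findings.append("the plain map rule matches all protocols, so rules after it never fire; make it the last rule")
    return findings
```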