Subject: Re: IPNAT Questions
To: None <wes@uia.net>
From: J. Buck Caldwell <buckaroo@igps.org>
List: netbsd-users
Date: 03/16/2000 16:01:11
Wes Zuber wrote:

> On Thu, 16 Mar 2000, you wrote:
> > So the IPNAT FAQ is showing up as lost on the NetBSD page, of course,
> > just when I decide to set up NAT. I'm trying to set up a NAT server in
> > the following environment, and would appreciate any help possible.
> >
> > NAT server is an i386 (most recent snapshot) box with ex0 on the Internet
> > and ex1 on the private network. ex0 is bound to 216.63.40.41, and
> > expects to route to a DSL modem at 216.63.40.46 (mask 255.255.255.248).
> > ex1 is bound at (currently) 192.168.0.251 (possibly moving to
> > 192.168.0.1 when going live). Also, there is a Cisco router sitting at
> > 192.168.0.250 that's routing several other networks (192.168.x.0/24,
> > where x is the site ID) over Frame Relay. Each of those sites also needs
> > access across this NAT server.
> >
> > So far, I've got:
> >
> > ipf.conf:
> > block in all
> > pass in all
> >
> > ipnat.conf:
> > map ex1 192.168.0.0/16 -> 216.63.40.41/32 portmap tcp/udp 20000:30000
>
> Try something like:
> map ex0 192.168.0.0/16 -> 216.63.40.41/32  proxy port ftp ftp/tcp
> map ex0 192.168.0.0/16 -> 216.63.40.41/32 portmap tcp/udp 20000:30000
> map ex0 192.168.0.0/16 -> 216.63.40.41/32
>
> Do an ipnat -CF to flush and ipnat -f /etc/ipnat.conf or whatever the filename
> is that contains the nat rules. The ftp stuff is so that users can use active
> transfer mode with ftp. If you leave it out then your users will have to use
> passive mode. Also use ipnat -l to make sure that the rules loaded up. You
> should start to see some active sessions as well.

That did the trick! I actually noticed just before I got your reply that I
probably had the wrong interface on there, but your extra help has surely saved
the day. Many Thanks! Blessings upon you and your household!

> > Nothing works, however. I can ping the internal side, but nothing on the
> > external, no web traffic, nothing seems to pass. I've also tried
> > enabling net.inet.ip.forwarding, but that doesn't seem to do it. It does
> > allow me to ping the public side, but that's not meaningful.
> >
> > Last note - I'm running routed so the server exchanges RIP info with the
> > Cisco. Interesting side note - routed doesn't seem to load
> > automatically, even if it's set YES in rc.conf. Working on that.
>
> If you are only worried about a couple of routes then running RIP is not really
> needed. How about just adding a couple of statics. You can turn off routed
> (which I think is old) and just do something like:

Actually, I'd prefer to use RIP for now. There are going to end up being about 22
nodes on this frame cloud, and multiple routes between them. But thanks for the
info anyway.
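A small lint for the two things the thread turns on, the map rules being bound to the inside interface (ex1 instead of ex0) and the ftp proxy rule having to precede the generic map rules. This is an added example, not code from either message; it assumes POSIX sh plus awk, takes the file and the outside interface as arguments, and only reads the file (it never touches the running NAT tables).

```shell
#!/bin/sh
# check_ipnat_conf FILE EXT_IF
#   Returns 0 when every "map" rule in FILE is bound to EXT_IF and any
#   "proxy port ftp" rule comes before the plain/portmap map rules;
#   returns 1 (with a reason on stderr) otherwise. ipnat evaluates map
#   rules first-match, so a proxy rule placed after a generic map never fires.
check_ipnat_conf() {
    awk -v ext="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        $1 == "map" {
            n++
            if ($2 != ext) {
                printf "line %d: map rule bound to %s, expected %s\n", NR, $2, ext > "/dev/stderr"
                bad = 1
            }
            if ($0 ~ /proxy port ftp/) proxy = n    # position of the ftp proxy rule
            else if (!first_plain) first_plain = n  # first non-proxy map rule
        }
        END {
            if (proxy && first_plain && proxy > first_plain) {
                print "ftp proxy rule comes after a plain map rule and will never match" > "/dev/stderr"
                bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Demo on two constructed files: the original (wrong interface) rule set
# and the corrected three-rule set from the reply above.
demo_ipnat_lint() {
    wrong=$(mktemp) ; right=$(mktemp)
    printf '%s\n' \
        'map ex1 192.168.0.0/16 -> 216.63.40.41/32 portmap tcp/udp 20000:30000' > "$wrong"
    printf '%s\n' \
        'map ex0 192.168.0.0/16 -> 216.63.40.41/32 proxy port ftp ftp/tcp' \
        'map ex0 192.168.0.0/16 -> 216.63.40.41/32 portmap tcp/udp 20000:30000' \
        'map ex0 192.168.0.0/16 -> 216.63.40.41/32' > "$right"
    for f in "$wrong" "$right"; do
        if check_ipnat_conf "$f" ex0; then echo "$f: ok"; else echo "$f: needs fixing"; fi
    done
    rm -f "$wrong" "$right"
}
```

After the lint passes, the load sequence is still the one from the reply: ipnat -CF, ipnat -f /etc/ipnat.conf, then ipnat -l to confirm the rules and watch sessions appear.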