Subject: Re: need help making a gateway (LONG)
To: Andrew Gillham <>
From: David W. Talmage <>
List: netbsd-users
Date: 11/07/2000 08:20:56
Andrew Gillham wrote:
>David W. Talmage writes:
>> The box I want to use as a gateway refuses to pass packets from the ethernet
>> (ex0) to the outside world (ppp0).  I think I've done all of the things 
>> ...
>doing 'sysctl -a' and looking for "net.inet.ip.forwarding = 1".

Yes, I have that. sysctl net.inet.ip.forwarding
net.inet.ip.forwarding = 1

>With 'netstat -nr' do you actually have a default route in the routing

Yes.  So far, so good.

On the gateway, netstat -nr says:

Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default        UGS        11     1149   1183  ppp0
10.0.2/24          link#1             UC          0        0   1500  ex0           00:10:5a:a4:1a:d8  UHL         0        6   1500  lo0           link#1             UHL         4    11653   1500  ex0
127                UGRS        0        0  33228  lo0          UH         15    29798  33228  lo0      UH          1        0   1183  ppp0

There was more for IPV6 but you don't need to see that, right?

On a non-gateway machine (, netstat -nr says:

Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default             UGS         0      236   1500  ep0
10.0.2/24          link#15            UC          0        0   1500  ep0           link#15            UHL         2      506   1500  ep0           00:00:86:1b:83:d0  UHL         1        0   1500  lo0
127                UGRS        0        0  33228  lo0          UH          1        0  33228  lo0

>Can your local ethernet machines ping the address of ppp0?

No, they can't.  Using tcpdump to watch each interface for icmp traffic, I see 
the icmp echo requests on ex0 but not on ppp0.  It's the same answer, whether 
I ping or

When I terminate ping on a local machine, it tells me about 100% packet loss.

>Have you doublechecked your netmasks and the default route settings on
>the inside machines?  (pinging the address of ppp0 should prove this out)

The netmask for all inside machines is  All of them tell me 
that their ethernet is their default route, as above.

I've set up the gateway as a DNS.  All inside machines can and do use it for 
that.  I've verified that the gateway is giving them the answers to their DNS 

>If all else fails, post your configuration files.  I'm using 1.5_ALPHA for
>a ethernet/ppp/wireless router with no problems.

I'm prepared to discover or be shown an embarassing pilot error.  

Here's /etc/ppp/options:

asyncmap 0x00000000

ricochet is my ISP.  This is /etc/ppp/peers/ricochet:

tty00 57600
connect '/usr/sbin/chat -f /etc/ppp/chat.ricochet'
holdoff 30
mru 1500
mtu 1500

/etc/ppp/ip-up does the following when IP comes up:

if checkyesno ipnat && [ -f /etc/ipnat.conf ]; then
        if ! checkyesno ipfilter || [ ! -f /etc/ipf.conf ]; then
                ipf -y 
        ipnat -C -f /etc/ipnat.conf

I have the stock ipfilter and ipnat scripts in /etc/rc.d.  ipfilter=YES and 
ipnat=YES are set in /etc/rc.conf.

As a test, I pared down my /etc/ipf.conf to six rules (below).  It didn't change 

pass out quick on lo0
pass in  quick on lo0
pass out quick on ex0
pass in quick on ex0
pass out from any to any
pass in  from any to any

/etc/ipnat.conf is now empty.  It didn't give me better results.  No joy.  
When I first posted my problem, /etc/ipnat.conf contained this:

# Map the outgoing address of packets from the unroutable internal
# network to the outside world on ppp0 to the address given by the ISP.  
# "0/32" means "the address of the interface", ppp0 in this case
map ppp0 -> 0/32 proxy port ftp ftp/tcp
map ppp0 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 -> 0/32

# These rules are for squid, the web cache.
# 0/32 is the address of the interface, ppp0 in this case.
# Redirect direct outside web traffic to local web server.
rdr ppp0 0/32 port 80 -> port 80 tcp

# Redirect local web traffic to Squid, the web cache
rdr ex0 port 80 -> port 8080 tcp

Do you really need my kernel configuration?  FWIW, the PCI ethernet card is 
"3Com 3c900B-TPO Ethernet (rev. 0x4)".  The modem is a Metricom Ricochet 
wireless job.


include "arch/i386/conf/std.i386"

#ident 		"GENERIC-$Revision: 1.305 $"

maxusers	32		# estimated number of users

# CPU support.  At least one is REQUIRED.
options 	I686_CPU

# CPU-related options.
options 	VM86		# virtual 8086 emulation
options 	USER_LDT	# user-settable LDT; used by WINE
# eliminate delay no-ops in I/O; recommended on all but very old machines
options 	DUMMY_NOPS

# Misc. i386-specific options
options 	XSERVER		# X server support in console drivers

# Standard system options

options 	UCONSOLE	# users can use TIOCCONS (for xconsole)
options 	INSECURE	# disable kernel security levels

options 	RTC_OFFSET=0	# hardware clock is this many mins. west of GMT
options 	NTP		# NTP phase/frequency locked loop

options 	KTRACE		# system call tracing via ktrace(1)

options 	SYSVMSG		# System V-like message queues
options 	SYSVSEM		# System V-like semaphores
options 	SYSVSHM		# System V-like memory sharing

options 	LKM		# loadable kernel modules

# Diagnostic/debugging support options
options 	DIAGNOSTIC	# cheap kernel consistency checks
options 	KMEMSTATS	# kernel memory statistics (vmstat -m)
options 	DDB		# in-kernel debugger
options 	DDB_HISTORY_SIZE=100	# enable history editing in DDB

# Compatibility options
options 	COMPAT_NOMID	# compatibility with 386BSD, BSDI, NetBSD 0.8,
options 	COMPAT_09	# NetBSD 0.9,
options 	COMPAT_10	# NetBSD 1.0,
options 	COMPAT_11	# NetBSD 1.1,
options 	COMPAT_12	# NetBSD 1.2,
options 	COMPAT_13	# NetBSD 1.3,
options 	COMPAT_14	# NetBSD 1.4,
options 	COMPAT_43	# and 4.3BSD
options 	COMPAT_386BSD_MBRPART # recognize old partition ID

options 	COMPAT_SVR4	# binary compatibility with SVR4
options 	COMPAT_IBCS2	# binary compatibility with SCO and ISC
options 	COMPAT_LINUX	# binary compatibility with Linux
options 	COMPAT_FREEBSD	# binary compatibility with FreeBSD

options 	COMPAT_AOUT	# binary compat for NetBSD a.out binaries

# File systems
file-system 	FFS		# UFS
file-system 	EXT2FS		# second extended file system (linux)
file-system 	LFS		# log-structured file system
file-system 	MFS		# memory file system
file-system 	NFS		# Network File System client
file-system 	NTFS		# Windows/NT file system (experimental)
file-system 	CD9660		# ISO 9660 + Rock Ridge file system
file-system 	MSDOSFS		# MS-DOS file system
file-system 	FDESC		# /dev/fd
file-system 	KERNFS		# /kern
file-system 	NULLFS		# loopback file system
file-system 	OVERLAY		# overlay file system
file-system 	PROCFS		# /proc

# File system options
options 	FFS_EI		# FFS Endian Independent support
options 	NFSSERVER	# Network File System server

# Pull in config fragments for kernel crypto.  This is required for
# options IPSEC etc. to work. If you want to run with IPSEC, uncomment
# one of these, based on whether you use crypto-us or crypto-intl, and
# adjust the prefixes as necessary.

#prefix ../crypto-us/sys
#cinclude "conf/files.crypto-us"

#prefix ../crypto-intl/sys
#cinclude "conf/files.crypto-intl"

# Networking options
options 	GATEWAY		# packet forwarding, enables option IPFORWARDING
options 	INET		# IP + ICMP + TCP + UDP
options 	INET6		# IPV6
options 	PPP_BSDCOMP	# BSD-Compress compression support for PPP
options 	PPP_DEFLATE	# Deflate compression support for PPP
options 	PPP_FILTER	# Active filter support for PPP (requires bpf)
options 	PFIL_HOOKS	# pfil(9) packet filter hooks
options 	IPFILTER_LOG	# ipmon(8) log support

# These options enable verbose messages for several subsystems.
# Warning, these may compile large string tables into the kernel!
options 	EISAVERBOSE	# verbose EISA device autoconfig messages
options 	PCIVERBOSE	# verbose PCI device autoconfig messages
options 	SCSIVERBOSE	# human readable SCSI error messages
options 	USBVERBOSE	# verbose USB device autoconfig messages

# wscons options
# builtin terminal emulations
options 	WSEMUL_VT100		# VT100 / VT220 emulation
# different kernel output - see dev/wscons/wsdisplayvar.h
# compatibility to other console drivers
options 	WSDISPLAY_COMPAT_PCVT		# emulate some ioctls
options 	WSDISPLAY_COMPAT_SYSCONS	# emulate some ioctls
options 	WSDISPLAY_COMPAT_USL		# VT handling
options 	WSDISPLAY_COMPAT_RAWKBD		# can get raw scancodes
# use a large software cursor that doesn't blink

# Kernel root file system and dump configuration.
config		netbsd	root on ? type ?

# Device configuration

mainbus0 at root

apm0	at mainbus0			# Advanced power management

# Basic Bus Support

# PCI bus support
pci*	at mainbus? bus ?
pci*	at pchb? bus ?
pci*	at ppb? bus ?

# PCI bridges
pchb*	at pci? dev ? function ?	# PCI-Host bridges
pceb*	at pci? dev ? function ?	# PCI-EISA bridges
pcib*	at pci? dev ? function ?	# PCI-ISA bridges
ppb*	at pci? dev ? function ?	# PCI-PCI bridges
# XXX 'puc's aren't really bridges, but there's no better place for them here
puc*	at pci? dev ? function ?	# PCI "universal" comm. cards

# EISA bus support
eisa*	at mainbus?
eisa*	at pceb?

# ISA bus support
isa*	at mainbus?
isa*	at pceb?
isa*	at pcib?

# ISA Plug-and-Play bus support
isapnp0	at isa?

# Coprocessor Support

# Math Coprocessor support
npx0	at isa? port 0xf0 irq 13	# x86 math coprocessor

# Console Devices

# wscons
pckbc0		at isa?			# pc keyboard controller
pckbd*		at pckbc?		# PC keyboard
# "opms" should not be enabled together with "pms" or "pmsi"
pms*		at pckbc?		# PS/2 mouse for wsmouse
vga0		at isa?
vga*		at pci?
pcdisplay0	at isa?			# CGA, MDA, EGA, HGA
wsdisplay*	at vga? console ?
wsdisplay*	at pcdisplay? console ?
wskbd* 		at pckbd? console ? mux 1
wsmouse*	at pms? mux 0

pcppi0	at isa?
sysbeep0	at pcppi?

# Serial Devices

# PCI serial interfaces
com*	at puc? port ?			# 16x50s on "universal" comm boards
cy*	at pci? dev ? function ?	# Cyclades Cyclom-Y serial boards

# ISA Plug-and-Play serial interfaces
com*	at isapnp?			# Modems and serial boards

# ISA serial interfaces
com0	at isa? port 0x3f8 irq 4	# Standard PC serial ports
com1	at isa? port 0x2f8 irq 3
com2	at isa? port 0x3e8 irq 5

# Parallel Printer Interfaces

# PCI parallel printer interfaces
lpt*	at puc? port ?			# || ports on "universal" comm boards

# ISA parallel printer interfaces
lpt0	at isa? port 0x378 irq 7	# standard PC parallel ports
lpt1	at isa? port 0x278
lpt2	at isa? port 0x3bc

# SCSI Controllers and Devices

# ISA Plug-and-Play SCSI controllers
aic*	at isapnp?			# Adaptec AHA-1520B

# ISA SCSI controllers
aic0	at isa? port 0x340 irq 11	# Adaptec 152[02] SCSI

# SCSI bus support
scsibus* at aic?

# SCSI devices
sd*	at scsibus? target ? lun ?	# SCSI disk drives
st*	at scsibus? target ? lun ?	# SCSI tape drives
cd*	at scsibus? target ? lun ?	# SCSI CD-ROM drives
ch*	at scsibus? target ? lun ?	# SCSI autochangers
ss*	at scsibus? target ? lun ?	# SCSI scanners
uk*	at scsibus? target ? lun ?	# SCSI unknown

# IDE and related devices
# PCI IDE controllers - see pciide(4) for supported hardware.
# The 0x0001 flag force the driver to use DMA, even if the driver doesn't know
# how to set up DMA modes for this chip. This may work, or may cause
# a machine hang with some controllers.
pciide* at pci ? dev ? function ? flags 0x0000

# ISA Plug-and-Play IDE controllers
wdc*	at isapnp? 

# ISA ST506, ESDI, and IDE controllers
# Use flags 0x01 if you want to try to use 32bits data I/O (the driver will
# fall back to 16bits I/O if 32bits I/O are not functional).
# Some controllers pass the initial 32bit test, but will fail later.
wdc0	at isa? port 0x1f0 irq 14 flags 0x00
wdc1	at isa? port 0x170 irq 15 flags 0x00

# IDE drives
# Flags are used only with controllers that support DMA operations
# and mode settings (e.g. some pciide controllers)
# The lowest order four bits (rightmost digit) of the flags define the PIO
# mode to use, the next set of four bits the DMA mode and the third set the
# UltraDMA mode. For each set of four bits, the 3 lower bits define the mode
# to use, and the last bit must be 1 for this setting to be used.
# For DMA and UDMA, 0xf (1111) means 'disable'.
# 0x0fac means 'use PIO mode 4, DMA mode 2, disable UltraDMA'.
# (0xc=1100, 0xa=1010, 0xf=1111)
# 0x0000 means "use whatever the drive claims to support".
wd*	at wdc? channel ? drive ? flags 0x0000
wd*	at pciide? channel ? drive ? flags 0x0000

# ATAPI bus support
atapibus* at wdc? channel ?
atapibus* at pciide? channel ?

# ATAPI devices
# flags have the same meaning as for IDE drives.
cd*	at atapibus? drive ? flags 0x0000	# ATAPI CD-ROM drives
sd*	at atapibus? drive ? flags 0x0000	# ATAPI disk drives
uk*	at atapibus? drive ? flags 0x0000	# ATAPI unknown

# Miscellaneous mass storage devices

# ISA floppy
fdc0	at isa? port 0x3f0 irq 6 drq 2	# standard PC floppy controllers
#fdc1	at isa? port 0x370 irq ? drq ?
fd*	at fdc? drive ?			# the drives themselves

# Network Interfaces

# PCI network interfaces
ex*	at pci? dev ? function ?	# 3Com 90x[B]

# USB Controller and Devices

# PCI USB controllers
uhci*	at pci?	dev ? function ?	# Universal Host Controller (Intel)
ohci*	at pci?	dev ? function ?	# Open Host Controller

# USB bus support
usb*	at uhci?
usb*	at ohci?

# USB Hubs
uhub*	at usb?
uhub*	at uhub? port ? configuration ? interface ?

# USB Mice
ums*	at uhub? port ? configuration ? interface ?
wsmouse*	at ums? mux 0

# USB Keyboards
ukbd*	at uhub? port ? configuration ? interface ?
wskbd*	at ukbd? console ? mux 1

# USB Generic HID devices
uhid*	at uhub? port ? configuration ? interface ?

# USB Printer
ulpt*	at uhub? port ? configuration ? interface ?

# USB Modem
umodem*	at uhub? port ? configuration ?
ucom*	at umodem?

# USB Mass Storage
umass*	at uhub? port ? configuration ? interface ?
scsibus* at umass? channel ?

# USB audio
#uaudio*	at uhub? port ? configuration ?

# USB Ethernet adapters
aue*	at uhub? port ?		# ADMtek AN986 Pegasus based adapters
cue*	at uhub? port ?		# CATC USB-EL1201A based adapters
kue*	at uhub? port ?		# Kawasaki LSI KL5KUSB101B based adapters

# USB Generic driver
ugen*	at uhub? port ?

# USB Handspring Visor
uvisor* at uhub? port ?
ucom* at uvisor?

# Pull in optional local configuration
include	"arch/i386/conf/GENERIC.local"

# Pseudo-Devices

# disk/mass storage pseudo-devices
pseudo-device	ccd		4	# concatenated/striped disk devices
pseudo-device	md		1	# memory disk device (ramdisk)
pseudo-device	vnd		4	# disk-like interface to files

# network pseudo-devices
pseudo-device	bpfilter	16	# Berkeley packet filter
pseudo-device	ipfilter		# IP filter (firewall) and NAT
pseudo-device	loop			# network loopback
pseudo-device	ppp		2	# Point-to-Point Protocol
pseudo-device	strip		2	# Starmode Radio IP (Metricom)
pseudo-device	tun		2	# network tunneling over tty
pseudo-device	gre		2	# generic L3 over IP tunnel
pseudo-device	ipip		2	# IP Encapsulation within IP (RFC 2003)
pseudo-device	gif		4	# IPv[46] over IPv[46] tunnel (RFC1933)

# miscellaneous pseudo-devices
pseudo-device	pty		64	# pseudo-terminals
# rnd works; RND_COM does not on port i386 yet.
pseudo-device	rnd			# /dev/random and in-kernel generator

# mouse & keyboard multiplexor pseudo-devices
pseudo-device	wsmux		2