Subject: Re: need help making a gateway (LONG)
To: Andrew Gillham <gillham@vaultron.com>
From: David W. Talmage <talmage@ricochet.net>
List: netbsd-users
Date: 11/07/2000 08:20:56
Andrew Gillham wrote:
>David W. Talmage writes:
>> The box I want to use as a gateway refuses to pass packets from the ethernet
>> (ex0) to the outside world (ppp0). I think I've done all of the things
>> ...
>...
>doing 'sysctl -a' and looking for "net.inet.ip.forwarding = 1".
Yes, I have that.
talmage.madison.dynip.com% sysctl net.inet.ip.forwarding
net.inet.ip.forwarding = 1
>With 'netstat -nr' do you actually have a default route in the routing
>table?
Yes. So far, so good.
On the gateway, netstat -nr says:
Destination      Gateway            Flags  Refs    Use    Mtu  Interface
default          204.254.22.20      UGS      11   1149   1183  ppp0
10.0.2/24        link#1             UC        0      0   1500  ex0
10.0.2.1         00:10:5a:a4:1a:d8  UHL       0      6   1500  lo0
10.0.2.2         link#1             UHL       4  11653   1500  ex0
127              127.0.0.1          UGRS      0      0  33228  lo0
127.0.0.1        127.0.0.1          UH       15  29798  33228  lo0
204.254.22.20    204.254.22.19      UH        1      0   1183  ppp0
There was more for IPV6 but you don't need to see that, right?
On a non-gateway machine (10.0.2.2), netstat -nr says:
Destination      Gateway            Flags  Refs    Use    Mtu  Interface
default          10.0.2.2           UGS       0    236   1500  ep0
10.0.2/24        link#15            UC        0      0   1500  ep0
10.0.2.1         link#15            UHL       2    506   1500  ep0
10.0.2.2         00:00:86:1b:83:d0  UHL       1      0   1500  lo0
127              127.0.0.1          UGRS      0      0  33228  lo0
127.0.0.1        127.0.0.1          UH        1      0  33228  lo0
>Can your local ethernet machines ping the address of ppp0?
No, they can't. Using tcpdump to watch each interface for icmp traffic, I see
the icmp echo requests on ex0 but not on ppp0. It's the same answer, whether
I ping 204.205.22.19 or 204.205.22.20.
When I terminate ping on a local machine, it tells me about 100% packet loss.
>Have you doublechecked your netmasks and the default route settings on
>the inside machines? (pinging the address of ppp0 should prove this out)
The netmask for all inside machines is 255.255.255.0. All of them tell me
that their ethernet is their default route, as above.
I've set up the gateway as a DNS. All inside machines can and do use it for
that. I've verified that the gateway is giving them the answers to their DNS
queries.
>If all else fails, post your configuration files. I'm using 1.5_ALPHA for
>a ethernet/ppp/wireless router with no problems.
I'm prepared to discover or be shown an embarrassing pilot error.
Here's /etc/ppp/options:
asyncmap 0x00000000
auth
crtscts
defaultroute
lock
modem
ricochet is my ISP. This is /etc/ppp/peers/ricochet:
tty00 57600
connect '/usr/sbin/chat -f /etc/ppp/chat.ricochet'
holdoff 30
mru 1500
mtu 1500
noauth
noipdefault
novj
persist
/etc/ppp/ip-up does the following when IP comes up:
if checkyesno ipnat && [ -f /etc/ipnat.conf ]; then
if ! checkyesno ipfilter || [ ! -f /etc/ipf.conf ]; then
ipf -y
fi
ipnat -C -f /etc/ipnat.conf
fi
I have the stock ipfilter and ipnat scripts in /etc/rc.d. ipfilter=YES and
ipnat=YES are set in /etc/rc.conf.
As a test, I pared down my /etc/ipf.conf to six rules (below). It didn't change
anything.
pass out quick on lo0
pass in quick on lo0
pass out quick on ex0
pass in quick on ex0
pass out from any to any
pass in from any to any
/etc/ipnat.conf is now empty. It didn't give me better results. No joy.
When I first posted my problem, /etc/ipnat.conf contained this:
#
# Map the outgoing address of packets from the unroutable internal
# network to the outside world on ppp0 to the address given by the ISP.
#
# "0/32" means "the address of the interface", ppp0 in this case
#
map ppp0 10.0.2.0/24 -> 0/32 proxy port ftp ftp/tcp
map ppp0 10.0.2.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 10.0.2.0/24 -> 0/32
# These rules are for squid, the web cache.
#
# 0/32 is the address of the interface, ppp0 in this case.
#
#
# Redirect direct outside web traffic to local web server.
#
rdr ppp0 0/32 port 80 -> 127.0.0.1 port 80 tcp
#
# Redirect local web traffic to Squid, the web cache
#
rdr ex0 10.0.2.0/24 port 80 -> 127.0.0.1 port 8080 tcp
Do you really need my kernel configuration? FWIW, the PCI ethernet card is
"3Com 3c900B-TPO Ethernet (rev. 0x4)". The modem is a Metricom Ricochet
wireless job.
#
# MADISON
#
include "arch/i386/conf/std.i386"
#ident "GENERIC-$Revision: 1.305 $"
maxusers 32 # estimated number of users
# CPU support. At least one is REQUIRED.
options I686_CPU
# CPU-related options.
options VM86 # virtual 8086 emulation
options USER_LDT # user-settable LDT; used by WINE
# eliminate delay no-ops in I/O; recommended on all but very old machines
options DUMMY_NOPS
# Misc. i386-specific options
options XSERVER # X server support in console drivers
# Standard system options
options UCONSOLE # users can use TIOCCONS (for xconsole)
options INSECURE # disable kernel security levels
options RTC_OFFSET=0 # hardware clock is this many mins. west of GMT
options NTP # NTP phase/frequency locked loop
options KTRACE # system call tracing via ktrace(1)
options SYSVMSG # System V-like message queues
options SYSVSEM # System V-like semaphores
options SYSVSHM # System V-like memory sharing
options LKM # loadable kernel modules
# Diagnostic/debugging support options
options DIAGNOSTIC # cheap kernel consistency checks
options KMEMSTATS # kernel memory statistics (vmstat -m)
options DDB # in-kernel debugger
options DDB_HISTORY_SIZE=100 # enable history editing in DDB
# Compatibility options
options COMPAT_NOMID # compatibility with 386BSD, BSDI, NetBSD 0.8,
options COMPAT_09 # NetBSD 0.9,
options COMPAT_10 # NetBSD 1.0,
options COMPAT_11 # NetBSD 1.1,
options COMPAT_12 # NetBSD 1.2,
options COMPAT_13 # NetBSD 1.3,
options COMPAT_14 # NetBSD 1.4,
options COMPAT_43 # and 4.3BSD
options COMPAT_386BSD_MBRPART # recognize old partition ID
options COMPAT_SVR4 # binary compatibility with SVR4
options COMPAT_IBCS2 # binary compatibility with SCO and ISC
options COMPAT_LINUX # binary compatibility with Linux
options COMPAT_FREEBSD # binary compatibility with FreeBSD
options COMPAT_AOUT # binary compat for NetBSD a.out binaries
# File systems
file-system FFS # UFS
file-system EXT2FS # second extended file system (linux)
file-system LFS # log-structured file system
file-system MFS # memory file system
file-system NFS # Network File System client
file-system NTFS # Windows/NT file system (experimental)
file-system CD9660 # ISO 9660 + Rock Ridge file system
file-system MSDOSFS # MS-DOS file system
file-system FDESC # /dev/fd
file-system KERNFS # /kern
file-system NULLFS # loopback file system
file-system OVERLAY # overlay file system
file-system PROCFS # /proc
# File system options
options FFS_EI # FFS Endian Independent support
options NFSSERVER # Network File System server
# Pull in config fragments for kernel crypto. This is required for
# options IPSEC etc. to work. If you want to run with IPSEC, uncomment
# one of these, based on whether you use crypto-us or crypto-intl, and
# adjust the prefixes as necessary.
#prefix ../crypto-us/sys
#cinclude "conf/files.crypto-us"
#prefix
#prefix ../crypto-intl/sys
#cinclude "conf/files.crypto-intl"
#prefix
# Networking options
options GATEWAY # packet forwarding, enables option IPFORWARDING
options INET # IP + ICMP + TCP + UDP
options INET6 # IPV6
options PPP_BSDCOMP # BSD-Compress compression support for PPP
options PPP_DEFLATE # Deflate compression support for PPP
options PPP_FILTER # Active filter support for PPP (requires bpf)
options PFIL_HOOKS # pfil(9) packet filter hooks
options IPFILTER_LOG # ipmon(8) log support
# These options enable verbose messages for several subsystems.
# Warning, these may compile large string tables into the kernel!
options EISAVERBOSE # verbose EISA device autoconfig messages
options PCIVERBOSE # verbose PCI device autoconfig messages
options SCSIVERBOSE # human readable SCSI error messages
options USBVERBOSE # verbose USB device autoconfig messages
#
# wscons options
#
# builtin terminal emulations
options WSEMUL_VT100 # VT100 / VT220 emulation
# different kernel output - see dev/wscons/wsdisplayvar.h
options WS_KERNEL_FG=WSCOL_GREEN
# compatibility to other console drivers
options WSDISPLAY_COMPAT_PCVT # emulate some ioctls
options WSDISPLAY_COMPAT_SYSCONS # emulate some ioctls
options WSDISPLAY_COMPAT_USL # VT handling
options WSDISPLAY_COMPAT_RAWKBD # can get raw scancodes
# use a large software cursor that doesn't blink
options PCDISPLAY_SOFTCURSOR
# Kernel root file system and dump configuration.
config netbsd root on ? type ?
#
# Device configuration
#
mainbus0 at root
apm0 at mainbus0 # Advanced power management
# Basic Bus Support
# PCI bus support
pci* at mainbus? bus ?
pci* at pchb? bus ?
pci* at ppb? bus ?
# PCI bridges
pchb* at pci? dev ? function ? # PCI-Host bridges
pceb* at pci? dev ? function ? # PCI-EISA bridges
pcib* at pci? dev ? function ? # PCI-ISA bridges
ppb* at pci? dev ? function ? # PCI-PCI bridges
# XXX 'puc's aren't really bridges, but there's no better place for them here
puc* at pci? dev ? function ? # PCI "universal" comm. cards
# EISA bus support
eisa* at mainbus?
eisa* at pceb?
# ISA bus support
isa* at mainbus?
isa* at pceb?
isa* at pcib?
# ISA Plug-and-Play bus support
isapnp0 at isa?
# Coprocessor Support
# Math Coprocessor support
npx0 at isa? port 0xf0 irq 13 # x86 math coprocessor
# Console Devices
# wscons
pckbc0 at isa? # pc keyboard controller
pckbd* at pckbc? # PC keyboard
# "opms" should not be enabled together with "pms" or "pmsi"
pms* at pckbc? # PS/2 mouse for wsmouse
vga0 at isa?
vga* at pci?
pcdisplay0 at isa? # CGA, MDA, EGA, HGA
wsdisplay* at vga? console ?
wsdisplay* at pcdisplay? console ?
wskbd* at pckbd? console ? mux 1
wsmouse* at pms? mux 0
pcppi0 at isa?
sysbeep0 at pcppi?
# Serial Devices
# PCI serial interfaces
com* at puc? port ? # 16x50s on "universal" comm boards
cy* at pci? dev ? function ? # Cyclades Cyclom-Y serial boards
# ISA Plug-and-Play serial interfaces
com* at isapnp? # Modems and serial boards
# ISA serial interfaces
com0 at isa? port 0x3f8 irq 4 # Standard PC serial ports
com1 at isa? port 0x2f8 irq 3
com2 at isa? port 0x3e8 irq 5
# Parallel Printer Interfaces
# PCI parallel printer interfaces
lpt* at puc? port ? # || ports on "universal" comm boards
# ISA parallel printer interfaces
lpt0 at isa? port 0x378 irq 7 # standard PC parallel ports
lpt1 at isa? port 0x278
lpt2 at isa? port 0x3bc
# SCSI Controllers and Devices
# ISA Plug-and-Play SCSI controllers
aic* at isapnp? # Adaptec AHA-1520B
# ISA SCSI controllers
aic0 at isa? port 0x340 irq 11 # Adaptec 152[02] SCSI
# SCSI bus support
scsibus* at aic?
# SCSI devices
sd* at scsibus? target ? lun ? # SCSI disk drives
st* at scsibus? target ? lun ? # SCSI tape drives
cd* at scsibus? target ? lun ? # SCSI CD-ROM drives
ch* at scsibus? target ? lun ? # SCSI autochangers
ss* at scsibus? target ? lun ? # SCSI scanners
uk* at scsibus? target ? lun ? # SCSI unknown
# IDE and related devices
# PCI IDE controllers - see pciide(4) for supported hardware.
# The 0x0001 flag force the driver to use DMA, even if the driver doesn't know
# how to set up DMA modes for this chip. This may work, or may cause
# a machine hang with some controllers.
pciide* at pci ? dev ? function ? flags 0x0000
# ISA Plug-and-Play IDE controllers
wdc* at isapnp?
# ISA ST506, ESDI, and IDE controllers
# Use flags 0x01 if you want to try to use 32bits data I/O (the driver will
# fall back to 16bits I/O if 32bits I/O are not functional).
# Some controllers pass the initial 32bit test, but will fail later.
wdc0 at isa? port 0x1f0 irq 14 flags 0x00
wdc1 at isa? port 0x170 irq 15 flags 0x00
# IDE drives
# Flags are used only with controllers that support DMA operations
# and mode settings (e.g. some pciide controllers)
# The lowest order four bits (rightmost digit) of the flags define the PIO
# mode to use, the next set of four bits the DMA mode and the third set the
# UltraDMA mode. For each set of four bits, the 3 lower bits define the mode
# to use, and the last bit must be 1 for this setting to be used.
# For DMA and UDMA, 0xf (1111) means 'disable'.
# 0x0fac means 'use PIO mode 4, DMA mode 2, disable UltraDMA'.
# (0xc=1100, 0xa=1010, 0xf=1111)
# 0x0000 means "use whatever the drive claims to support".
wd* at wdc? channel ? drive ? flags 0x0000
wd* at pciide? channel ? drive ? flags 0x0000
# ATAPI bus support
atapibus* at wdc? channel ?
atapibus* at pciide? channel ?
# ATAPI devices
# flags have the same meaning as for IDE drives.
cd* at atapibus? drive ? flags 0x0000 # ATAPI CD-ROM drives
sd* at atapibus? drive ? flags 0x0000 # ATAPI disk drives
uk* at atapibus? drive ? flags 0x0000 # ATAPI unknown
# Miscellaneous mass storage devices
# ISA floppy
fdc0 at isa? port 0x3f0 irq 6 drq 2 # standard PC floppy controllers
#fdc1 at isa? port 0x370 irq ? drq ?
fd* at fdc? drive ? # the drives themselves
# Network Interfaces
# PCI network interfaces
ex* at pci? dev ? function ? # 3Com 90x[B]
# USB Controller and Devices
# PCI USB controllers
uhci* at pci? dev ? function ? # Universal Host Controller (Intel)
ohci* at pci? dev ? function ? # Open Host Controller
# USB bus support
usb* at uhci?
usb* at ohci?
# USB Hubs
uhub* at usb?
uhub* at uhub? port ? configuration ? interface ?
# USB Mice
ums* at uhub? port ? configuration ? interface ?
wsmouse* at ums? mux 0
# USB Keyboards
ukbd* at uhub? port ? configuration ? interface ?
wskbd* at ukbd? console ? mux 1
# USB Generic HID devices
uhid* at uhub? port ? configuration ? interface ?
# USB Printer
ulpt* at uhub? port ? configuration ? interface ?
# USB Modem
umodem* at uhub? port ? configuration ?
ucom* at umodem?
# USB Mass Storage
umass* at uhub? port ? configuration ? interface ?
scsibus* at umass? channel ?
# USB audio
#uaudio* at uhub? port ? configuration ?
# USB Ethernet adapters
aue* at uhub? port ? # ADMtek AN986 Pegasus based adapters
cue* at uhub? port ? # CATC USB-EL1201A based adapters
kue* at uhub? port ? # Kawasaki LSI KL5KUSB101B based adapters
# USB Generic driver
ugen* at uhub? port ?
# USB Handspring Visor
uvisor* at uhub? port ?
ucom* at uvisor?
# Pull in optional local configuration
include "arch/i386/conf/GENERIC.local"
# Pseudo-Devices
# disk/mass storage pseudo-devices
pseudo-device ccd 4 # concatenated/striped disk devices
pseudo-device md 1 # memory disk device (ramdisk)
pseudo-device vnd 4 # disk-like interface to files
# network pseudo-devices
pseudo-device bpfilter 16 # Berkeley packet filter
pseudo-device ipfilter # IP filter (firewall) and NAT
pseudo-device loop # network loopback
pseudo-device ppp 2 # Point-to-Point Protocol
pseudo-device strip 2 # Starmode Radio IP (Metricom)
pseudo-device tun 2 # network tunneling over tty
pseudo-device gre 2 # generic L3 over IP tunnel
pseudo-device ipip 2 # IP Encapsulation within IP (RFC 2003)
pseudo-device gif 4 # IPv[46] over IPv[46] tunnel (RFC1933)
# miscellaneous pseudo-devices
pseudo-device pty 64 # pseudo-terminals
# rnd works; RND_COM does not on port i386 yet.
pseudo-device rnd # /dev/random and in-kernel generator
# mouse & keyboard multiplexor pseudo-devices
pseudo-device wsmux 2
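Editor's note, added example (not code from the post, from the list, or from NetBSD): the checks the reply asks for by hand ("do you actually have a default route", "doublechecked ... the default route settings on the inside machines") can be run over the two netstat -nr tables quoted above. The script below embeds those two tables as constructed input with their column alignment restored, parses them, and for each host reports whether a default route exists, whether its gateway is directly connected, and whether the gateway is one of the host's own addresses. Run on the posted tables it reports nothing for the gateway box, whose default goes to 204.254.22.20 over the UH route on ppp0; for the inside host it reports that the default gateway in that table is 10.0.2.2, which the same table lists as the host's own address (the UHL entry on lo0), rather than the gateway's ex0 address 10.0.2.1. The expansion of netstat's abbreviated Destination column (for example "127" to 127.0.0.0/8, "10.0.2/24" to 10.0.2.0/24) is an assumption about the output format, and the cross-check between the two tables is a generalization the post itself does not make.

```python
"""Sanity checks over BSD `netstat -nr` output for a NAT gateway and the
hosts behind it.  Added example; not code from the original post or from
NetBSD.  The two tables below are the ones quoted in the message, with the
column alignment restored."""
import ipaddress
from dataclasses import dataclass

# Constructed input: routing table of the gateway (ex0 and ppp0), as posted.
GATEWAY_NETSTAT = """\
Destination    Gateway            Flags  Refs  Use    Mtu    Interface
default        204.254.22.20      UGS    11    1149   1183   ppp0
10.0.2/24      link#1             UC     0     0      1500   ex0
10.0.2.1       00:10:5a:a4:1a:d8  UHL    0     6      1500   lo0
10.0.2.2       link#1             UHL    4     11653  1500   ex0
127            127.0.0.1          UGRS   0     0      33228  lo0
127.0.0.1      127.0.0.1          UH     15    29798  33228  lo0
204.254.22.20  204.254.22.19      UH     1     0      1183   ppp0
"""

# Constructed input: routing table of the inside host 10.0.2.2 (ep0), as posted.
INSIDE_NETSTAT = """\
Destination    Gateway            Flags  Refs  Use    Mtu    Interface
default        10.0.2.2           UGS    0     236    1500   ep0
10.0.2/24      link#15            UC     0     0      1500   ep0
10.0.2.1       link#15            UHL    2     506    1500   ep0
10.0.2.2       00:00:86:1b:83:d0  UHL    1     0      1500   lo0
127            127.0.0.1          UGRS   0     0      33228  lo0
127.0.0.1      127.0.0.1          UH     1     0      33228  lo0
"""


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: str      # next hop, link#N, or a MAC address, as netstat prints it
    flags: str
    iface: str


def parse_dest(s):
    """Expand netstat's abbreviated Destination column into a network.
    Assumed format: 'default', 'a.b.c/len', a full host address, or a
    classful network with its trailing zero octets dropped ('127')."""
    if s == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = s.partition("/")
    octets = addr.split(".")
    if not plen:
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def parse_netstat(text):
    """Parse the IPv4 part of `netstat -nr` output into Route records."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[0] == "Destination":
            continue
        routes.append(Route(parse_dest(cols[0]), cols[1], cols[2], cols[6]))
    return routes


def local_addresses(routes):
    """Addresses this host owns: host routes that point at the loopback."""
    return {r.dest.network_address for r in routes
            if r.iface == "lo0" and "H" in r.flags}


def default_route(routes):
    return next((r for r in routes if r.dest.prefixlen == 0), None)


def on_link(routes, addr):
    """True if addr is covered by a non-gateway (directly connected) route."""
    return any("G" not in r.flags and addr in r.dest for r in routes)


def lan_address(routes, iface):
    """This host's own address on iface: the local address that falls inside
    a cloning ('C') network route on that interface."""
    nets = [r.dest for r in routes if r.iface == iface and "C" in r.flags]
    return next((a for a in sorted(local_addresses(routes))
                 if any(a in n for n in nets)), None)


def audit(routes, expected_gw=None):
    """Return a list of findings about the default route (empty means ok)."""
    d = default_route(routes)
    if d is None:
        return ["no default route"]
    gw = ipaddress.ip_address(d.gateway)
    findings = []
    if gw in local_addresses(routes):
        findings.append(f"default gateway {gw} is one of this host's own addresses")
    if not on_link(routes, gw):
        findings.append(f"default gateway {gw} is not directly connected")
    if expected_gw is not None and gw != ipaddress.ip_address(str(expected_gw)):
        findings.append(f"default gateway is {gw}, expected {expected_gw}")
    return findings


if __name__ == "__main__":
    gw_routes = parse_netstat(GATEWAY_NETSTAT)
    inside_routes = parse_netstat(INSIDE_NETSTAT)
    gw_lan = lan_address(gw_routes, "ex0")   # the gateway's LAN-side address
    print("gateway     :", audit(gw_routes) or ["ok"])
    print("inside host :", audit(inside_routes, expected_gw=gw_lan) or ["ok"])
```

To use it on a live box, paste the IPv4 section of netstat -nr from the gateway and from one inside host into the two strings; the cross-check only needs the gateway's LAN interface name, which here is ex0.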