Subject: trouble with ipnat on NetBSD 1.5 (Sparc)
To: None <netbsd-users@netbsd.org>
From: Richard G. Roberto <rich@dedlegend.com>
List: netbsd-users
Date: 12/23/2001 11:46:13
Hi,

I hope this is the right list for this post. I did as much searching as
I could on the matter, but haven't found any help.

Here's my current situation. I run FreeBSD on my PC and connect to the
net over DSL. I just recently got a static IP, so I no longer have to
dial up or anything. I also want to get my kids connected to the net
over the same link when I dual boot them into windows, but then I won't
have any firewall protection.

So, instead of investing in black ice or something for NT, I decided to
put an old Sparc 4 to work as the firewall. I initially tried to port my
FreeBSD ipfw and natd configuration to ipf, but after hours of no luck,
I decided to take ipf out of the picture and concentrate on getting just
the NAT to work. I created an empty /etc/ipf.conf file, and an
/etc/ipnat.conf that looks like this:

map 10.1.1.0/24 -> 0/32

The trouble I'm having is the same trouble I had when I had ipf rules,
which is, tcp sessions start to work, then stop, and small udp
communications are fine (dig works fine through the NAT, for example).

A tcpdump seems to indicate that the tcp session setup is just fine, and
the NAT works fine for that, but after the syn,ack,syn-ack exchange, the
outside IP (the NAT address) receives a packet from the remote host and
sends a RST to the remote host but the originating host is not a part of
this exchange. This is bizarre. It seems as though the NAT table gets
screwed up or something, possibly expiring sessions way too fast, but
when I do an ipnat -l, I get a list of what looks like should be the
correct NAT table, intact.

This is on a Sparc4 70MHz machine with 32 MB RAM. I'm using the le0
device as the outside interface and a qe0 device as the inside
interface. They both have the same ethernet address, and I can't seem to
use ifconfig on NetBSD to change that. This used to be fine in the old
days, especially since these are on different "networks" (even though
I'm using the same switch), but I'm willing to change it if there is a
utility to do so under NetBSD.

Any help anyone can give would be greatly appreciated. I'm new to both
NetBSD and ipf/ipnat, so I'm quite willing to believe I'm doing
something wrong but don't know how to troubleshoot this any further.

Thanks in advance,

rgr
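The poster suspects that the NAT table is "expiring sessions way too fast" and that the gateway then answers the remote host's packets with a RST. The following toy NAT model, added here as an illustration and not code from the original post or from ipfilter, reproduces exactly that mechanism: an outbound SYN allocates a translation entry, the entry carries an idle timeout, and an inbound packet that arrives after the entry has expired finds no mapping, so the gateway's own stack owns the destination port and replies with a RST that the inside host never sees. The addresses (192.0.2.10 as the outside address, 198.51.100.80 as the remote server, 10.1.1.5 as an inside host on the poster's 10.1.1.0/24 network), the port range and the timeout values are constructed for the example; ipfilter's real timers and table layout are not modelled.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal TCP packet view: addresses, ports, flag string, arrival time."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S", "SA", "A", "PA", "R" in tcpdump's spelling
    t: float     # seconds since start of the trace (constructed)


class ToyNat:
    """Port-based NAT with idle expiry, in the spirit of `map ... -> 0/32`
    (all inside hosts share the gateway's one outside address).
    Assumption for the example: this is not ipfilter's implementation."""

    def __init__(self, outside_ip: str, ttl: float, first_port: int = 10000):
        self.outside_ip = outside_ip
        self.ttl = ttl                      # idle seconds before an entry expires
        self.table = {}                     # (inside_ip, inside_port) -> (out_port, last_seen)
        self.reverse = {}                   # out_port -> (inside_ip, inside_port)
        self.next_port = first_port
        self.log = []

    def _expire(self, now: float) -> None:
        # Drop every mapping that has been idle longer than ttl (the suspected failure mode).
        for key, (oport, seen) in list(self.table.items()):
            if now - seen > self.ttl:
                del self.table[key]
                del self.reverse[oport]
                self.log.append(f"expired {key} (outside port {oport}) at t={now}")

    def outbound(self, pkt: Packet) -> Packet:
        """Inside host -> remote: allocate or refresh a mapping, rewrite the source."""
        self._expire(pkt.t)
        key = (pkt.src, pkt.sport)
        if key in self.table:
            oport, _ = self.table[key]
        else:
            oport = self.next_port
            self.next_port += 1
            self.reverse[oport] = key
        self.table[key] = (oport, pkt.t)
        return Packet(self.outside_ip, oport, pkt.dst, pkt.dport, pkt.flags, pkt.t)

    def inbound(self, pkt: Packet):
        """Remote -> outside address: translate back if a mapping exists,
        otherwise the gateway's own stack answers the unknown port with a RST."""
        self._expire(pkt.t)
        key = self.reverse.get(pkt.dport)
        if key is None:
            rst = Packet(self.outside_ip, pkt.dport, pkt.src, pkt.sport, "R", pkt.t)
            self.log.append(f"no mapping for outside port {pkt.dport}: sending RST")
            return "RST", rst
        self.table[key] = (pkt.dport, pkt.t)          # refresh idle timer
        inside_ip, inside_port = key
        return "FORWARD", Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.flags, pkt.t)


def run_session(ttl: float):
    """Replay one outbound TCP session through the toy NAT and return what
    happened to each packet that arrived from the remote side."""
    nat = ToyNat(outside_ip="192.0.2.10", ttl=ttl)      # constructed outside address
    inside, remote = "10.1.1.5", "198.51.100.80"        # constructed hosts
    actions = []
    # t=0.0: client SYN leaves the LAN, NAT allocates an outside port
    syn = nat.outbound(Packet(inside, 40000, remote, 80, "S", 0.0))
    # t=0.1: server SYN-ACK comes back to the outside address
    act, _ = nat.inbound(Packet(remote, 80, nat.outside_ip, syn.sport, "SA", 0.1))
    actions.append(act)
    # t=0.2: client ACK completes the handshake
    nat.outbound(Packet(inside, 40000, remote, 80, "A", 0.2))
    # t=5.0: server sends its first data segment after a short pause
    act, reply = nat.inbound(Packet(remote, 80, nat.outside_ip, syn.sport, "PA", 5.0))
    actions.append(act)
    return actions


if __name__ == "__main__":
    # A sane idle timeout keeps the session alive; a tiny one reproduces
    # "handshake works, then the NAT box RSTs the server" from the post.
    print("ttl=60:", run_session(60))   # ['FORWARD', 'FORWARD']
    print("ttl=1: ", run_session(1))    # ['FORWARD', 'RST']
```

Running it with a generous timeout forwards both inbound packets to 10.1.1.5; with a timeout shorter than the gap between the handshake and the first data segment, the second inbound packet has no mapping and the model emits the RST from the outside address, with the inside host taking no part in that exchange. If real traffic shows this pattern while `ipnat -l` still lists the entry, the expiry hypothesis is weakened and the next things to rule out are on the link layer, for instance whether frames for the two interfaces are actually reaching the right port on the shared switch.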