Subject: Re: NAT Rules Question
To: David Maxwell <david@vex.net>
From: J. Buck Caldwell <buckaroo@liveround.com>
List: netbsd-users
Date: 06/17/2003 12:08:47
David Maxwell wrote:

>On Tue, Jun 17, 2003 at 11:51:57AM -0500, J. Buck Caldwell wrote:
>>I've got the routing down, and I'm working on the firewall rules. I'm 
>>not sure about the NAT rules, though. Here's my question:
>>
>>Say I've got a branch 192.168.3.0, with a sister branch 192.168.13.0. 
>>The 3.0 has a broadband connection. The 13.0 does not. There is a Cisco 
>>router at 13.1 and 3.2, with an IP unnumbered connection between them 
>>over the T1. The 3.0 has a VPN IPSec tunnel to 0.0/24. How should my NAT 
>>rules look to provide NAT services for both the 13.0 and 3.0 network? 
>>Something like this, I'm assuming:
>>
>>map ex0 192.168.3.0/24 -> 0/32 proxy port ftp ftp/tcp
>>map ex0 192.168.3.0/24 -> 0/32 portmap tcp/udp auto
>>map ex0 192.168.3.0/24 -> 0/32
>>map ex0 192.168.13.0/24 -> 0/32 proxy port ftp ftp/tcp
>>map ex0 192.168.13.0/24 -> 0/32 portmap tcp/udp auto
>>map ex0 192.168.13.0/24 -> 0/32
>
>That looks fine. Although, from your description, I don't see any reason
>why you couldn't just leave your 192.168.0.0/16 ruleset instead. It's a
>bit loose and sloppy to do so, but nothing should prevent it from
>working.
My concern with that is that packets headed for, say, 192.168.5.0/24 
will get mangled or not pass through the VPN tunnel. Of course, I don't 
know the deep dark inner workings of NAT well enough. I suppose, since 
the packets will be outbound on gif[x] instead of ex0, they wouldn't get 
translated, am I right?

>(I read your description as a network with multiple islands, each island
>has a broadband node, and one or more VPN'd dialup networks behind it.
>Each island will have the class C for the main broadband site + one or
>more C's for each dialup network.)
Essentially, yes, although the 'dialup' networks will be point-to-point 
T1s permanently attached. If you're interested in seeing a map, you can 
check out http://66.134.157.122/netmap.html. Each Bxx is a branch (or 
Corporate, B16).

>>Now the other possibility - to confuse things further - we're getting 
>>five static IPs at each broadband connection, I could have each /24 go 
>>out on a different address - can NAT use an aliased address? Can I 
>>configure ex0 with two 'public' IPs, then change the NAT rules to point 
>>the 3.0 network to one, and the 13.0 network at the alias address?
>
>Yes, just replace 0/32 with the A.B.C.D/32 you want in each case, using
>the separate mappings you wrote above.
>
As I thought. Thank you for replying!
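An added worked configuration, not text from either poster, applying the answer above: an /etc/ipnat.conf with each /24 mapped to its own public /32. The two public addresses (RFC 5737 documentation range) and the tunnel interface name gif0 are assumed placeholders.

```conf
# Added example (not from either poster): /etc/ipnat.conf for the
# two-address variant. Public addresses are constructed placeholders;
# substitute the static IPs assigned to ex0. Assumes ex0 carries a
# primary address plus one alias, configured roughly as:
#   ifconfig ex0 inet 203.0.113.10 netmask 255.255.255.248
#   ifconfig ex0 inet 203.0.113.11 netmask 255.255.255.255 alias
#
# Branch 3.0 leaves through the primary address. Keep the rules in this
# order: the FTP proxy rule comes first so the proxy sees the control
# connection before the generic portmap rule claims it.
map ex0 192.168.3.0/24 -> 203.0.113.10/32 proxy port ftp ftp/tcp
map ex0 192.168.3.0/24 -> 203.0.113.10/32 portmap tcp/udp auto
map ex0 192.168.3.0/24 -> 203.0.113.10/32

# Branch 13.0, reached over the T1, leaves through the alias address.
map ex0 192.168.13.0/24 -> 203.0.113.11/32 proxy port ftp ftp/tcp
map ex0 192.168.13.0/24 -> 203.0.113.11/32 portmap tcp/udp auto
map ex0 192.168.13.0/24 -> 203.0.113.11/32

# No map rule names the tunnel interface (gif0 assumed), so packets for
# other 192.168.x.0/24 branches that are routed into the IPsec tunnel are
# not matched by these rules. The encapsulated ESP packets that then exit
# ex0 carry the public endpoint address as their source, not a 192.168
# address, so they are not rewritten either. Only packets that exit ex0
# with a source in one of the two /24s above are translated.
```

Load it with `ipnat -CF -f /etc/ipnat.conf` and confirm the active rule list with `ipnat -l`.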