ipnat problem with two LAN networks

To: netbsd-users%NetBSD.org@localhost
Subject: ipnat problem with two LAN networks
From: Frank Wille <frank%phoenix.owl.de@localhost>
Date: Tue, 24 Jan 2012 13:55:58 +0100

Hi,

I have a problem with ipnat, when I try to make connections between two
different networks on the LAN. The configuration is like this:

                         The internet
                              |
                         [WAN-Router]
                              |
Network 192.168.0.0/24        |
------------------------[192.168.0.1]---[192.168.0.2]---[192.168.0.3]--------
                                               |
                                               |
Network 10.0.0.0/24                            |
------------------------------------------[10.0.0.1]------[10.0.0.2]---------

1. 192.168.0.1 is the gateway to the external WAN.
2. 192.168.0.2 (vr0) and 10.0.0.1 (fxp0) are two network cards in the
   same system (another gateway). This is the system where I am
   manipulating the ipf.conf and ipnat.conf tables.
3. The other two 192.168.0.3 and 10.0.0.2 are two normal workstations
   which try to connect to each other.

Without any ipnat tables the connection between 192.168.0.3 and 10.0.0.2
is possible (IP forwarding is enabled), but I need ipnat to allow systems
in the 10.0.0.0 net to have access to the internet. Only systems from
the 192.168.0.0/24 net can use the WAN router.

My simple ipnat.conf for this task looks like this (where vr0 is the
interface on the 192.168.0.0/24 net):
map vr0 10.0.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map vr0 10.0.0.0/24 -> 0/32 portmap tcp/udp 40000:60000
map vr0 10.0.0.0/24 -> 0/32

The ipf.conf has no special rules:
# block corrupt or dangerous packets
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
block in log quick from any to any with frag
block in log quick from any to any with opt lsrr
block in log quick from any to any with opt ssrr
# allow loopback
pass out quick on lo0 from any to any
pass in  quick on lo0 from any to any
# allow LAN
pass out quick on vr0 from any to any
pass in  quick on vr0 from any to any
pass out quick on fxp0 from any to any
pass in  quick on fxp0 from any to any

Now I have the problem that I can ping 10.0.0.2 from 192.168.0.3, but
no TCP connection is possible. tcpdump shows a connection to 10.0.0.2
but the reply is coming from 192.168.0.2, which I think is normal,
because of the NAT. But nothing happens.


My precise question is:
Is there any way to exclude connections between the 10.0.0.0 and the
192.168.0.3 network from NAT? I think this would solve the problem. Only
accesses from 10.0.0.0 to an address beyond the 192.168.0.0 network
should be NAT translated.

TIA

-- 
Frank Wille

Follow-Ups:
- Re: ipnat problem with two LAN networks
  - From: Ian Clark
- Re: ipnat problem with two LAN networks
  - From: Rhialto

Prev by Date: Re: Utility to redirect UDP packets
Next by Date: Re: ipnat problem with two LAN networks
Previous by Thread: additional telnetd exploits
Next by Thread: Re: ipnat problem with two LAN networks
Indexes:

Home | Main Index | Thread Index | Old Index