Subject: Re: Questions about Network Address Translation
To: None <port-arm32@netbsd.org>
From: Ib-Michael Martinsen <imm@nethotel.dk>
List: port-arm32
Date: 02/14/1999 13:08:24

Mark Hayter was so kind as to guide me in the right direction regarding
NAT. However, his recommendation caused the following questions:

Mark Hayter writes:
 > 
 > You also need to ifconf the ethernet device twice using
 > the "alias" flag for the internal address.

I did that. And NetBSD did not complain about the alias. However
an 'ipconfig -a' does not show the alias. Is it not supposed to do so?

 > If you don't get better help in a couple of days, I can probably
 > remember to find my config files.

Maybe I need them :-)

 > You also need to build a kernel with the ipfilter code enabled to get
 > this to work.

I managed to build a v1.3.2 kernel and although the rest of my
binaries are still v1.3alfa it seems to work, except for ipfstat
which gives the error

 ioctl(SIOCGETFS): Invalid argument

The man page states that ipfstat depends on the files
/dev/kmem
/vmunix

But /vmunix does not exist on my system. I tried to add it as
a symbolic link with the command

ln -s /netbsd /vmunix

but it does not matter. So maybe I did not build the kernel correctly?

I took the RISCPC configuration and changed the following bits
among others:

diff RISCPC RPC			(RPC is my new kernel)
68,73c68,73
< #options      MROUTING        # IP multicast routing
< #options      NS              # XNS
< #options      NSIP            # XNS tunneling over IP
< #options      ISO,TPIP        # OSI
< #options      EON             # OSI tunneling over IP
< #options      CCITT,LLC,HDLC  # X.25
---
> options       MROUTING        # IP multicast routing
> options       NS              # XNS
> # options     NSIP            # XNS tunneling over IP
> # options     ISO,TPIP        # OSI
> # options     EON             # OSI tunneling over IP
> # options     CCITT,LLC,HDLC  # X.25
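Review bot: MROUTING and NS are switched on in this hunk (lines 68-69 of the config) although neither is part of the ipfilter/NAT setup described in the message, and the four options that stay disabled only gain a space after the #. Consider leaving this block as it is in RISCPC so that the new kernel differs only by PFIL_HOOKS and ipfilter, which keeps the ipfstat problem easier to isolate.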
75c75
< #options      PFIL_HOOKS      # pfil(9) packet filter hooks
---
> options       PFIL_HOOKS      # pfil(9) packet filter hooks
232,235c233,236
< ie*   at podulebus?                   # Ether1 podules
< ea*   at podulebus?                   # Ether3 podules
< eb0   at podulebus?                   # EtherB network slot cards
< eh0   at podulebus?                   # EtherH network slot cards
---
> # ie* at podulebus?                   # Ether1 podules
> # ea* at podulebus?                   # Ether3 podules
> # eb0 at podulebus?                   # EtherB network slot cards
> # eh0 at podulebus?                   # EtherH network slot cards
243c244
< #pseudo-device        ipfilter 1              # ip filter
---
> pseudo-device ipfilter 1              # ip filter

Do I need to change any other network related parameters?


I need to have explained a few more things before I can get the NAT
to work, so here it comes:

ipf	is for firewall-like purposes blocking various packets?
ipnat	is for Network Address Translation?
ipfstat	is for showing statistics from ipf (and ipnat)?


My current setup and problems:

A Cable-modem connected to my ISP-gateway with address 192.168.89.254
A RiscPC with address 192.168.89.234 and alias 192.168.0.1
A WindowsPC with address 192.168.0.2

All devices are connected through a hub.

I have configured ipnat with the following parameters:

map em0 192.168.89.234/32 -> 192.168.0.1/32
map em0 192.168.0.1/32 -> 192.168.89.234/32

ipnat -lv shows

map em0 192.168.89.234/192.168.0.1 -> 192.168.0.1/0  portmap 43200:0
        0xf14c7830 0 0.0.0.0 0 0
map em0 192.168.0.1/192.168.89.234 -> 192.168.89.234/0  portmap 43200:0
        0xf14c7830 0 0.0.0.0 0 0

After adding alias 192.168.0.1 to the em0 interface it is
possible to ping the pc and the gateway from the RiscPC
and it is possible to ping 192.168.0.1 but not anything on
the 192.168.89 net from the PC. The gateway definition on
the PC is 192.168.0.1

When I look at the output from tcpdump on the RiscPC I do not
see any output when pinging the 192.168.0.1 and 192.168.89.234
from the pc. And 'ipnat -lv' does not show any active sessions.

This makes me think that the NAT is configured incorrectly
or the kernel is incorrect. Any comments?

With the above ipnat configuration, how does the NetBSD system
know that a packet from a RiscPC/NetBSD application to the internet
should not be translated to 192.168.0.1?

Why is the portmap 43200:0 parameter set up in the ipnat-parameters?

If I want to use a browser from the PC against the internet should
it be used with a special portnumber which is also mentioned in the
ipnat-parameters?


Phew, I guess that's it for now. I hope I did not waste too much
bandwidth. I would have tried another list if it wasn't that some
of the configuration (at least to me) seems to have a lot to do
with the NetBSD/arm32 kernel.


Thank you for your time
-- 
Ib-Michael Martinsen		Email at work: imm.it@dsg.dk
Fidomail:      2:234/181.9	Email at home: imm@nethotel.dk

Running NetBSD/arm32 v1.3alfa on an Acorn RiscPC with a 202MHz StrongArm.
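
The following is an added example, not part of the original message and not IPFilter code: a simplified Python model of how a basic ipnat `map` rule selects packets by outgoing interface and source address, run over the two rules posted above and over a constructed rule covering the whole 192.168.0.0/24 network. The first-match behaviour, the choice of the first target address and the `WHOLE_LAN` rule are assumptions of the model.

```python
import ipaddress

def parse_map(rule):
    """Parse 'map IF SRC/MASK -> DST/MASK' (the basic ipnat form only)."""
    parts = rule.split()
    if len(parts) < 5 or parts[0] != "map" or parts[3] != "->":
        raise ValueError("unsupported rule: " + rule)
    return (parts[1],
            ipaddress.ip_network(parts[2], strict=False),
            ipaddress.ip_network(parts[4], strict=False))

def translate(rules, out_if, src):
    """Return the source address a packet leaves with on out_if.

    Simplified model: the first rule whose interface and source
    network match wins, and the new source is the first address of
    the target network. Unmatched packets keep their source.
    """
    addr = ipaddress.ip_address(src)
    for ifname, match, target in map(parse_map, rules):
        if ifname == out_if and addr in match:
            return str(target.network_address)
    return src

# Rules exactly as posted in the message.
POSTED = [
    "map em0 192.168.89.234/32 -> 192.168.0.1/32",
    "map em0 192.168.0.1/32 -> 192.168.89.234/32",
]
# Constructed alternative (assumption): match the whole internal /24.
WHOLE_LAN = ["map em0 192.168.0.0/24 -> 192.168.89.234/32"]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("whole LAN", WHOLE_LAN)):
        for src in ("192.168.0.2", "192.168.0.1", "192.168.89.234"):
            print(f"{name:9} {src:15} -> {translate(rules, 'em0', src)}")
```

In this model the posted rules never match the PC's source address 192.168.0.2, while they do rewrite the RiscPC's own 192.168.89.234 traffic to 192.168.0.1; the /24 rule translates the PC and leaves the RiscPC's address alone.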