Subject: How-to IP NAT (masquerading)
To: None <port-mac68k@NetBSD.ORG>
From: Charles Sebold <pretender@macstore.com>
List: port-mac68k
Date: 07/07/1997 15:55:53
I've seen a few people asking how to do IP NAT (network address
translation), and having finally figured it out, I thought I'd share it.

Required:
* (I think) two network interfaces, which for most of us will be one
ethernet (ae0 or sn0) and a ppp link to an ISP (ppp0).
* A -current snapshot (970601 works for me) and a kernel with IPFILTER
options on, which I don't think the GENERIC kernels have, although I haven't
checked.  (I'm sure everyone gets sick of hearing this, but if you're
taking this much on, you ought to be compiling custom kernels.  It's not
hard, and you don't have to know C, although it helps when troubleshooting
a bad sup day.)

First of all, you need to set up the local network numbers.  I use
192.168.1.1 for my NetBSD box, and (this is cool) you can set up the rest
of the hosts on the network to get their numbers from the NetBSD box via
DHCP if you like, but that's beyond the scope of this.  You can set it up
manually if that's too daunting.  (See the dhcpd man page, though, as it
makes it easier to put uninitiated users on the network if you can do it.)
The other hosts I set up as 192.168.1.2, 192.168.1.3, etc., up to 254.
Their gateway should be 192.168.1.1 (your NetBSD box's address).

Then, make the connection to your ISP via PPP, and that also is explained
very well in documents by Bill Studenmund and Paul Goyette (see the
HOW-TO's).

Now we give ipnat the rules it needs to translate.

(xxx.xxx.xxx.xxx is your real IP address, assigned by the ISP.  If you have
static IP, you can set this up when you boot, or before you connect at
least.  Something I haven't tried yet is using the loopback address, which
will allow you to do this automatically upon booting up.)

Put the following into a text file (I called mine /etc/nat.rules, you can
do what you like):

map ppp0 192.168.1.0/24 -> xxx.xxx.xxx.xxx/32 portmap tcp/udp 10000:65000
map ppp0 192.168.1.0/24 -> xxx.xxx.xxx.xxx/32

The first rule maps all TCP and UDP traffic from the local network to the
real IP address of the NetBSD box, and also rewrites the source port to a
number in the range 10000 to 65000 so that replies can be matched back to the
right local host.  The second rule handles everything else (like ICMP
pings), rewriting only the address.
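To make it concrete what those two rules do to a packet, here is an added
toy simulation of the translation table ipnat keeps for them (constructed
example, not IPFilter's code; the public address 203.0.113.7 and the traffic
in the comments are made up to stand in for xxx.xxx.xxx.xxx):

```python
import ipaddress
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.7"   # stands in for xxx.xxx.xxx.xxx (constructed address)
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # source of both "map ppp0" rules
PORT_LO, PORT_HI = 10000, 65000                      # the "portmap tcp/udp 10000:65000" range

@dataclass
class Nat:
    """Translation table one ipnat instance would keep for the two rules."""
    next_port: int = PORT_LO
    fwd: dict = field(default_factory=dict)   # (proto, priv_ip, priv_id) -> public id
    rev: dict = field(default_factory=dict)   # (proto, public id) -> (priv_ip, priv_id)

    def _alloc_port(self, proto):
        """Pick the next free public port in the portmap range (wraps around)."""
        for _ in range(PORT_HI - PORT_LO + 1):
            port, self.next_port = self.next_port, self.next_port + 1
            if self.next_port > PORT_HI:
                self.next_port = PORT_LO
            if (proto, port) not in self.rev:
                return port
        raise RuntimeError("portmap range 10000:65000 exhausted")

    def outbound(self, proto, src_ip, ident, dst_ip, dst_port):
        """Packet leaving on ppp0.  'ident' is the source port for tcp/udp and
        the echo id for icmp.  Returns the rewritten 5-tuple."""
        if ipaddress.ip_address(src_ip) not in LOCAL_NET:
            return (proto, src_ip, ident, dst_ip, dst_port)   # neither rule matches
        key = (proto, src_ip, ident)
        if key not in self.fwd:
            if proto in ("tcp", "udp"):      # rule 1: new address AND a new port
                pub = self._alloc_port(proto)
            else:                            # rule 2: new address, id left as is
                pub = ident                  # (two hosts with the same id collide)
            self.fwd[key] = pub
            self.rev[(proto, pub)] = (src_ip, ident)
        return (proto, PUBLIC_IP, self.fwd[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, ident):
        """Reply arriving on ppp0: undo the translation if an entry exists,
        otherwise the packet is for the NetBSD box itself and is left alone."""
        priv = self.rev.get((proto, ident)) if dst_ip == PUBLIC_IP else None
        if priv is None:
            return (proto, src_ip, src_port, dst_ip, ident)
        return (proto, src_ip, src_port, priv[0], priv[1])
```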

Now, as root, type the command:

ipnat -f /etc/nat.rules

You can also put in a -v before the -f, if you want verbose mode on.

If it accepts it, then you're done!

If the clients on the local network still can't get outside, first have
them try pinging 192.168.1.1 (the "router").  If you can't ping it
successfully, you either have misconfigured the ethernet interface on the
NetBSD box, or your local network isn't functioning.

If Colin feels it's good enough, I would not be opposed to cleaning this
up, being more specific in some areas and more general in others, and
making this a HOW-TO for www.macbsd.com...?  Let me know also if something
in here is not correct.

-----------------------------------------------
I                                             I
I Charles Sebold, Pontifex Macintosh          I
I CWW Computers, Inc.                         I
I 2497A Adie Rd.                              I
I St. Louis, MO  63043                        I
I WWW:   http://bronte.macstore.com/pretender I
I                                             I
I            La compagnie c'est moi.          I
I                                             I
-----------------------------------------------