Subject: Stumped on Aliases
To: None <>
From: David A. Gatwood <>
List: tech-net
Date: 11/05/2000 15:15:25

  First, let me say that I have a rather odd networking arrangement.  I'm
  on a university network, but I have a NetBSD box (mac68k, 1.4L) serving
  as an ftp server and a masq box for my private network.

  I have an airport base station and a network-attached (appletalk over
  ethernet) inkjet printer. I need to be able to print from the airport to
  the printer, but I don't want the airport to be able to access any of
  the machines on the internal network via TCP/IP (other than ssh'ing into
  the gateway and sshing to the internal network from there), for the
  reason that the airport network is not a particularly secure medium....

  For those reasons, I have a NetBSD box with four ethernet devices, sn0
  (motherboard ethernet), and ae0-2.  ae0 is dead, not sure if it's a bad
  card, bad transceiver, or a driver bug.  Thus, I effectively have sn0,
  and ae1 & 2.

  Next issue: I don't want any airport traffic to look like it's coming
  from my regular machine, for liability reasons.  (If somebody hacks it
  and uses it for something illegal, I want to be able to say, "that
  packet came from ae1... so it came from the wireless network, not from
  my machines".  :-)

  For these reasons, I have my network configured as follows:

	sn0: outside interface for 10.0.0.x machines and local fw traffic
	ae0: dead
	ae1: outside interface for 192.168.0.x machines (airport)
	ae2: internal network interface....

  ae2's primary number is, with an alias of  You'll
  note that the netmasks are all just to make sure that
  there aren't any subtleties there.

  So basically, I'm trying to take two non-routable networks, using the
  same NIC, and masquerade them out two external NICs.  My rules are as

	map sn0 -> 0/32 portmap tcp/udp 40000:60000
	map sn0 -> 0/32
	map ae1 -> 0/32 portmap tcp/udp 20000:40000
	map ae1 -> 0/32


  Thus far, every attempt to do this has failed, resulting in one of the
  networks (either 10.0.0.x or 192.168.0.x) being masqueraded correctly
  and the other being routed, unmasqueraded, out one of the interfaces.
  Which ruleset works and which fails seems to be completely random....


  substituting the dynamically assigned addresses for the appropriate
  interfaces instead of the 0.

  making both of the two nets masquerade to the same outside address.

  I've confirmed that both outgoing interfaces work correctly using
  traceroutes out the appropriate interface.  I've confirmed that all
  machines involved can connect to the firewall itself.  It's only the
  NAT that is failing....


  In short, I'm not able to get IP NAT to handle two source addresses on
  the same network interface.  This is with NetBSD 1.4L on mac68k.

Any ideas?

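As an added illustration (not part of the original post, and not NetBSD's own code): a small Python model of how ipnat `map` rules are selected, assuming constructed uplink addresses for sn0/ae1 and a single default route out sn0. It shows that a rule fires only when the packet both leaves the rule's interface and matches its source network, so traffic the routing table sends out the other uplink matches no rule and leaves untranslated.

```python
"""Model of ipnat 'map' rule selection for the two-uplink setup in the post.
Constructed example: uplink addresses and routing table are assumptions."""
import ipaddress

# Constructed stand-ins for the dynamically assigned uplink addresses.
IF_ADDR = {"sn0": "203.0.113.10", "ae1": "198.51.100.20"}

# ipnat map rules: (outbound interface, source network, translated address).
# "0/32" in ipnat means "use the interface's current address".
RULES = [
    ("sn0", ipaddress.ip_network("10.0.0.0/24"), "0/32"),
    ("ae1", ipaddress.ip_network("192.168.0.0/24"), "0/32"),
]


def egress_interface(dst, routes):
    """Longest-prefix-match lookup; routes is {network: iface}."""
    best = None
    for net, iface in routes.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def translate(src, dst, routes):
    """Return (egress iface, source address after NAT).  A map rule only fires
    when the packet leaves the rule's interface AND matches its source net;
    routing is decided first, by destination only."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = egress_interface(dst, routes)
    for rule_if, srcnet, target in RULES:
        if rule_if == iface and src in srcnet:
            return iface, IF_ADDR[iface] if target == "0/32" else target
    return iface, str(src)  # no rule matched: packet leaves unmasqueraded


# One default route via sn0; both private nets live behind ae2.
ONE_DEFAULT = {
    ipaddress.ip_network("0.0.0.0/0"): "sn0",
    ipaddress.ip_network("10.0.0.0/24"): "ae2",
    ipaddress.ip_network("192.168.0.0/24"): "ae2",
}

if __name__ == "__main__":
    # 10.0.0.x goes out sn0 and is masqueraded; 192.168.0.x is routed out
    # sn0 too, matches neither rule, and leaves with its private source.
    print(translate("10.0.0.5", "192.0.2.1", ONE_DEFAULT))
    print(translate("192.168.0.5", "192.0.2.1", ONE_DEFAULT))
```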