Subject: Stumped on Aliases
To: None <email@example.com>
From: David A. Gatwood <firstname.lastname@example.org>
Date: 11/05/2000 15:15:25
First, let me say that I have a rather odd networking arrangement. I'm
on a university network, but I have a NetBSD box (mac68k, 1.4L) serving
as an ftp server and a masq box for my private network.
I have an airport base station and a network-attached (appletalk over
ethernet) inkjet printer. I need to be able to print from the airport to
the printer, but I don't want the airport to be able to access any of
the machines on the internal network via TCP/IP (other than ssh'ing into
the gateway and sshing to the internal network from there), for the
reason that the airport network is not a particularly secure medium....
For those reasons, I have a NetBSD box with four ethernet devices, sn0
(motherboard ethernet), and ae0-2. ae0 is dead, not sure if it's a bad
card, bad transceiver, or a driver bug. Thus, I effectively have sn0,
and ae1 & 2.
Next issue: I don't want any airport traffic to look like it's coming
from my regular machine, for liability reasons. (If somebody hacks it
and uses it for something illegal, I want to be able to say, "that
packet came from ae1... so it came from the wireless network, not from
my machines". :-)
For these reasons, I have my network configured as follows:
sn0: outside interface for 10.0.0.x machines and local fw traffic
ae1: outside interface for 192.168.0.x machines (airport)
ae2: internal network interface....
ae2's primary number is 10.0.0.1, with an alias of 192.168.0.1. You'l
note that the netmasks are all 255.255.255.0 just to make sure that
there aren't any subtleties there.
So basically, I'm trying to take two non-routable networks, using the
same NIC, and masquerade them out two external NICs. My rules are as
map sn0 10.0.0.0/24 -> 0/32 portmap tcp/udp 40000:60000
man sn0 10.0.0.0/24 -> 0/32
map ae1 192.168.0.0/24 ->0/32 portmap tcp/udp 20000:40000
map ae1 192.168.0.0/24 -> 0/32
Thus far, every attempt to do this has failed, resulting in one of the
networks (either 10.0.0.x or 192.168.0.x) being masqueraded correctly
and the other being routed, unmasqueraded, out one of the interfaces.
Which ruleset works and whcih fails seems to be completely random....
substituting the dynamically assigned addresses for the appropriate
interfaces instead of the 0.
making both of the two nets masquerade to the same outside address.
I've confirmed that both outgoing interfaces work corectly using
traceroutes out the appropriate interface. I've confirmed that all
machines involved can connect to the firewall itself. It's only the
NAT that is failing....
In short, I'm not able to get IP NAT to handle two source addresses on
the same network interface. This is with NetBSD 1.4L on mac68k.
Check out my weekly web comic: