Subject: ipnat RDR doesn't work with multipath routing in KAME+NetBSD
To: None <,,>
From: Alicia da Conceicao <>
List: tech-net
Date: 10/28/2001 13:00:05

I've recently downloaded the KAME+NetBSD-1.52 kernel snapshot 20011022
from "", and easily compiled a new
kernel with Kame's multipath routing support (options RADIX_MPATH).

With Kame's multipath routing support, I can have multiple default
routes through different interfaces at the same time that work
perfectly for incoming connections to daemon services running on it.

Unfortunately IPFilter's IPNAT RDR for port forwarding does not work
through *BOTH* external interfaces.  Below is a copy of "netstat -nr":

Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default                               UGS         2     2689      -  ext1 =>
default                               UGS         0        0      -  ext0
127/8                                 UGRS        0        0  33228  lo0
                                      UH          4      106  33228  lo0
123.123.123/24     link#2             UC          1        0      -  ext0
                                      UGHS        0      194  33228  lo0
231.231.231/24     link#3             UC          1        0      -  ext1
                                      UGHS        0      194  33228  lo0
192.168/24         link#1             UC          3        0      -  int0
                   12:34:56:78:9a:bc  UHLc        1       14      -  int0

Note that ext0 & ext1 are my external interfaces, each with their own
default routes (gateways), and int0 is the internal interface to a
private LAN.

ext0 (inet netmask 0xffffff00 gate
ext1 (inet netmask 0xffffff00 gate
int1 (inet     netmask 0xffffff00)

With a *BLANK* ipf.conf, and with an ipnat.conf configured to forward
incoming tcp connections to port 1234 onto the internal

rdr ext0 port 1234 -> port 1234 tcp
rdr ext1 port 1234 -> port 1234 tcp

This RDR redirection works for arbitrary incoming tcp connections
to port 1234, but does not work for
port 1234.  Note that if this KAME+NetBSD server is running a web
server on tcp port 80, then incoming web connections work to both &  In fact RDR only works for the
default external interface that is listed first in netstat, which
in this case is ext1, but can also be set to ext0.

Any ideas as to why RDR does not work for both external interfaces?
Note that my ipf.conf is blank with no keep state and no fast

Thank you in advance.