Subject: Re: stf(4) and NAT
To: None <tech-net@netbsd.org>
From: Martijn van Buul <pino@dohd.org>
List: tech-net
Date: 11/22/2005 19:00:20
It occurred to me that Pavel Cahyna wrote in gmane.os.netbsd.devel.network:
> Now the problem is that you have only a private IPv4 address (192.168.5.10)
> on the bridging box and only the cable modem has the public 85.145.84.197
> address, so 6to4 won't work. I solved it with the following
> trick:
>
> # cat /etc/ipnat.conf
> bimap ex0 85.145.84.197/32 -> 192.168.5.10/32 ipv6
>
> # /etc/rc.d/ipnat onestart
>
> # ifconfig lo0 inet 85.145.84.197 alias
>
> Now outgoing 6to4 should work. 

Unfortunately, it didn't. *removing* the ipnat rule (but keeping the
alias!) proved to be the key to the solution. But see below. 

> For incoming, you will have to convince the cable modem to forward all
> incoming packets which don't match the established NAT states to
> 192.168.5.10 . Or at least the 6to4 packets. You
> probably already have that working.

Well, I thought I did, but apparently it's even more of a nasty hack than I
thought it was. What I did was create a NAT rule on the modem which would
rewrite the target address to 192.168.5.10, and made a firewall rule which
matched on any incoming packet with my external address as target address.
So far, so good. When I tried pinging myself using IPv4, it appeared to
be working just fine:

19:45:42.161209 IP toad.stack.nl > 192.168.5.10: icmp 64: echo request seq 0
19:45:42.161247 IP 192.168.5.10 > toad.stack.nl: icmp 64: echo reply seq 0
19:45:43.170912 IP toad.stack.nl > 192.168.5.10: icmp 64: echo request seq 256
19:45:43.170966 IP 192.168.5.10 > toad.stack.nl: icmp 64: echo reply seq 256
19:45:44.179926 IP toad.stack.nl > 192.168.5.10: icmp 64: echo request seq 512
19:45:44.179981 IP 192.168.5.10 > toad.stack.nl: icmp 64: echo reply seq 512
19:45:45.189991 IP toad.stack.nl > 192.168.5.10: icmp 64: echo request seq 768
19:45:45.190046 IP 192.168.5.10 > toad.stack.nl: icmp 64: echo reply seq 768

And toad.stack.nl happily received the ping replies. Same for TCP:

19:48:07.397963 IP toad.stack.nl.1566 > 192.168.5.10.ssh: . ack 1 win 57920 <nop,nop,timestamp 1703193250 0>
19:48:07.418243 IP 192.168.5.10.ssh > toad.stack.nl.1566: P 1:51(50) ack 1 win 33580 <nop,nop,timestamp 1 0>
19:48:07.449822 IP toad.stack.nl.1566 > 192.168.5.10.ssh: P 1:40(39) ack 51 win 57920 <nop,nop,timestamp 1703193255 1>
19:48:07.453194 IP 192.168.5.10.ssh > toad.stack.nl.1566: P 51:691(640) ack 40 win 33580 <nop,nop,timestamp 1 1703193255>

etcetera.

So I tried your 'paste back the original address' ipnat trick:

balthasar(58):/home/martijnb# ipnat -l
List of active MAP/Redirect filters:
bimap fxp0 85.145.84.197/32 -> 192.168.5.10/32 ipv6

List of active sessions:
balthasar(59):/home/martijnb#

But no matter how hard I tried, none of my traffic managed to get through.

19:50:51.066242 IP 192.168.5.10 > 192.88.99.1: 2002:5591:54c5:1::1 > toad.stack.nl: icmp6: echo request seq 1
19:50:52.066257 IP 192.168.5.10 > 192.88.99.1: 2002:5591:54c5:1::1 > toad.stack.nl: icmp6: echo request seq 2
19:50:53.066270 IP 192.168.5.10 > 192.88.99.1: 2002:5591:54c5:1::1 > toad.stack.nl: icmp6: echo request seq 3

A ping in the other direction proved to be rather revealing:

19:52:56.682343 IP 192.88.99.1 > s559154c5.adsl.wanadoo.nl: zen.stack.nl > 2002:5591:54c5:1::1: icmp6: echo request seq 1
19:52:56.682441 IP 192.168.5.10 > 192.88.99.1: 2002:5591:54c5:1::1 > zen.stack.nl: icmp6: echo reply seq 1
19:52:57.681777 IP 192.88.99.1 > s559154c5.adsl.wanadoo.nl: zen.stack.nl > 2002:5591:54c5:1::1: icmp6: echo request seq 2
19:52:57.681878 IP 192.168.5.10 > 192.88.99.1: 2002:5591:54c5:1::1 > zen.stack.nl: icmp6: echo reply seq 2

I was receiving the 6to4 traffic, but for some strange reason only known to 
$deity, the beloved Livebox decided to just forget about the whole address
translation business, and just dump it on the internal network. One can only
assume that it failed to map the 192.168.5.10 address back as well.

In a desperate mood of "Nothing ventured, nothing gained" I decided to remove
the ipnat entry, and presto: It works!

19:58:17.082925 IP s559154c5.adsl.wanadoo.nl > 192.88.99.1: 2002:5591:54c5:1::1 > toad.stack.nl: icmp6: echo request seq 11
19:58:17.126136 IP 192.88.99.1 > s559154c5.adsl.wanadoo.nl: toad.stack.nl > 2002:5591:54c5:1::1: icmp6: echo reply seq 11


Remember, this is on my internal network, *supposedly* 192.168.5.0/8, but
apparently this doesn't matter much. Weird. One can only marvel at the
wonders of the Linux network stack.

-- 
    Martijn van Buul - pino@dohd.org - http://www.stack.nl/~martijnb/
	 Geek code: G--  - Visit OuterSpace: mud.stack.nl 3333
 The most exciting phrase to hear in science, the one that heralds new
discoveries, is not 'Eureka!' (I found it!) but 'That's funny ...' Isaac Asimov
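The traces in this thread all turn on one relationship: a 6to4 address 2002:WWXX:YYZZ::/48 embeds the public IPv4 address of the tunnel endpoint, and a 6to4 interface such as stf(4) expects the outer IPv4 source of an encapsulated packet to match the address embedded in the inner IPv6 source (or to be a 6to4 relay when the inner source is native IPv6). The script below is an added illustration, not code from the thread, NetBSD or ipfilter; it derives the /48 for 85.145.84.197, extracts the embedded address from 2002:5591:54c5:1::1, and runs that consistency rule over a handful of constructed tcpdump-style lines modelled on the ones quoted above (the native IPv6 peer 2001:db8::1 and the outer source 203.0.113.7 are made-up documentation addresses). A packet leaving with outer source 192.168.5.10 but inner source 2002:5591:54c5:1::1 fails the rule, which is why the public address has to be present on the box itself (the lo0 alias) rather than only on the NAT device.

```python
"""6to4 (RFC 3056) address math and the outer/inner source consistency rule.

Added example for the stf(4)-and-NAT thread; not code from the mail, NetBSD
or ipfilter. Sample capture lines are constructed for illustration.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

SIXTO4 = ipaddress.IPv6Network("2002::/16")
# RFC 3068 6to4 relay anycast range; 192.88.99.1 is the relay seen in the traces.
RELAY_ANYCAST = ipaddress.IPv4Network("192.88.99.0/24")

# tcpdump-style "outer IPv4 src > dst: inner IPv6 src > dst: icmp6 ..." line
_LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (\S+) > (\S+): icmp6")


def sixto4_prefix(v4: str) -> ipaddress.IPv6Network:
    """Return the 2002:WWXX:YYZZ::/48 prefix derived from an IPv4 address."""
    packed = ipaddress.IPv4Address(v4).packed
    hi = int.from_bytes(packed[:2], "big")
    lo = int.from_bytes(packed[2:], "big")
    return ipaddress.IPv6Network(f"2002:{hi:04x}:{lo:04x}::/48")


def embedded_v4(v6: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address embedded in a 6to4 address, or None if not 6to4."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIXTO4:
        return None
    # Bytes 2..5 of the 128-bit address hold the IPv4 address (RFC 3056 s.2).
    return ipaddress.IPv4Address(addr.packed[2:6])


def check_encap(outer_src: str, inner_src: str) -> Tuple[bool, str]:
    """Apply the 6to4 source consistency rule to one encapsulated packet.

    If the inner IPv6 source is a 6to4 address, the outer IPv4 source must be
    exactly the address embedded in it.  A native IPv6 source is acceptable
    only if it arrives from a 6to4 relay (simplified to the anycast range).
    """
    outer = ipaddress.IPv4Address(outer_src)
    emb = embedded_v4(inner_src)
    if emb is None:
        if outer in RELAY_ANYCAST:
            return True, "native IPv6 source via 6to4 relay"
        return False, f"native IPv6 source {inner_src} from non-relay {outer}"
    if outer == emb:
        return True, "outer source matches embedded 6to4 address"
    return False, f"outer source {outer} != embedded {emb}"


def audit_capture(lines: List[str]) -> List[Tuple[str, str, bool, str]]:
    """Parse capture lines and return (outer_src, inner_src, ok, reason) each."""
    results = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue  # not an IPv6-in-IPv4 ICMPv6 line; ignore
        outer_src, _outer_dst, inner_src, _inner_dst = m.groups()
        ok, why = check_encap(outer_src, inner_src)
        results.append((outer_src, inner_src, ok, why))
    return results


# Constructed sample capture, modelled on the traces quoted in the mail.
SAMPLE_CAPTURE = [
    # outbound through the NAT'd private address: inconsistent with inner source
    "19:50:51.066242 IP 192.168.5.10 > 192.88.99.1: 2002:5591:54c5:1::1 > 2001:db8::1: icmp6: echo request seq 1",
    # outbound with the public address present on the box: consistent
    "19:58:17.082925 IP 85.145.84.197 > 192.88.99.1: 2002:5591:54c5:1::1 > 2001:db8::1: icmp6: echo request seq 11",
    # reply from a native IPv6 host, delivered by the relay anycast address
    "19:58:17.126136 IP 192.88.99.1 > 85.145.84.197: 2001:db8::1 > 2002:5591:54c5:1::1: icmp6: echo reply seq 11",
    # packet claiming our own 6to4 prefix but sent from an unrelated IPv4 source
    "19:59:01.000000 IP 203.0.113.7 > 85.145.84.197: 2002:5591:54c5:1::2 > 2002:5591:54c5:1::1: icmp6: echo request seq 1",
]

if __name__ == "__main__":
    print("6to4 prefix for 85.145.84.197:", sixto4_prefix("85.145.84.197"))
    print("embedded in 2002:5591:54c5:1::1:", embedded_v4("2002:5591:54c5:1::1"))
    for outer, inner, ok, why in audit_capture(SAMPLE_CAPTURE):
        print("PASS" if ok else "FAIL", outer, "->", inner, ":", why)
```

The fourth sample line is the defensive reason the check exists: without it, anything on the IPv4 side could inject packets that appear to come from inside your own 2002:5591:54c5::/48, so an ingress filter on the tunnel endpoint matters as much as the egress case the thread is debugging.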