Subject: ipnat: Multiple interfaces and routing
To: tech-net@netbsd.org
From: wysoft@extremecode.org
List: tech-net
Date: 11/27/2005 13:46:50
I'm having a problem getting ipnat to do NAT for two internal interfaces
through one external. It looks to be a routing problem at this point, and
I'm stumped. Here's the situation:
                                  /--mc0---192.168.2.0/24
[67.168.161.233]--ex0--[ipnat box]
                                  \--tlp0--192.168.1.0/24
I'm trying to NAT for both 192.168 networks. 192.168.1 works just fine;
all traffic is routed correctly. However, anything on 192.168.2 appears to
get routed into oblivion before any outbound Internet traffic can pass
through the ipnat router. For example, pinging 192.168.2.1 (mc0's IP)
from a Solaris client will get a response from 67.168.161.233, instead of
192.168.2.1. If I run tcpdump on ex0, and try to ping 'google.com' from
192.168.2.2 (the Solaris client), I can see that the icmp echo messages
appear to be leaving through ex0, but no data is ever returned.
Fortunately, routing within the LAN seems to be fine. The two LAN subnets
can communicate with each other just fine. I can telnet into 192.168.2.2
from anywhere in 192.168.1, and vice versa. Still, nothing coming from
192.168.2 ever gets NAT'ed properly.
The ipf/ipnat box is running 2.1/macppc. As far as ipf rules are
concerned, I'm allowing any and all traffic on both LAN interfaces, so
nothing should be getting blocked. Here is my ipnat.conf:
# Compensate for NAT-broken protocols
map ex0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map mc0 192.168.2.0/24 -> 0/32 proxy port ftp ftp/tcp
# Port redirections
#rdr ex0 0.0.0.0/0 port 6114 -> 192.168.1.106 port 6114 udp
# Essential mappings
map ex0 192.168.1.0/24 -> 67.168.161.233/32
map ex0 192.168.1.0/24 -> 67.168.161.233/32 portmap tcp/udp auto
map mc0 192.168.2.0/24 -> 67.168.161.233/32
map mc0 192.168.2.0/24 -> 67.168.161.233/32 portmap tcp/udp auto
I'd like to note that I've tried different variations of the "map"
command, none of which has made a difference so far.
Here's the routing table from the ipnat router:
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 67.168.161.1 UGS 2 417197 - ex0
67.168.161/24 link#2 UC 1 0 - ex0
67.168.161.1 00:0a:8b:6e:e0:55 UHLc 1 0 - ex0
67.168.161.233 127.0.0.1 UGHS 0 0 33196 lo0
127/8 127.0.0.1 UGRS 0 0 33196 lo0
127.0.0.1 127.0.0.1 UH 3 284 33196 lo0
192.168.1/24 link#1 UC 3 0 - tlp0
192.168.1.51 00:02:e3:21:c3:05 UHLc 1 12 - tlp0
192.168.1.121 00:90:4b:46:81:50 UHLc 3 653034 - tlp0
192.168.1.255 link#1 UHLc 2 193 - tlp0
192.168.2/24 link#3 UC 2 0 - mc0
192.168.2.1 00:05:02:38:98:61 UHLc 0 4 - lo0
192.168.2.2 08:00:20:7c:1b:51 UHLc 1 1 - mc0
And here is the routing table from the Solaris client that is having so
many issues:
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.2.0 192.168.2.2 U 1 2 le0
224.0.0.0 192.168.2.2 U 1 0 le0
default 192.168.2.1 UG 1 8
127.0.0.1 127.0.0.1 UH 1 0 lo0
Also, here's that interesting ping message from the Solaris box:
slowness:wysoft ~> ping -sn 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 67.168.161.233: icmp_seq=0. time=3. ms
Clients on 192.168.1 don't show this when pinging 192.168.1.1
Any help would be greatly appreciated. Let me know if there's more
information that I could give.
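As an added example (not part of the original post, and not the poster's own file), here is a corrected ipnat.conf for the topology above, on the assumption that the intent is to NAT both LANs behind the single external interface ex0. Interface names and addresses are taken from the post. The point it illustrates: in ipnat, the interface named in a `map` rule is the one the packet leaves through, so `map mc0 192.168.2.0/24 -> 67.168.161.233/32` rewrites traffic going out mc0 toward the 192.168.2 LAN (which is why 192.168.2.1's ping replies arrive from 67.168.161.233), while packets from 192.168.2.0/24 leaving ex0 match no rule at all and go out with an unroutable private source. The portmap-before-plain ordering follows the convention in the IP Filter documentation, since rules are tried in order and the first match wins.

```conf
# ipnat.conf: NAT both LANs behind the single external interface ex0.
# Every map rule names ex0, the interface the packets leave through on
# their way to the Internet. Nothing is mapped on mc0 or tlp0: a map rule
# on an inside interface rewrites traffic heading back into that LAN.

# Compensate for NAT-broken protocols (FTP proxy, one rule per LAN)
map ex0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ex0 192.168.2.0/24 -> 0/32 proxy port ftp ftp/tcp

# Essential mappings. The portmap rule comes first so TCP/UDP sessions get
# distinct source ports; the plain rule behind it catches everything else
# (ICMP, etc.).
map ex0 192.168.1.0/24 -> 67.168.161.233/32 portmap tcp/udp auto
map ex0 192.168.1.0/24 -> 67.168.161.233/32
map ex0 192.168.2.0/24 -> 67.168.161.233/32 portmap tcp/udp auto
map ex0 192.168.2.0/24 -> 67.168.161.233/32
```

To apply and check it: reload with `ipnat -CF -f /etc/ipnat.conf` (clear the active NAT table, flush the rules, load the file), confirm with `ipnat -l` that every listed map rule names ex0, then from 192.168.2.2 ping 192.168.2.1 (the reply should now come from 192.168.2.1) and, while pinging an Internet host, watch `tcpdump -ni ex0` for echo requests leaving with source 67.168.161.233 and the matching replies coming back.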