Subject: IP-NAT? NOT!
To: None <port-mac68k@netbsd.org>
From: Christopher P. Gill <cpg@scs.howard.edu>
List: port-mac68k
Date: 08/09/1999 19:34:48
I'm hoping that those of you with functioning IP-NAT setups can give me a
hand.  I'm running NetBSD 1.4 GENERIC kernel on a Quadra 800 40/500+520.
When this is working, I'll have my sn0 Etherface connected to my ADSL
modem/bridge, and my ae0 Etherface (Asante' MacCon) to the uplink port of 
my local network hub.

Since it isn't, my ADSL box connects to my hub's uplink port, and
everything else is connected into the hub - including both the sn0 and ae0
Etherfaces of the Quadra.  This shouldn't affect testing, and hooking it
up the "right" way didn't work any better (only I couldn't reach the
internet from my other machines).

I can reach my Quadra's sn0 Etherface from the 'net - I've got a telnet
session to it running right now - and vice versa, so that's working fine. 
The ae0 port is configured in ifconfig.ae0 as:

inet	bouncer	netmask	255.255.255.0

...and in /etc/hosts as:

192.168.1.1	bouncer		bouncer.chrisgill.net


The sn0 Etherface is the primary one, configured in ifconfig.sn0 as:

inet	adsl-151	netmask	255.255.255.0

...and in /etc/hosts <real IP address/name omitted> as:

123.123.123.123          adsl-151	adsl-151.bellatlantic.net


I can telnet from a machine assigned to the 192.168.1 domain to the ae0
Etherface (192.168.1.1) - but not to anything outside that domain.  The
netatalk services on my ae0 Etherface show up on my Macs on the local
network.

My /etc/rc.conf has:

ipfilter=YES                                    # uses /etc/ipf.conf
ipnat=YES                                       # uses /etc/ipnat.conf

...and I'm starting ipnat from netstart.local.  Checks show that both are
running, and that IPFORWARDING is enabled in the kernel.  The ipf.conf
file exists with a size of 0 bytes, and the ipnat.conf file looks like:

map sn0 192.168.1.0/24 -> 123.123.123.123/32 portmap tcp/udp 10000:40000
map sn0 192.168.1.0/24 -> 123.123.123.123/32


My netstat results look normal (AFAIK), but my attempts at initiating
ipnat sessions just don't seem to work, even though ipnat -s gives:

adsl-151# ipnat -s
mapped  in      140     out     190
added   24      expired 24
inuse   0
rules   2


...and ipfstat gives:

adsl-151# ipfstat    
 input packets:         blocked 0 passed 20322 nomatch 13885 counted 0
output packets:         blocked 0 passed 10797 nomatch 6028 counted 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0
fragment state(out):    kept 0  lost 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 0  lost 0
ICMP replies:   0       TCP RSTs sent:  0
Result cache hits(in):  6437    (out):  4769
IN Pullups succeeded:   40      failed: 0
OUT Pullups succeeded:  0       failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
Packet log flags set: (0)
        none


If anyone has any ideas as to why IP-NAT isn't working for me, or needs
any other information to help troubleshoot, please let me know.

/*======================================================================
"Don't die wondering..."                http://www.cldc.howard.edu/~cpg
                                              email: cpg@scs.howard.edu
chris out-              Christopher P. Gill
  peace.        C.L.D.C. Senior System Operator (Ret.)
======================================================================*/
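Added example, not part of the post above: a small Python checker for ipnat.conf "map" rules of the form shown in the message. It parses each rule (the embedded sample is constructed from the post, with the same placeholder public address), checks that only private source ranges are translated to a non-private address, and flags a plain catch-all map rule that precedes a portmap rule for the same source, since ipnat applies the first matching map rule and a catch-all placed first leaves the portmap rule unreachable.

```python
"""Parse and sanity-check IPFilter ipnat.conf 'map' rules."""
import ipaddress
import re

# Constructed sample: the two rules from the post (public address is a placeholder).
SAMPLE_IPNAT_CONF = """\
map sn0 192.168.1.0/24 -> 123.123.123.123/32 portmap tcp/udp 10000:40000
map sn0 192.168.1.0/24 -> 123.123.123.123/32
"""

# map <ifname> <src/cidr> -> <dst/cidr> [portmap <proto> <lo>:<hi>]
MAP_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)"
    r"(?:\s+portmap\s+(?P<proto>\S+)\s+(?P<lo>\d+):(?P<hi>\d+))?\s*$"
)


def parse_map_rules(text):
    """Return the map rules in file order; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = MAP_RE.match(line)
        if not m:
            raise ValueError("unrecognised rule: " + line)
        d = m.groupdict()
        rules.append({
            "ifname": d["ifname"],
            "src": ipaddress.ip_network(d["src"], strict=False),
            "dst": ipaddress.ip_network(d["dst"], strict=False),
            "portmap": (d["proto"], int(d["lo"]), int(d["hi"])) if d["proto"] else None,
        })
    return rules


def check_rules(rules):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for i, r in enumerate(rules):
        if not r["src"].is_private:
            findings.append(f"rule {i}: source {r['src']} is not a private range")
        if r["dst"].is_private:
            findings.append(f"rule {i}: destination {r['dst']} is a private address")
        if r["portmap"] and not 1024 <= r["portmap"][1] < r["portmap"][2] <= 65535:
            findings.append(f"rule {i}: portmap range {r['portmap'][1:]} is not sane")
        if r["portmap"] is None:  # catch-all: anything after it with the same src is dead
            for j in range(i + 1, len(rules)):
                later = rules[j]
                if later["ifname"] == r["ifname"] and later["src"].subnet_of(r["src"]):
                    findings.append(f"rule {j}: shadowed by catch-all rule {i} (first match wins)")
    return findings
```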