Subject: Re: Help with ipnat.
To: Ricardo Ryoiti S. Junior <suga@netbsd.com.br>
From: Tld <tld@tld.digitalcurse.com>
List: netbsd-help
Date: 11/22/2002 19:49:54
Ricardo Ryoiti S. Junior wrote:
> 	Yes, that's the problem. However, it was running before on linux,
> and the migration to NetBSD would then require another network card
> attached to the SAME network segment. :/
I hope you read the follow-ups where I wrote I was mistaken :)
Actually, you don't need any new card.

> 	I noticed that when one machine on the first segment tries to
> connect to another connected to the second segment, its IP gets NATed.
Yes, that's another problem.

You might use two very distinct addresses, one for external access and one 
for internal.
Let me try to explain `:)

Right now you do not have a way to know if a packet from the 192.168.0/24 
is to be NATted (to the external world) or not (to the other subnetwork, 
I'll assume 192.168.1/24 for simplicity). Of course, you do, but I know 
(maybe there is) of no way to tell NAT to avoid NATting certain packets.
What I suggest is to configure the (192.168.0/24) machines so that they use 
one IP address (192.168.0/24 may be just good) to talk to the other private 
network, and another (like, 10.0.0/24 or 192.168.255/24) that is going to 
be NATted for external access. This way NAT will be able to distinguish 
which packet goes where. Of course, you'd have to add appropriate NIC aliases.

How to configure the clients depends, of course, on the OS used. The basic 
idea is to add a NIC alias, set the default gateway to the server's 
NIC-address-for-machines-to-nat and a static permanent route to the other 
private network (via the server's address-for-internal-machines).
By the way, you don't want to have server's NIC-address-for-machines-to-NAT 
to be in the range to NAT.

I guess there is a faster/easier/smarter/whatever way to achieve similar 
results, but I don't have it right now `:) The docs might help, I guess.
I know however the method above works, which is better than nothing... 
isn't it? :) If you decide to try this method, or have more questions about 
it, you might want to mail me personally instead of the list. Feel free to 
do so.

Greetings
-- 
--- TLD
"There is no Good, one thorough, there is no Evil, there is only Flesh"
   [Pinhead]
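The two-address scheme the reply describes, written out as an added example that is not part of the thread: a POSIX shell script that holds the layout (interface names ex0/ne0 and every address are assumptions), prints the ipnat.conf map rules and the per-client ifconfig/route commands, and checks the reply's caveat that the gateway address used by the NATted hosts must lie outside the range being translated. A /25 map range on a /24 wire is how that caveat is honoured here.

```shell
#!/bin/sh
# Added example, not from the thread: the two-address scheme in the reply
# as an ipnat map rule plus the client commands. Interface names (ex0,
# ne0) and all addresses are constructed for illustration.

EXT_IF=ex0                    # gateway's external NIC (ipnat maps on it)
INT_IF=ne0                    # gateway's internal NIC
CLIENT_IF=ne0                 # client NIC
NAT_RANGE=192.168.255.0/25    # client aliases that ipnat translates
OTHER_NET=192.168.1.0/24      # second private subnet, reached without NAT
GW_INT=192.168.0.1            # gateway's untranslated internal address
GW_NAT=192.168.255.129        # gateway alias on the .255 wire, outside NAT_RANGE

# ip_to_int 192.168.0.5 -> 3232235525
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PLEN: succeeds when ADDR lies inside the prefix
in_cidr() {
    net=${2%/*} plen=${2#*/}
    mask=$(( (0xffffffff << (32 - plen)) & 0xffffffff ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# The reply's caveat: the address clients use as their NAT gateway must
# not itself sit inside the range that the map rule translates.
check_gateway() {
    ! in_cidr "$GW_NAT" "$NAT_RANGE" ||
        { echo "error: $GW_NAT is inside $NAT_RANGE" >&2; return 1; }
}

# Gateway side: ipnat.conf rules that rewrite only NAT_RANGE, so traffic
# between 192.168.0/24 and 192.168.1/24 passes through untranslated,
# plus the alias that makes GW_NAT reachable on the internal NIC.
server_config() {
    echo "map $EXT_IF $NAT_RANGE -> 0/32 portmap tcp/udp auto"
    echo "map $EXT_IF $NAT_RANGE -> 0/32"
    echo "ifconfig $INT_IF $GW_NAT netmask 255.255.255.0 alias"
}

# Client side (NetBSD ifconfig/route syntax assumed): alias in NAT_RANGE,
# default route via GW_NAT, static route to OTHER_NET via GW_INT.
client_config() {
    in_cidr "$1" "$NAT_RANGE" || { echo "$1 not in $NAT_RANGE" >&2; return 1; }
    echo "ifconfig $CLIENT_IF $1 netmask 255.255.255.0 alias"
    echo "route add default $GW_NAT"
    echo "route add -net $OTHER_NET $GW_INT"
}
```

Run `check_gateway && server_config && client_config 192.168.255.10` to print the gateway and one client's configuration; the output is meant to be pasted into ipnat.conf and the client's startup script, not executed where the script runs.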