Subject: Re: Help with ipnat.
To: Tld <tld@tld.digitalcurse.com>
From: Andrew Brown <atatat@atatdot.net>
List: netbsd-help
Date: 11/23/2002 01:18:46
>> 	I noticed that when one machine on the first segment tries to
>> connect to another connected to the second segment, its IP gets NATed.
>Yes, that's another problem.
>
>You might use two very distinct addresses, one for external access and one 
>for internal.
>Let me try to explain `:)
>
>Right now you do not have a way to know if a packet from the 192.168.0/24 
>is to be NATted (to the external world) or not (to the other subnetwork, 
>I'll assume 192.168.1/24 for simplicity). Of course, you do, but I know 
>(maybe there is) of no way to tell NAT to avoid NATting certain packets.
>What I suggest is to configure the (192.168.0/24) machines so that they use 
>one IP address (192.168.0/24 may be just good) to talk to the other private 
>network, and another (like, 10.0.0/24 or 192.168.255/24) that is going to 
>be NATted for external access. This way NAT will be able to distinguish 
>which packet goes where. Of course, you'd have to add appropriate NIC aliases.

you overcomplicate this.  i use several machines on one physical
network (admittedly there are a couple of hubs involved, but that's
beside the point), and one of the machines nats the rest to the cable
modem.  the cable modem is also plugged into one of the hubs.  like
this:

    ---+------+------+------+------+------+------+------+------+---
       |      |      |      |      |      |      |      |      |
      box    box    box     gw   modem   box    box    box    box

gw has two ip addresses:

	inet 24.90.21.24 netmask 0xfffff000 broadcast 255.255.255.255
	inet alias 192.168.0.132 netmask 0xffffff80 broadcast 192.168.0.255

and an ipnat.conf that looks like this:

	map ex0 from 192.168.0.128/25 to 192.168.0.128/25 -> 0.0.0.0/0
	map ex0 192.168.0.128/25 -> 0.0.0.0/32 proxy port ftp ftp/tcp
	map ex0 192.168.0.128/25 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
	map ex0 192.168.0.128/25 -> 0.0.0.0/32

and that's it.  the trick is to nat the network to itself on the
gateway.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
werdna@squooshy.com       * "information is power -- share the wealth."