Subject: Re: Intermittent problem with NAT over a wireless connection
To: None <netbsd-help@netbsd.org>
From: Jason White <jdwhite@jdwhite.org>
List: netbsd-help
Date: 11/10/2005 18:58:31
On Fri, 04 Nov 2005 at 12:06, Christian von Kleist <cvk@zybx.com> wrote:
>My apartment complex provides free wireless internet access, so I use a
>wireless card in my NetBSD-based router to do NAT for my wired network.
>Everything is set up in a very straightforward manner: The router
>connects to the apartment complex's access point via wi0 (which is a
>PRISM-2.5-based card from Netgear) and does NAT using this simple
>ipnat.conf:
>
>/etc/ipnat.conf:
>
>map wi0 192.168.2.0/24 -> 0/32 portmap tcp/udp 40000:60000
>map wi0 192.168.2.0/24 -> 0/32
>
>(192.168.2.0/24 is my wired network)
>
>The IP of the apartment complex's AP is 192.168.0.1, so 192.168.0.1 is
>default route on my router (which is running HEAD from about two weeks ago).
>
>This is a simple setup that works just great...but only for about one to
>three days at a time. After a while, the NAT stops working, even though
>wi0 is still up and active.
[...]
>I can fix the problem once it occurs by deleting the default route and
>waiting approximately ten minutes. Then I add the route again and
>everything works perfectly! However, it fails again after about the
>same amount of time.
>
>I have discovered that the problem occurs more frequently when the
>connection is used heavily, and less frequently when it is used lightly.
>I can make it happen immediately by seeding two or three bittorrents.
>After a few hundred hosts connect, the NAT stops working within seconds.
>However, I can seed the same torrents at the same time on my iBook
>(using its wireless card to connect to the AP) and everything works
>perfectly!
>
>What could I be doing wrong? I would be very grateful for any insight
>on how to fix this problem or better diagnose it.

  I have experienced the same problem on two 2.0 machines which are wired, so 
I seriously doubt it has anything to do with wireless.  Like you, I have a 
simple NAT setup.  Works great, even seeding multiple torrents, but if I use 
gnutella the NAT portion will break within 1-3 hours.

  I believe this is because gnutella generates a *lot* of port forwardings in 
a short amount of time when it's searching for peers and ipf/ipnat simply 
runs out of memory to store port forwardings because they aren't expiring 
fast enough.  You might see a message about increasing NMBCLUSTERS via dmesg 
or in your system logs.  Googling for NMBCLUSTERS and ipnat yields several 
hits.  One page that may prove useful is 
http://www.phildev.net/ipf/IPFques.html -- especially question #25.

  Once the nat box gets in this broken state, I can still ssh in to it via 
the WAN interface, and can get to the internal machines from the nat box, but 
nat functionality is gone.

  I suspect that waiting 20 minutes causes the port forwardings to expire, 
freeing memory.  I haven't had time recently to revisit this problem, but I 
suspect that increasing NMBCLUSTERS may solve the problem.  It may, however, 
require adding memory to your nat box.

  My ipnat setup has been rock solid otherwise for over two years, except 
when I use gnutella for more than a few hours, so I think it's just a 
resource deficiency.

-Jason

-- 
Jason White (jdwhite@jdwhite.org)        http://www.jdwhite.org/~jdwhite
Jabber:jdwhite(jabber.org)                IRC:irc.netbsd.org/jdwhite
PGP KeyID: 0x5290E477/A8A2 3FDB AB33 98EB ED74  EDAA F538 9A30 5290 E477
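The diagnosis above (NAT sessions being created faster than they expire until ipnat can no longer allocate memory) can be confirmed from counters instead of waiting for the box to break. The following is an added example, not code from the thread: it parses two samples of `ipnat -s` style output taken some interval apart and reports the signs of state-table exhaustion. The sample text is constructed here in the shape of IPFilter 4.x's statistics printer (`mapped in/out`, `added/expired`, `no memory`, `inuse`); the counter names and the default `table_max` of 30000 are assumptions, so check them against your own `ipnat -s` output and the NAT table tunable on your kernel (IPFilter 4.x lists tunables with `ipf -T list`).

```python
import re

# Constructed sample output in the shape of `ipnat -s` (IPFilter 4.x); assumed
# layout, verify against the version running on your NAT box.
HEALTHY = """mapped\tin\t10423\tout\t9876
added\t5120\texpired\t4980
no memory\t0\tbad nat\t0
inuse\t140
rules\t2
wilds\t0
"""

# Constructed second sample: a peer-heavy workload has filled the table and
# ipnat is already failing allocations ("no memory" climbing).
STARVED = """mapped\tin\t2210987\tout\t2198001
added\t412300\texpired\t382310
no memory\t1873\tbad nat\t0
inuse\t29990
rules\t2
wilds\t0
"""

# Counter name -> regex; tolerant of tabs vs spaces between tokens.
_FIELDS = [
    ("mapped_in",  r"mapped\s+in\s+(\d+)"),
    ("mapped_out", r"\bout\s+(\d+)"),
    ("added",      r"added\s+(\d+)"),
    ("expired",    r"expired\s+(\d+)"),
    ("no_memory",  r"no memory\s+(\d+)"),
    ("bad_nat",    r"bad nat\s+(\d+)"),
    ("inuse",      r"inuse\s+(\d+)"),
    ("rules",      r"rules\s+(\d+)"),
]


def parse_ipnat_stats(text):
    """Extract the integer counters from one `ipnat -s` sample into a dict.
    Missing counters are returned as None rather than raising."""
    stats = {}
    for name, pattern in _FIELDS:
        m = re.search(pattern, text)
        stats[name] = int(m.group(1)) if m else None
    return stats


def assess(before_text, after_text, table_max=30000, warn_pct=80):
    """Compare two samples taken an interval apart and return the findings
    that indicate NAT state exhaustion. table_max is the assumed NAT table
    maximum (placeholder default); pass your kernel's real value."""
    before = parse_ipnat_stats(before_text)
    after = parse_ipnat_stats(after_text)
    findings = []

    # 1. Allocation failures: the direct symptom of running out of memory.
    nomem = after["no_memory"] - before["no_memory"]
    if nomem > 0:
        findings.append(
            f"no-memory failures rose by {nomem}: ipnat could not allocate sessions")

    # 2. Table occupancy relative to the configured maximum.
    pct = 100 * after["inuse"] // table_max
    if pct >= warn_pct:
        findings.append(
            f"inuse {after['inuse']} is {pct}% of table max {table_max}")

    # 3. Net growth: sessions added over the interval minus sessions expired.
    net_growth = ((after["added"] - before["added"])
                  - (after["expired"] - before["expired"]))
    if net_growth > 0 and after["inuse"] > before["inuse"]:
        findings.append(
            f"net growth of {net_growth} entries: adds are outpacing expiry")

    return findings


if __name__ == "__main__":
    # Run against the constructed samples; on a real box feed two captures of
    # `ipnat -s` output taken a few minutes apart instead.
    for line in assess(HEALTHY, STARVED):
        print("WARNING:", line)
```

A non-zero and growing `no memory` counter is the finding that matches the 20-minute recovery described in the reply: entries time out, memory is freed, and NAT works again until the table refills. The `netstat -m` mbuf statistics are the other side of the same picture, since the NMBCLUSTERS message in dmesg refers to the mbuf cluster pool rather than the NAT table itself.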