Subject: Re: confused about IPNAT
To: None <netbsd-help@NetBSD.org>
From: Mike M. Volokhov <mishka@intostroy.com>
List: netbsd-help
Date: 03/10/2006 17:43:00
On Fri, 10 Mar 2006 17:29:41 +0100, theo borm wrote:

> Hi,
> 
> I'm trying to set up a really simple system connected through an IPNAT 
> gateway to the internet, but somehow I can't get it to work anymore
> (I /have/ set up NAT a long time ago, and it used to work fine for me)
> 
> The gateway has two ethernet cards, both statically configured:
> 
> vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>          address: 00:11:2f:33:3e:1b
>          media: Ethernet autoselect (100baseTX full-duplex)
>          status: active
>          inet 192.168.41.254 netmask 0xffffff00 broadcast 192.168.41.255
>          inet6 fe80::211:2fff:fe33:3e1b%vr0 prefixlen 64 scopeid 0x2
> 
> rtk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>          address: 00:04:76:8b:fa:a7
>          media: Ethernet autoselect (100baseTX full-duplex)
>          status: active
>          inet 176.20.197.22 netmask 0xffffff00 broadcast 176.20.197.255
>          inet6 fe80::204:76ff:fe8b:faa7%rtk0 prefixlen 64 scopeid 0x1
> 
> It has my providers' default gateway configured:
> 
> Internet:
> Destination       Gateway            Flags
> default           176.20.197.254     UG
> localhost         127.0.0.1          UH
> 176.20.197.0/24   link#1             U
> 176.20.197.254    00:00:0c:07:ac:33  UH
> 192.168.41.0/24   link#2             U
> 192.168.41.1      00:11:2f:33:3e:34  UH
> 
> (plus some ip6 routes)
> 
> 
> The gateway machine works perfectly; it has full internet connectivity,
> can reach the outside world AND can be reached from the outside.
> 
> 
> The gateway uses the stock GENERIC kernel, coming straight off the 
> netbsd 3.0 install CD (it was a new install), and I enabled forwarding:
> # sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding = 1
> 
> 
> subsequently I enabled ipf:
> # ipf -E
> (someone may want to update chapter 21.5.1 of the NetBSD guide; NAT 
> won't work at all if you don't do this)
> 
> 
> Just to be sure I did:
> # ipf -F a
> 
> 
> I have the following NAT setup:
> # ipnat -l
> List of active MAP/Redirect filters:
> map vr0 192.168.41.0/24 -> 176.20.197.22/32  portmap tcp/udp 20000:60000
> map vr0 192.168.41.0/24 -> 176.20.197.22/32
> 
> List of active sessions:
> 
[snip]
> Any clues what might be my problem?

Please use rtk0 in map rules. I.e.:

	map rtk0 192.168.41.0/24 -> 176.20.197.22/32

When a packet passes through the NAT box it goes the following way (I'm
skipping binat and keep-state IPF rules here; re-nat is the "NAT
replies" step):

	--> if1 (rdr/re-nat (ipf-in  SYSTEM  ipf-out) nat) if2 -->

So you should always use the outgoing interface for such purposes.

--
Kind regards,
Mishka.

P.S. This scheme helps a lot, especially when you are setting up mixed IPF/
IPNAT rules. From it you can see that outgoing filtering is performed
before the NAT, and incoming filtering should be tuned to the IP addresses
"recalculated" after the NAT/RDR tables.
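As an added example that is not part of the original thread, here is a mixed IPF/IPNAT layout following the packet path described above: map rules on the outgoing interface rtk0, outbound filter rules written against the pre-NAT private addresses, and inbound rules written against the post-RDR destination. The poster's addresses are reused; the internal host 192.168.41.10 and the web-server redirect are assumptions made for the illustration.

```conf
# /etc/ipnat.conf (constructed example)
# Outgoing NAT lives on the outside interface rtk0, not on the inside vr0.
map rtk0 192.168.41.0/24 -> 176.20.197.22/32 portmap tcp/udp 20000:60000
map rtk0 192.168.41.0/24 -> 176.20.197.22/32
# Assumed: an internal web server 192.168.41.10 published on the public address.
rdr rtk0 176.20.197.22/32 port 80 -> 192.168.41.10 port 80 tcp

# /etc/ipf.conf (constructed example; last matching rule wins unless "quick")
block in  on rtk0 all
block out on rtk0 all

# Outbound: ipf-out runs BEFORE the map rule, so the source seen here is
# still the private 192.168.41.0/24 address, not 176.20.197.22.
pass out quick on rtk0 proto tcp/udp from 192.168.41.0/24 to any keep state
pass out quick on rtk0 proto icmp   from 192.168.41.0/24 to any keep state
# The gateway's own traffic leaves with its public address and is not mapped.
pass out quick on rtk0 from 176.20.197.22 to any keep state

# Inbound: rdr runs BEFORE ipf-in, so the destination seen here is the
# already "recalculated" internal address 192.168.41.10, not 176.20.197.22.
pass in quick on rtk0 proto tcp from any to 192.168.41.10 port = 80 keep state
```

Replies to mapped sessions come back through the re-nat step before ipf-in, so they match the state created by the "pass out ... keep state" rules and need no extra inbound rule.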