Subject: Mysterious NAT behaviour
To: None <netbsd-help@netbsd.org>
From: Jaap Boender <jaapb@kerguelen.org>
List: netbsd-help
Date: 11/05/2007 17:50:33
Hello list,

I've just upgraded my Alpha from NetBSD 3.1 to 4.0rc3 - it works well,
except for NAT: connecting to the Alpha is fine from both the 'inside'
and the 'outside' network, but connections from 'inside' to 'outside'
don't work.

More specifically, it seems as if NAT itself works; if I telnet to a
HTTP server somewhere I get a connection established, but that's it.
tcpdump also shows that some packets get translated, but after that, for
some reason, packets just don't arrive at their destination. Here's an
example of a tcpdump log:

[external NIC, 82.226.7.107 is my IP]
17:45:44.628697 IP 82.226.7.107.40041 > 145.58.30.133.80: S 3028053274:3028053274(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK>
17:45:44.673278 IP 145.58.30.133.80 > 82.226.7.107.40041: S 388414347:388414347(0) ack 3028053275 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
17:45:44.673897 IP 82.226.7.107.40041 > 145.58.30.133.80: . ack 1 win 49640
17:45:44.679654 IP 82.226.7.107.40041 > 145.58.30.133.80: P 1:177(176) ack 1 win 49640
17:45:44.725528 IP 145.58.30.133.80 > 82.226.7.107.40041: . ack 177 win 54
17:45:44.726021 IP 145.58.30.133.80 > 82.226.7.107.40041: P 1:455(454) ack 177 win 54
17:45:44.726040 IP 145.58.30.133.80 > 82.226.7.107.40041: F 455:455(0) ack 177 win 54
17:45:44.726673 IP 82.226.7.107.40041 > 145.58.30.133.80: . ack 1 win 49640
17:45:47.722245 IP 145.58.30.133.80 > 82.226.7.107.40041: FP 1:455(454) ack 177 win 54
17:45:53.722625 IP 145.58.30.133.80 > 82.226.7.107.40041: FP 1:455(454) ack 177 win 54
17:45:58.564887 IP 82.226.7.107.40041 > 145.58.30.133.80: F 177:177(0) ack 1 win 49640
17:45:58.609308 IP 145.58.30.133.80 > 82.226.7.107.40041: . ack 178 win 54
17:46:05.722988 IP 145.58.30.133.80 > 82.226.7.107.40041: FP 1:455(454) ack 178 win 54

[internal NIC, 172.16.0.1 is the server, 0.4 the client]
17:45:44.628159 IP 172.16.0.4.44352 > 145.58.30.133.80: S 3028053274:3028053274(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK>
17:45:44.673517 IP 145.58.30.133.80 > 172.16.0.4.44352: S 388414347:388414347(0) ack 3028053275 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
17:45:44.673781 IP 172.16.0.4.44352 > 145.58.30.133.80: . ack 1 win 49640
17:45:44.679468 IP 172.16.0.4.44352 > 145.58.30.133.80: P 1:177(176) ack 1 win 49640
17:45:44.725767 IP 145.58.30.133.80 > 172.16.0.4.44352: . ack 177 win 54
17:45:44.726205 IP 145.58.30.133.80 > 172.16.0.4.44352: P 1:455(454) ack 177 win 54
17:45:44.726345 IP 145.58.30.133.80 > 172.16.0.4.44352: F 455:455(0) ack 177 win 54
17:45:44.726551 IP 172.16.0.4.44352 > 145.58.30.133.80: . ack 1 win 49640
17:45:47.722804 IP 145.58.30.133.80 > 172.16.0.4.44352: FP 1:455(454) ack 177 win 54
17:45:53.723102 IP 145.58.30.133.80 > 172.16.0.4.44352: FP 1:455(454) ack 177 win 54
17:45:58.564689 IP 172.16.0.4.44352 > 145.58.30.133.80: F 177:177(0) ack 1 win 49640
17:45:58.609567 IP 145.58.30.133.80 > 172.16.0.4.44352: . ack 178 win 54
17:46:05.723460 IP 145.58.30.133.80 > 172.16.0.4.44352: FP 1:455(454) ack 178 win 54

Given that I've just reused my configuration from 3.1 which worked
perfectly (and the problem persists even with a 'pass everything'
ipf.conf and the standard ipnat.conf from the NetBSD manual), I'd like
to ask: is there something that changed between 3.1 and 4.0 that I've
missed and could cause this problem? (I saw something about kernel
memory problems with ipnat, but that's a bug that's supposed to have
been fixed by 4.0rc3, right?)

And if not, does anyone have other tips? I haven't even got an idea
where to begin troubleshooting...

Thanks,

  Jaap Boender
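As an added example, not part of the original post or of NetBSD: a small Python script that parses the two tcpdump captures above and answers the two questions a practitioner would want settled before touching ipf.conf or ipnat.conf: does the translated flow on the external NIC really correspond to the client's flow on the internal NIC (matched on the client's initial sequence number, which the captures show is identical on both sides), and which data segments were forwarded but never acknowledged by their receiver. The capture lines are the ones from the post with the mail wrapping removed; the function names and the output format are my own.

```python
import re
from collections import defaultdict

# tcpdump lines from the post (external NIC), mail line-wrapping rejoined.
EXTERNAL = """\
17:45:44.628697 IP 82.226.7.107.40041 > 145.58.30.133.80: S 3028053274:3028053274(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK>
17:45:44.673278 IP 145.58.30.133.80 > 82.226.7.107.40041: S 388414347:388414347(0) ack 3028053275 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
17:45:44.673897 IP 82.226.7.107.40041 > 145.58.30.133.80: . ack 1 win 49640
17:45:44.679654 IP 82.226.7.107.40041 > 145.58.30.133.80: P 1:177(176) ack 1 win 49640
17:45:44.725528 IP 145.58.30.133.80 > 82.226.7.107.40041: . ack 177 win 54
17:45:44.726021 IP 145.58.30.133.80 > 82.226.7.107.40041: P 1:455(454) ack 177 win 54
17:45:44.726040 IP 145.58.30.133.80 > 82.226.7.107.40041: F 455:455(0) ack 177 win 54
17:45:44.726673 IP 82.226.7.107.40041 > 145.58.30.133.80: . ack 1 win 49640
17:45:47.722245 IP 145.58.30.133.80 > 82.226.7.107.40041: FP 1:455(454) ack 177 win 54
17:45:53.722625 IP 145.58.30.133.80 > 82.226.7.107.40041: FP 1:455(454) ack 177 win 54
17:45:58.564887 IP 82.226.7.107.40041 > 145.58.30.133.80: F 177:177(0) ack 1 win 49640
17:45:58.609308 IP 145.58.30.133.80 > 82.226.7.107.40041: . ack 178 win 54
17:46:05.722988 IP 145.58.30.133.80 > 82.226.7.107.40041: FP 1:455(454) ack 178 win 54
"""

# Same exchange as seen on the internal NIC (from the post).
INTERNAL = """\
17:45:44.628159 IP 172.16.0.4.44352 > 145.58.30.133.80: S 3028053274:3028053274(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK>
17:45:44.673517 IP 145.58.30.133.80 > 172.16.0.4.44352: S 388414347:388414347(0) ack 3028053275 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
17:45:44.673781 IP 172.16.0.4.44352 > 145.58.30.133.80: . ack 1 win 49640
17:45:44.679468 IP 172.16.0.4.44352 > 145.58.30.133.80: P 1:177(176) ack 1 win 49640
17:45:44.725767 IP 145.58.30.133.80 > 172.16.0.4.44352: . ack 177 win 54
17:45:44.726205 IP 145.58.30.133.80 > 172.16.0.4.44352: P 1:455(454) ack 177 win 54
17:45:44.726345 IP 145.58.30.133.80 > 172.16.0.4.44352: F 455:455(0) ack 177 win 54
17:45:44.726551 IP 172.16.0.4.44352 > 145.58.30.133.80: . ack 1 win 49640
17:45:47.722804 IP 145.58.30.133.80 > 172.16.0.4.44352: FP 1:455(454) ack 177 win 54
17:45:53.723102 IP 145.58.30.133.80 > 172.16.0.4.44352: FP 1:455(454) ack 177 win 54
17:45:58.564689 IP 172.16.0.4.44352 > 145.58.30.133.80: F 177:177(0) ack 1 win 49640
17:45:58.609567 IP 145.58.30.133.80 > 172.16.0.4.44352: . ack 178 win 54
17:46:05.723460 IP 145.58.30.133.80 > 172.16.0.4.44352: FP 1:455(454) ack 178 win 54
"""

# Classic (pre-4.x) tcpdump TCP line: ts IP a.b.c.d.port > a.b.c.d.port: FLAGS [seq:end(len)] [ack N] win N ...
LINE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): '
    r'(?P<flags>[SFPR.]+)(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?'
    r'(?: ack (?P<ack>\d+))? win (?P<win>\d+)')


def parse(capture):
    """Turn tcpdump text into a list of packet dicts; fail loudly on lines we cannot read."""
    pkts = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError("unrecognised tcpdump line: " + line)
        d = m.groupdict()
        pkts.append({"ts": d["ts"], "flags": d["flags"],
                     "src": (d["src"], int(d["sport"])), "dst": (d["dst"], int(d["dport"])),
                     "seq": int(d["seq"]) if d["seq"] else None,
                     "end": int(d["end"]) if d["end"] else None,
                     "len": int(d["len"]) if d["len"] else 0,
                     "ack": int(d["ack"]) if d["ack"] else None})
    return pkts


def unacked_segments(pkts):
    """Per direction, data segments never covered by the peer's highest ACK, with how many
    times each appeared on the wire (>1 means the sender kept retransmitting it).
    SYN/SYN-ACK are skipped because tcpdump prints absolute numbers there and relative ones after."""
    seen = defaultdict(lambda: defaultdict(int))   # (src, dst) -> (seq, end) -> count
    max_ack = defaultdict(int)                      # (src, dst) -> highest ack sent that way
    for p in pkts:
        if p["len"] > 0:
            seen[(p["src"], p["dst"])][(p["seq"], p["end"])] += 1
        if p["ack"] is not None and "S" not in p["flags"]:
            max_ack[(p["src"], p["dst"])] = max(max_ack[(p["src"], p["dst"])], p["ack"])
    result = {}
    for (src, dst), segs in seen.items():
        peer_ack = max_ack[(dst, src)]
        bad = {seg: n for seg, n in segs.items() if seg[1] > peer_ack}
        if bad:
            result[(src, dst)] = {"peer_max_ack": peer_ack, "segments": bad}
    return result


def client_isns(pkts):
    """ISN -> client endpoint for every pure SYN; the ISN survives address/port translation."""
    return {p["seq"]: p["src"] for p in pkts if p["flags"] == "S" and p["ack"] is None}


def nat_mappings(inside, outside):
    """Pair each inside client endpoint with the outside endpoint it was translated to."""
    ins, outs = client_isns(inside), client_isns(outside)
    return {ins[isn]: outs[isn] for isn in ins if isn in outs}


if __name__ == "__main__":
    print("NAT mappings (inside -> outside):", nat_mappings(parse(INTERNAL), parse(EXTERNAL)))
    for name, cap in (("external", EXTERNAL), ("internal", INTERNAL)):
        for (src, dst), info in unacked_segments(parse(cap)).items():
            print(f"{name}: {src} -> {dst}: peer acked up to {info['peer_max_ack']}, "
                  f"unacked segments {info['segments']}")
```

On these captures the script pairs 172.16.0.4:44352 with 82.226.7.107:40041 and, on both interfaces, reports the server's 454-byte segment 1:455 seen four times while the client never acknowledges past 1. So the reply crosses the NAT box and is on the internal wire, yet the client's TCP stack does not accept it; the client's own 176-byte request, by contrast, is acknowledged. A sensible next step is to repeat the internal-interface capture with `tcpdump -vv`, which verifies and flags bad IP/TCP checksums, and to compare the rewritten packet byte for byte with the one on the external side.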