Subject: NetBSD router questions
To: None <port-i386@netbsd.org>
From: Ray Phillips <r.phillips@jkmrc.com>
List: port-i386
Date: 09/22/2004 18:56:30

I've configured a PC running NetBSD/i386 2.0G (built from CVS sources
updated on 27 August) with three 3Com 3c905C-TX 10/100 NICs as a
router. I did this by uncommenting

    options GATEWAY # packet forwarding

in the GENERIC kernel configuration file, adding

    options NMBCLUSTERS=16384

to it, and building a new kernel, then creating /etc/ipf.conf which
contains just two lines:

    pass in quick from any to any
    pass out quick from any to any

Would you suggest any other changes/additions to the kernel or
system? There are some Macs on our network so I'm planning to run
netatalk's atalkd daemon on it. (ipf.conf could obviously do with
some more statements but at the moment I'm trying to keep things
simple.)

I'm intending to use this box as the router for our LAN so thought
I'd test it by making a micro-LAN consisting of three NetBSD/i386
machines, each connected to one of the router's NICs with a
transposed cable. There are no connections outside this micro-LAN.
Here's a diagram of the trial setup:

      +-------------------------------------------+
      |                                           |
  ____| inet 192.168.37.1 netmask 255.255.255.192 |
  |   | default route 192.168.37.30               |
  |   |                                           |
  |   +-------------------------------------------+
  |
  |
  |   +-------------------------------------------+
  |   |                                           |
  |   |_________________________                  |
  |   | inet 192.168.37.30      |                 |
  |___| netmask 255.255.255.192 | ex0             |
      |_________________________|                 |
      |                                           |
      |_________________________                  |
      | inet 192.168.37.158     |                 |
  ____| netmask 255.255.255.192 | ex2             |
  |   |_________________________|                 |
  |   |                                           |
  |   |_________________________                  |
  |   | inet 192.168.37.94      |                 |
  | __| netmask 255.255.255.192 | ex1             |
  | | |_________________________|                 |
  | | |                                           |
  | | +-------------------------------------------+
  | |
  | |
  | |  +--------------------------------------------+
  | |  |                                            |
  | |__| inet 192.168.37.65 netmask 255.255.255.192 |
  |    | default route 192.168.37.94                |
  |    |                                            |
  |    +--------------------------------------------+
  |
  |
  |    +---------------------------------------------+
  |    |                                             |
  |____| inet 192.168.37.129 netmask 255.255.255.192 |
       | default route 192.168.37.158                |
       |                                             |
       +---------------------------------------------+

(The three NICs are in adjacent PCI slots and, strangely, when
viewing the PC from the rear ex0 is on the left, ex2 is in the
middle, and ex1 is on the right. I thought they'd be in order from
left to right.)

This works fine--it's possible to ping any machine from any other and
telnet and ftp between them. I didn't go to the trouble of modifying
their /etc/hosts files or setting up bind on one of them, so I've had
to use IP numbers to specify the machine I want to connect to and use
the -n switch for ping and route and -N for telnet. (I couldn't
see a switch like that for ftp; is there one?)

I don't understand why, even when using -N, it takes so long to
establish a telnet session in this situation. There's a long delay
(perhaps a minute or more) after the 'Escape character is' line. Why
would that be?

    % telnet -N 192.168.37.65
    Trying 192.168.37.65...
    Connected to 192.168.65.
    Escape character is '^]'
                                <-- there's a long delay here
    NetBSD/i386 (p1.pvt.jkmrc.uq.edu.au) (ttyp0)
    login:

When ftp'ing, the 'Connected to' message comes up straight away but
there's a long delay before the Name(...): prompt appears.

    % ftp 192.168.37.65
    Connected to 192.168.37.65
    220-                        <-- there's a long delay here
    220 192.168.37.65 FTP Server (NetBSD-ftp 20040809) ready.
    Name(192.168.37.65:ray):

What would be causing that behaviour? (What do the 220's mean, by the way?)

Actually, the IP numbers I've shown above aren't the ones I used at
first. To begin with I assigned two of the non-router PCs IP numbers
from two of our public subnets and gave one a private IP number.
That setup was OK except it wasn't possible to ftp to the PC with a
private IP number; however it could be ping'ed and telnet'ed to, and
it could ftp to any of the other machines. This is what would happen:

    % ftp 192.168.37.1
    Connected to 192.168.37.1.
    421 Service not available, remote server timed out. Connection closed.
    ftp>

You'd think that meant I'd made a mistake editing its
/etc/inetd.conf file, but no. It was possible to ftp to it when I
connected it to our LAN after just telling it to use dhcp to get its
network setup. When watching the startup messages on the console
there would be a long pause after 'Starting sendmail.' then
eventually 'Starting inetd.' would come up. So I guess I'd somehow
succeeded in messing up inetd and ftpd was indeed not running when it
should have been. Can you say what I might have done wrong?

Ray
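
Below is an added example of what a tighter /etc/ipf.conf for the three-segment layout in the diagram could look like; it is not from the post above or from NetBSD itself. It assumes the addresses in the diagram (ex0 on 192.168.37.0/26, ex1 on 192.168.37.64/26, ex2 on 192.168.37.128/26) and that the two "pass ... from any to any" lines are replaced entirely.

```ipf
# Added example (not from the post): a stateful, default-deny
# /etc/ipf.conf for the three /26 segments in the diagram. ipf uses
# last-match semantics unless a rule says "quick", so the block rules
# go first and every pass rule below them is "quick".

# Default: drop and log anything no later rule passes.
block in log all
block out log all

# Loopback is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: a packet arriving on an interface must carry a source
# address from that interface's own subnet.
block in log quick on ex0 from !192.168.37.0/26 to any
block in log quick on ex1 from !192.168.37.64/26 to any
block in log quick on ex2 from !192.168.37.128/26 to any

# Hosts on each segment may open connections anywhere (the router
# itself or the other two segments). "keep state" admits the replies
# and the forwarded packets on the other interfaces, so no matching
# pass-out rules are needed for these flows.
pass in quick on ex0 proto tcp from 192.168.37.0/26 to any flags S keep state
pass in quick on ex0 proto udp from 192.168.37.0/26 to any keep state
pass in quick on ex0 proto icmp from 192.168.37.0/26 to any icmp-type echo keep state

pass in quick on ex1 proto tcp from 192.168.37.64/26 to any flags S keep state
pass in quick on ex1 proto udp from 192.168.37.64/26 to any keep state
pass in quick on ex1 proto icmp from 192.168.37.64/26 to any icmp-type echo keep state

pass in quick on ex2 proto tcp from 192.168.37.128/26 to any flags S keep state
pass in quick on ex2 proto udp from 192.168.37.128/26 to any keep state
pass in quick on ex2 proto icmp from 192.168.37.128/26 to any icmp-type echo keep state

# Connections the router itself originates (e.g. its own ftp client).
pass out quick proto tcp from any to any flags S keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state
```

Load it with `ipf -Fa -f /etc/ipf.conf`, then watch `ipmon` and `ipfstat -io` to confirm which rule is dropping anything that stops working.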