Subject: MORE: Stumped on aliases
To: None <port-mac68k@netbsd.org>
From: David A. Gatwood <dgatwood@deepspace.mklinux.org>
List: port-mac68k
Date: 11/05/2000 14:18:00

On Sun, 5 Nov 2000, David A. Gatwood wrote:

> So back to the routing dilemma.  I decided to just take my changes and run
> two networks over the same ether.  Now I'm getting real problems.  I have:
> 
> sn0: dynamically configured (dhclient)
> ae0: defective NIC (times out when sending data, throughput really slow)
> ae1: dynamically configured (dhclient)
> ae2: inet 10.0.0.1 netmask 255.255.255.0
> ae2: alias 192.168.0.1 netmask 255.255.255.0
> 
> where sn0 is the interface for traffic to/from my firewall machine itself
> and to the 10 network behind it, while ae1 is a different number for
> everything coming from the airport network (192.168.0.x)
> 
> /etc/natdata:
> map sn0 10.0.0.0/24 -> 0/32 portmap tcp/udp 40000:60000
> man sn0 10.0.0.0/24 -> 0/32
> map ae1 192.168.0.0/24 ->0/32 portmap tcp/udp 20000:40000
> map ae1 192.168.0.0/24 -> 0/32
> 
> And I've tried substituting the dynamically assigned addresses for the
> appropriate interfaces instead of the 0, but it makes no difference.  In
> either case, ONE of the two networks works (random whether it's the
> 192 network or the 10 network) and the other doesn't.  I really don't want
> the traffic from the airport (which might eventually be used by other
> people) to look like it's coming from my main machine address, and I
> really don't want those two networks to be able to see each other in any
> way.  I've even tried making both of the two nets masquerade to the same
> outside address.  Still no go.  It looks like the NAT just will not work
> at all with aliases on different networks, but the same interface.
> 
> I've confirmed that both outgoing interfaces work correctly using
> traceroutes out the appropriate interface.  I've confirmed that all
> machines involved can connect to the firewall itself (which wasn't the
> case using the defective NIC... :-).  It's only the NAT that is
> failing....

Wow.  With the right parameters, tcpdump can give you some interesting
info.  At the moment, the 10 network stuff gets masqueraded correctly via
sn0.  The 192 network stuff gets passed out sn0 as well, but without being
masqueraded.  So I'm spewing 192.168.x.x crap out onto the campus ether. 
They'll probably disable my network port if I don't get this fixed SOON!
Any ideas?


David

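
An added example, not part of the original message: a simplified Python model of how ipnat `map` rules select packets, assuming a rule is applied only to packets that leave through the interface it names. The rule text follows the /etc/natdata lines quoted above with the portmap variants omitted, and the packet list is constructed; it flags private source addresses that would leave an external interface untranslated, which is the symptom the tcpdump output showed.

```python
import ipaddress
import re

# Rules as intended by /etc/natdata in the post (portmap variants omitted:
# they match on the same interface and source network).
RULES = """\
map sn0 10.0.0.0/24 -> 0/32
map ae1 192.168.0.0/24 -> 0/32
"""

RULE_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s*->\s*(\S+)")


def parse_rules(text):
    """Return a list of (interface, source_network) from ipnat map lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(1), ipaddress.ip_network(m.group(2))))
    return rules


def is_translated(rules, out_if, src):
    """Assumption: a map rule applies only to packets leaving its interface."""
    addr = ipaddress.ip_address(src)
    return any(ifname == out_if and addr in net for ifname, net in rules)


def leaked_private_sources(rules, packets, external_ifs):
    """Packets leaving an external interface with a private, unmapped source."""
    return [(out_if, src) for out_if, src in packets
            if out_if in external_ifs
            and ipaddress.ip_address(src).is_private
            and not is_translated(rules, out_if, src)]


# Constructed sample: (outgoing interface chosen by the routing table, source).
PACKETS = [("sn0", "10.0.0.7"), ("sn0", "192.168.0.5"), ("ae1", "192.168.0.5")]

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for out_if, src in leaked_private_sources(rules, PACKETS, {"sn0", "ae1"}):
        print(f"un-NATed private source {src} leaving {out_if}")
```

In this model the 192.168.0.x packet is translated only when the routing table sends it out ae1; if the default route points at sn0, no rule matches it.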