Subject: Re: ipnat RDR doesn't work with multipath routing in KAME+NetBSD
To: Darren Reed <>
From: Alicia da Conceicao <>
List: tech-net
Date: 10/28/2001 23:53:40
> In some email I received from Alicia da Conceicao, sie wrote:
> [...]
>> This RDR redirection works for arbitrary incoming tcp connections
>> to port 1234, but does not work for
>> port 1234.  Note that if this KAME+NetBSD server is running a web
>> server on tcp port 80, then incoming web connections work to both
>> &  In fact RDR only works for the
>> default external interface that is listed first in netstat, which
>> in this case is ext1, but can also be set to ext0.
>> Any ideas as to why RDR does not work for both external interfaces?
>> Note that my ipf.conf is blank with no keep state and no fast
>> routing.
> IPFilter needs to see the packets going in and out over the same interface.
Unfortunately this does not appear to be true, since RDR is only
able to forward a port from an arbitrary IP number to/from *ONLY*
one external interface.  When a TCP/UDP connection from an
arbitrary IP number is made to the same port on the second
external interface RDR is unable to forward that port, even
though the multipath routing in KAME+NetBSD is sending packets in
and out exclusively over that second interface!

For example, if I am on remote client on the Internet with an
arbitrary IP number, and I run:

	telnet 25	(external interface ext1)
& 	telnet 25	(external interface ext0)

If I am running sendmail locally on the KAME+NetBSD server, then
that remote client can type in SMTP commands with *EITHER* telnet
command, and sendmail will process and respond to those commands.

If I am using RDR to forward port 25 to an internal mail server
with sendmail instead, and I use the following IPNAT rulesets:

rdr ext1 port 25 -> port 25 tcp
rdr ext0 port 25 -> port 25 tcp

then only the *FIRST* telnet command will work and be forwarded; the
second will not.

I can easily use a TCP proxy program in userspace to forward the
SMTP port instead, but then that internal mail server only records
in its maillogs the KAME+NetBSD internal interface IP number
(, and not the IP number of the originating client that
executed the telnet command.

The transparent proxying done by RDR in IPFILTER+IPNAT is done at
the packet level and is very much preferable to a userspace TCP
proxy program.

Does anyone have any suggestions on how to get RDR to work with
multipath routing?  I would have never imagined how difficult
it would be to have a simple Unix gateway computer with 2 external
interfaces to separate ISPs, and one internal interface.  This
is something that Cisco routers can easily do!

Thank you in advance.