Subject: ipnat limitation or user error
To: None <netsbsd-help@netbsd.org>
From: Patrick Norman <patrick@lunchbongs.com>
List: tech-net
Date: 11/09/2003 21:10:26
Sirs,
I am attempting to allow a network device (ps2, socom ii voice chat) to 
use the ports it needs (udp range 6000-6999) through the nat.

I have this in ipnat.conf:
rdr rtk0 0.0.0.0/0 port 6000-6999 -> 10.0.0.99 port 6000 tcp/udp
and this in ipf.conf:
pass in log quick on rtk0 proto tcp/udp from any to any port 5999 >< 7000 keep state
ipf logging shows:
09/11/2003 21:00:52.004920 rtk0 @0:24 p 216.231.49.120,50805 -> 10.0.0.99,6000 PR udp len 20 8704  K-S IN
09/11/2003 21:00:52.004939 rtk1 @65535:0 p 216.231.49.120,50805 -> 10.0.0.99,6000 PR udp len 20 8704  K-S IN
as a result of: core% nc -u k.lunchbongs.com 6000 (core is outside the 
network; k is my router here)

Is my application correct?  Hopefully I have made a simple mistake.

Others have pointed me to http://www.pdos.lcs.mit.edu/~baford/nat/ 
which states my nat has inconsistent translation.
From the page:
There is one important requirement that the NATs must satisfy in order 
for this technique to work: the NATs must be designed so that they 
assign only one (public IP address, public UDP port) pair to each 
(internal IP address, internal UDP port) combination, rather than 
allocating and assigning a new public UDP port for each new UDP 
session. Recall that a "session" in Internet terminology is defined by 
the IP addresses and port numbers of both communicating endpoints, so 
host B's communication with host A is considered to be one session 
while host B's communication with host C is a different session. If B's 
NAT, for example, assigns one public UDP port for B's communication 
with A, and then assigns B a different public UDP port for the new 
session B tries to open up with C, then the above technique for 
peer-to-peer communication will not work because C's messages to B will 
be directed to the wrong UDP port.

Is there a way to configure ipnat to comply with these requirements?
My standard map directives are:
map rtk0 10.0.0.0/24 -> 0/32 portmap tcp/udp 10000:60000
map rtk0 10.0.0.0/24 -> 0/32

I have come across a flag for natd:
-t | -target_address address
Set the target address. When an incoming packet not associated with any 
pre-existing link arrives at the host machine, it will be sent to the 
specified addr

Is this functionality possible with ipnat?  If not, is it possible to 
replace ipnat with natd?  Would this even fix anything?

I appreciate your insight,
Patrick Norman
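An added example, not code from the original post or from IPFilter: a small model of the two UDP port-allocation policies the quoted paragraph contrasts (one public port per internal endpoint versus a fresh public port per remote endpoint), run through the A/B/C exchange it describes. B's internal endpoint 10.0.0.99:6000 is taken from the post; the NAT's public address and the A and C endpoints are constructed.

```python
NAT_PUBLIC_IP = "203.0.113.1"  # constructed public address of B's NAT

class UdpNat:
    """Tiny UDP NAT model. per_session=False: one public port per internal
    (ip, port); per_session=True: a fresh public port for every remote endpoint."""

    def __init__(self, per_session, first_port=10000):
        self.per_session = per_session
        self.next_port = first_port
        self.ports = {}     # mapping key -> public port
        self.table = {}     # public port -> (internal endpoint, set of allowed remotes)

    def send(self, src, dst):
        """Outbound datagram src -> dst; returns the public (ip, port) the remote sees."""
        key = (src, dst) if self.per_session else src
        if key not in self.ports:
            self.ports[key] = self.next_port
            self.table[self.next_port] = (src, set())
            self.next_port += 1
        port = self.ports[key]
        self.table[port][1].add(dst)   # the outbound packet opens the filter for dst
        return (NAT_PUBLIC_IP, port)

    def receive(self, public_port, remote):
        """Inbound datagram from remote to public_port; internal endpoint, or None if dropped."""
        entry = self.table.get(public_port)
        if entry is None or remote not in entry[1]:
            return None
        return entry[0]

def hole_punch(per_session):
    """Run the A/B/C exchange from the quoted text; True if C's datagram reaches B."""
    B = ("10.0.0.99", 6000)           # internal endpoint from the post
    A = ("198.51.100.10", 3478)       # constructed rendezvous server
    C = ("192.0.2.7", 6000)           # constructed peer
    nat = UdpNat(per_session)
    public_b = nat.send(B, A)         # 1. B registers with A; A records B's public endpoint
    nat.send(B, C)                    # 2. A tells B about C; B sends its punch packet to C
    return nat.receive(public_b[1], C) == B   # 3. C sends to the endpoint A reported

if __name__ == "__main__":
    print("consistent mapping:", hole_punch(False))   # True
    print("per-session ports :", hole_punch(True))    # False
```

With per-session allocation the punch packet to C gets public port 10001 while A reported 10000, so C's reply is filtered at the port A saw; this is the "inconsistent translation" the linked page refers to.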