tech-net: Re: ipnat: Multiple interfaces and routing

Subject: Re: ipnat: Multiple interfaces and routing
To: None <tech-net@netbsd.org>
From: Christos Zoulas <christos@astron.com>
List: tech-net
Date: 11/28/2005 00:28:35
In article <Pine.NEB.4.63.0511271331540.2695@extremecode.org>,
 <wysoft@extremecode.org> wrote:
>I'm having a problem getting ipnat to do NAT for two internal interfaces 
>through one external. It looks to be a routing problem at this point, and 
>I'm stumped. Here's the situation:
>
>                                  /--mc0---192.168.2.0/24
>[67.168.161.233]--ex0--[ipnat box]
>                                  \--tlp0--192.168.1.0/24
>
>I'm trying to NAT for both 192.168 networks. 192.168.1 works just fine, 
>all traffic is routed correctly. However, anything on 192.168.2 appears to 
>get routed into oblivion before any outbound Internet traffic can pass 
>through the ipnat router. For example, pinging 192.168.2.1 (mc0's IP) 
>from a Solaris client will get a response from 67.168.161.233, instead of 
>192.168.2.1. If I run tcpdump on ex0, and try to ping 'google.com' from 
>192.168.2.2 (the Solaris client), I can see that the icmp echo messages 
>appear to be leaving through ex0, but no data is ever returned.
>
>Fortunately, routing within the LAN seems to be fine. The two LAN subnets 
>can communicate with eachother just fine. I can telnet into 192.168.2.2 
>from anywhere in 192.168.1, and vice versa. Still, nothing coming from 
>192.168.2 ever gets NAT'ed properly.
>
>The ipf/ipnat box is running 2.1/macppc. As far as ipf rules are 
>concerned, I'm allowing any and all traffic on both LAN interfaces, so 
>nothing should be getting blocked. Here is my ipnat.conf:
>
># Compensate for NAT-broken protocols
>map ex0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
>map mc0 192.168.2.0/24 -> 0/32 proxy port ftp ftp/tcp
>
># Port redirections
>#rdr ex0 0.0.0.0/0 port 6114 -> 192.168.1.106 port 6114 udp
>
># Essential mappings
>map ex0 192.168.1.0/24 -> 67.168.161.233/32
>map ex0 192.168.1.0/24 -> 67.168.161.233/32 portmap tcp/udp auto
>map mc0 192.168.2.0/24 -> 67.168.161.233/32
>map mc0 192.168.2.0/24 -> 67.168.161.233/32 portmap tcp/udp auto

change all the mc0's to ex0's like:

map ex0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ex0 192.168.2.0/24 -> 0/32 proxy port ftp ftp/tcp

map ex0 192.168.1.0/24 -> 0/32
map ex0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map ex0 192.168.2.0/24 -> 0/32
map ex0 192.168.2.0/24 -> 0/32 portmap tcp/udp auto

or simplify:

map ex0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map ex0 192.168.0.0/16 -> 0/32
map ex0 192.168.0.0/16 -> 0/32 portmap tcp/udp auto

christos