[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
YA nat problem
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: YA nat problem
- From: Geoff Steckel <gwes_(_at_)_oat_(_dot_)_com>
- Date: Sat, 10 Jul 1999 07:36:29 -0400 (EDT)
Does anyone run a dual-homed network with NAT?
I've got a gateway connected to two ISPs, using NAT to
connect a few machines.
There's an interaction between routing and NAT which
makes life difficult. I am seeing the problem with
smtp, but basically any service will encounter the problem.
Call two of my machines "cerebus" the gateway and "nosy" an
internal machine. My two ISP's networks are A and B.
My internal net is Z.
I have a service (smtp) on a nosy. I redirect incoming smtp
traffic to that machine. The address to which a connection
is made is on net A. As long as the default route on
cerebus is via net A, everything works.
If the default route on cerebus is via net B, this is what
Incoming setup request vi interface netA gets forwarded to
nosy. A NAT connection entry is made for interface netA.
The setup request is forwarded to nosy over net Z.
Nosy replies to the setup request via net Z. Cerebus
then routes the packet via netB. There is no NAT entry
for this address and port on net B, so a new one is made,
changing the source port address in the packet.
The external host gets the mangled packet and discards it.
No connection succeeds.
Here's my ipnat.rules from cerebus:
map de1 192.168.1.0/24 -> de1/32 portmap tcp/udp 10000:14999
map mx0 192.168.1.0/24 -> mx0/32 portmap tcp/udp 15000:20000
rdr de1 0.0.0.0/0 port smtp -> 192.168.1.3 port smtp
rdr mx0 0.0.0.0/0 port smtp -> 192.168.1.3 port smtp
I would assume that the "correct" thing for ipnat to do
would be to somehow associate the outgoing packet with
the connection record containing the "other" interface.
Is there a workaround, such as a way to disable the portmap
for a specific internal port #?