[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

2.6 and ipnat problems?

Hello all:

I'm having a strange problem with ipnat. I had this problem yesterday,
so I used anoncvs to update my kernel sources and rebuild last night,
but I'm still having the problem. It doesn't seem to be doing any
translation across interfaces. Here's the relevant configuration info 
(I hope):

Here's the dmesg:
sorrento# dmesg
bootargv: diskinfo 0xe033b00c cksumlen 1 memmap 0xe033b088 pciinfo
0xe033b10c apminfo 0xe033b128
OpenBSD 2.6 (ISSITH) #4: Wed Nov 10 09:18:01 PST 1999
cpu0: F00F bug workaround installed
cpu0: Intel Pentium (P54C) ("GenuineIntel" 586-class) 134 MHz
BIOS mem  = 654336 conventional, 32505856 extended
real mem  = 33161216
avail mem = 28856320
using 430 buffers containing 1761280 bytes of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(dd) BIOS, date 06/21/96
apm0 at bios0: Power Management spec V1.1
apm0: APM engage (device 1): power management disabled (1)
apm0: AC on, no battery
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82437VX System (TVX)" rev 0x02
pcib0 at pci0 dev 7 function 0 "Intel 82371SB (Triton II) PCI-ISA" rev
pciide0 at pci0 dev 7 function 1 "Intel 82371SB (Triton II) IDE" rev
0x00: DMA, channel 0 wired to compatibility, channel 1 wired to
wd0 at pciide0 channel 0 drive 0: <Seagate Technology 1275MB - ST31276A>
wd0: can use 32-bit, PIO mode 4, DMA mode 2
wd0: 16-sector PIO, LBA, 1221MB, 2482 cyl, 16 head, 63 sec, 2502308
pciide0: channel 0 interrupting at irq 14
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2 (using DMA data
atapiscsi0 at pciide0 channel 1
scsibus0 at atapiscsi0: 2 targets
scsibus0 targ 0 lun 0: <MITSUMI, CD-ROM FX400D !B, B07> SCSI0 5/cdrom
removable not configured
pciide0: channel 1 interrupting at irq 15
atapiscsi0(pciide0:1:0): using PIO mode 3
"ATI Technologies Mach64 GX" rev 0x01 at pci0 dev 8 function 0 not
isa0 at pcib0
isadma0 at isa0
we0 at isa0 port 0x280/32 iomem 0xd0000/16384 irq 3: WD8013WC (16-bit)
we0: address 00:00:c0:ba:97:58
we1 at isa0 port 0x300/32 iomem 0xcc000/16384 irq 10: WD8013WC (16-bit)
we1: address 00:00:c0:7f:7e:7a
pcppi0 at isa0 port 0x61
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
vt0 at isa0 port 0x60/16 irq 1: generic VGA, 80 col, color, 8 scr,
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask c040 netmask c448 ttymask c4ca
pctr: 586-class performance counters and user-level cycle counter
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
IP Filter: initialized.  Default = pass all, Logging = enabled

Interface setup:
sorrento# more /etc/hostname.we0
inet NONE 

sorrento# more /etc/hostname.we1
inet NONE

Boot configuration:
sorrento# cat /etc/rc.conf
#!/bin/sh -
#       $OpenBSD: rc.conf,v 1.40 1999/10/17 00:58:02 millert Exp $

# set these to "NO" to turn them off.  otherwise, they're used as flags
routed_flags=NO         # for normal use: "-q"
mrouted_flags=NO        # for normal use: "", if activated
                        # be sure to enable multicast_router below.
rarpd_flags=NO          # for normal use: "-a"
bootparamd_flags=NO     # for normal use: ""
rbootd_flags=NO         # for normal use: ""
sendmail_flags="-q10m"  # for normal use: "-bd -q30m"
smtpfwdd_flags=NO       # for normal use: "", and no "-bd" above.
named_flags=""          # for normal use: ""
timed_flags=NO          # for normal use: ""
photurisd_flags=NO      # for normal use: ""
isakmpd_flags=NO        # for normal use: ""
mopd_flags=NO           # for normal use: "-a"
httpd_flags=""          # for normal use: "" (or "-DSSL" after reading
apmd_flags=NO           # for normal use: ""
dhcpd_flags="-q"        # for normal use: "-q"

# Set to NO if ftpd is running out of inetd
ftpd_flags=NO           # for non-inetd use: "-D"

# On some architectures, you must also disable console getty in
xdm_flags=NO            # for normal use: ""

# set the following to "YES" to turn them on
kerberos_server=NO      # kerberos server. run 'info kth-krb' for
kerberos_slave=NO       # kerberos slave server.
ipnat=YES               # for "YES" ipfilter must also be "YES"
portmap=YES             # almost always needed
inetd=YES               # almost always needed
lpd=NO                  # printing daemons
check_quotas=YES        # NO may be desireable in some YP environments
sshd=YES                # run sshd if it exists
ntpd=YES                # run ntpd if it exists
afs=NO                  # mount and run afs

# Multicast routing configuration
# Please look at /etc/netstart for a detailed description if you change
multicast_host=NO       # Route all multicast packets to a single
multicast_router=NO     # A multicast routing daemon will be run, e.g.

# miscellaneous other flags
# only used if the appropriate server is marked YES above
ypserv_flags=                   # E.g. -1 for YP v1, -d for DNS etc
yppasswdd_flags=                # "-d /etc/yp" if passwd files are in
nfsd_flags="-tun 4"             # Crank the 4 for a busy NFS fileserver
nfsiod_flags="-n 4"             # Crank the 4 for a busy NFS client
amd_dir=/tmp_mnt                # AMD's mount directory
amd_master=/etc/amd/master      # AMD 'master' map
ipfilter_rules=/etc/ipf.rules   # Rules for IP packet filtering
ipnat_rules=/etc/ipnat.rules    # Rules for Network Address Translation
ipmon_flags=-Ds                 # To disable logging, use ipmon_flags=NO
syslogd_flags=                  # add more flags, ie. "-u -a
named_user=named                # Named should not run as root unless
named_chroot=/var/named         # Where to chroot named if not empty
afs_mount_point=/afs            # Mountpoint for AFS
afs_device=/dev/xfs0            # Device used by afsd
afsd_flags=-z                   # Flags passed to afsd
shlib_dirs=                     # extra directories for ldconfig

Firewall rules:
sorrento# more /etc/ipf.rules
#       $OpenBSD: ipf.rules,v 1.6 1997/11/04 08:39:32 deraadt Exp $
# IP filtering rules.  See the ipf(5) man page for more
# information on the format of this file, and /usr/share/ipf
# for example configuration files.
# Pass all packets by default.
# edit the ipfilter= line in /etc/rc.conf to enable IP filtering
pass in from any to any
pass out from any to any

IP NAT rules:
sorrento# more /etc/ipnat.rules
# Example NAT Rules
# Scenario: Two network interfaces; one connected to internal
# network, other connected externally to the Internet. Suppose the
# interface is named ep1 and the external interface is named xl0. The
# following mapping will provide the internal network with Internet
# connectivity for tcp/udp traffic (note the ep1 name is not used;
# its network address is used):
map we0 -> we1/32 portmap tcp/udp 10000:60000

# map all tcp connections from network 10 to the address of the first
# interface (which can be dynamically assigned prior to use of ipnat)
#map ppp0 -> ppp0/32 portmap tcp/udp 10000:20000

# map all tcp connections from network 10 into addresses of network
#map ppp0 -> portmap tcp/udp 10000:60000

# map all tcp connections from to, changing the
# port number to something between 10,000 and 20,000 inclusive.  For all
# IP packets, allocate an IP # between and,
# for each new user.
#map ed1 -> portmap tcp 10000:20000
#map ed1 ->
# Redirection is triggered for input packets.
# For example, to redirect FTP connections through this box, to the
local ftp
# port, forcing them to connect through a proxy, you would use:
#rdr we0 port ftp -> port ftp

Looking at the inside interface, things seem to be OK:

sorrento# tcpdump -i we0 host
tcpdump: listening on we0
12:29:33.622364 > sorrento-gw.gtran.com.domain: 1+
12:29:33.623426 sorrento-gw.gtran.com.domain > 1
1/2/2 (132)
12:29:33.642341 > hermes.pwebtech.com.telnet: S
2750363:2750363(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
12:29:33.642662 > hermes.pwebtech.com.telnet: S
2750363:2750363(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
12:29:36.624659 > hermes.pwebtech.com.telnet: S
2750363:2750363(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
12:29:36.625014 > hermes.pwebtech.com.telnet: S
2750363:2750363(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
503 packets received by filter
0 packets dropped by kernel

But when I look at the outside interface, it seems like no NAT is being
done. The inside packets are coming out as is:

sorrento# tcpdump -i we1 host
tcpdump: listening on we1
12:35:27.319798 > hermes.pwebtech.com.telnet: S
3101154:3101154(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
12:35:27.319917 > hermes.pwebtech.com.telnet: S
3101154:3101154(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)

What's going on here? I've poked and prodded and looked at all of
the docs I could find, yet as far as I can tell this setup should
work. I also heard a rumour that ipnat and VPN won't play together.
Is this true?

Larry Gadallah                                     larry_(_at_)_gtran_(_dot_)_com
GTran, San Diego                               (858) 458-6888 x124
Key fingerprint = D6 79 5D 9D 41 27 74 03  68 FD D7 F3 86 68 EB A5