Subject: ipnat RDR doesn't work with multipath routing in KAME+NetBSD
To: None <port-i386@netbsd.org, tech-net@netbsd.org, ipfilter@coombs.anu.edu.au>
From: Alicia da Conceicao <alicia@cyberstation.ca>
List: tech-net
Date: 10/28/2001 13:00:05
Greetings:
I've recently downloaded the KAME+NetBSD-1.52 kernel snapshot 20011022
from "ftp://ftp.kame.net:pub/kame/snap/", and easily compiled a new
kernel with Kame's multipath routing support (options RADIX_MPATH).
With Kame's multipath routing support, I can have multiple default
routes through different interfaces at the same time that work
prefectly for incoming connections to daemon services running on it.
Unfortunately IPFilter's IPNAT RDR for port forwarding does not work
through *BOTH* external interfaces. Below is a copy of "netstat -nr":
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 231.231.231.1 UGS 2 2689 - ext1 =>
default 123.123.123.1 UGS 0 0 - ext0
127/8 127.0.0.1 UGRS 0 0 33228 lo0
127.0.0.1 127.0.0.1 UH 4 106 33228 lo0
123.123.123/24 link#2 UC 1 0 - ext0
123.123.123.123 127.0.0.1 UGHS 0 194 33228 lo0
231.231.231/24 link#3 UC 1 0 - ext1
231.231.231.231 127.0.0.1 UGHS 0 194 33228 lo0
192.168/24 link#1 UC 3 0 - int0
192.168.0.133 12:34:56:78:9a:bc UHLc 1 14 - int0
Note that ext0 & ext1 are my external interfaces, each with their own
default routes (gateways), and int0 is the internal interface to a
private lan.
ext0 (inet 123.123.123.123 netmask 0xffffff00 gate 123.123.123.1)
ext1 (inet 231.231.231.231 netmask 0xffffff00 gate 231.231.231.1)
int1 (inet 192.168.0.1 netmask 0xffffff00)
With a *BLANK* ipf.conf, and with an ipnat.conf configured to forward
incoming tcp connections to port 1234 onto the 192.168.0.133 internal
machine:
rdr ext0 123.123.123.123/32 port 1234 -> 192.168.0.133 port 1234 tcp
rdr ext1 231.231.231.231/32 port 1234 -> 192.168.0.133 port 1234 tcp
This RDR redirection works for arbitrary incoming tcp connections
to 231.231.231.231 port 1234, but does not work for 123.123.123.123
port 1234. Note that if this KAME+NetBSD server is running a web
server on tcp port 80, then incoming web connections work to both
123.123.123.123 & 231.231.231.231. In fact RDR only works for the
default external interface that is listed first in netstat, which
in this case is ext1, but can also be set to ext0.
Any ideas as to why RDR does not work for both external interfaces?
Note that my ipf.conf is blank with no keep state and no fast
routing.
Thank you in advance.
Sincerely,
Alicia.