
Re: Newbie NAT difficulties



"Jake L. Wegman" wrote:
<snip> 
>         Would you have any insight as to why it was not routing correctly
> using my /29 network?  

Well, um, mostly because it is wrong... 8-)

>The packets were going out and hitting the
> destination, but nothing was coming back to the originating client.
> 
>         In fact, I'm back at the office and tried the following with
> success...
> 
> /etc/ipnat.rules
> map dc0 10.0.0.0/24 -> 209.163.32.126/32 portmap tcp/udp 10000:60000
> map dc0 10.0.0.0/24 -> 209.163.32.126/32
> 
> Perhaps it was inappropriate to use 209.163.32.126/29 as the item to be
> mapped to...?  (using the entire network had mapped the address to MY
> network gateway - so yes, that does appear to be incorrect.)

Absolutely.
The reason /32 worked there and /29 did not is because /32 is right,
and /29 is not.

Look at what the rule is stating:
Map stuff from the 10.0.0.0 to a PARTICULAR IP: 209.163.32.126 (i.e.,
/32) NOT to a random (or even calculated) spot on a subnet!  If you used
the same subnet, (i.e., /24), it could mean 1:1 NAT.  Or something.
Not sure, don't have reason to look it up at the moment. 8-)
 
> Bottom line, use /32 to map to a single IP...  The documentation is vague for
> a newbie such as myself...
 
Uh, nowhere does the FAQ show anything other than a /32 on the
destination side of a mapping statement.  In fact, the FAQ
documentation is darned good:

"
"24.5.0.5/32" 
     This IP address and netmask state the IP address that the LAN IP
addresses will be mapped to. /32 means one single IP address.  You can
also map to a /24, or 256 IP addresses (or a /27, or whatever number
of bits you'd like)!! This is useful if you have several thousand
client machines behind your NAT.... (Of course, this is only useful if
that /24 is being routed to your OpenBSD box!) 
"
http://www.openbsd.org/faq/faq6.html#6.3

However, I will grant this is a common error.  People don't
understand the significance of subnet masks. IPNAT doesn't give a
rat's rear about the size of the subnet the destination IP is in, it
cares where to send and get data...which in this case is a single IP,
which is a /32.  That said, I think I have made this mistake when my
brain falls into the mode of typing without thinking about what I am
really saying.

Nick.
-- 
http://www.holland-consulting.net/
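The /32-versus-/29 point above can be checked mechanically before the rules are loaded. The following lint script is an added example, not part of the thread, the OpenBSD FAQ or IPFilter itself. It assumes the `map <iface> <src>/<bits> -> <dst>/<bits> [portmap tcp/udp lo:hi]` syntax seen in the quoted ipnat.rules, skips every other rule type, and does not model how ipnat selects an address out of a multi-address destination; it only reports which addresses a given destination mask makes eligible, which is the part that went wrong for the /29 rule. The sample rules file is constructed from the two working rules in the post plus the /29 variant.

```python
"""Lint ipnat 'map' rules for destination masks that name a block instead
of a single public address (the /32-vs-/29 mistake from the thread).

Added example, not ipnat's own code. Assumed rule syntax:
    map <iface> <src>/<bits> -> <dst>/<bits> [portmap tcp/udp lo:hi]
ipnat's address-selection algorithm for multi-address destinations is
not modelled; only the set of eligible addresses is reported.
"""
import ipaddress
import re

# Constructed sample: the two /32 rules the poster reported as working,
# plus the /29 form that did not.
SAMPLE_RULES = """\
# /etc/ipnat.rules  (constructed sample for this example)
map dc0 10.0.0.0/24 -> 209.163.32.126/32 portmap tcp/udp 10000:60000
map dc0 10.0.0.0/24 -> 209.163.32.126/32
map dc0 10.0.0.0/24 -> 209.163.32.126/29 portmap tcp/udp 10000:60000
"""

MAP_RE = re.compile(
    r"^map\s+(?P<iface>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+portmap\s+(?P<proto>\S+)\s+(?P<lo>\d+):(?P<hi>\d+))?\s*$"
)


def parse_map_rules(text):
    """Parse the 'map' rules in an ipnat.rules file; other rule types are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line.startswith("map "):
            continue
        m = MAP_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised map rule: {line!r}")
        rules.append({
            "line": lineno,
            "iface": m["iface"],
            # strict=False accepts a network written with host bits set.
            "src": ipaddress.ip_network(m["src"], strict=False),
            # ip_interface keeps both the host that was typed and its mask,
            # so we can show the difference between the two.
            "dst": ipaddress.ip_interface(m["dst"]),
            "portmap": (m["proto"], int(m["lo"]), int(m["hi"])) if m["proto"] else None,
        })
    return rules


def eligible_addresses(rule):
    """Addresses the destination mask lets ipnat translate to.

    /32 names exactly one address. A wider mask names the whole enclosing
    block, not the host that was typed: 209.163.32.126/29 is the block
    209.163.32.120 through 209.163.32.127.
    """
    return list(rule["dst"].network)


def check_rule(rule):
    """Return (ok, message) for one parsed map rule."""
    dst = rule["dst"]
    if rule["portmap"] is not None:
        _proto, lo, hi = rule["portmap"]
        if not (1 <= lo < hi <= 65535):
            return False, f"line {rule['line']}: bad portmap range {lo}:{hi}"
    if dst.network.prefixlen == 32:
        return True, (f"line {rule['line']}: maps {rule['src']} to the single "
                      f"address {dst.ip}")
    eligible = eligible_addresses(rule)
    return False, (
        f"line {rule['line']}: {dst} is a block of {len(eligible)} addresses "
        f"({eligible[0]}-{eligible[-1]}), not the host {dst.ip}; ipnat may pick "
        f"any of them as the new source. Use {dst.ip}/32 for one public address."
    )


def check_rules(text):
    """Lint every map rule in an ipnat.rules text; returns a list of (ok, message)."""
    return [check_rule(r) for r in parse_map_rules(text)]


if __name__ == "__main__":
    for ok, msg in check_rules(SAMPLE_RULES):
        print(("OK   " if ok else "WARN ") + msg)
```

Run against the sample, the two /32 rules pass and the /29 rule is flagged as a block of eight addresses, 209.163.32.120 through .127, which is why traffic ended up sourced from an address that was not the box's own.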