IP-NAT (Internet Protocol-Network Address Translation) allows the routing of a fake IP network over a real one (the Internet). This means that with one IP from your Internet Provider, you can connect multiple computers to the Internet by creating a fake internal IP Network, and routing the data through a computer which has IP-NAT and is connected to the real internet.
What about firewall capability?
IP-NAT also serves as a firewall from the real internet, because, since the other computers on your LAN have a fake IP address, there is no way people can access them. However, if one had an account on your "gateway" machine, they could log into your gateway machine, and subsequently log into one of the other computers on your network.
Are there other functions that do the same thing?
IP-NAT serves the same function as IP-MASQ (which is Linux's name for IP-NAT), Vicom TCP Gateway (a commercial MacOS utility) or IPNet Router (another commercial product for MacOS).
How can you get one computer on a real IP network and a fake IP network at the same time with the same IP address?
Essentially, your gateway computer has TWO IP's, one which the real internet can access, and one which the other computers on your fake internal network can access. The difference between the two IP's is the interface they are on (e.g. whether PPP or Ethernet).
RFC 1918 (an Internet standard) reserves the following networks as "internal", so they can be used for your fake IP addresses. Although you could probably get away with using a real IP address, it would confuse people when troubleshooting your setup. These addresses are:
from 10.0.0.0 to 10.255.255.255
from 172.16.0.0 to 172.16.255.255
from 192.168.0.0 to 192.168.255.255
Step One: You will need to determine whether your computer is running NetBSD-1.2 or NetBSD-1.3. This can be done by running uname -a. NetBSD-1.2 GENERIC kernels do *not* have IPFILTER compiled into the kernel, whereas any of the NetBSD 1.3 (whether ALPHA, BETA, or final) GENERIC kernels do.
Consult the kernel compiling HOW-TO if you are a die-hard 1.2-er and want to add IPFILTER to your custom kernel. As you might have guessed, IPFILTER is necessary to get IP-NAT working.
NEW (5/31/98): See end of document for ipnat bug
Step Two: Edit /etc/rc.conf and change the line
ipfilter=NO # uses /etc/ipf.conf
to
ipfilter=YES # uses /etc/ipf.conf
This will turn on ipfiltering at startup. IPFilter allows firewalling of data going *out* of your internal LAN; its setup will not be discussed here (not yet, but it seems relevant enough to add later).
Step Three: Create an /etc/ipf.conf by running touch /etc/ipf.conf. ipf needs to be running for IP-NAT to run, and creating a blank configuration file for ipf passes no arguments to IPF, so it firewalls none of the data going out of your LAN to the real internet. However, if this step isn't taken, ipf will complain of not having a configuration file, and immediately quit.
Step Four: Create an /etc/netstart.local (or append this to the end if you have one already), and add this:
if [ -f /etc/ipnat.conf ]; then
echo 'starting IP network address translation (ipnat)...';
/usr/sbin/ipnat -f /etc/ipnat.conf
fi
This will allow your computer to start IP-NAT when /etc/netstart is run, or at normal startups.
Step Five: In /etc/ipnat.conf, I only have the following line:
map ppp0 10.0.2.0/24 -> 0.0.0.0/32 portmap tcp/udp 10000:40000
IPs are 32-bit numbers, consisting of four 8-bit parts. The first address, 10.0.2.0/24, will route any information from 10.0.2.*, i.e. from IP's whose first 24 bits are 10.0.2. The second, 0.0.0.0/32, signifies the current IP address to route over. 0.0.0.0/32 is necessary for dynamic addresses, because the IP changes every time the ppp link (which is ideally the "real internet") goes down. If you have a static IP address, you can use 192.54.36.72 or whatever yours is, and since you only want one IP address to route over, a /32 must be added so that the NetBSD box matches all 32 bits of that IP number, i.e. a single IP address.
The tcp/udp 10000:40000 indicates that the source port number of outgoing TCP and UDP packets is changed to a port between 10000 and 40000, inclusive. Unless you know what you're doing, use these values.
The ICMP protocol does not work properly across two different IP networks, namely the internet and the LAN. This means that it won't work from inside-out or outside-in. Pinging an IP on the LAN from the real internet will not be possible, because the remote computer does not know where 10.*.*.* is, and routers on the internet will usually discard such packets, because they have been configured to treat 10.* networks as internal and not to route them. If the internal LAN addresses were not part of the RFC-defined "internal networks", then anyone pinging "your" IP would actually be pinging the IP of a computer on the real internet that has that address (i.e. ping 192.54.36.72 will not be pinging a computer on your internal LAN, but a real computer on the real internet). To sum it up, IP-NAT doesn't support the fake routing of ICMP, and neither does ICMP.
ppp0 is given as the usual interface name for a ppp link. If you have a cable modem you wish to route data over, be sure to use the correct device name (the cable modem and your LAN will both be using Ethernet, so you will need two Ethernet cards in your machine!) and replace the device name (most likely either ae0 or ae1).
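To make the map rule above concrete, here is a small added model (not part of this document or of the ipnat code) of what that one line asks the gateway to do: match sources in 10.0.2.0/24, rewrite them to the interface's current address (0.0.0.0/32) with a fresh source port from 10000:40000, and map replies back. The gateway address and the sample packets are constructed for illustration.

```python
import ipaddress
import re
# The map rule quoted on this page (/etc/ipnat.conf, Step Five).
RULE = "map ppp0 10.0.2.0/24 -> 0.0.0.0/32 portmap tcp/udp 10000:40000"

RULE_RE = re.compile(
    r"map\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+portmap\s+(\S+)\s+(\d+):(\d+)$")

def parse_map_rule(line):
    """Split a 'map IF INSIDE -> OUTSIDE portmap PROTOS LO:HI' rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported ipnat rule: %r" % line)
    ifname, inside, outside, protos, lo, hi = m.groups()
    return {"if": ifname,
            "inside": ipaddress.ip_network(inside, strict=False),
            "outside": ipaddress.ip_network(outside, strict=False),
            "protos": protos.split("/"),
            "ports": (int(lo), int(hi))}

class Translator:
    """Toy model of outbound source translation for one map rule."""
    def __init__(self, rule, if_addr):
        self.rule = parse_map_rule(rule)
        out = self.rule["outside"].network_address
        # 0.0.0.0/32 means: use whatever address the interface has now.
        self.out_addr = if_addr if str(out) == "0.0.0.0" else str(out)
        self.next_port = self.rule["ports"][0]
        self.fwd = {}   # (proto, inside ip, inside port) -> public port
        self.rev = {}   # (proto, public port) -> (inside ip, inside port)

    def outbound(self, proto, src_ip, src_port):
        """Translated (ip, port) for a packet leaving the LAN, or None."""
        if proto not in self.rule["protos"]:
            return None            # e.g. icmp: not listed, so not mapped
        if ipaddress.ip_address(src_ip) not in self.rule["inside"]:
            return None            # not in 10.0.2.0/24: rule does not apply
        key = (proto, src_ip, src_port)
        if key not in self.fwd:
            if self.next_port > self.rule["ports"][1]:
                raise RuntimeError("portmap range exhausted")
            self.fwd[key] = self.next_port
            self.rev[(proto, self.next_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.out_addr, self.fwd[key])

    def inbound(self, proto, dst_port):
        """Inside (ip, port) a reply to the public port belongs to, or None."""
        return self.rev.get((proto, dst_port))
```

Swapping 0.0.0.0/32 for 192.54.36.72/32 in RULE makes the model use that static address instead of the interface address, which is the static-IP case described above.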
Step Six: Since /etc/netstart.local is run at multi-user bootup, the machine must be rebooted, or shut down into single user, and then brought back up in multi-user again. The former can be done by
shutdown -r now
and the latter can be done by
shutdown now
followed by
exit
at the single-user prompt.
friction:~# netstat -i
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
ae0 1500 <Link> 00:00:94:20:1c:39 2391316 0 1166091 0 33
ae0 1500 10 friction 2391316 0 1166091 0 33
ppp0 1500 <Link> 1578399 165 1666592 199 0
ppp0 1500 209.61.76 p25.tc5.metro.MA. 1578399 165 1666592 199 0
ppp1* 1500 <Link> 0 0 0 0 0
lo0 32976 <Link> 227655 0 227655 0 0
lo0 32976 your-net localhost.tiac.ne 227655 0 227655 0 0
sl0* 296 <Link> 0 0 0 0 0
friction:~#
As you can see, my machine belongs to two different subnets, 10.0.0.0 on ae0 (and on that network, the name of the machine is "friction") and 209.61.76.0 on ppp0 (on which the machine is named "p25.tc5.metro.MA.tiac.com", or my dynamically assigned IP). The kernel now auto-magically routes data between the two interfaces.
Might I add that you want to put defaultroute in your /etc/ppp/options to make data on your gateway box route over the real internet, and not the fake network.
Update (added 5/31/98): There appears to be some problem with the ipnat code in the 1.3 and 1.3.1 distributions of the kernel. This problem has been fixed in -current. The problem causes the NetBSD system to crash when ~3 or more systems are added to the internal network. A patchfile is available here, and a patched 1.3.1 GENERIC#0 kernel is available here. Note that IPNAT will work with GENERIC kernels, just not as reliably. Thanks to Scott Reynolds for locating the patch.
Common Problem: Be sure to set your ftp client to use passive transfer, or ftp'ing will not work. Consult your ftp client's documentation for information on how to do this.