NAT/DNS question/recommendation?

Erik Norgaard norgaard at locolomo.org
Wed Jan 19 13:57:26 PST 2005


Tom Huppi wrote:

> I mean one runs NAT, and the other uses it.  I've searched various
> things and have run into subtle references which seem related to
> my problem (like 'gethostbyname' isn't even supposed to consult
> /etc/hosts), but nothing specific.

Yeah, I sort of guessed that, I was thinking that if you were googling 
then you should probably search for "freebsd gateway ppp nat". The 
common lingo is that your "NAT-server" is a gateway/firewall and the 
"NAT-client" is a host.

> I think I did mention that the firewall and NAT are as implemented
> in user-PPP.  I could post my rule-set, but it would take a good
> bit of space.  Clearly DNS requests from 'the-machine-using-NAT-
> but-not-running-it' are dialbound-accept (either that, or
> user-ppp's firewall is broken.)  That is not to say I know these
> rules are correct, and in fact I had played around with this
> aspect of the rules earlier to try to avoid spurious dials
> associated with a windows 'machine-using-NAT', but unless there is
> a known mechanism associated with the rules which would cause the
> unhappiness I'm experiencing, it seems a waste of space.

OK, let me say first that since I have a permanent connection I haven't 
messed much with ppp, but this doesn't seem to be your problem. The 
solutions I have heard of use a setup where the pppd (what-ya-call-it) 
will call up the ISP and start the firewall/nat. But fundamentally the 
firewall/nat is independent of the modem connection.

So, what do you use for firewall/nat? ipfw/ipf/pf? I think I can help 
you with ipf; if you use something else, then I'm sure someone with the 
knowledge you need can help you once they know what you are running.

While your filter rules might be long, the nat rules should be quite 
simple, and typically it's nat that causes problems, so please post that.

>>ssh delays? did you try to type in the ip to see if it was faster?
> 
> Yup.  No change.  I should have mentioned that for sure.

This is really important because this suggests that there is no problem 
with your resolv.conf or other named configuration files.

>>I think I get the picture of your network but sometimes it helps a lot
>>if you sketch the network with an ASCII diagram, add IPs etc.
> 
> 
>              - 172...20
>  ip-by-ppp  |  - 172...8
>        |    | |
>  net <-> gw <-> srvr
>   |      |         |
> info,   u-ppp,     dfrtr:isp's dns server
> porn,   w/fw       /etc/hosts: ....8  srvr.made-up-dom srvr
> trash,  w/nat.                 ...20  gw.made-up-dom gw
> etc.    defrt set  /e/nsswitch.conf: files dns
>          by uppp.
>         no ipv6    ipv6 (and 4)

Ah, I see, dfrtr is default router? It shouldn't be the isp but the 
internal ip of your gw. Otherwise you might get some strange behaviour 
(which you seem to have).

> I just realized that I am setting 'defaultdomain' in the server's
> /etc/rc.conf in spite of the fact that I'm not currently running
> NIS in my local network.  I'll try getting rid of that to see if
> it helps.

Note that the NIS domain and the DNS domain are _not_ the same. Setting your 
default domain in rc.conf sets the NIS default domain, and has 
absolutely nothing to do with DNS.

> BTW, here's the salient part of a tcpdump on the tun0 interface
> when I ssh from 'gw' to 'srvr':
> 
>  10:32:36.698042 IP gila.62914 > king.dialoregon.net.domain:
>     63948+ PTR? 20.0.16.172.in-addr.arpa. (42)
>  10:32:36.990638 IP king.dialoregon.net.domain > gila.62914:
>     63948 NXDomain 0/1/0 (119)

Ok, sorry, I'm used to snort output, but good idea: sniff and dump 
so you can see what happens in slow motion.

> So 'srvr' is looking up 'gw's IP when it _thinks_ there is access
> to a DNS server.  That's what I thought.  Question is, 'how to
> make it stop?'

> 
> Here's my /etc/hosts:
> -------
> ::1                     localhost localhost.huppih.com
> 127.0.0.1               localhost localhost.huppih.com
> 
> 172.16.0.8 gila.huppih.com gila 172.16.0.20 agama.huppih.com agama

Typo or copy/paste error? One ip per line. In the above 172.16.0.20 
becomes an alias for 172.16.0.8 (if it makes sense at all).

> Just knowing that someone has a similar setup and it works would
> be of significant help since it would tell me if there even is a
> solution.  Else, and also very good would be to know that it's an
> intractable problem with the tools I use.

I think that when you get to that point it's time to start clean and be 
systematic. Remove anything that might blur the picture, unneeded 
services and stuff.

Cheers, Erik

-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
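The two points in the reply above (one address per line in /etc/hosts, and the fact that srvr sends a PTR query for 172.16.0.20 to the ISP's DNS server whenever it is not answered locally) can be checked without touching the live box. The script below is an added example, not code from the thread or from FreeBSD: it parses a hosts file the way the libc resolver reads it (first field is the address, every following field is a name for that address), flags a second address pasted onto the same line, and simulates an nsswitch `hosts: files dns` reverse lookup to show which file layout answers from `files` and which one falls through to DNS. The two hosts-file contents are constructed copies of the posted file and of the corrected layout; the names `parse_hosts` and `reverse_lookup` are this example's own.

```python
"""Lint an /etc/hosts file and simulate a 'files dns' reverse lookup.

Added example, not part of the original mailing-list thread. It shows
why the single-line /etc/hosts posted in the thread makes 172.16.0.20
an alias of 172.16.0.8 instead of its own entry, and why the resolver
then has to ask the ISP's DNS server for 20.0.16.172.in-addr.arpa.
"""
import ipaddress

# Constructed copy of the /etc/hosts posted in the thread: two host
# entries collapsed onto one line.
BROKEN_HOSTS = """\
::1                     localhost localhost.huppih.com
127.0.0.1               localhost localhost.huppih.com

172.16.0.8 gila.huppih.com gila 172.16.0.20 agama.huppih.com agama
"""

# Same content with one address per line, as the reply recommends.
FIXED_HOSTS = """\
::1                     localhost localhost.huppih.com
127.0.0.1               localhost localhost.huppih.com

172.16.0.8  gila.huppih.com  gila
172.16.0.20 agama.huppih.com agama
"""


def _is_ip(token):
    """True if token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hosts(text):
    """Read hosts-file text the way the resolver does.

    Returns (entries, warnings): entries maps address -> list of names
    (the first name is the canonical one), warnings lists lines where
    an address shows up where a hostname was expected, i.e. two entries
    pasted onto one line. Comments and blank lines are ignored.
    """
    entries = {}
    warnings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        if not _is_ip(addr):
            warnings.append(f"line {lineno}: first field {addr!r} is not an address")
            continue
        for name in names:
            if _is_ip(name):
                warnings.append(
                    f"line {lineno}: {name} is read as a hostname and becomes an "
                    f"alias for {addr}; put each address on its own line")
        entries.setdefault(addr, []).extend(names)
    return entries, warnings


def reverse_lookup(entries, ip, dns_reachable=False):
    """Simulate nsswitch.conf 'hosts: files dns' for an address -> name lookup.

    Returns (source, name). 'files' means the hosts file answered and no
    packet leaves the box; 'dns' means a PTR query would go to the
    configured nameserver (and dial the link); 'none' means the query
    would time out, which is where the ssh login delay comes from.
    """
    names = entries.get(ip)
    if names:
        return "files", names[0]
    if dns_reachable:
        return "dns", None
    return "none", None


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_HOSTS), ("fixed", FIXED_HOSTS)):
        entries, warnings = parse_hosts(text)
        print(label, reverse_lookup(entries, "172.16.0.20"))
        for w in warnings:
            print("  warning:", w)
```

With the posted file, the lookup of 172.16.0.20 returns `('none', None)` while the link is down and `('dns', None)` once it is up, matching the PTR query seen in the tcpdump; with one address per line it returns `('files', 'agama.huppih.com')` and no query is sent at all.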

