NAT/DNS question/recommendation?

Tom Huppi thuppi at huppi.com
Wed Jan 19 10:55:41 PST 2005

On Wed, 19 Jan 2005, Erik Norgaard wrote:

> Tom Huppi wrote:
> > I have a FreeBSD 5.3 workstation connected to the net via user-ppp
> > with a dynamic IP.  I have user-ppp doing both NAT and simple
> > firewall.
> >
> > I have a headless server box, also 5.3, set up as a NAT client.
> > I run it only when I need the horsepower since it's loud and sucks
> > power.
> >
> > My problem is that the NAT client acts funny.  It makes the
> > gateway/workstation box dial up when I attempt to automount from
> > it for example.  Also I've had troubles with ssh delays.  I'm
> > pretty sure that what is happening is that it wants to use DNS to
> > resolve names sometime even though all that it needs _should_ be
> > in the /etc/hosts file (and nsswitch.conf lists files first.)
> >
> > On the NAT client, I have my defaultrouter set to the NAT server's
> > IP (in the 172.16 range.)  Also I have my ISP's dns server in
> > /etc/resolv.conf.  I can't seem to make things work well any other
> > way.
> >
> > Can someone recommend a better setup to avoid my problems, or
> > suggest that I should _not_ be having these problems with this
> > setup and that something else in my setup must be wrong?
> >
> > A long, long time ago, I set up a caching-only DNS server on a
> > gateway box 'for the fun of it.' If there is not a simpler
> > solution, I'll do it again (though the fun has worn off), but I
> > thought I'd ask here first.
> >
> > BTW, I have done some research on this, but really didn't find
> > that many specific details about NAT client
> > configuration...possibly I just didn't look hard enough.
>
> Maybe you are searching for the wrong keywords. I simply haven't heard
> of anyone speak of a "NAT client" or "NAT Server" before.

I mean one runs NAT, and the other uses it.  I've searched various
things and have run into subtle references which seem related to
my problem (like 'gethostbyname' isn't even supposed to consult
/etc/hosts), but nothing specific.

> Secondly you haven't told us anything about how things are setup: Are
> you using ipfw, ipf or pf? What are your nat-rules? what are your filter
> rules?

I think I did mention that the firewall and NAT are as implemented
in user-PPP.  I could post my rule-set, but it would take a good
bit of space.  Clearly DNS requests from 'the-machine-using-NAT-
but-not-running-it' are dialbound-accept (either that, or
user-ppp's firewall is broken.)  That is not to say I know these
rules are correct, and in fact I had played around with this
aspect of the rules earlier to try to avoid spurious dials
associated with a windows 'machine-using-NAT', but unless there is
a known mechanism associated with the rules which would cause the
unhappiness I'm experiencing, it seems a waste of space.

BTW, it does seem that when the user-ppp daemon is shut down
completely, these delays _don't_ exist, and the problem is
similarly non-noticeable when the connection is actually
established (in spite of the fact that, obviously, my local
hostnames are not known to the global internet.)

If someone knows, for instance, that DNS requests from
'the-machine-not-running-NAT-but-using-it' will quickly and
silently give up _or_ revert to files upon hitting a
dialbound-blocked rule, I can certainly make it so.  Obviously I
don't want to block DNS requests from the
'machine-not-running-NAT'.

> You are trying to automount what? nfs, smbfs?

NFS.  (unix <-> unix)

> ssh delays? did you try to type in the ip to see if it was faster?

Yup.  No change.  I should have mentioned that for sure.

> I think I get the picture of your network but sometimes it helps a lot
> if you sketch the network with an ascii-diagram, add ip's etc.

             - 172...20
 ip-by-ppp  |  - 172...8
       |    | |
 net <-> gw <-> srvr
  |      |         |
info,   u-ppp,     dfrtr:isp's dns server
porn,   w/fw       /etc/hosts: ....8  srvr.made-up-dom srvr
trash,  w/nat.                 ...20  gw.made-up-dom gw
etc.    defrt set  /e/nsswitch.conf: files dns
         by uppp.
        no ipv6    ipv6 (and 4)

I just realized that I am setting 'defaultdomain' in the server's
/etc/rc.conf in spite of the fact that I'm not currently running
NIS in my local network.  I'll try getting rid of that to see if
it helps.

BTW, here's the salient part of a tcpdump on the tun0 interface
when I ssh from 'gw' to 'srvr':

 10:32:36.698042 IP gila.62914 > king.dialoregon.net.domain:
    63948+ PTR? 20.0.16.172.in-addr.arpa. (42)
 10:32:36.990638 IP king.dialoregon.net.domain > gila.62914:
    63948 NXDomain 0/1/0 (119)

So 'srvr' is looking up 'gw's IP when it _thinks_ there is access
to a DNS server.  That's what I thought.  Question is, 'how to
make it stop?'

Here's my /etc/hosts:
-------
::1                     localhost localhost.huppih.com
127.0.0.1               localhost localhost.huppih.com

172.16.0.8              gila.huppih.com gila
172.16.0.20             agama.huppih.com agama
---------
and I have tried various permutations of this on both machines
(specifically, the additional 'name.dom.com.' entry which seems to
exist on a CD installation of the OS.)  The domain 'huppih.com' is
fabricated.

Just knowing that someone has a similar setup and it works would
be of significant help since it would tell me if there even is a
solution.  Else, and also very good would be to know that it's an
intractable problem with the tools I use.

Thanks,

 - Tom
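An added diagnostic, not part of Tom's post or of any FreeBSD tool he names: it reads an /etc/hosts the way a files-first gethostbyaddr() does (first field is the address, the rest are names) and flags PTR queries seen on the link for addresses that file already covers, which with `nsswitch.conf` set to `files dns` should never reach the ISP's resolver. The hosts and tcpdump text are constructed copies of what the post shows, with one extra query for an address not in the file.

```python
"""Flag reverse lookups that went to DNS although /etc/hosts could answer them."""
import ipaddress
import re

# Constructed /etc/hosts, copied from the post (domain is fabricated there too).
HOSTS_TEXT = """\
::1                     localhost localhost.huppih.com
127.0.0.1               localhost localhost.huppih.com

172.16.0.8              gila.huppih.com gila
172.16.0.20             agama.huppih.com agama
"""

# Constructed tcpdump lines in the format shown in the post; the last one is an
# added query for a documentation address that is not in the hosts file.
TCPDUMP_TEXT = """\
10:32:36.698042 IP gila.62914 > king.dialoregon.net.domain: 63948+ PTR? 20.0.16.172.in-addr.arpa. (42)
10:32:36.990638 IP king.dialoregon.net.domain > gila.62914: 63948 NXDomain 0/1/0 (119)
10:32:40.000000 IP gila.62915 > king.dialoregon.net.domain: 63949+ PTR? 1.2.0.192.in-addr.arpa. (42)
"""

PTR_RE = re.compile(r"PTR\? ((?:\d{1,3}\.){4})in-addr\.arpa\.")


def parse_hosts(text):
    """Return {address: canonical name}. Only the first field of a line is an
    address; anything after it is a name or alias, so two entries run together
    on one line leave the second address unresolvable."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts entry
        table.setdefault(str(addr), fields[1])
    return table


def ptr_queries(text):
    """IPv4 addresses asked about in PTR queries (in-addr.arpa labels reversed)."""
    return [".".join(reversed(m.group(1).rstrip(".").split("."))) for m in PTR_RE.finditer(text)]


def leaked_lookups(hosts_text, tcpdump_text):
    """(address, name) for every PTR query whose answer was already in /etc/hosts."""
    table = parse_hosts(hosts_text)
    return [(ip, table[ip]) for ip in ptr_queries(tcpdump_text) if ip in table]


if __name__ == "__main__":
    for ip, name in leaked_lookups(HOSTS_TEXT, TCPDUMP_TEXT):
        print(f"PTR query for {ip} left the box although /etc/hosts maps it to {name}")
```

Run it against a real `tcpdump -i tun0 -n port 53` capture to separate lookups the resolver legitimately cannot satisfy locally from the ones that point at the hosts file or name-service order being ignored.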
