kern/48920: ipfilter: source routing does not work with NAT

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/48920: ipfilter: source routing does not work with NAT
From: gergely%egervary.hu@localhost
Date: Wed, 18 Jun 2014 08:00:00 +0000 (UTC)

>Number:         48920
>Category:       kern
>Synopsis:       ipfilter: source routing does not work with NAT
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 18 08:00:00 +0000 2014
>Originator:     Gergely EGERVARY
>Release:        NetBSD 6.1.4
>Organization:
>Environment:
NetBSD galileo.poli.hu 6.1.4 NetBSD 6.1.4 (GALILEO) #0: Thu May  1 14:00:54 
CEST 2014  root%venus.poli.hu@localhost:/usr/src/sys/arch/amd64/compile/GALILEO 
amd64
>Description:
Typical dual-wan scenario: gateway with 3 interfaces:

WAN #1: interface: vlan12 ip: 193.225.174.65 netmask: 0xffffffc0 next-hop: 
193.225.174.126
WAN #2: interface: vlan14 ip: 195.199.157.49 netmask: 0xfffffff8 next-hop: 
195.199.157.54
internal LAN: interface: vlan10 ip: 10.0.0.1 netmask 0xff000000

Internal LAN needs NAT on both WAN connections. ipnat.conf:

# LAN -> WAN #1
map vlan12 10.0.0.0/8 -> 193.225.174.65/32 proxy port 21 ftp/tcp
map vlan12 10.0.0.0/8 -> 193.225.174.65/32 portmap tcp/udp 25000:30000
map vlan12 10.0.0.0/8 -> 193.225.174.65/32

# LAN -> WAN #2
map vlan14 10.0.0.0/8  -> 195.199.157.49/32 proxy port 21 ftp/tcp
map vlan14 10.0.0.0/8  -> 195.199.157.49/32 portmap tcp/udp 20000:25000
map vlan14 10.0.0.0/8  -> 195.199.157.49/32

Default route is set to 193.225.174.126 - all outgoing traffic is on WAN #1 by 
default.

With this ipfilter rule, I expect matching traffic should go on WAN #2 instead:

pass out quick on vlan12 to vlan14:195.199.157.54 from 10.0.0.13 to 
195.70.49.210

ICMP works good, 10.0.0.13 can ping 195.70.49.210 via WAN #2, ICMP-based 
traceroute (mtr) shows correct route. That's all - TCP and UDP is not working.

With this less-specific ipfilter rule, all traffic to 195.70.49.210 should go 
on WAN #2:

pass out quick on vlan12 to vlan14:195.199.157.54 from any to 195.70.49.210

This works good on the gateway - there's no NAT required there - but does not 
work on internal network - only ICMP passes, see above.

For testing purposes, all other ipfilter rules are flushed - all packets are 
allowed to pass.

>How-To-Repeat:
Get a second wan connection...

>Fix:

Prev by Date: Re: lib/48881: /etc/hosts file parsing broken (since Aug 2013)
Next by Date: PR/48104 CVS commit: src/sys/net
Previous by Thread: Re: kern/48916 (OpenGL does not work with DRMKMS kernel and X.org intel driver)
Next by Thread: lib/48923: mkstemps(3)
Indexes:

Home | Main Index | Thread Index | Old Index