Wednesday, July 03, 2024

Packet filter can't NAT devices 2 hops away?

Greetings,

I'm trying to get packet filter to provide NAT for a group of routers I
set up as follows:

R1 <--> Internet
10.1/16
^
|
veb12
|
R2 <--veb23--> R3 <--veb35--> R5 10.5/16
10.2/16        10.3/16
 ^              ^
  \            /
 veb24        /
    \       veb34
     \      /
      > R4 <
      10.4/16

At R1, I have this packet filter rule to perform NAT on packets going to the
Internet:

match out on egress from !(egress:network) to any nat-to (egress:0)

When I run $ ping 1.1.1.1 from R2, packets are successfully NAT'd to the
public IP address, and ping works.

However, when I run $ ping 1.1.1.1 from any other node (R3, R4, or R5), the
packets are sent to R1 but not properly NAT'd. Here is what I see when I run
tcpdump on the egress interface:

host# tcpdump -ne -i em1 'host 1.1.1.1'
tcpdump: listening on em1, link-type EN10MB
14:34:25.531207 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 1.1.1.1: icmp: echo request
14:34:26.549336 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 1.1.1.1: icmp: echo request
14:34:27.549307 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 1.1.1.1: icmp: echo request
14:34:28.549275 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 1.1.1.1: icmp: echo request

The ping from node R5 is properly routed to R1, and is being sent out the
egress interface, but for some reason, R1 is not properly performing NAT. NAT
seems only to work for devices directly connected to R1.

I don't believe the issue is with routing, but in case it helps, here are the relevant routing tables:

Routing tables

Internet:
Destination          Gateway             Flags  Refs     Use     Mtu  Prio Iface
default              104.167.241.193     UGS      11  4606309      -     8 em1
224/4                127.0.0.1           URS       0      175  32768     8 lo0
10/8                 10.2.1.1            UGS       0        5      -     8 vport11
10.1/16              10.1.2.1            UCn       0        0      -     4 vport11
10.1.2.1             fe:e1:ba:dc:65:83   UHLl      0       13      -     1 vport11
10.1.255.255         10.1.2.1            UHb       0        0      -     1 vport11
10.2.1.1             e8:8b:21:21:21:21   UHLch     1      347      -     7 vport11
10.2.1.1             link#154            UHCS      1        0      -     8 vport11
104.167.241.192/26   104.167.241.211     UCn       2  1412997      -     4 em1
104.167.241.193      ac:1f:6b:fe:ca:98   UHLch     1   669180      -     3 em1
104.167.241.210      8a:2c:1c:4a:15:f4   UHLc      0  1412439      -     3 em1
104.167.241.211      00:25:90:5a:2d:92   UHLl      0   766416      -     1 em1
104.167.241.255      104.167.241.211     UHb       0   449707      -     1 em1
127/8                127.0.0.1           UGRS      0        0  32768     8 lo0
127.0.0.1            127.0.0.1           UHhl      2  1707666  32768     1 lo0

--
jrmu
IRCNow (https://ircnow.org)
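An added check, not part of jrmu's post: it parses tcpdump -ne lines like the capture above and flags every packet that left the egress interface with an RFC1918 source, which is exactly what a working nat-to rule should never let through. The egress address 104.167.241.211 is taken from the routing table; the fifth capture line is constructed to show a correctly translated packet.

```python
"""Scan tcpdump -ne output from an egress interface for packets whose source
address is still RFC1918, i.e. traffic the nat-to rule did not rewrite."""
import ipaddress
import re

# The four captured lines from the post, plus one constructed line that was
# rewritten to the public address (104.167.241.211, from the routing table).
SAMPLE_CAPTURE = """\
14:34:25.531207 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 1.1.1.1: icmp: echo request
14:34:26.549336 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 1.1.1.1: icmp: echo request
14:34:27.549307 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 1.1.1.1: icmp: echo request
14:34:28.549275 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 1.1.1.1: icmp: echo request
14:34:29.100000 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 104.167.241.211 > 1.1.1.1: icmp: echo request
"""

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump -ne IPv4 line: ts src-mac dst-mac 0800 len: src > dst: ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>\S+) (?P<dmac>\S+) 0800 \d+: "
    r"(?P<src>\S+) > (?P<dst>\S+?):")

def strip_port(field):
    """tcpdump prints 'a.b.c.d.port' for TCP/UDP; drop the trailing port."""
    parts = field.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else field

def parse_line(line):
    """Return {'ts', 'src', 'dst'} for an IPv4 line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": strip_port(m["src"]), "dst": strip_port(m["dst"])}

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def find_nat_leaks(capture, egress_addr):
    """Packets that left egress with a private source instead of egress_addr."""
    leaks = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["src"] != egress_addr and is_private(pkt["src"]):
            leaks.append(pkt)
    return leaks

def leak_summary(capture, egress_addr):
    """Count leaked packets per untranslated source, e.g. {'10.5.3.1': 4}."""
    counts = {}
    for pkt in find_nat_leaks(capture, egress_addr):
        counts[pkt["src"]] = counts.get(pkt["src"], 0) + 1
    return counts

if __name__ == "__main__":
    for src, n in leak_summary(SAMPLE_CAPTURE, "104.167.241.211").items():
        print(f"{src}: {n} packet(s) left egress without translation")
```

Run it against a live capture with `tcpdump -ne -i em1 -l | python3 script.py` style piping by reading stdin instead of SAMPLE_CAPTURE; any non-empty summary means the nat-to rule is not matching some path.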
