NetBSD Problem Report #48920

From www@NetBSD.org  Wed Jun 18 07:56:02 2014
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 481EBA5D59
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 18 Jun 2014 07:56:02 +0000 (UTC)
Message-Id: <20140618075600.F0E17A653F@mollari.NetBSD.org>
Date: Wed, 18 Jun 2014 07:56:00 +0000 (UTC)
From: gergely@egervary.hu
Reply-To: gergely@egervary.hu
To: gnats-bugs@NetBSD.org
Subject: ipfilter: source routing does not work with NAT
X-Send-Pr-Version: www-1.0

>Number:         48920
>Category:       kern
>Synopsis:       ipfilter: source routing does not work with NAT
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 18 08:00:00 +0000 2014
>Originator:     Gergely EGERVARY
>Release:        NetBSD 6.1.4
>Organization:
>Environment:
NetBSD galileo.poli.hu 6.1.4 NetBSD 6.1.4 (GALILEO) #0: Thu May  1 14:00:54 CEST 2014  root@venus.poli.hu:/usr/src/sys/arch/amd64/compile/GALILEO amd64
>Description:
Typical dual-wan scenario: gateway with 3 interfaces:

WAN #1: interface: vlan12 ip: 193.225.174.65 netmask: 0xffffffc0 next-hop: 193.225.174.126
WAN #2: interface: vlan14 ip: 195.199.157.49 netmask: 0xfffffff8 next-hop: 195.199.157.54
internal LAN: interface: vlan10 ip: 10.0.0.1 netmask 0xff000000

Internal LAN needs NAT on both WAN connections. ipnat.conf:

# LAN -> WAN #1
map vlan12 10.0.0.0/8 -> 193.225.174.65/32 proxy port 21 ftp/tcp
map vlan12 10.0.0.0/8 -> 193.225.174.65/32 portmap tcp/udp 25000:30000
map vlan12 10.0.0.0/8 -> 193.225.174.65/32

# LAN -> WAN #2
map vlan14 10.0.0.0/8  -> 195.199.157.49/32 proxy port 21 ftp/tcp
map vlan14 10.0.0.0/8  -> 195.199.157.49/32 portmap tcp/udp 20000:25000
map vlan14 10.0.0.0/8  -> 195.199.157.49/32

Default route is set to 193.225.174.126 - all outgoing traffic is on WAN #1 by default.

With this ipfilter rule, I expect matching traffic should go on WAN #2 instead:

pass out quick on vlan12 to vlan14:195.199.157.54 from 10.0.0.13 to 195.70.49.210

ICMP works good, 10.0.0.13 can ping 195.70.49.210 via WAN #2, ICMP-based traceroute (mtr) shows correct route. That's all - TCP and UDP is not working.

With this less-specific ipfilter rule, all traffic to 195.70.49.210 should go on WAN #2:

pass out quick on vlan12 to vlan14:195.199.157.54 from any to 195.70.49.210

This works good on the gateway - there's no NAT required there - but does not work on internal network - only ICMP passes, see above.

For testing purposes, all other ipfilter rules are flushed - all packets are allowed to pass.

>How-To-Repeat:
Get a second wan connection...

>Fix:

Home	PR Database Search