NetBSD Problem Report #48920
From www@NetBSD.org Wed Jun 18 07:56:02 2014
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 481EBA5D59
for <gnats-bugs@gnats.NetBSD.org>; Wed, 18 Jun 2014 07:56:02 +0000 (UTC)
Message-Id: <20140618075600.F0E17A653F@mollari.NetBSD.org>
Date: Wed, 18 Jun 2014 07:56:00 +0000 (UTC)
From: gergely@egervary.hu
Reply-To: gergely@egervary.hu
To: gnats-bugs@NetBSD.org
Subject: ipfilter: source routing does not work with NAT
X-Send-Pr-Version: www-1.0
>Number: 48920
>Category: kern
>Synopsis: ipfilter: source routing does not work with NAT
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jun 18 08:00:00 +0000 2014
>Originator: Gergely EGERVARY
>Release: NetBSD 6.1.4
>Organization:
>Environment:
NetBSD galileo.poli.hu 6.1.4 NetBSD 6.1.4 (GALILEO) #0: Thu May 1 14:00:54 CEST 2014 root@venus.poli.hu:/usr/src/sys/arch/amd64/compile/GALILEO amd64
>Description:
Typical dual-wan scenario: gateway with 3 interfaces:
WAN #1: interface: vlan12 ip: 193.225.174.65 netmask: 0xffffffc0 next-hop: 193.225.174.126
WAN #2: interface: vlan14 ip: 195.199.157.49 netmask: 0xfffffff8 next-hop: 195.199.157.54
internal LAN: interface: vlan10 ip: 10.0.0.1 netmask: 0xff000000
Internal LAN needs NAT on both WAN connections. ipnat.conf:
# LAN -> WAN #1
map vlan12 10.0.0.0/8 -> 193.225.174.65/32 proxy port 21 ftp/tcp
map vlan12 10.0.0.0/8 -> 193.225.174.65/32 portmap tcp/udp 25000:30000
map vlan12 10.0.0.0/8 -> 193.225.174.65/32
# LAN -> WAN #2
map vlan14 10.0.0.0/8 -> 195.199.157.49/32 proxy port 21 ftp/tcp
map vlan14 10.0.0.0/8 -> 195.199.157.49/32 portmap tcp/udp 20000:25000
map vlan14 10.0.0.0/8 -> 195.199.157.49/32
Default route is set to 193.225.174.126 - all outgoing traffic is on WAN #1 by default.
With this ipfilter rule, I expect matching traffic to go out on WAN #2 instead:
pass out quick on vlan12 to vlan14:195.199.157.54 from 10.0.0.13 to 195.70.49.210
ICMP works well: 10.0.0.13 can ping 195.70.49.210 via WAN #2, and ICMP-based traceroute (mtr) shows the correct route. That's all - TCP and UDP are not working.
With this less-specific ipfilter rule, all traffic to 195.70.49.210 should go on WAN #2:
pass out quick on vlan12 to vlan14:195.199.157.54 from any to 195.70.49.210
This works well on the gateway - there's no NAT required there - but does not work on the internal network - only ICMP passes, see above.
For testing purposes, all other ipfilter rules are flushed - all packets are allowed to pass.
>How-To-Repeat:
Get a second WAN connection...
>Fix:
(Contact us)
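As an added illustration (not part of the PR and not ipfilter's own code), a small Python model of the configuration above: it parses the ipnat map lines and the reroute rule, and for one packet reports the NAT translation available on the default-route interface versus on the interface the `to` rule selects. It models rule matching only; which translation ipfilter actually applies to rerouted packets is exactly what the report leaves open, and the model assumes a single default route on vlan12.

```python
import ipaddress
import re

# Configuration from the PR. The two plain map lines are enough for address
# matching; the proxy/portmap variants translate to the same outer address.
IPNAT_CONF = """\
map vlan12 10.0.0.0/8 -> 193.225.174.65/32
map vlan14 10.0.0.0/8 -> 195.199.157.49/32
"""
RULE_HOST = "pass out quick on vlan12 to vlan14:195.199.157.54 from 10.0.0.13 to 195.70.49.210"
RULE_ANY = "pass out quick on vlan12 to vlan14:195.199.157.54 from any to 195.70.49.210"
DEFAULT_IFACE = "vlan12"  # assumption: default route via 193.225.174.126 on WAN #1

MAP_RE = re.compile(r"^map (\S+) (\S+) -> (\S+)")
PASS_RE = re.compile(r"^pass out quick on (\S+) to (\S+):(\S+) from (\S+) to (\S+)$")

def parse_maps(conf):
    """Return (interface, inner network, outer network) for every map line."""
    maps = []
    for line in conf.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            maps.append((m.group(1), ipaddress.ip_network(m.group(2)), ipaddress.ip_network(m.group(3))))
    return maps

def host_matches(spec, addr):
    """'any' or a host/network spec from an ipf rule matched against an address."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def egress_iface(rule, src, dst):
    """Rule's 'to' interface when src/dst match, else the default-route interface."""
    m = PASS_RE.match(rule)
    if m and host_matches(m.group(4), src) and host_matches(m.group(5), dst):
        return m.group(2)
    return DEFAULT_IFACE

def nat_source_on(maps, iface, src):
    """Translated source the first matching map gives on iface, or None."""
    for m_iface, inner, outer in maps:
        if m_iface == iface and ipaddress.ip_address(src) in inner:
            return str(outer.network_address)
    return None

def check(src, dst, rule=RULE_HOST):
    """Both candidate translations: on the routed interface and on the rule's."""
    maps = parse_maps(IPNAT_CONF)
    egress = egress_iface(rule, src, dst)
    return {"routed_iface": DEFAULT_IFACE, "egress_iface": egress,
            "nat_on_routed": nat_source_on(maps, DEFAULT_IFACE, src),
            "nat_on_egress": nat_source_on(maps, egress, src)}
```

For the reported packet the model returns vlan12/193.225.174.65 on the routed side and vlan14/195.199.157.49 on the rerouted side, which is the mismatch to look for when comparing captures on the two WAN interfaces.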