NetBSD Problem Report #48920

From  Wed Jun 18 07:56:02 2014
Date: Wed, 18 Jun 2014 07:56:00 +0000 (UTC)
Subject: ipfilter: source routing does not work with NAT
X-Send-Pr-Version: www-1.0

>Number:         48920
>Category:       kern
>Synopsis:       ipfilter: source routing does not work with NAT
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 18 08:00:00 +0000 2014
>Originator:     Gergely EGERVARY
>Release:        NetBSD 6.1.4
>Environment:
NetBSD 6.1.4 NetBSD 6.1.4 (GALILEO) #0: Thu May  1 14:00:54 CEST 2014 amd64
>Description:
Typical dual-wan scenario: gateway with 3 interfaces:

WAN #1: interface: vlan12 ip: netmask: 0xffffffc0 next-hop:
WAN #2: interface: vlan14 ip: netmask: 0xfffffff8 next-hop:
internal LAN: interface: vlan10 ip: netmask 0xff000000

Internal LAN needs NAT on both WAN connections. ipnat.conf:

# LAN -> WAN #1
map vlan12 -> proxy port 21 ftp/tcp
map vlan12 -> portmap tcp/udp 25000:30000
map vlan12 ->

# LAN -> WAN #2
map vlan14  -> proxy port 21 ftp/tcp
map vlan14  -> portmap tcp/udp 20000:25000
map vlan14  ->

Default route is set to - all outgoing traffic is on WAN #1 by default.

With this ipfilter rule, I expect matching traffic to go out on WAN #2 instead:

pass out quick on vlan12 to vlan14: from to

ICMP works well: I can ping via WAN #2, and ICMP-based traceroute (mtr) shows the correct route. That's all, though - TCP and UDP are not working.

With this less-specific ipfilter rule, all traffic to should go on WAN #2:

pass out quick on vlan12 to vlan14: from any to

This works well on the gateway - there's no NAT required there - but does not work from the internal network: only ICMP passes, see above.

For testing purposes, all other ipfilter rules are flushed - all packets are allowed to pass.

>How-To-Repeat:
Get a second wan connection...
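As an added illustration (not part of the PR, and not ipfilter code), the following Python model shows what the ipnat map rules and the ipf "to" rule above are intended to do together: pick the egress interface from the first matching "to" rule, then apply the first map on that interface that covers the packet. It assumes first-match semantics for both rule sets, uses constructed RFC 5737 addresses in place of the ones elided from the report, and the `expected_path` helper is hypothetical; comparing its answer for a TCP flow with what tcpdump shows leaving vlan14 separates a rule gap from the kernel behaviour reported here.

```python
import ipaddress
import re

# Constructed sample rules modelled on the PR's ipnat.conf and ipf "to" rule;
# RFC 5737 documentation addresses stand in for the addresses elided in the PR.
IPNAT_CONF = """
map vlan12 10.0.0.0/8 -> 198.51.100.10/32 proxy port 21 ftp/tcp
map vlan12 10.0.0.0/8 -> 198.51.100.10/32 portmap tcp/udp 25000:30000
map vlan12 10.0.0.0/8 -> 198.51.100.10/32
map vlan14 10.0.0.0/8 -> 203.0.113.10/32 proxy port 21 ftp/tcp
map vlan14 10.0.0.0/8 -> 203.0.113.10/32 portmap tcp/udp 20000:25000
map vlan14 10.0.0.0/8 -> 203.0.113.10/32
"""
IPF_CONF = "pass out quick on vlan12 to vlan14:203.0.113.1 from 10.0.0.0/8 to 192.0.2.0/24"
DEFAULT_IFACE = "vlan12"  # the default route points at WAN #1

MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s*(.*)$")
TO_RE = re.compile(r"^pass out quick on (\S+) to (\S+):(\S+) from (\S+) to (\S+)$")

def net(spec):
    """'any' matches everything; otherwise a CIDR or bare host address."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def parse(text, regex):
    return [m.groups() for m in map(regex.match, text.strip().splitlines()) if m]

def map_applies(opts, proto, dport):
    """Which packets an ipnat map line covers, judged from its trailing options."""
    if "proxy" in opts:      # 'proxy port 21 ftp/tcp' -> only tcp to port 21
        return proto == "tcp" and dport == int(opts[opts.index("port") + 1])
    if "portmap" in opts:    # 'portmap tcp/udp lo:hi' -> only the listed protocols
        return proto in opts[opts.index("portmap") + 1].split("/")
    return True              # bare map: everything else

def expected_path(src, dst, proto, dport, maps, routes):
    """Return (egress iface, NAT address) the rules *intend* for one packet (hypothetical helper)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = DEFAULT_IFACE
    for on, out, _nexthop, srcnet, dstnet in routes:
        if on == DEFAULT_IFACE and s in net(srcnet) and d in net(dstnet):
            egress = out          # first matching 'to' rule wins (quick)
            break
    for iface, srcnet, natdst, opts in maps:
        if iface == egress and s in net(srcnet) and map_applies(opts.split(), proto, dport):
            return egress, natdst.split("/")[0]   # first matching map on that interface
    return egress, None           # would leave un-NATed: a rule gap, not a kernel bug

MAPS = parse(IPNAT_CONF, MAP_RE)
ROUTES = parse(IPF_CONF, TO_RE)
```

If the model says a LAN TCP flow should leave vlan14 rewritten to the WAN #2 address but a capture on vlan14 shows it leaving with the LAN source (or not leaving at all), the rules are consistent and the discrepancy lies in how the kernel orders policy routing and NAT.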

