Date:      Mon, 30 Nov 2020 16:10:03 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Cc:        "Alexander V. Chernikov" <melifaro@freebsd.org>, "Andrey V. Elsukov" <ae@FreeBSD.org>
Subject:   ipfw nat bug
Message-ID:  <4c530439-32fe-0e67-ad1a-faafe0cfbeb9@grosbein.net>

Hi!

It seems I'm facing a bug in NAT44 ipfw nat/libalias implementation.

Suppose we have a LAN 192.168.0.0/24 and two WAN channels with public IP addresses,
and an internal server 192.168.0.100 that serves connections on port 5060, both TCP and UDP,
so we configure redirects:

nat 1 config if vlan1 reset same_ports \
  redirect_port tcp 192.168.0.100:5060 5060 \
  redirect_port udp 192.168.0.100:5060 5060

Same for nat 2 and vlan 2. And it works just fine.

Then, this server 192.168.0.100 makes an *outgoing* connection to external host A, UDP port 5060;
same_ports keeps the outgoing port 5060 and it works fine, too.

Now, this server 192.168.0.100 makes a second outgoing UDP connection over the same WAN
to a different external IP address using the same NAT instance.

The source port gets changed to a dynamic one and here we have a problem:
the incoming UDP response is NOT translated by the rule:

nat 1 ip from any to any in recv vlan1

So, this UDP packet is not delivered to 192.168.0.100; instead local delivery is performed,
resulting in an ICMP port unreachable.

16:06:23.232792 IP X.X.X.X.60949 > Y.Y.Y.Y.5060: SIP: OPTIONS sip:AAA@BBB SIP/2.0
16:06:23.249020 IP Y.Y.Y.Y.5060 > X.X.X.X.60949: SIP: SIP/2.0 200 OK
16:06:23.249062 IP X.X.X.X > Y.Y.Y.Y: ICMP X.X.X.X udp port 60949 unreachable, length 36

Two questions: is it right that a dynamic port is used for the second connection to a different host,
and how do I fix this?



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4c530439-32fe-0e67-ad1a-faafe0cfbeb9>
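Added example, not part of Eugene's message or of ipfw/libalias: a small Python script that scans tcpdump output for the exact symptom shown above, an outbound UDP packet from the NAT box's WAN address, a reply to that source port, and then an ICMP "udp port N unreachable" sent by the NAT box itself for that port. That triple is the signature of a reply the NAT did not translate back to the LAN host. The three sample lines are copied from the message (X.X.X.X and Y.Y.Y.Y are the message's placeholders); the WAN address to watch is passed in as an assumption, and the script does no time-window correlation, so on a long capture it should be run on a short slice around the failure.

```python
import re

# Constructed sample input: the three tcpdump lines from the message above.
# X.X.X.X is the NAT box's WAN address, Y.Y.Y.Y the external SIP peer.
SAMPLE = """\
16:06:23.232792 IP X.X.X.X.60949 > Y.Y.Y.Y.5060: SIP: OPTIONS sip:AAA@BBB SIP/2.0
16:06:23.249020 IP Y.Y.Y.Y.5060 > X.X.X.X.60949: SIP: SIP/2.0 200 OK
16:06:23.249062 IP X.X.X.X > Y.Y.Y.Y: ICMP X.X.X.X udp port 60949 unreachable, length 36
"""

# tcpdump prints "host.port > host.port:" for UDP/TCP; the host part may itself
# contain dots, so the port is taken as the last all-digit component.
UDP_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): ")
# "IP host > host: ICMP host udp port N unreachable" is the local-delivery failure.
ICMP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP (\S+) udp port (\d+) unreachable")


def find_untranslated_replies(text, wan_addr):
    """Return [(port, peer), ...] for every UDP flow where wan_addr sent from
    `port` to `peer`, `peer` answered to `port`, and wan_addr then replied with
    an ICMP port unreachable for that same port.  wan_addr is an assumption
    supplied by the caller (the NAT instance's public address)."""
    outbound = set()   # (port, peer) seen as wan_addr:port -> peer
    replied = set()    # (port, peer) seen as peer -> wan_addr:port
    flagged = []
    for line in text.splitlines():
        # Check the ICMP form first: with real addresses an ICMP line would also
        # satisfy UDP_RE (the last octet looks like a port).
        m = ICMP_RE.match(line)
        if m:
            _, src, dst, unreach_host, port = m.groups()
            key = (int(port), dst)
            if src == wan_addr and unreach_host == wan_addr and key in replied:
                flagged.append(key)
            continue
        m = UDP_RE.match(line)
        if m:
            _, src, sport, dst, dport = m.groups()
            if src == wan_addr:
                outbound.add((int(sport), dst))
            elif dst == wan_addr and (int(dport), src) in outbound:
                replied.add((int(dport), src))
    return flagged


if __name__ == "__main__":
    # Usage: tcpdump -ni vlan1 -l udp or icmp | python3 this_script.py
    # (reads stdin when piped; falls back to the embedded sample otherwise)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for port, peer in find_untranslated_replies(data, "X.X.X.X"):
        print(f"reply from {peer} to WAN port {port} was not translated by NAT")
```

A hit means the packet reached the box on the WAN interface but the alias table had no entry to map the port back, so the kernel treated it as local and answered with ICMP; seeing it for a dynamic port, but never for a same_ports flow, is the pattern the message describes.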