Date: Thu, 27 Aug 2015 10:56:44 +0300
From: Eliezer Croitoru <eliezer@ngtech.co.il>
To: netfilter@vger.kernel.org
Cc: freebsd-net@freebsd.org
Subject: Re: Issues with MASQUARDE and FreeBSD router.
Message-ID: <55DEC2BC.8030800@ngtech.co.il>
In-Reply-To: <55DDEA51.8010902@ngtech.co.il>
References: <55DDEA51.8010902@ngtech.co.il>
I added a filter rule to iptables with an INVALID reject match, and any packet that is being passed through the FreeBSD router is being marked by iptables as INVALID.

An example of an INVALID packet:
http://ngtech.co.il/nat_issue/proxy2.pcap

Eliezer

On 26/08/2015 21:24, Eliezer Croitoru wrote:
> Hey lists,
>
> I had a similar issue in the past but now I have found the combination
> which results in the issue.
> My topology is between two KVM hosts.
> Server is on KVM1 ip address 192.168.10.1/24
> Another whole network on the KVM2.
> And the traffic is:
> client 192.168.11.2/24 --> R1 - 192.168.11.254/24
> R1 192.168.15.1/24 --> R2(NAT SERVER) 192.168.15.254/24
> R3 eth4 NATed(masquerade) 192.168.10.179/24 --> Server 192.168.10.1/24
>
> The above is what is supposed to happen and the reality is that
> 192.168.10.1 receives a packet but from 192.168.11.2.
>
> I can reproduce the issue successfully replacing the R1 server from a
> Linux box to a FreeBSD 10.1 box. (FreeBSD causes the issue)
> The routers I have used are:
> CentOS 7
> VYOS 1.6
>
> It is the same for both and I can reproduce the issue successfully.
>
> I have also tested the R1 replaced with:
> VYOS 1.7
> CENTOS 7
> DEBIAN 8
> vSRX
> FreeBSD 4.11 with e1000 card, works fine.
> FreeBSD 10.1(amd64) with e1000 card, works fine.
> *FreeBSD 10.1(amd64) with virtio card, has an issue.*
>
> Now I am trying to figure out if it's a netfilter issue or FreeBSD
> virtio driver issue and if so what might be the direction to make this
> issue fixed.
>
> Tcpdump captures on the NAT router of different packets and sessions are
> here:
> http://ngtech.co.il/nat_issue/
>
> If the issue is probably with the FreeBSD virtio drivers why would the
> MASQUERADE pass the packet to the destination server?
>
> Thanks,
> Eliezer
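An added example, not part of the original message: a Python check over `tcpdump -nn` text lines taken on the NAT router's outside interface, flagging packets that reached the server subnet with their inside source address intact, which is the symptom reported above. The sample lines are constructed from the addresses in the message, and the function and variable names are hypothetical.

```python
import ipaddress
import re

# Address part of a `tcpdump -nn` IPv4 line; ports are optional (ICMP has none).
LINE_RE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:"
)

def find_unnatted(lines, outside_net, inside_nets):
    """Return (src, dst, line) for packets headed to the outside subnet whose
    source is still an inside address, i.e. MASQUERADE was not applied."""
    outside = ipaddress.ip_network(outside_net)
    inside = [ipaddress.ip_network(n) for n in inside_nets]
    leaks = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, IPv6 or truncated line: nothing to compare
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(3))
        if dst in outside and src not in outside and any(src in n for n in inside):
            leaks.append((str(src), str(dst), line))
    return leaks

# Constructed sample capture (not taken from the linked pcap files).
SAMPLE = [
    "10:00:00.000001 IP 192.168.10.179.40112 > 192.168.10.1.80: Flags [S], seq 100, win 29200, length 0",
    "10:00:00.000450 IP 192.168.10.1.80 > 192.168.10.179.40112: Flags [S.], seq 500, ack 101, win 28960, length 0",
    "10:00:01.000002 IP 192.168.11.2.51514 > 192.168.10.1.80: Flags [S], seq 200, win 65535, length 0",
    "10:00:01.500000 ARP, Request who-has 192.168.10.1 tell 192.168.10.179, length 28",
    "10:00:02.000003 IP 192.168.11.2 > 192.168.10.1: ICMP echo request, id 1, seq 1, length 64",
]

# Subnets from the topology in the message: server side, then client and transit.
OUTSIDE = "192.168.10.0/24"
INSIDE = ["192.168.11.0/24", "192.168.15.0/24"]

if __name__ == "__main__":
    for src, dst, line in find_unnatted(SAMPLE, OUTSIDE, INSIDE):
        print(f"un-NATed packet {src} -> {dst}: {line}")
```
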