From: Eliezer Croitoru
Date: Thu, 27 Aug 2015 10:56:44 +0300
Subject: Re: Issues with MASQUERADE and FreeBSD router.
To: netfilter@vger.kernel.org
Cc: freebsd-net@freebsd.org

I added a filter rule to iptables with an INVALID reject match, and any packet that is being passed through the FreeBSD router is being marked by iptables as INVALID.

An example of an INVALID packet:
http://ngtech.co.il/nat_issue/proxy2.pcap

Eliezer

On 26/08/2015 21:24, Eliezer Croitoru wrote:
> Hey lists,
>
> I had a similar issue in the past but now I have found the combination
> which results in the issue.
> My topology is between two KVM hosts.
> Server is on KVM1, IP address 192.168.10.1/24.
> Another whole network on the KVM2.
> And the traffic is:
> client 192.168.11.2/24 --> R1 - 192.168.11.254/24
> R1 192.168.15.1/24 --> R2(NAT SERVER) 192.168.15.254/24
> R3 eth4 NATed(masquerade) 192.168.10.179/24 --> Server 192.168.10.1/24
>
> The above is what is supposed to happen, and the reality is that
> 192.168.10.1 receives a packet but from 192.168.11.2.
>
> I can reproduce the issue successfully replacing the R1 server from a
> Linux box to a FreeBSD 10.1 box (FreeBSD causes the issue).
> The routers I have used are:
> CentOS 7
> VYOS 1.6
>
> It is the same for both and I can reproduce the issue successfully.
>
> I have also tested the R1 replaced with:
> VYOS 1.7
> CENTOS 7
> DEBIAN 8
> vSRX
> FreeBSD 4.11 with e1000 card, works fine.
> FreeBSD 10.1(amd64) with e1000 card, works fine.
> *FreeBSD 10.1(amd64) with virtio card, has an issue.*
>
> Now I am trying to figure out if it's a netfilter issue or a FreeBSD
> virtio driver issue, and if so what might be the direction to get this
> issue fixed.
>
> Tcpdump captures on the NAT router of different packets and sessions are
> here:
> http://ngtech.co.il/nat_issue/
>
> If the issue is probably with the FreeBSD virtio drivers, why would the
> MASQUERADE pass the packet to the destination server?
>
> Thanks,
> Eliezer
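The question at the end of the quoted message has a mechanical answer that the INVALID match in the reply is already circling: the nat table (and therefore MASQUERADE in nat/POSTROUTING) is consulted only for the first packet of a connection, the one conntrack classifies as NEW. A packet conntrack classifies as INVALID gets no conntrack entry and no NAT mapping, so unless the filter table drops it, it is forwarded unchanged and arrives at the server with its original 192.168.11.x source, which is exactly the symptom in the thread. The following is an added example, not a script from the thread or from any of the projects it names. It assumes (my assumptions, not the poster's) that the masquerading router is R2, that its upstream interface is eth4 and its client-facing interface eth0, and that the iptables and sysctl binaries can be overridden through $IPT and $SYSCTL so the rules can be previewed with IPT=echo before being installed.

```shell
#!/bin/sh
# Added example (not from the thread): show the NAT-only ruleset that lets
# conntrack-INVALID packets leak out un-NATed, and the corrected ruleset
# that logs and drops them in FORWARD before nat/POSTROUTING can be reached.
# Assumptions (mine): R2 is the masquerading router, WAN=eth4, LAN=eth0.
IPT="${IPT:-iptables}"        # set IPT=echo to dry-run
SYSCTL="${SYSCTL:-sysctl}"    # set SYSCTL=echo to dry-run
WAN="${WAN:-eth4}"
LAN="${LAN:-eth0}"

# Weak ruleset: NAT only. nat/POSTROUTING is evaluated only for packets in
# conntrack state NEW, so an INVALID packet is never masqueraded; with an
# ACCEPT policy in FORWARD it still leaves, carrying its private source.
rules_nat_only() {
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Corrected ruleset: classify in the filter table first. INVALID packets are
# logged (rate-limited) so their headers show up in the kernel log, then
# dropped; everything else must belong to a tracked connection.
rules_hardened() {
    $IPT -A FORWARD -m conntrack --ctstate INVALID \
        -m limit --limit 10/min -j LOG --log-prefix "CT-INVALID: "
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -i "$LAN" -o "$WAN" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -P FORWARD DROP
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Make conntrack say *why* it considers a TCP (protocol 6) packet invalid:
# bad checksum, out-of-window sequence number, no matching entry, and so on.
# The reasons appear in dmesg; 255 instead of 6 logs every protocol. The
# sysctl only exists once the nf_conntrack module is loaded.
enable_invalid_reason_logging() {
    $SYSCTL -w net.netfilter.nf_conntrack_log_invalid=6
}

usage() {
    echo "usage: $0 {nat-only|hardened}" >&2
}

main() {
    case "$1" in
        nat-only) rules_nat_only ;;
        hardened) rules_hardened && enable_invalid_reason_logging ;;
        *) usage ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `IPT=echo SYSCTL=echo sh nat-invalid.sh hardened` to preview the commands, then without the overrides to install them. Once the DROP rule is in place the server should stop seeing 192.168.11.2 directly, and the `nf_ct_proto_6` lines in dmesg say which check each packet fails. That reason is what separates the two hypotheses in the thread: a "bad checksum" reason points at the sending host (on a FreeBSD virtio guest, disabling transmit checksum and TSO offload on the vtnet interface with `ifconfig vtnet0 -txcsum -tso4` is a quick way to test that, offered here as a guess, not as the thread's conclusion), whereas a window-tracking reason would be a netfilter-side question, and `net.netfilter.nf_conntrack_tcp_be_liberal=1` can confirm it at the cost of looser TCP tracking.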