Date: Mon, 30 Nov 2020 16:21:50 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Cc: "Alexander V. Chernikov" <melifaro@freebsd.org>, "Andrey V. Elsukov" <ae@FreeBSD.org>
Subject: Re: ipfw nat bug
Message-ID: <ff27b182-de36-f383-fc19-6c306e182af5@grosbein.net>
In-Reply-To: <4c530439-32fe-0e67-ad1a-faafe0cfbeb9@grosbein.net>
References: <4c530439-32fe-0e67-ad1a-faafe0cfbeb9@grosbein.net>
30.11.2020 16:10, Eugene Grosbein wrote:
> Hi!
>
> It seems I'm facing a bug in NAT44 ipfw nat/libalias implementation.
>
> Suppose we have a LAN 192.168.0.0/24 and two WAN channels with public IP addresses
> and internal server 192.168.0.100 that serves connection to the port 5060, both TCP and UDP,
> so we configure redirects:
>
> nat 1 config if vlan1 reset same_ports \
> redirect_port tcp 192.168.0.100:5060 5060 \
> redirect_port udp 192.168.0.100:5060 5060
>
> Same for nat 2 and vlan 2. And it works just fine.
>
> Then, this server 192.168.0.100 makes *outgoing* connection to external host A and udp port 5060,
to destination port 5060 and uses *source* port 5060, too
> same_ports keeps outgoing port 5060 and it works fine, too.

same_ports keeps *source* port 5060 for outgoing aliasing state

> Now, this server 192.168.0.100 makes second outgoing UDP connection over same WAN
> to different external IP address using same NAT instance.
>
> The source port gets changed to dynamic one and here we have a problem:
> incoming UDP response is NOT translated with a rule:
>
> nat 1 ip from any to any in recv vlan1
>
> So, this UDP packet is not delivered to 192.168.0.100 but local delivery is performed
> resulting in ICMP port unreachable.
>
> 16:06:23.232792 IP X.X.X.X.60949 > Y.Y.Y.Y.5060: SIP: OPTIONS sip:AAA@BBB SIP/2.0
> 16:06:23.249020 IP Y.Y.Y.Y.5060 > X.X.X.X.60949: SIP: SIP/2.0 200 OK
> 16:06:23.249062 IP X.X.X.X > Y.Y.Y.Y: ICMP X.X.X.X udp port 60949 unreachable, length 36
>
> Two questions: is it right that dynamic port is used for second connection to different host
> and how do I fix this?
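A small detection script, added here as an example and not part of the thread, that scans tcpdump output for the symptom described above: the NAT box answering an inbound UDP reply with ICMP port unreachable on a port it had itself just used as the outbound alias port, which is what an untranslated reply looks like on the wire. The addresses in the sample are constructed (RFC 5737 documentation ranges) in place of X.X.X.X and Y.Y.Y.Y; the function and variable names are mine.

```python
import re

# Constructed sample in tcpdump's default text format, modelled on the three lines
# quoted in the post plus one healthy flow for contrast.
# 198.51.100.1 plays the NAT box (X.X.X.X), 203.0.113.x the remote SIP peers (Y.Y.Y.Y).
SAMPLE = """\
16:06:23.232792 IP 198.51.100.1.60949 > 203.0.113.5.5060: SIP: OPTIONS sip:AAA@BBB SIP/2.0
16:06:23.249020 IP 203.0.113.5.5060 > 198.51.100.1.60949: SIP: SIP/2.0 200 OK
16:06:23.249062 IP 198.51.100.1 > 203.0.113.5: ICMP 198.51.100.1 udp port 60949 unreachable, length 36
16:06:24.000000 IP 198.51.100.1.5060 > 203.0.113.9.5060: SIP: OPTIONS sip:AAA@BBB SIP/2.0
16:06:24.010000 IP 203.0.113.9.5060 > 198.51.100.1.5060: SIP: SIP/2.0 200 OK
"""

# "ts IP a.b.c.d.sport > e.f.g.h.dport: ..." (UDP/TCP line)
UDP_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ")
# "ts IP a.b.c.d > e.f.g.h: ICMP a.b.c.d udp port N unreachable" (ICMP line)
ICMP_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP \S+ udp port (\d+) unreachable")


def find_untranslated_replies(text, nat_ip):
    """Return (alias_port, remote_ip, remote_port) for every outbound UDP flow of nat_ip
    whose reply the NAT box later rejected with ICMP port unreachable, i.e. the reply
    was delivered locally instead of being translated back to the internal host."""
    outbound = []   # (alias_port, remote_ip, remote_port) tuples seen leaving nat_ip
    findings = []
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m:
            _, src, sport, dst, dport = m.groups()
            if src == nat_ip:
                outbound.append((sport, dst, dport))
            continue
        m = ICMP_RE.match(line)
        if m and m.group(2) == nat_ip:
            _, _, remote, port = m.groups()
            # The NAT box itself says "udp port <alias port> unreachable" to a peer it
            # had sent a request to from that port: the reply was not translated.
            for key in outbound:
                if key[0] == port and key[1] == remote and key not in findings:
                    findings.append(key)
    return findings


if __name__ == "__main__":
    for alias_port, remote, rport in find_untranslated_replies(SAMPLE, "198.51.100.1"):
        print(f"untranslated reply: {remote}:{rport} -> alias port {alias_port}")
```

Run it against `tcpdump -n -i vlan1 udp or icmp` output captured on the WAN interface to confirm which alias ports are affected.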