From: Eliezer Croitoru <eliezer@ngtech.co.il>
To: netfilter@vger.kernel.org
Cc: freebsd-net@freebsd.org
Subject: Re: Issues with MASQUARDE and FreeBSD router.
Date: Thu, 27 Aug 2015 10:56:44 +0300
Message-ID: <55DEC2BC.8030800@ngtech.co.il>
In-Reply-To: <55DDEA51.8010902@ngtech.co.il>

I added a filter rule to iptables with an INVALID reject match and any 
packet that is being passed through the FreeBSD router is being marked by 
iptables as INVALID.
An example for an INVALID packet:
http://ngtech.co.il/nat_issue/proxy2.pcap

Eliezer

On 26/08/2015 21:24, Eliezer Croitoru wrote:
> Hey lists,
>
> I had a similar issue in the past but now I have found the combination
> which results in the issue.
> My topology is between two KVM hosts.
> Server is on KVM1 ip address 192.168.10.1/24
> Another whole network on the KVM2.
> And the traffic is:
> client 192.168.11.2/24 --> R1 - 192.168.11.254/24
> R1 192.168.15.1/24 --> R2(NAT SERVER) 192.168.15.254/24
> R3 eth4 NATed(masquerade) 192.168.10.179/24 --> Server 192.168.10.1/24
>
> The above is what is supposed to happen and the reality is that
> 192.168.10.1 receives a packet but from 192.168.11.2.
>
> I can reproduce the issue successfully replacing the R1 server from a
> Linux box to a FreeBSD 10.1 box. (FreeBSD causes the issue)
> The routers I have used are:
> CentOS 7
> VYOS 1.6
>
> It is the same for both and I can reproduce the issue successfully.
>
> I have also tested the R1 replaced with:
> VYOS 1.7
> CENTOS 7
> DEBIAN 8
> vSRX
> FreeBSD 4.11 with e1000 card, works fine.
> FreeBSD 10.1(amd64) with e1000 card, works fine.
> *FreeBSD 10.1(amd64) with virtio card, have an issue.*
>
> Now I am trying to figure out if it's a netfilter issue or FreeBSD
> virtio driver issue and if so what might be the direction to make this
> issue fixed.
>
> Tcpdump captures on the NAT router of different packets and sessions are
> here:
> http://ngtech.co.il/nat_issue/
>
> If the issue is probably with the FreeBSD virtio drivers why would the
> MASQUERADE pass the packet to the destination server?
>
> Thanks,
> Eliezer
>
>
>
