ipfw nat bug

Eugene Grosbein eugen at grosbein.net
Mon Nov 30 09:22:12 UTC 2020


30.11.2020 16:10, Eugene Grosbein wrote:

> Hi!
> 
> It seems I'm facing a bug in NAT44 ipfw nat/libalias implementation.
> 
> Suppose we have a LAN 192.168.0.0/24 and two WAN channels with public IP addresses
> and an internal server 192.168.0.100 that serves connections on port 5060, both TCP and UDP,
> so we configure redirects:
> 
> nat 1 config if vlan1 reset same_ports \
>   redirect_port tcp 192.168.0.100:5060 5060 \
>   redirect_port udp 192.168.0.100:5060 5060
> 
> Same for nat 2 and vlan 2. And it works just fine.
> 
> Then, this server 192.168.0.100 makes an *outgoing* connection to external host A on UDP port 5060,

to destination port 5060 and uses *source* port 5060, too

> same_ports keeps outgoing port 5060 and it works fine, too.

same_ports keeps *source* port 5060 for outgoing aliasing state

> Now, this server 192.168.0.100 makes second outgoing UDP connection over same WAN
> to different external IP address using same NAT instance.
> 
> The source port gets changed to a dynamic one, and here we have a problem:
> incoming UDP response is NOT translated with a rule:
> 
> nat 1 ip from any to any in recv vlan1
> 
> So, this UDP packet is not delivered to 192.168.0.100 but local delivery is performed
> resulting in ICMP port unreachable.
> 
> 16:06:23.232792 IP X.X.X.X.60949 > Y.Y.Y.Y.5060: SIP: OPTIONS sip:AAA at BBB SIP/2.0
> 16:06:23.249020 IP Y.Y.Y.Y.5060 > X.X.X.X.60949: SIP: SIP/2.0 200 OK
> 16:06:23.249062 IP X.X.X.X > Y.Y.Y.Y: ICMP X.X.X.X udp port 60949 unreachable, length 36
> 
> Two questions: is it right that a dynamic port is used for the second connection to a different host,
> and how do I fix this?
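A small diagnostic script, added here and not part of the original mail or of ipfw/libalias, that reads tcpdump output in the format quoted above and flags the symptom described: an inbound UDP reply to a port the NAT box itself used as the outbound (alias) port, followed by an ICMP port unreachable emitted by the NAT box, which means the reply was delivered locally instead of being translated back to the LAN host. The sample capture and the Z.Z.Z.Z peer are constructed; X.X.X.X is assumed to be the WAN address of the NAT box.

```python
import re

# Constructed sample in the tcpdump format quoted in the report. The first
# three lines reproduce the failing exchange; the last two are an added,
# healthy exchange (reply translated, no ICMP) for contrast.
SAMPLE = """\
16:06:23.232792 IP X.X.X.X.60949 > Y.Y.Y.Y.5060: SIP: OPTIONS sip:AAA at BBB SIP/2.0
16:06:23.249020 IP Y.Y.Y.Y.5060 > X.X.X.X.60949: SIP: SIP/2.0 200 OK
16:06:23.249062 IP X.X.X.X > Y.Y.Y.Y: ICMP X.X.X.X udp port 60949 unreachable, length 36
16:06:24.000000 IP X.X.X.X.5060 > Z.Z.Z.Z.5060: SIP: OPTIONS sip:AAA at BBB SIP/2.0
16:06:24.010000 IP Z.Z.Z.Z.5060 > X.X.X.X.5060: SIP: SIP/2.0 200 OK
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: ..." for UDP/TCP lines
UDP_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): ")
# "<ts> IP <src> > <dst>: ICMP <host> udp port <port> unreachable"
ICMP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable")


def find_nat_misses(text, wan_ip):
    """Return (timestamp, wan_port, peer_ip) for each outbound UDP flow from
    wan_ip whose reply arrived and was then answered by wan_ip itself with
    ICMP port unreachable, i.e. the inbound nat rule did not translate it."""
    outbound = set()   # (alias port, peer) pairs seen leaving the NAT box
    replied = set()    # pairs for which the peer's reply was captured
    misses = []
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m:
            _ts, src, sport, dst, dport = m.groups()
            if src == wan_ip:
                outbound.add((sport, dst))
            elif dst == wan_ip and (dport, src) in outbound:
                replied.add((dport, src))
            continue
        m = ICMP_RE.match(line)
        if m:
            ts, src, dst, port = m.groups()
            # Only an unreachable that refers to a reply to our own outbound
            # flow counts; a stale flow whose state timed out would also
            # produce one, so inspect timestamps when in doubt.
            if src == wan_ip and (port, dst) in replied:
                misses.append((ts, int(port), dst))
    return misses


if __name__ == "__main__":
    for ts, port, peer in find_nat_misses(SAMPLE, "X.X.X.X"):
        print(f"{ts}: reply from {peer} to alias port {port} not translated")
```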
