Packet filter can't NAT devices 2 hops away?

Wed, 03 Jul 2024 12:44:47 -0700 

Greetings,

I'm trying to get packet filter to provide NAT for a group of routers I
set up as follows:

    R1 <--> Internet
  10.1/16
    ^
    |
   veb12
    |
    R2  <--veb23-->  R3 <--veb35--> R5 10.5/16
  10.2/16          10.3/16
     ^              ^
      \            /
     veb24        /
        \       veb34
         \      /
          > R4 <
          10.4/16

At R1, I have this packet filter rule to perform NAT on packets going to the
Internet:

match out on egress from !(egress:network) to any nat-to (egress:0)

When I run $ ping 1.1.1.1 from R2, packets are successfully NAT'd to the
public IP address, and ping works.

However, when I run $ ping 1.1.1.1 from any other node (R3, R4, or R5), the
packets are sent to R1 but not properly NAT'd. Here is what I see when I run
tcpdump on the egress interface:

host# tcpdump -ne -i em1 'host 1.1.1.1'
tcpdump: listening on em1, link-type EN10MB
14:34:25.531207 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 
1.1.1.1: icmp: echo request
14:34:26.549336 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 
1.1.1.1: icmp: echo request
14:34:27.549307 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 
1.1.1.1: icmp: echo request
14:34:28.549275 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > 
1.1.1.1: icmp: echo request

The ping from node R5 is properly routed to R1, and is being sent out the
egress interface, but for some reason, R1 is not properly performing NAT. NAT
seems only to work for devices directly connected to R1.

I don't believe the issue is with routing, but in case it helps, here are the 
relevant routing tables:

Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            104.167.241.193    UGS       11  4606309     -     8 em1  
224/4              127.0.0.1          URS        0      175 32768     8 lo0  
10/8               10.2.1.1           UGS        0        5     -     8 vport11
10.1/16            10.1.2.1           UCn        0        0     -     4 vport11
10.1.2.1           fe:e1:ba:dc:65:83  UHLl       0       13     -     1 vport11
10.1.255.255       10.1.2.1           UHb        0        0     -     1 vport11
10.2.1.1           e8:8b:21:21:21:21  UHLch      1      347     -     7 vport11
10.2.1.1           link#154           UHCS       1        0     -     8 vport11
104.167.241.192/26 104.167.241.211    UCn        2  1412997     -     4 em1  
104.167.241.193    ac:1f:6b:fe:ca:98  UHLch      1   669180     -     3 em1  
104.167.241.210    8a:2c:1c:4a:15:f4  UHLc       0  1412439     -     3 em1  
104.167.241.211    00:25:90:5a:2d:92  UHLl       0   766416     -     1 em1  
104.167.241.255    104.167.241.211    UHb        0   449707     -     1 em1  
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0  
127.0.0.1          127.0.0.1          UHhl       2  1707666 32768     1 lo0  

-- 
jrmu
IRCNow (https://ircnow.org)

Reply via email to