Hi Can you do a packet capture on the firewall and also closer to the 2 hops that don't work,
some ISPs / hotspots rewrite TTL to prevent a client Noting and sharing the connection with someone else tcpdump and have a look a the ttl field of packets in both direction ... the TTL is close to 1 that is probably your issue, On Wed, 3 Jul 2024 at 20:49, jrmu <j...@ircnow.org> wrote: > > Greetings, > > I'm trying to get packet filter to provide NAT for a group of routers I > set up as follows: > > R1 <--> Internet > 10.1/16 > ^ > | > veb12 > | > R2 <--veb23--> R3 <--veb35--> R5 10.5/16 > 10.2/16 10.3/16 > ^ ^ > \ / > veb24 / > \ veb34 > \ / > > R4 < > 10.4/16 > > At R1, I have this packet filter rule to perform NAT on packets going to the > Internet: > > match out on egress from !(egress:network) to any nat-to (egress:0) > > When I run $ ping 1.1.1.1 from R2, packets are successfully NAT'd to the > public IP address, and ping works. > > However, when I run $ ping 1.1.1.1 from any other node (R3, R4, or R5), the > packets are sent to R1 but not properly NAT'd. Here is what I see when I run > tcpdump on the egress interface: > > host# tcpdump -ne -i em1 'host 1.1.1.1' > tcpdump: listening on em1, link-type EN10MB > 14:34:25.531207 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > > 1.1.1.1: icmp: echo request > 14:34:26.549336 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > > 1.1.1.1: icmp: echo request > 14:34:27.549307 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > > 1.1.1.1: icmp: echo request > 14:34:28.549275 00:25:90:5a:2d:92 ac:1f:6b:fe:ca:98 0800 98: 10.5.3.1 > > 1.1.1.1: icmp: echo request > > The ping from node R5 is properly routed to R1, and is being sent out the > egress interface, but for some reason, R1 is not properly performing NAT. NAT > seems only to work for devices directly connected to R1. > > I don't believe the issue is with routing, but in case it helps, here are the > relevant routing tables: > > Routing tables > > Internet: > Destination Gateway Flags Refs Use Mtu Prio Iface > default 104.167.241.193 UGS 11 4606309 - 8 em1 > 224/4 127.0.0.1 URS 0 175 32768 8 lo0 > 10/8 10.2.1.1 UGS 0 5 - 8 > vport11 > 10.1/16 10.1.2.1 UCn 0 0 - 4 > vport11 > 10.1.2.1 fe:e1:ba:dc:65:83 UHLl 0 13 - 1 > vport11 > 10.1.255.255 10.1.2.1 UHb 0 0 - 1 > vport11 > 10.2.1.1 e8:8b:21:21:21:21 UHLch 1 347 - 7 > vport11 > 10.2.1.1 link#154 UHCS 1 0 - 8 > vport11 > 104.167.241.192/26 104.167.241.211 UCn 2 1412997 - 4 em1 > 104.167.241.193 ac:1f:6b:fe:ca:98 UHLch 1 669180 - 3 em1 > 104.167.241.210 8a:2c:1c:4a:15:f4 UHLc 0 1412439 - 3 em1 > 104.167.241.211 00:25:90:5a:2d:92 UHLl 0 766416 - 1 em1 > 104.167.241.255 104.167.241.211 UHb 0 449707 - 1 em1 > 127/8 127.0.0.1 UGRS 0 0 32768 8 lo0 > 127.0.0.1 127.0.0.1 UHhl 2 1707666 32768 1 lo0 > > -- > jrmu > IRCNow (https://ircnow.org) > -- Kindest regards, Tom Smyth.
