Hi all,

I have a problem with ICMP Port Unreachables not getting NATed correctly. Maybe someone knows what I am doing wrong. I am using OpenBSD 4.7 in a simple DSL router setup. I am connecting from a client in my LAN to my workplace's OpenVPN server via UDP. When I disconnect the VPN session, the server keeps on sending UDP packets, which is normal. UDP is stateless, the server does not know that I have disconnected. These packets get NATed correctly to my client, which responds with ICMP Port Unreachables. These ICMP Port Unreachables however don't seem to be NATed correctly when leaving the external interface of my DSL router. They still carry the source IP of my internal host.

Edited tcpdump:

on LAN interface:

VPN_GW_IP.1194 > LAN_CLIENT_IP.1194: udp 101 (ttl 56, id 7308, len 129, bad cksum 0! differs by 4e57)
LAN_CLIENT_IP > VPN_GW: icmp: LAN_CLIENT_IP udp port 1194 unreachable for VPN_GW_IP.1194 > LAN_CLIENT_IP.1194: udp 101 (ttl 56, id 7308, len 129) (ttl 128, id 22873, len 157)

on WAN interface:

VPN_GW_IP.1194 > DSL_WAN_IP.59622: udp 125 (DF) (ttl 57, id 0, len 153)
LAN_CLIENT_IP > VPN_GW_IP: icmp: DSL_WAN_IP udp port 59622 unreachable for VPN_GW_IP.1194 > DSL_WAN_IP.59622: udp 125 (ttl 56, id 55482, len 153) (ttl 127, id 22706, len 181)

I have been able to reproduce this behaviour with the most minimalistic ruleset I could think of:

<snip>
set skip on { lo0 $LAN_INTERFACE }
match in all scrub (no-df)
block return log
pass out quick on $WAN_INTERFACE inet from $LAN nat-to ($WAN_INTERFACE)
</snip>

Any thoughts?

Cheers
Tobias
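An added sanity check for captures like the ones above (my own example, not part of Tobias's post and not pf code): it parses tcpdump ICMP port-unreachable lines in the classic format quoted in the post and flags any whose outer IP header disagrees with the quoted inner datagram. For a port unreachable generated by the host that received the datagram, the outer source must equal the quoted destination and the outer destination must equal the quoted source; after NAT on the WAN side both headers should be translated consistently, which is exactly what the WAN trace fails. The placeholder names (LAN_CLIENT_IP, DSL_WAN_IP, VPN_GW_IP) and the sample lines are constructed to mirror the post; the optional wan_ip argument is an assumption of this script.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the classic tcpdump rendering of an ICMP port unreachable that quotes
# the offending UDP datagram (the format used in the post). Assumption: this
# older one-line layout, not the newer multi-line tcpdump 4.x verbose output.
ICMP_UNREACH_RE = re.compile(
    r"^(?P<outer_src>\S+) > (?P<outer_dst>\S+): icmp: "
    r"(?P<reported_host>\S+) udp port (?P<reported_port>\d+) unreachable for "
    r"(?P<inner_src>\S+)\.(?P<inner_sport>\d+) > (?P<inner_dst>\S+)\.(?P<inner_dport>\d+):"
)


@dataclass
class IcmpUnreachable:
    outer_src: str      # source of the ICMP packet itself
    outer_dst: str      # destination of the ICMP packet itself
    inner_src: str      # source of the quoted (offending) UDP datagram
    inner_sport: int
    inner_dst: str      # destination of the quoted UDP datagram
    inner_dport: int


def parse_icmp_unreachable(line: str) -> Optional[IcmpUnreachable]:
    """Parse one tcpdump line; return None for lines that are not ICMP port unreachables."""
    m = ICMP_UNREACH_RE.match(line.strip())
    if not m:
        return None
    return IcmpUnreachable(
        outer_src=m["outer_src"],
        outer_dst=m["outer_dst"],
        inner_src=m["inner_src"],
        inner_sport=int(m["inner_sport"]),
        inner_dst=m["inner_dst"],
        inner_dport=int(m["inner_dport"]),
    )


def check_translation(pkt: IcmpUnreachable, wan_ip: Optional[str] = None) -> List[str]:
    """Return a list of inconsistencies between the outer header and the quoted datagram.

    A host answering a datagram it received sends the ICMP error from the address the
    datagram was sent to, back to the address it came from. A NAT must translate the
    outer header and the quoted header together, so any mismatch means one of them
    was rewritten and the other was not.
    """
    problems = []
    if pkt.outer_src != pkt.inner_dst:
        problems.append(
            f"outer src {pkt.outer_src} != quoted dst {pkt.inner_dst}: outer header not translated"
        )
    if pkt.outer_dst != pkt.inner_src:
        problems.append(
            f"outer dst {pkt.outer_dst} != quoted src {pkt.inner_src}: inconsistent translation"
        )
    # Optional extra check for a capture taken on the external interface: every
    # locally generated ICMP error must carry the external address as its source.
    if wan_ip is not None and pkt.outer_src != wan_ip:
        problems.append(f"outer src {pkt.outer_src} is not the external address {wan_ip}")
    return problems


def audit(lines: List[str], wan_ip: Optional[str] = None) -> List[Tuple[int, List[str]]]:
    """Run the check over a capture; return (line index, problems) for each bad ICMP error."""
    findings = []
    for idx, line in enumerate(lines):
        pkt = parse_icmp_unreachable(line)
        if pkt is None:
            continue
        problems = check_translation(pkt, wan_ip)
        if problems:
            findings.append((idx, problems))
    return findings


# Constructed sample captures, modelled on the post's LAN-side and WAN-side traces.
LAN_LINES = [
    "VPN_GW_IP.1194 > LAN_CLIENT_IP.1194: udp 101 (ttl 56, id 7308, len 129)",
    "LAN_CLIENT_IP > VPN_GW_IP: icmp: LAN_CLIENT_IP udp port 1194 unreachable for "
    "VPN_GW_IP.1194 > LAN_CLIENT_IP.1194: udp 101 (ttl 56, id 7308, len 129) (ttl 128, id 22873, len 157)",
]
WAN_LINES = [
    "VPN_GW_IP.1194 > DSL_WAN_IP.59622: udp 125 (DF) (ttl 57, id 0, len 153)",
    "LAN_CLIENT_IP > VPN_GW_IP: icmp: DSL_WAN_IP udp port 59622 unreachable for "
    "VPN_GW_IP.1194 > DSL_WAN_IP.59622: udp 125 (ttl 56, id 55482, len 153) (ttl 127, id 22706, len 181)",
]

if __name__ == "__main__":
    print("LAN side:", audit(LAN_LINES) or "consistent")
    print("WAN side:", audit(WAN_LINES, wan_ip="DSL_WAN_IP") or "consistent")
```

On the LAN side the check is clean, because there the outer source and the quoted destination are both the internal client. On the WAN side the quoted datagram has been rewritten to DSL_WAN_IP:59622 while the outer source is still LAN_CLIENT_IP, so the script reports the untranslated outer header. The same check can be run over a longer capture to spot any other ICMP errors leaking internal addresses past the NAT.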
