Re: SNAT and remote IP problem
It seems fine also in a 4.3.0 VPC (KVM) I run.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: Andrija Panic andrija.pa...@gmail.com
> To: dev@cloudstack.apache.org
> Cc: Rohit Yadav rohit.ya...@shapeblue.com
> Sent: Wednesday, 18 March, 2015 11:29:54
> Subject: Re: SNAT and remote IP problem
>
> I recall this was fine in clean 4.4.0 or 4.4.1/2, can't remember any more... but anyone willing to share their VR output, as I asked, will I guess help us greatly...
>
> On 18 March 2015 at 12:28, Erik Weber terbol...@gmail.com wrote:
>
> > Has anyone checked if this is present in 4.5? If so we should aim to have a fix available with 4.5.1
> >
> > --
> > Erik
> >
> > On Wed, Mar 18, 2015 at 10:47 AM, Paul Shadwell shadw...@me.com wrote:
> >
> > > I also have this problem, it affects running vPBX/VoIP services behind a VR. In fact any service that requires a view on incoming IPs and domain names. For example fail2ban will block ALL access to ssh because it only ever sees the VR IP address.
> > >
> > > Upgrading to 4.3.2 did not fix it. This needs fixing urgently.
> > >
> > > Best regards
> > > Paul
> > >
> > > On 17 Mar 2015, at 14:01, Andrija Panic andrija.pa...@gmail.com wrote:
> > >
> > > > Hi,
> > > >
> > > > is anybody willing to share the result from the following command, run in VR (VPC VR):
> > > >
> > > > iptables -t nat -nvL
> > > >
> > > > This should preferably be run from SSH-to-VR, instead of ConsoleProxy-to-VR, because of nice output over SSH.
> > > >
> > > > It seems in 4.3.0 and 4.3.2, SNAT is done on ALL incoming connections, no matter to WHAT IP the traffic from internet came - primary IP, or additional one that is used for i.e. Static NAT - so SNAT rules always replace remote client IP with MAIN IP of the VPC...
> > > >
> > > > Please share your examples - this is a serious bug in my opinion, and I will raise JIRA - but would like some examples from other guys first.
> > > >
> > > > Thanks,
> > > >
> > > > --
> > > > Andrija Panić
>
> --
> Andrija Panić
Re: SNAT and remote IP problem
we managed once to get it working, after doing PF, DNAT, rebooting VR/VPC and mixing all this together in no particular order it started working at some point, but with new VPC deployed again - again doesn't work - have no idea what the heck is happening... :(

On 19 March 2015 at 17:35, Nux! n...@li.nux.ro wrote:

> It seems fine also in a 4.3.0 VPC (KVM) I run.
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
> > From: Andrija Panic andrija.pa...@gmail.com
> > To: dev@cloudstack.apache.org
> > Cc: Rohit Yadav rohit.ya...@shapeblue.com
> > Sent: Wednesday, 18 March, 2015 11:29:54
> > Subject: Re: SNAT and remote IP problem
> >
> > I recall this was fine in clean 4.4.0 or 4.4.1/2, can't remember any more... but anyone willing to share their VR output, as I asked, will I guess help us greatly...
> >
> > On 18 March 2015 at 12:28, Erik Weber terbol...@gmail.com wrote:
> >
> > > Has anyone checked if this is present in 4.5? If so we should aim to have a fix available with 4.5.1
> > >
> > > --
> > > Erik
> > >
> > > On Wed, Mar 18, 2015 at 10:47 AM, Paul Shadwell shadw...@me.com wrote:
> > >
> > > > I also have this problem, it affects running vPBX/VoIP services behind a VR. In fact any service that requires a view on incoming IPs and domain names. For example fail2ban will block ALL access to ssh because it only ever sees the VR IP address.
> > > >
> > > > Upgrading to 4.3.2 did not fix it. This needs fixing urgently.
> > > >
> > > > Best regards
> > > > Paul
> > > >
> > > > On 17 Mar 2015, at 14:01, Andrija Panic andrija.pa...@gmail.com wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > is anybody willing to share the result from the following command, run in VR (VPC VR):
> > > > >
> > > > > iptables -t nat -nvL
> > > > >
> > > > > This should preferably be run from SSH-to-VR, instead of ConsoleProxy-to-VR, because of nice output over SSH.
> > > > >
> > > > > It seems in 4.3.0 and 4.3.2, SNAT is done on ALL incoming connections, no matter to WHAT IP the traffic from internet came - primary IP, or additional one that is used for i.e. Static NAT - so SNAT rules always replace remote client IP with MAIN IP of the VPC...
> > > > >
> > > > > Please share your examples - this is a serious bug in my opinion, and I will raise JIRA - but would like some examples from other guys first.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > --
> > > > > Andrija Panić
> >
> > --
> > Andrija Panić

--
Andrija Panić
Re: SNAT and remote IP problem
I recall this was fine in clean 4.4.0 or 4.4.1/2, can't remember any more... but anyone willing to share their VR output, as I asked, will I guess help us greatly...

On 18 March 2015 at 12:28, Erik Weber terbol...@gmail.com wrote:

> Has anyone checked if this is present in 4.5? If so we should aim to have a fix available with 4.5.1
>
> --
> Erik
>
> On Wed, Mar 18, 2015 at 10:47 AM, Paul Shadwell shadw...@me.com wrote:
>
> > I also have this problem, it affects running vPBX/VoIP services behind a VR. In fact any service that requires a view on incoming IPs and domain names. For example fail2ban will block ALL access to ssh because it only ever sees the VR IP address.
> >
> > Upgrading to 4.3.2 did not fix it. This needs fixing urgently.
> >
> > Best regards
> > Paul
> >
> > On 17 Mar 2015, at 14:01, Andrija Panic andrija.pa...@gmail.com wrote:
> >
> > > Hi,
> > >
> > > is anybody willing to share the result from the following command, run in VR (VPC VR):
> > >
> > > iptables -t nat -nvL
> > >
> > > This should preferably be run from SSH-to-VR, instead of ConsoleProxy-to-VR, because of nice output over SSH.
> > >
> > > It seems in 4.3.0 and 4.3.2, SNAT is done on ALL incoming connections, no matter to WHAT IP the traffic from internet came - primary IP, or additional one that is used for i.e. Static NAT - so SNAT rules always replace remote client IP with MAIN IP of the VPC...
> > >
> > > Please share your examples - this is a serious bug in my opinion, and I will raise JIRA - but would like some examples from other guys first.
> > >
> > > Thanks,
> > >
> > > --
> > > Andrija Panić

--
Andrija Panić
Re: SNAT and remote IP problem
Has anyone checked if this is present in 4.5? If so we should aim to have a fix available with 4.5.1

--
Erik

On Wed, Mar 18, 2015 at 10:47 AM, Paul Shadwell shadw...@me.com wrote:

> I also have this problem, it affects running vPBX/VoIP services behind a VR. In fact any service that requires a view on incoming IPs and domain names. For example fail2ban will block ALL access to ssh because it only ever sees the VR IP address.
>
> Upgrading to 4.3.2 did not fix it. This needs fixing urgently.
>
> Best regards
> Paul
>
> On 17 Mar 2015, at 14:01, Andrija Panic andrija.pa...@gmail.com wrote:
>
> > Hi,
> >
> > is anybody willing to share the result from the following command, run in VR (VPC VR):
> >
> > iptables -t nat -nvL
> >
> > This should preferably be run from SSH-to-VR, instead of ConsoleProxy-to-VR, because of nice output over SSH.
> >
> > It seems in 4.3.0 and 4.3.2, SNAT is done on ALL incoming connections, no matter to WHAT IP the traffic from internet came - primary IP, or additional one that is used for i.e. Static NAT - so SNAT rules always replace remote client IP with MAIN IP of the VPC...
> >
> > Please share your examples - this is a serious bug in my opinion, and I will raise JIRA - but would like some examples from other guys first.
> >
> > Thanks,
> >
> > --
> > Andrija Panić
Re: SNAT and remote IP problem
I also have this problem, it affects running vPBX/VoIP services behind a VR. In fact any service that requires a view on incoming IPs and domain names. For example fail2ban will block ALL access to ssh because it only ever sees the VR IP address.

Upgrading to 4.3.2 did not fix it. This needs fixing urgently.

Best regards
Paul

On 17 Mar 2015, at 14:01, Andrija Panic andrija.pa...@gmail.com wrote:

> Hi,
>
> is anybody willing to share the result from the following command, run in VR (VPC VR):
>
> iptables -t nat -nvL
>
> This should preferably be run from SSH-to-VR, instead of ConsoleProxy-to-VR, because of nice output over SSH.
>
> It seems in 4.3.0 and 4.3.2, SNAT is done on ALL incoming connections, no matter to WHAT IP the traffic from internet came - primary IP, or additional one that is used for i.e. Static NAT - so SNAT rules always replace remote client IP with MAIN IP of the VPC...
>
> Please share your examples - this is a serious bug in my opinion, and I will raise JIRA - but would like some examples from other guys first.
>
> Thanks,
>
> --
> Andrija Panić
SNAT and remote IP problem
Hi,

is anybody willing to share the result from the following command, run in VR (VPC VR):

iptables -t nat -nvL

This should preferably be run from SSH-to-VR, instead of ConsoleProxy-to-VR, because of nice output over SSH.

It seems in 4.3.0 and 4.3.2, SNAT is done on ALL incoming connections, no matter to WHAT IP the traffic from internet came - primary IP, or additional one that is used for i.e. Static NAT - so SNAT rules always replace remote client IP with MAIN IP of the VPC...

Please share your examples - this is a serious bug in my opinion, and I will raise JIRA - but would like some examples from other guys first.

Thanks,

--
Andrija Panić
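
Added example (not part of the original thread and not CloudStack's own code): a shell filter for the `iptables -t nat -nvL` output requested above. It lists POSTROUTING SNAT/MASQUERADE rules that match any source address on an interface other than the public one, which is the rule shape that would replace a remote client's IP on inbound connections. The interface names, addresses and sample table are constructed, and treating `eth1` as the public interface is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `iptables -t nat -nvL` output on
# stdin and lists POSTROUTING SNAT/MASQUERADE rules that match ANY source on
# an interface other than the public one. Such a rule also hits inbound
# (internet -> guest) connections and hides the remote client IP.
# $1 = public interface name (ASSUMPTION: eth1 in the sample below).
find_broad_snat() {
    awk -v pub="$1" '
        /^Chain /               { chain = $2; n = 0; next }   # new chain
        NF == 0 || $1 == "pkts" { next }                      # blank/header
        { n++ }                                               # rule index
        # -nvL columns: pkts bytes target prot opt in out source destination
        chain == "POSTROUTING" && ($3 == "SNAT" || $3 == "MASQUERADE") &&
        $7 != pub && $8 == "0.0.0.0/0" {
            printf "%s rule %d: %s out=%s src=%s pkts=%s\n",
                   chain, n, $3, $7, $8, $1
        }'
}

# CONSTRUCTED sample output (documentation addresses, hypothetical layout:
# eth1 = public side, eth2 = guest tier). Rule 3 is the over-broad one.
sample_nat_table() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 10 packets, 600 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 DNAT       all  --  eth1   *       0.0.0.0/0            203.0.113.20         to:10.1.1.50

Chain POSTROUTING (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 SNAT       all  --  *      eth1    10.1.1.50            0.0.0.0/0            to:203.0.113.20
    7   420 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:203.0.113.10
    4   240 SNAT       all  --  *      eth2    0.0.0.0/0            10.1.1.0/24          to:203.0.113.10
EOF
}

# Stand-alone run against the constructed sample; on a router, pipe the real
# command instead:  iptables -t nat -nvL | find_broad_snat eth1
sample_nat_table | find_broad_snat eth1
```

A non-zero `pkts` counter on a reported rule shows that traffic is actually matching it, which is why the `-v` form of the listing is the useful one to share.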