Re: [vpp-dev] NAT44 for TCP/UDP
Hi Ashwini,

I am sorry I wasn't able to respond earlier.

Basically you have multiple issues here. You are not configuring the NAT outside address as suggested by yangbin. Though you can ignore the default route comment, you don't need to worry about this to make the example work.

Also, output-feature (post routing) vs in and out (similar to prerouting) configuration comes basically down to the use case you have. Usually if you have just one wan interface and you want to nat all the packets from all of the other interfaces going outside of the wan interface, but you don't want any other communication internally (between local lan interfaces) to be nated, then you can stick with output-feature. Post and pre routing, as mentioned before, are just features of NAT that decide at what stage of packet processing translation occurs.

What you have to do to make the setup work is pretty simple.

1) setup basic nat configuration - aka dynamic nat enabled

    nat44 enable
    set interface nat44 in lan
    set interface nat44 out wan1
    set interface nat44 out wan2
    nat44 add interface address wan1
    nat44 add interface address wan2

or:

    nat44 enable
    set interface nat44 out wan1 output-feature
    set interface nat44 out wan2 output-feature
    nat44 add interface address wan1
    nat44 add interface address wan2

2) configure static mapping

    nat44 add static mapping local 192.168.1.20 external

or

    nat44 add static mapping local 192.168.1.20 external

NOTES:
- this is an address only type of static mapping. I would rather suggest configuring port mapping.
- using tcp in address only mapping has no use.

    nat44 add static mapping tcp local 192.168.1.20 external

or

    nat44 add static mapping tcp local 192.168.1.20 external

- nat44 ed requires nat44 pool address to be configured to use static mapping
- you can configure nat44 pool address simply by running the command "nat44 add interface address wan1" or manually specifying the address "nat44 add address 4.4.4.4"

For this to work several conditions must be met:
a) vpp interface needs to be configured with ip address (for example 4.4.4.4)
b) nat44 outside interface has to be configured on the vpp interface with 4.4.4.4 address
c) nat44 ed plugin needs to have pool address (the same as the interface 4.4.4.4)

Example [0]:

    set interface state lan up
    set interface state wan1 up
    set interface state wan2 up
    set interface ip address lan 192.168.1.1/24
    set interface ip address wan1 10.0.1.1/24
    set interface ip address wan2 10.0.2.1/24
    nat44 enable
    set interface nat44 in lan
    set interface nat44 out wan1
    set interface nat44 out wan2
    nat44 add address 10.0.1.1
    nat44 add address 10.0.2.1
    nat44 add static mapping tcp local 192.168.1.20 5001 external 10.0.1.1 5001

Because of NAT limitations we can't have multiple static mapping records that share the same host and port.

Suggestion:
1) if you don't have a specific need to change the default session timeouts I would suggest against it
2) if you don't know or need the forwarding feature don't use it.
- with the forwarding feature on your dynamic translations won't work.
- it is a special feature used in very rare situations

P.S.: I would suggest using example[0] as the base of your configuration. Obviously with updated IP addresses.

Hope I was able to help. Sorry again for the delay.

Best regards,
Filip Varga

On Wed, 21. 9. 2022 at 19:44, yangbin_1638136...@qq.com wrote:
> There are 2 types of NAT implementation.
> when you use "in" and "out" at the same time, it's PRE-ROUTING NAT
> when you use "out" with the "output-feature" keyword, it's POST-ROUTING NAT.
>
> no matter what type of NAT you choose to use, there are 2 important things
> you need to do,
> first, enable nat
> second, make sure you have a right NAT address pool. (nat44 add interface
> address {wan1} )

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#21913): https://lists.fd.io/g/vpp-dev/message/21913
Mute This Topic: https://lists.fd.io/mt/92906473/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/leave/1480452/21656/631435203/xyzzy [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
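The conditions a) to c) and the two suggestions in the reply above can be checked mechanically before a configuration is loaded. The following linter is an added example, not code from the thread or from the VPP project; it recognises only the command forms quoted in this thread, and the finding codes and the two interface addresses in `ORIGINAL` are constructed for the illustration.

```python
import re

# Command forms are limited to those quoted in this thread (assumption).
MAPPING = re.compile(
    r"^nat44 add static mapping(?: (tcp|udp|icmp))? local (\S+)(?: (\d+))?"
    r" external (\S+)(?: (\d+))?$")


def lint_nat44(config):
    """Return (code, message) findings for a block of VPP NAT44 ED CLI lines."""
    if_addr = {}                    # interface -> IPv4 address, prefix length dropped
    pool, pool_ifaces = set(), []   # pool addresses / 'add interface address' names
    inside, outside, out_feature = set(), set(), set()
    mappings = []                   # (proto, local, local_port, external, external_port)
    enabled = forwarding = False

    for raw in config.splitlines():
        t = raw.split("//")[0].split()      # tolerate trailing // comments
        line = " ".join(t)
        if line.startswith(("nat44 enable", "nat44 plugin enable")):
            enabled = True
        elif line == "nat44 forwarding enable":
            forwarding = True
        elif line.startswith("set interface ip address ") and len(t) == 6:
            if_addr[t[4]] = t[5].split("/")[0]
        elif line.startswith("set interface nat44 in ") and len(t) >= 5:
            inside.add(t[4])
        elif line.startswith("set interface nat44 out ") and len(t) >= 5:
            (out_feature if "output-feature" in t[5:] else outside).add(t[4])
        elif line.startswith("nat44 add interface address ") and len(t) == 5:
            pool_ifaces.append(t[4])
        elif line.startswith("nat44 add address ") and len(t) >= 4:
            pool.add(t[3])
        else:
            m = MAPPING.match(line)
            if m:
                mappings.append(m.groups())

    findings = []
    if not enabled:
        findings.append(("not-enabled", "nat44 is never enabled"))
    if forwarding:
        findings.append(("forwarding", "forwarding enabled: the reply says dynamic "
                         "translations will not work with it on"))
    if inside and out_feature:
        findings.append(("in+output-feature", "inside interface mixed with "
                         "output-feature; use one style or the other"))
    for ifc in pool_ifaces:                 # condition (a): interface has an address
        if ifc in if_addr:
            pool.add(if_addr[ifc])
        else:
            findings.append(("pool-if-no-ip", f"{ifc} has no IP address in this config"))
    if not pool:
        findings.append(("no-pool", "no NAT pool address configured"))
    # condition (b): the address sits on an interface marked as NAT outside
    outside_addrs = {if_addr[i] for i in outside | out_feature if i in if_addr}
    for proto, local, lport, ext, eport in mappings:
        if proto and not (lport and eport):
            findings.append(("proto-no-port", f"{local}: '{proto}' on an "
                             "address-only mapping has no use"))
        if ext not in pool:                 # condition (c): pool holds the address
            findings.append(("ext-not-in-pool", f"{ext} is not a pool address"))
        if ext not in outside_addrs:
            findings.append(("ext-not-on-outside-if",
                             f"{ext} is not configured on a NAT outside interface"))
    return findings


# Example [0] from the reply, verbatim.
EXAMPLE_0 = """\
set interface state lan up
set interface state wan1 up
set interface state wan2 up
set interface ip address lan 192.168.1.1/24
set interface ip address wan1 10.0.1.1/24
set interface ip address wan2 10.0.2.1/24
nat44 enable
set interface nat44 in lan
set interface nat44 out wan1
set interface nat44 out wan2
nat44 add address 10.0.1.1
nat44 add address 10.0.2.1
nat44 add static mapping tcp local 192.168.1.20 5001 external 10.0.1.1 5001
"""

# NAT commands from the first message of the thread; the interface addresses
# are constructed here because the thread elides the real ones.
ORIGINAL = """\
set interface ip address lan 192.168.1.1/24
set interface ip address wan1 10.0.1.1/24
set interface ip address wan2 10.0.2.1/24
nat44 plugin enable sessions 63000
nat44 forwarding enable
set nat timeout udp 300 tcp-established 7440 tcp-transitory 240 icmp 60
set interface nat44 in lan
set interface nat44 out wan1 output-feature
set interface nat44 out wan2 output-feature
nat44 add static mapping tcp local 192.168.1.20 external 4.4.4.4
"""

if __name__ == "__main__":
    for name, cfg in (("example[0]", EXAMPLE_0), ("original", ORIGINAL)):
        print(name, [code for code, _ in lint_nat44(cfg)])
```

Example [0] produces no findings, while the original configuration is flagged for forwarding, the mixed in/output-feature style, the missing pool and the external address 4.4.4.4 that exists on no outside interface.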
Re: [vpp-dev] NAT44 for TCP/UDP
There are 2 types of NAT implementation.
When you use "in" and "out" at the same time, it's PRE-ROUTING NAT.
When you use "out" with the "output-feature" keyword, it's POST-ROUTING NAT.

No matter what type of NAT you choose to use, there are 2 important things you need to do:
first, enable nat;
second, make sure you have a right NAT address pool (nat44 add interface address {wan1}).
Re: [vpp-dev] NAT44 for TCP/UDP
I would advise trying the commands below:

    nat44 plugin enable sessions 63000
    nat44 forwarding enable
    set nat timeout udp 3000 tcp-established 7440 tcp-transitory 2400 icmp 600
    set interface nat44 out {wan1} output-feature
    nat44 add static mapping tcp local 192.168.1.20 external 4.4.4.4
    nat44 add interface address {wan1}    //replace "wan1" with your wan interface name

Just make sure your default route (fib 0.0.0.0/0) output interface is wan1. If not, just replace {wan1} with the specific interface name. And if there is no default fib item in your fib table, just check the destination ip address in your fib table with the command (sh ip fib X.X.X.X/32); the output info will display the output interface name. Make sure the "NAT44 command" is given the right output interface name.
Re: [vpp-dev] NAT44 for TCP/UDP
Hi Ashwini,

Thank you. I am looking into it.

Best regards,
Filip Varga

On Mon, 15. 8. 2022 at 21:33, Ashwini Kadam wrote:
> Hi Filip,
>
> Please let me know your thoughts on what the issue is and how it can be
> resolved. We are working towards a demo and hoping to use VPP in it. This
> is kind of a blocker right now.
>
> Regards,
> Ashwini Kadam
Re: [vpp-dev] NAT44 for TCP/UDP
Hi Filip,

Please let me know your thoughts on what the issue is and how it can be resolved. We are working towards a demo and hoping to use VPP in it. This is kind of a blocker right now.

Regards,
Ashwini Kadam
Re: [vpp-dev] NAT44 for TCP/UDP
Hi Filip,

Please let me know your thoughts on what the issue is and how it can be resolved.

Regards,
Ashwini Kadam
Re: [vpp-dev] NAT44 for TCP/UDP
Hi Filip,

Please also find attached the VPP trace for tcp data when nat44 forwarding is disabled.

Regards,
Ashwini Kadam

--- Start of thread 0 vpp_main ---
Packet 1

00:02:25:661524: dpdk-input
  wan1920 rx queue 0
  buffer 0xff681f: current data 0, length 74, buffer-pool 0, ref-count 1, trace handle 0x0
                   ext-hdr-valid
  PKT MBUF: port 1, nb_segs 1, pkt_len 74
    buf_len 2176, data_len 74, ol_flags 0x180, data_off 128, phys_addr 0x3fda0840
    packet_type 0x111 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_NONE (0x0108) no L4 cksum of RX pkt.
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_TCP (0x0100) TCP packet
  IP4: b6:52:e6:15:68:df -> 82:29:ec:79:f5:5b
  TCP: 10.197.61.30 -> 192.168.1.20
    tos 0x00, ttl 64, length 60, checksum 0xe0dd dscp CS0 ecn NON_ECN
    fragment id 0x503f, flags DONT_FRAGMENT
  TCP: 39806 -> 5201
    seq. 0xa937694d ack 0x
    flags 0x02 SYN, tcp header: 40 bytes
    window 29200, checksum 0x754d
00:02:25:661555: ethernet-input
  frame: flags 0x3, hw-if-index 2, sw-if-index 2
  IP4: b6:52:e6:15:68:df -> 82:29:ec:79:f5:5b
00:02:25:661573: ip4-input-no-checksum
  TCP: 10.197.61.30 -> 192.168.1.20
    tos 0x00, ttl 64, length 60, checksum 0xe0dd dscp CS0 ecn NON_ECN
    fragment id 0x503f, flags DONT_FRAGMENT
  TCP: 39806 -> 5201
    seq. 0xa937694d ack 0x
    flags 0x02 SYN, tcp header: 40 bytes
    window 29200, checksum 0x754d
00:02:25:661586: ip4-sv-reassembly-feature
  [not-fragmented]
00:02:25:661607: nat-pre-out2in
  out2in next_index 6 arc_next_index 10
00:02:25:661613: nat44-ed-out2in
  NAT44_OUT2IN_ED_FAST_PATH: sw_if_index 2, next index 7
  search key local 10.197.61.30:39806 remote 192.168.1.20:5201 proto TCP fib 0 thread-index 32673 session-index 3862091520
  slow path because lookup failed
00:02:25:661618: nat44-ed-out2in-slowpath
  NAT44_OUT2IN_ED_SLOW_PATH: sw_if_index 2, next index 0
00:02:25:661627: error-drop
  rx:wan1920
00:02:25:661631: drop
  nat44-ed-out2in-slowpath: no translation

Packet 2

00:02:26:709707: dpdk-input
  wan1920 rx queue 0
  buffer 0xff67f8: current data 0, length 74, buffer-pool 0, ref-count 1, trace handle 0x1
                   ext-hdr-valid
  PKT MBUF: port 1, nb_segs 1, pkt_len 74
    buf_len 2176, data_len 74, ol_flags 0x180, data_off 128, phys_addr 0x3fd9fe80
    packet_type 0x111 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_NONE (0x0108) no L4 cksum of RX pkt.
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_TCP (0x0100) TCP packet
  IP4: b6:52:e6:15:68:df -> 82:29:ec:79:f5:5b
  TCP: 10.197.61.30 -> 192.168.1.20
    tos 0x00, ttl 64, length 60, checksum 0xe0dc dscp CS0 ecn NON_ECN
    fragment id 0x5040, flags DONT_FRAGMENT
  TCP: 39806 -> 5201
    seq. 0xa937694d ack 0x
    flags 0x02 SYN, tcp header: 40 bytes
    window 29200, checksum 0x7135
00:02:26:709730: ethernet-input
  frame: flags 0x3, hw-if-index 2, sw-if-index 2
  IP4: b6:52:e6:15:68:df -> 82:29:ec:79:f5:5b
00:02:26:709746: ip4-input-no-checksum
  TCP: 10.197.61.30 -> 192.168.1.20
    tos 0x00, ttl 64, length 60, checksum 0xe0dc dscp CS0 ecn NON_ECN
    fragment id 0x5040, flags DONT_FRAGMENT
  TCP: 39806 -> 5201
    seq. 0xa937694d ack 0x
    flags 0x02 SYN, tcp header: 40 bytes
    window 29200, checksum 0x7135
00:02:26:709752: ip4-sv-reassembly-feature
  [not-fragmented]
00:02:26:709755: nat-pre-out2in
  out2in next_index 6 arc_next_index 10
00:02:26:709757: nat44-ed-out2in
  NAT44_OUT2IN_ED_FAST_PATH: sw_if_index 2, next index 7
  search key local 10.197.61.30:39806 remote 192.168.1.20:5201 proto TCP fib 0 thread-index 32673 session-index 3862091520
00:02:26:709762: nat44-ed-out2in-slowpath
  NAT44_OUT2IN_ED_SLOW_PATH: sw_if_index 2, next index 0
00:02:26:709769: error-drop
  rx:wan1920
00:02:26:709773: drop
  nat44-ed-out2in-slowpath: no translation

Packet 3

00:02:28:757428: dpdk-input
  wan1920 rx queue 0
  buffer 0xff67d1: current data 0, length 74, buffer-pool 0, ref-count 1, trace handle 0x2
                   ext-hdr-valid
  PKT MBUF: port 1, nb_segs 1, pkt_len 74
    buf_len 2176, data_len 74, ol_flags 0x180, data_off 128, phys_addr 0x3fd9f4c0
    packet_type 0x111 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
Re: [vpp-dev] NAT44 for TCP/UDP
Hi Filip,

The VPP trace for dpdk-input in the last email included TCP requests from Host C to Host A by iperf3 server and client via VPP.

Please find below the vpp trace for dpdk-input for ICMP ping requests from Host C to Host A via VPP. As mentioned above this works. Included trace for comparison.

vpp# show trace
--- Start of thread 0 vpp_main ---
Packet 1

00:02:55:923706: dpdk-input
  lan rx queue 0
  buffer 0xffb5f8: current data 0, length 98, buffer-pool 0, ref-count 1, trace handle 0x0
                   ext-hdr-valid
  PKT MBUF: port 2, nb_segs 1, pkt_len 98
    buf_len 2176, data_len 98, ol_flags 0x180, data_off 128, phys_addr 0x3fed7e80
    packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_NONE (0x0108) no L4 cksum of RX pkt.
  IP4: 72:11:2f:ce:29:a6 -> 42:6e:9e:ce:a6:7e
  ICMP: 192.168.1.20 -> 10.197.61.30
    tos 0x00, ttl 64, length 84, checksum 0x9cdb dscp CS0 ecn NON_ECN
    fragment id 0x942e, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x3a52 id 314
00:02:55:923733: ethernet-input
  frame: flags 0x3, hw-if-index 3, sw-if-index 3
  IP4: 72:11:2f:ce:29:a6 -> 42:6e:9e:ce:a6:7e
00:02:55:923746: ip4-input-no-checksum
  ICMP: 192.168.1.20 -> 10.197.61.30
    tos 0x00, ttl 64, length 84, checksum 0x9cdb dscp CS0 ecn NON_ECN
    fragment id 0x942e, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x3a52 id 314
00:02:55:923755: ip4-sv-reassembly-feature
  [not-fragmented]
00:02:55:923760: nat-pre-in2out
  in2out next_index 2 arc_next_index 10
00:02:55:923764: nat44-ed-in2out
  NAT44_IN2OUT_ED_FAST_PATH: sw_if_index 3, next index 3
  search key local 192.168.1.20:314 remote 10.197.61.30:314 proto ICMP fib 0 thread-index 32561 session-index 1606442176
00:02:55:923769: nat44-ed-in2out-slowpath
  NAT44_IN2OUT_ED_SLOW_PATH: sw_if_index 3, next index 10, session 0, translation result 'success' via i2of
  i2of match: saddr 192.168.1.20 sport 314 daddr 10.197.61.30 dport 314 proto ICMP fib_idx 0 rewrite: saddr 4.4.4.4 daddr 10.197.61.30 icmp-id 314 txfib 0
  o2if match: saddr 10.197.61.30 sport 314 daddr 4.4.4.4 dport 314 proto ICMP fib_idx 0 rewrite: daddr 192.168.1.20 icmp-id 314 txfib 0
00:02:55:923813: ip4-lookup
  fib 0 dpo-idx 6 flow hash: 0x
  ICMP: 4.4.4.4 -> 10.197.61.30
    tos 0x00, ttl 64, length 84, checksum 0x5690 dscp CS0 ecn NON_ECN
    fragment id 0x942e, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x3a52 id 314
00:02:55:923818: ip4-rewrite
  tx_sw_if_index 1 dpo-idx 6 : ipv4 via 10.197.61.30 wan1920: mtu:9000 next:3 flags:[] b652e61568df0ebab47ca6940800 flow hash: 0x
  : b652e61568df0ebab47ca69408004554942e40003f015790040404040ac5
  0020: 3d1e08003a52013a63f8f362e0860701
00:02:55:923822: wan1920-output
  wan1920
  IP4: 0e:ba:b4:7c:a6:94 -> b6:52:e6:15:68:df
  ICMP: 4.4.4.4 -> 10.197.61.30
    tos 0x00, ttl 63, length 84, checksum 0x5790 dscp CS0 ecn NON_ECN
    fragment id 0x942e, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x3a52 id 314
00:02:55:923827: wan1920-tx
  wan1920 tx queue 0
  buffer 0xffb5f8: current data 0, length 98, buffer-pool 0, ref-count 1, trace handle 0x0
                   ext-hdr-valid
                   l2-hdr-offset 0 l3-hdr-offset 14
  PKT MBUF: port 2, nb_segs 1, pkt_len 98
    buf_len 2176, data_len 98, ol_flags 0x180, data_off 128, phys_addr 0x3fed7e80
    packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_NONE (0x0108) no L4 cksum of RX pkt.
  IP4: 0e:ba:b4:7c:a6:94 -> b6:52:e6:15:68:df
  ICMP: 4.4.4.4 -> 10.197.61.30
    tos 0x00, ttl 63, length 84, checksum 0x5790 dscp CS0 ecn NON_ECN
    fragment id 0x942e, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x3a52 id 314

Packet 2

00:02:55:924002: dpdk-input
  wan1920 rx queue 0
  buffer 0xff681f: current data 0, length 98, buffer-pool 0, ref-count 1, trace handle 0x1
                   ext-hdr-valid
  PKT MBUF: port 0, nb_segs 1, pkt_len 98
    buf_len 2176, data_len 98, ol_flags 0x180, data_off 128, phys_addr 0x3fda0840
    packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_NONE (0x0108) no L4 cksum of RX pkt.
  IP4: b6:52:e6:15:68:df -> 0e:ba:b4:7c:a6:94
  ICMP: 10.197.61.30 -> 4.4.4.4
    tos 0x00, ttl 64, length 84, checksum 0x7cb0 dscp CS0 ecn NON_ECN
    fragment id 0xae0e
  ICMP echo_reply checksum 0x4252 id 314
00:02:55:924008: ethernet-input
  frame: flags 0x3, hw-if-index 1, sw-if-index 1
  IP4: b6:52:e6:15:68:df -> 0e:ba:b4:7c:a6:94
00:02:55:924011: ip4-input-no-checksum
Re: [vpp-dev] NAT44 for TCP/UDP
Hi Filip,

Added the following NAT Config

    vpp# clear trace
    vpp# trace add dpdk-input 100
    vpp# nat44 plugin enable sessions 63000
    vpp# nat44 forwarding enable
    vpp# set interface nat44 in lan
    vpp# set interface nat44 out wan1920
    vpp# set interface nat44 out wan1930
    vpp# nat44 add static mapping tcp local 192.168.1.20 external 4.4.4.4

Added trace for dpdk-input

    vpp# trace add dpdk-input 100

vpp# show int
  Name      Idx   State   MTU (L3/IP4/IP6/MPLS)   Counter        Count
  lan       3     up      9000/0/0/0              rx packets     145667
                                                  rx bytes       9616430
                                                  tx packets     4856059
                                                  tx bytes       7352048880
                                                  ip4            145666
  local0    0     down    0/0/0/0
  wan1920   1     up      9000/0/0/0              rx packets     4856058
                                                  rx bytes       7352048838
                                                  tx packets     145666
                                                  tx bytes       9616388
                                                  ip4            4856058
  wan1930   2     up      9000/0/0/0

vpp# show ip neighbors
  Time        IP              Flags   Ethernet            Interface
  155.3758    192.168.1.20    D       72:11:2f:ce:29:a6   lan
  13.5418     10.197.61.30    D       b6:52:e6:15:68:df   wan1920
  23.2733     10.197.62.30    D       6e:9d:96:5c:31:b4   wan1930

Please find below packet trace from VPP

vpp# show trace
Limiting display to 50 packets. To display more specify max.
--- Start of thread 0 vpp_main ---
Packet 1

00:02:27:773184: dpdk-input
  wan1920 rx queue 0
  buffer 0xff681f: current data 0, length 74, buffer-pool 0, ref-count 1, trace handle 0x0
                   ext-hdr-valid
  PKT MBUF: port 0, nb_segs 1, pkt_len 74
    buf_len 2176, data_len 74, ol_flags 0x180, data_off 128, phys_addr 0x3fda0840
    packet_type 0x111 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_NONE (0x0108) no L4 cksum of RX pkt.
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_TCP (0x0100) TCP packet
  IP4: b6:52:e6:15:68:df -> 0e:ba:b4:7c:a6:94
  TCP: 10.197.61.30 -> 192.168.1.20
    tos 0x00, ttl 64, length 60, checksum 0xd75f dscp CS0 ecn NON_ECN
    fragment id 0x59bd, flags DONT_FRAGMENT
  TCP: 47468 -> 5201
    seq. 0xe72586e0 ack 0x
    flags 0x02 SYN, tcp header: 40 bytes
    window 29200, checksum 0x9d81
00:02:27:773227: ethernet-input
  frame: flags 0x3, hw-if-index 1, sw-if-index 1
  IP4: b6:52:e6:15:68:df -> 0e:ba:b4:7c:a6:94
00:02:27:773243: ip4-input-no-checksum
  TCP: 10.197.61.30 -> 192.168.1.20
    tos 0x00, ttl 64, length 60, checksum 0xd75f dscp CS0 ecn NON_ECN
    fragment id 0x59bd, flags DONT_FRAGMENT
  TCP: 47468 -> 5201
    seq. 0xe72586e0 ack 0x
    flags 0x02 SYN, tcp header: 40 bytes
    window 29200, checksum 0x9d81
00:02:27:773255: ip4-sv-reassembly-feature
  [not-fragmented]
00:02:27:773260: nat-pre-out2in
  out2in next_index 6 arc_next_index 10
00:02:27:773267: nat44-ed-out2in
  NAT44_OUT2IN_ED_FAST_PATH: sw_if_index 1, next index 7
  search key local 10.197.61.30:47468 remote 192.168.1.20:5201 proto TCP fib 0 thread-index 32513 session-index 2925668096
  slow path because lookup failed
00:02:27:773273: nat44-ed-out2in-slowpath
  NAT44_OUT2IN_ED_SLOW_PATH: sw_if_index 1, next index 10
00:02:27:773288: ip4-lookup
  fib 0 dpo-idx 7 flow hash: 0x
  TCP: 10.197.61.30 -> 192.168.1.20
    tos 0x00, ttl 64, length 60, checksum 0xd75f dscp CS0 ecn NON_ECN
    fragment id 0x59bd, flags DONT_FRAGMENT
  TCP: 47468 -> 5201
    seq. 0xe72586e0 ack 0x
    flags 0x02 SYN, tcp header: 40 bytes
    window 29200, checksum 0x9d81
00:02:27:773297: ip4-rewrite
  tx_sw_if_index 3 dpo-idx 7 : ipv4 via 192.168.1.20 lan: mtu:9000 next:4 flags:[] 72112fce29a6426e9ecea67e0800 flow hash: 0x
  : 72112fce29a6426e9ecea67e0800453c59bd40003f06d85f0ac53d1ec0a8
  0020: 0114b96c1451e72586e0a00272109d81020405b40402
00:02:27:773304: lan-output
  lan
  IP4: 42:6e:9e:ce:a6:7e -> 72:11:2f:ce:29:a6
  TCP: 10.197.61.30 -> 192.168.1.20
    tos 0x00, ttl 63, length 60, checksum 0xd85f dscp CS0 ecn NON_ECN
    fragment id 0x59bd, flags DONT_FRAGMENT
  TCP: 47468 -> 5201
    seq. 0xe72586e0 ack 0x
    flags 0x02 SYN, tcp header: 40 bytes
    window 29200, checksum 0x9d81
00:02:27:773310: lan-tx
  lan tx queue 0
  buffer 0xff681f: current data 0, length 74, buffer-pool 0, ref-count 1, trace handle 0x0
                   ext-hdr-valid
                   l2-hdr-offset 0 l3-hdr-offset 14
  PKT MBUF: port 0, nb_segs 1, pkt_len 74
    buf_len 2176, data_len 74, ol_flags 0x180, data_off 128, phys_addr 0x3fda0840
    packet_type 0x111 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD
Re: [vpp-dev] NAT44 for TCP/UDP
Hi Ashwini,

Can you also please send me a packet trace from VPP?

Thank you.

Best regards,
Filip Varga

On Tue, 9. 8. 2022 at 23:50, Ashwini Kadam wrote:
> Hi Filip,
>
> I did try your recommendations. Updated NAT config to as below
>
> Test Case 1
> nat44 plugin enable sessions 63000
> nat44 forwarding enable
> set nat timeout udp 3000 tcp-established 7440 tcp-transitory 2400 icmp 600
> set interface nat44 in lan
> set interface nat44 out wan1
> set interface nat44 out wan2
> nat44 add static mapping tcp local 192.168.1.20 external 4.4.4.4
>
> Test Case 2
>
> nat44 plugin enable sessions 63000
> nat44 forwarding enable
> set nat timeout udp 3000 tcp-established 7440 tcp-transitory 2400 icmp 600
> set interface nat44 out wan1 output-feature
> set interface nat44 out wan2 output-feature
> nat44 add static mapping tcp local 192.168.1.20 external 4.4.4.4
>
> However in both cases I see the same result as below
>
> vpp# show nat44 sessions
> NAT44 ED sessions:
> thread 0 vpp_main: 2 sessions
> i2o 192.168.1.20 proto TCP port 5201 fib 0
> o2i 192.168.1.20 proto TCP port 5201 fib 0
>    external host 10.197.61.30:42280
>    i2o flow: match: saddr 192.168.1.20 sport 5201 daddr 10.197.61.30 dport 42280 proto TCP fib_idx 0 rewrite: txfib 0
>    o2i flow: match: saddr 0.0.0.0 sport 0 daddr 0.0.0.0 dport 0 proto IP6_HOP_BY_HOP_OPTIONS fib_idx 0
>    index 0
>    last heard 287.92
>    timeout in 2396.83
>    total pkts 30, total bytes 985
>    dynamic translation
>    forwarding-bypass
>
> i2o 192.168.1.20 proto TCP port 5201 fib 0
> o2i 192.168.1.20 proto TCP port 5201 fib 0
>    external host 10.197.61.30:42284
>    i2o flow: match: saddr 192.168.1.20 sport 5201 daddr 10.197.61.30 dport 42284 proto TCP fib_idx 0 rewrite: txfib 0
>    o2i flow: match: saddr 0.0.0.0 sport 0 daddr 0.0.0.0 dport 0 proto IP6_HOP_BY_HOP_OPTIONS fib_idx 0
>    index 1
>    last heard 287.84
>    timeout in 2396.75
>    total pkts 4720516, total bytes 5249440
>    dynamic translation
>    forwarding-bypass
>
> The other thing I noticed was the output says dynamic translations instead
> of static translations.
> In ICMP nat44 sessions I can see that it shows static translations. Below
> is an ICMP NAT44 session
>
> vpp# show nat44 sessions
> NAT44 ED sessions:
> thread 0 vpp_main: 1 sessions
> i2o 192.168.1.20 proto ICMP port 141 fib 0
> o2i 4.4.4.4 proto ICMP port 141 fib 0
>    external host 10.197.61.30:141
>    i2o flow: match: saddr 192.168.1.20 sport 141 daddr 10.197.61.30 dport 141 proto ICMP fib_idx 0 rewrite: saddr 4.4.4.4 daddr 10.197.61.30 icmp-id 141 txfib 0
>    o2i flow: match: saddr 10.197.61.30 sport 141 daddr 4.4.4.4 dport 141 proto ICMP fib_idx 0 rewrite: daddr 192.168.1.20 icmp-id 141 txfib 0
>    index 0
>    last heard 127.02
>    timeout in -26.69
>    total pkts 40, total bytes 3360
>    static translation
>
> Also have a couple of questions. My VPP has 3 dpdk interfaces each for
> lan, wan1, wan2. The lan interface IP is 192.168.1.1.
> In my static mapping I am creating a rule as below
>
> nat44 add static mapping tcp local 192.168.1.20 external 4.4.4.4
>
> While creating static mapping rules what should the local correspond to
> (here I am setting it to IP of Host C and not the VPP dpdk interface IP)
> and what should the external correspond to (here I am setting it to a fake
> external IP and not wan1 or wan2 IP).
>
> I also tried det44 nat however ran into the following issues.
>
> In startup config if I add the nat { deterministic } or just nat {} config
> it fails to run. Run into an error saying unknown nat configuration.
>
> Tried the below det44 nat however didn't see any translations in sessions.
>
> det44 plugin enable
> set nat timeout udp 300 tcp-established 7440 tcp-transitory 240 icmp 6000
> set interface det44 inside lan outside wan
> det44 add in 192.168.1.0/24 out 4.4.4.0/24
>
> I see a debug message saying and don't see any det44 sessions.
>
> vpp# det44 [info ]: unknown dst address: 192.168.1.20
> det44[info ]: unknown dst address: 192.168.1.20
> det44[info ]: unknown dst address: 192.168.1.20
>
> Do let me know what I am missing. Is a different VPP version I should use?
> My current one is built from master branch 22.10. Thanks
>
> Regards,
> Ashwini Kadam
Re: [vpp-dev] NAT44 for TCP/UDP
Hi Filip,

I did try your recommendations. Updated NAT config to as below

Test Case 1

    nat44 plugin enable sessions 63000
    nat44 forwarding enable
    set nat timeout udp 3000 tcp-established 7440 tcp-transitory 2400 icmp 600
    set interface nat44 in lan
    set interface nat44 out wan1
    set interface nat44 out wan2
    nat44 add static mapping tcp local 192.168.1.20 external 4.4.4.4

Test Case 2

    nat44 plugin enable sessions 63000
    nat44 forwarding enable
    set nat timeout udp 3000 tcp-established 7440 tcp-transitory 2400 icmp 600
    set interface nat44 out wan1 output-feature
    set interface nat44 out wan2 output-feature
    nat44 add static mapping tcp local 192.168.1.20 external 4.4.4.4

However in both cases I see the same result as below

vpp# show nat44 sessions
NAT44 ED sessions:
thread 0 vpp_main: 2 sessions
  i2o 192.168.1.20 proto TCP port 5201 fib 0
  o2i 192.168.1.20 proto TCP port 5201 fib 0
     external host 10.197.61.30:42280
     i2o flow: match: saddr 192.168.1.20 sport 5201 daddr 10.197.61.30 dport 42280 proto TCP fib_idx 0 rewrite: txfib 0
     o2i flow: match: saddr 0.0.0.0 sport 0 daddr 0.0.0.0 dport 0 proto IP6_HOP_BY_HOP_OPTIONS fib_idx 0
     index 0
     last heard 287.92
     timeout in 2396.83
     total pkts 30, total bytes 985
     dynamic translation
     forwarding-bypass

  i2o 192.168.1.20 proto TCP port 5201 fib 0
  o2i 192.168.1.20 proto TCP port 5201 fib 0
     external host 10.197.61.30:42284
     i2o flow: match: saddr 192.168.1.20 sport 5201 daddr 10.197.61.30 dport 42284 proto TCP fib_idx 0 rewrite: txfib 0
     o2i flow: match: saddr 0.0.0.0 sport 0 daddr 0.0.0.0 dport 0 proto IP6_HOP_BY_HOP_OPTIONS fib_idx 0
     index 1
     last heard 287.84
     timeout in 2396.75
     total pkts 4720516, total bytes 5249440
     dynamic translation
     forwarding-bypass

The other thing I noticed was the output says dynamic translations instead of static translations. In ICMP nat44 sessions I can see that it shows static translations. Below is an ICMP NAT44 session

vpp# show nat44 sessions
NAT44 ED sessions:
thread 0 vpp_main: 1 sessions
  i2o 192.168.1.20 proto ICMP port 141 fib 0
  o2i 4.4.4.4 proto ICMP port 141 fib 0
     external host 10.197.61.30:141
     i2o flow: match: saddr 192.168.1.20 sport 141 daddr 10.197.61.30 dport 141 proto ICMP fib_idx 0 rewrite: saddr 4.4.4.4 daddr 10.197.61.30 icmp-id 141 txfib 0
     o2i flow: match: saddr 10.197.61.30 sport 141 daddr 4.4.4.4 dport 141 proto ICMP fib_idx 0 rewrite: daddr 192.168.1.20 icmp-id 141 txfib 0
     index 0
     last heard 127.02
     timeout in -26.69
     total pkts 40, total bytes 3360
     static translation

Also have a couple of questions. My VPP has 3 dpdk interfaces each for lan, wan1, wan2. The lan interface IP is 192.168.1.1. In my static mapping I am creating a rule as below

    nat44 add static mapping tcp local 192.168.1.20 external 4.4.4.4

While creating static mapping rules what should the local correspond to (here I am setting it to IP of Host C and not the VPP dpdk interface IP) and what should the external correspond to (here I am setting it to a fake external IP and not wan1 or wan2 IP).

I also tried det44 nat however ran into the following issues.

In startup config if I add the nat { deterministic } or just nat {} config it fails to run. Run into an error saying unknown nat configuration.

Tried the below det44 nat however didn't see any translations in sessions.

    det44 plugin enable
    set nat timeout udp 300 tcp-established 7440 tcp-transitory 240 icmp 6000
    set interface det44 inside lan outside wan
    det44 add in 192.168.1.0/24 out 4.4.4.0/24

I see a debug message saying and don't see any det44 sessions.

    vpp# det44 [info ]: unknown dst address: 192.168.1.20
    det44 [info ]: unknown dst address: 192.168.1.20
    det44 [info ]: unknown dst address: 192.168.1.20

Do let me know what I am missing. Is a different VPP version I should use? My current one is built from master branch 22.10.

Thanks

Regards,
Ashwini Kadam
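The difference between the TCP and ICMP sessions in the message above (same address on both the i2o and o2i lines, an empty i2o rewrite, and the forwarding-bypass marker) can be picked out of `show nat44 sessions` output automatically. The parser below is an added example, not part of the thread or of VPP; the field layout is assumed from the output quoted in this message, and `SAMPLE` is constructed from two of its sessions.

```python
import re

# 'i2o <addr> proto <P> port <n> fib <n>' / 'o2i ...' session header lines.
HEAD = re.compile(r"^\s*(i2o|o2i) (\S+) proto (\S+) port (\d+) fib (\d+)\s*$")
STATE = {"dynamic translation", "static translation", "forwarding-bypass"}


def parse_sessions(text):
    """Parse 'show nat44 sessions' text into a list of session dicts."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m and m.group(1) == "i2o":       # an i2o header opens a new session
            cur = {"inside": m.group(2), "outside": None, "proto": m.group(3),
                   "port": int(m.group(4)), "external": None,
                   "rewrites_saddr": False, "state": set()}
            sessions.append(cur)
        elif cur is None:
            continue                        # banner lines before the first session
        elif m:
            cur["outside"] = m.group(2)     # the o2i header carries the outside address
        else:
            s = line.strip()
            if s.startswith("external host "):
                cur["external"] = s.split()[2]
            elif s.startswith("i2o flow:") and "rewrite:" in s:
                # a translated flow lists a new saddr after 'rewrite:'
                cur["rewrites_saddr"] = "saddr" in s.split("rewrite:", 1)[1]
            elif s in STATE:
                cur["state"].add(s)
    return sessions


def untranslated(sessions):
    """Sessions whose inside address leaves VPP without being rewritten."""
    return [s for s in sessions
            if s["outside"] == s["inside"]
            or not s["rewrites_saddr"]
            or "forwarding-bypass" in s["state"]]


# Constructed sample: one TCP and one ICMP session copied from the message above.
SAMPLE = """\
NAT44 ED sessions:
thread 0 vpp_main: 2 sessions
  i2o 192.168.1.20 proto TCP port 5201 fib 0
  o2i 192.168.1.20 proto TCP port 5201 fib 0
     external host 10.197.61.30:42280
     i2o flow: match: saddr 192.168.1.20 sport 5201 daddr 10.197.61.30 dport 42280 proto TCP fib_idx 0 rewrite: txfib 0
     o2i flow: match: saddr 0.0.0.0 sport 0 daddr 0.0.0.0 dport 0 proto IP6_HOP_BY_HOP_OPTIONS fib_idx 0
     index 0
     last heard 287.92
     timeout in 2396.83
     total pkts 30, total bytes 985
     dynamic translation
     forwarding-bypass

  i2o 192.168.1.20 proto ICMP port 141 fib 0
  o2i 4.4.4.4 proto ICMP port 141 fib 0
     external host 10.197.61.30:141
     i2o flow: match: saddr 192.168.1.20 sport 141 daddr 10.197.61.30 dport 141 proto ICMP fib_idx 0 rewrite: saddr 4.4.4.4 daddr 10.197.61.30 icmp-id 141 txfib 0
     o2i flow: match: saddr 10.197.61.30 sport 141 daddr 4.4.4.4 dport 141 proto ICMP fib_idx 0 rewrite: daddr 192.168.1.20 icmp-id 141 txfib 0
     index 0
     last heard 127.02
     timeout in -26.69
     total pkts 40, total bytes 3360
     static translation
"""

if __name__ == "__main__":
    for s in untranslated(parse_sessions(SAMPLE)):
        print(f"{s['proto']} {s['inside']}:{s['port']} -> {s['external']} "
              f"not translated ({', '.join(sorted(s['state']))})")
```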
Re: [vpp-dev] NAT44 for TCP/UDP
Hi Ashwini,

I will look into your issue. But for reference I would advise against using a combination of inside interface and output-feature.

OUTPUT-FEATURE, or in other words output interface, already contains the nat44-inside node. Output-feature does postrouting: after the ip4-lookup node decides which interface the packet is supposed to go to (in your config it would be wan1 or wan2), then the translation occurs.

Either use the combination of

    nat44 in lan
    nat44 out wan1
    nat44 out wan2

or

    nat44 out wan1 output-feature
    nat44 out wan2 output-feature

The CLI is not very user friendly. Specifically in configuring output-feature, because it looks like you are actually configuring the outside interface but you are not; instead the wan1 or wan2 contain both nat44 inside (output-feature) and nat44 outside nodes.

I will do some testing and get back to you.

Best regards,
Filip Varga

On Tue, 9. 8. 2022 at 2:49, Ashwini Kadam wrote:
> Hi All,
>
> I am trying to make NAT44 ed work for TCP/UDP traffic on my setup. My
> setup is as follows
>
> Host A, Host B <-VPP <- Host C
>
> Host A, Host B and Host C can communicate to each other via VPP. The VPP
> container has two interfaces. My current version of VPP is 22.10. The
> startup config is as follows
>
> unix {
>   nodaemon
>   log /var/log/vpp/vpp.log
>   interactive
>   full-coredump
>   cli-listen /run/vpp/cli.sock
>   poll-sleep-usec 100
>   startup-config setup.tmpl
>   gid vpp
> }
> api-trace { on }
> api-segment { gid vpp }
> socksvr { default }
> dpdk {
>   log-level debug
>   dev default {
>     num-rx-desc 512
>     num-tx-desc 512
>   }
>   # Replace PCIDEVICE once Pod is up
>   dev :07:13.2 {
>     name lan
>   }
>   dev :07:12.6 {
>     name wan1
>   }
>   dev :07:13.0 {
>     name wan2
>   }
>   uio-driver vfio-pci
> }
> cpu {}
> memory {
>   # main-heap-size 1G
>   # main-heap-page-size 1G
>   default-hugepage-size 1G
> }
> logging {
>   default-log-level debug
>   default-syslog-log-level debug
> }
>
> plugins {
>   plugin dpdk_plugin.so { enable }
>   plugin dhcp_plugin.so { enable }
>   plugin nat_plugin.so { enable }
>   plugin nat44_plugin.so { enable }
>   plugin nat44_ei_plugin.so { enable }
>   plugin cnat_plugin.so { enable }
>   plugin ping_plugin.so { enable }
>   plugin det44_plugin.so { enable }
>   plugin map_plugin.so { enable }
>   plugin dns_plugin.so { enable }
>   plugin tracedump_plugin.so { enable }
> }
>
> VPP dpdk interface IP’s
>
> Lan : 192.168.1.x/24
> Wan1 : 10.x.x.x/24
> Wan2 : 10.x.x.x/24
>
> Host C has interface with IP : 192.168.1.20/24. Iperf3 is run on Host C
> as server and on Host A as a client
>
> My NAT configuration is as follows
>
> nat44 plugin enable sessions 63000
> nat44 forwarding enable
> set nat timeout udp 300 tcp-established 7440 tcp-transitory 240 icmp 60
> nat mss-clamping 1452
> set interface nat44 in lan
> set interface nat44 out wan1 output-feature
> set interface nat44 out wan2 output-feature
> nat44 add static mapping tcp local 192.168.1.20 external 4.4.4.4
>
> However when I look at my nat44 sessions I don’t see any re-writes
> happening. The rules don’t get applied. The same works for ICMP traffic but
> not for UDP or TCP. Also I see a lot of garbage data coming in. Below is
> an example of nat44 session I see for tcp traffic
>
> NAT44 ED sessions:
> thread 0 vpp_main: 2 sessions
> i2o 192.168.1.20 proto TCP port 5201 fib 0
> o2i 192.168.1.20 proto TCP port 5201 fib 0
>    external host 10.197.61.30:33702
>    i2o flow: match: saddr 192.168.1.20 sport 5201 daddr 10.197.61.30 dport 33702 proto TCP fib_idx 0 rewrite: txfib 0
>    o2i flow: match: saddr 0.0.0.0 sport 0 daddr 0.0.0.0 dport 0 proto IP6_HOP_BY_HOP_OPTIONS fib_idx 0
>    index 0
>    last heard 216.03
>    timeout in 239.92
>    total pkts 43, total bytes 2148
>    dynamic translation
>    forwarding-bypass
>
> i2o 192.168.1.20 proto TCP port 5201 fib 0
> o2i 192.168.1.20 proto TCP port 5201 fib 0
>    external host 10.197.61.30:33704
>    i2o flow: match: saddr 192.168.1.20 sport 5201 daddr 10.197.61.30 dport 33704 proto TCP fib_idx 0 rewrite: txfib 0
>    o2i flow: match: saddr 0.0.0.0 sport 0 daddr 0.0.0.0 dport 0 proto IP6_HOP_BY_HOP_OPTIONS fib_idx 0
>    index 1
>    last heard 215.95
>    timeout in 239.83
>    total pkts 5395516, total bytes 21042010
>    dynamic translation
>    forwarding-bypass
>
> Below is output of nat44 summary
>
> vpp# show nat44 summary
> max translations per thread: 63000 fib 0