Hi all, Anyone get this working? When I enable nat44 forwarding, all NAT translations stop working.
example - 110.21.22.12 is the IP address of my wan0.

I have:

set interface nat44 in loop0 out wan0

Without forwarding:

vpp# sh nat44 sessions
NAT44 sessions:
-------- thread 0 vpp_main: 2240 sessions --------
10.1.3.138: 1540 dynamic translations, 0 static translations
10.1.3.135: 36 dynamic translations, 0 static translations
10.1.3.125: 524 dynamic translations, 0 static translations
10.1.1.2: 108 dynamic translations, 0 static translations
10.1.3.174: 5 dynamic translations, 0 static translations
10.1.3.169: 15 dynamic translations, 0 static translations
10.1.3.62: 10 dynamic translations, 0 static translations
10.1.2.203: 2 dynamic translations, 0 static translations

With forwarding:

vpp# sh nat44 sessions
NAT44 sessions:
-------- thread 0 vpp_main: 19 sessions --------
110.21.22.12: 19 dynamic translations, 0 static translations

Thanks

On Mon, Apr 15, 2019 at 1:29 AM Shahid Khan <shahidnasimk...@gmail.com> wrote:

> Hi Ole,
>
> any finding on it ? are u able to reproduce it ?
>
> -Shahid.
>
> On Thu, Apr 11, 2019 at 1:32 PM Shahid Khan via Lists.Fd.Io
> <shahidnasimkhan=gmail....@lists.fd.io> wrote:
>
>> There is another physical port bridged to loop1 which is on
>> 192.168.15.0/24 network.
>> .....the packets coming inside GRE tunnel are for 192.168.15.0/24
>> network.
>>
>> also just want to understand why SNAT is blocked when forwarding is
>> enabled ?
>> someone might have a requirement to SNAT first and then do forward.
>>
>> when i comment the code as below, SNAT and GRE both works. but i don't
>> know how it will impact rest of code/functionality.
>>
>> static inline int
>> snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
>>                     u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
>>                     u32 rx_fib_index0, u32 thread_index)
>> {
>>   udp_header_t *udp0 = ip4_next_header (ip0);
>>   snat_session_key_t key0, sm0;
>>   clib_bihash_kv_8_8_t kv0, value0;
>>
>>   key0.addr = ip0->dst_address;
>>   key0.port = udp0->dst_port;
>>   key0.protocol = proto0;
>>   key0.fib_index = sm->outside_fib_index;
>>   kv0.key = key0.as_u64;
>>
>>   /* NAT packet aimed at external address if */
>>   /* has active sessions */
>>   if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
>>                               &kv0, &value0))
>>     {
>>       /* or is static mappings */
>>       if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
>>         return 0;
>>     }
>>   else
>>     return 0;
>>
>>   /*
>>   if (sm->forwarding_enabled)
>>     return 1;
>>   */
>>
>>   return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
>>                                   rx_fib_index0);
>> }
>>
>> -Shahid.
>>
>> On Thu, Apr 11, 2019 at 12:44 PM Ole Troan <otr...@employees.org> wrote:
>>
>>> Shahid,
>>>
>>> Right, so the GRE packets shouldn’t go through the NAT at all.
>>> Is the GRE tunnel itself marked as inside?
>>>
>>> I should have thought this was supported with
>>> https://jira.fd.io/browse/VPP-447
>>> Let me see if I can reproduce.
>>>
>>> Best regards,
>>> Ole
>>>
>>> > On 10 Apr 2019, at 12:55, Shahid Khan <shahidnasimk...@gmail.com> wrote:
>>> >
>>> > Hi Ole,
>>> >
>>> > we have a bridge(loop0) with a private ip say 192.168.100.2/24.
>>> > a TAP is also connected to this bridge and other end of TAP is on host side.
>>> >
>>> > we have one physical interface connected to another bridge (loop1) with outside network ip of say 192.168.10.1/24
>>> > and a GRE tunnel is created having source as 192.168.10.1.
>>> >
>>> > Host has requirement to initiate sessions(tcp/udp) to outside network. so we have applied NAT as below.
>>> >
>>> > nat44 add interface address loop1
>>> > set interface nat44 in loop0 out loop1
>>> >
>>> > with this host can initiate session with outside network and SNAT works fine.
>>> >
>>> > But GRE does not work. we looked into traces and found that packet coming to GRE tunnels are getting dropped with trace showing "unknown protocol".
>>> >
>>> > if we enable forwarding then GRE packets are getting forwarded to destination but now host is not able to initiate session to outside network because SNAT stops
>>> >
>>> > -Shahid.
>>> >
>>> > On Wed, Apr 10, 2019 at 2:33 PM Ole Troan <otr...@employees.org> wrote:
>>> > Hi Shahid,
>>> >
>>> > What are you trying to achieve?
>>> > https://wiki.fd.io/view/VPP/NAT#Enable_or_disable_forwarding
>>> >
>>> > You do not typically enable the “forwarding” feature.
>>> >
>>> > Cheers,
>>> > Ole
>>> >
>>> > > On 8 Apr 2019, at 07:52, Shahid Khan <shahidnasimk...@gmail.com> wrote:
>>> > >
>>> > > can someone look into below query ?
>>> > >
>>> > > -Shahid.
>>> > >
>>> > > On Wed, Apr 3, 2019 at 12:56 PM Shahid Khan via Lists.Fd.Io <shahidnasimkhan=gmail....@lists.fd.io> wrote:
>>> > > Hi,
>>> > >
>>> > > can someone help us on below query ?
>>> > >
>>> > > -Shahid.
>>> > >
>>> > > On Mon, Apr 1, 2019 at 11:45 AM Shahid Khan via Lists.Fd.Io <shahidnasimkhan=gmail....@lists.fd.io> wrote:
>>> > >
>>> > > I have following query related to SNAT on VPP Release 19.0.1.02
>>> > >
>>> > > following is the code from vpp/src/plugins/nat/in2out.c
>>> > >
>>> > > static inline int
>>> > > snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
>>> > >                     u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
>>> > >                     u32 rx_fib_index0, u32 thread_index)
>>> > > {
>>> > >   udp_header_t *udp0 = ip4_next_header (ip0);
>>> > >   snat_session_key_t key0, sm0;
>>> > >   clib_bihash_kv_8_8_t kv0, value0;
>>> > >
>>> > >   key0.addr = ip0->dst_address;
>>> > >   key0.port = udp0->dst_port;
>>> > >   key0.protocol = proto0;
>>> > >   key0.fib_index = sm->outside_fib_index;
>>> > >   kv0.key = key0.as_u64;
>>> > >
>>> > >   /* NAT packet aimed at external address if */
>>> > >   /* has active sessions */
>>> > >   if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
>>> > >                               &kv0, &value0))
>>> > >     {
>>> > >       /* or is static mappings */
>>> > >       if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
>>> > >         return 0;
>>> > >     }
>>> > >   else
>>> > >     return 0;
>>> > >
>>> > >   if (sm->forwarding_enabled)
>>> > >     return 1;
>>> > >
>>> > >   return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
>>> > >                                   rx_fib_index0);
>>> > > }
>>> > >
>>> > > want to understand why above highlighted condition is there in code ?
>>> > >
>>> > > this is causing SNAT to stop working the moment we enable forwarding.
>>> > > what will be impact we comment this condition ?
>>> > >
>>> > > -Shahid.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#14593): https://lists.fd.io/g/vpp-dev/message/14593
Mute This Topic: https://lists.fd.io/mt/30851776/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
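
Added example, not part of the original thread or of VPP: a small parser for the `sh nat44 sessions` output quoted in the message above, reporting whether inside hosts still own translations or only the outside interface address does. The inside prefix 10.1.0.0/16 is an assumption inferred from the hosts shown, the function names are hypothetical, and the line breaks in the sample text are assumed.

```python
import ipaddress
import re

# Sample text re-typed from the two outputs quoted in the thread; the line
# breaks are assumed, since the archive flattened them onto one line.
WITHOUT_FORWARDING = """NAT44 sessions:
-------- thread 0 vpp_main: 2240 sessions --------
10.1.3.138: 1540 dynamic translations, 0 static translations
10.1.3.135: 36 dynamic translations, 0 static translations
10.1.3.125: 524 dynamic translations, 0 static translations
10.1.1.2: 108 dynamic translations, 0 static translations
10.1.3.174: 5 dynamic translations, 0 static translations
10.1.3.169: 15 dynamic translations, 0 static translations
10.1.3.62: 10 dynamic translations, 0 static translations
10.1.2.203: 2 dynamic translations, 0 static translations
"""
WITH_FORWARDING = """NAT44 sessions:
-------- thread 0 vpp_main: 19 sessions --------
110.21.22.12: 19 dynamic translations, 0 static translations
"""

# One per-user line: "<ipv4>: N dynamic translations, M static translations"
USER_RE = re.compile(
    r"^\s*(\d+(?:\.\d+){3}):\s+(\d+) dynamic translations?, "
    r"(\d+) static translations?\s*$", re.M)


def parse_users(text):
    """Map each per-user address to its (dynamic, static) translation counts."""
    return {ipaddress.ip_address(ip): (int(dyn), int(sta))
            for ip, dyn, sta in USER_RE.findall(text)}


def check_snat(text, inside_nets, outside_addr):
    """Report whether inside hosts still own translations in this output."""
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    users = parse_users(text)
    inside = {ip: c for ip, c in users.items() if any(ip in n for n in nets)}
    return {
        "inside_users": len(inside),
        "inside_dynamic": sum(dyn for dyn, _ in inside.values()),
        "outside_addr_is_user": ipaddress.ip_address(outside_addr) in users,
        "snat_active": bool(inside),
    }


if __name__ == "__main__":
    # 10.1.0.0/16 as the inside prefix is an assumption (hosts shown are 10.1.x.x).
    for label, text in (("without", WITHOUT_FORWARDING), ("with", WITH_FORWARDING)):
        print(label, check_snat(text, ["10.1.0.0/16"], "110.21.22.12"))
```

Run against a saved copy of the CLI output before and after a configuration change, a drop of `inside_users` to zero with `outside_addr_is_user` set matches the symptom reported here.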