As a reference for this issue, the bugzilla report at:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059#c9
The issue is that packet sums are being corrupted and therefore cannot
be accepted by the TCP stack of the destination machine.
The issue might also affect UDP.
*The issue only affects packets that are being routed through the FreeBSD
box and not regular sockets.*
The exact same issue was present in OpenBSD 5.7, and on current (5.8) it got
fixed.
Eliezer
On 27/08/2015 10:56, Eliezer Croitoru wrote:
I added a filter rule to iptables with an INVALID reject match, and any
packet that is being passed through the FreeBSD router is being marked by
iptables as INVALID.
An example for an INVALID packet:
http://ngtech.co.il/nat_issue/proxy2.pcap
Eliezer
On 26/08/2015 21:24, Eliezer Croitoru wrote:
Hey lists,
I had a similar issue in the past but now I have found the combination
which results in the issue.
My topology is between two KVM hosts.
Server is on KVM1 ip address 192.168.10.1/24
Another whole network on the KVM2.
And the traffic is:
client 192.168.11.2/24 --> R1 - 192.168.11.254/24
R1 192.168.15.1/24 --> R2(NAT SERVER) 192.168.15.254/24
R3 eth4 NATed(masquerade) 192.168.10.179/24 --> Server 192.168.10.1/24
The above is what is supposed to happen, and the reality is that
192.168.10.1 receives a packet but from 192.168.11.2.
I can reproduce the issue successfully by replacing the R1 server from a
Linux box with a FreeBSD 10.1 box (FreeBSD causes the issue).
The routers I have used are:
CentOS 7
VYOS 1.6
It is the same for both and I can reproduce the issue successfully.
I have also tested the R1 replaced with:
VYOS 1.7
CENTOS 7
DEBIAN 8
vSRX
FreeBSD 4.11 with an e1000 card, works fine.
FreeBSD 10.1 (amd64) with an e1000 card, works fine.
*FreeBSD 10.1 (amd64) with a virtio card, has an issue.*
Now I am trying to figure out whether it's a netfilter issue or a FreeBSD
virtio driver issue, and if so, what the direction might be to get this
issue fixed.
Tcpdump captures on the NAT router of different packets and sessions are
here:
http://ngtech.co.il/nat_issue/
If the issue is probably with the FreeBSD virtio drivers, why would the
MASQUERADE pass the packet to the destination server?
Thanks,
Eliezer
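As an added example (not code from the thread or from any of the projects named in it), the following Python script verifies the IPv4 header checksum and the TCP checksum (including its pseudo-header) of a raw IPv4 packet, which is the check to run over the captures above to tell a genuinely bad sum from a capture-side offload artifact. The packets it builds are constructed samples using the thread's addresses; the "incomplete SNAT" function only illustrates why a TCP checksum goes stale when an address changes and is not a claim about what the FreeBSD virtio path actually does.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed sample: an IPv4/TCP SYN with correct IP and TCP checksums."""
    saddr = bytes(int(o) for o in src.split("."))
    daddr = bytes(int(o) for o in dst.split("."))
    # sport, dport, seq, ack, data offset (5 words), flags=SYN, window, checksum=0, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    pseudo = saddr + daddr + struct.pack("!BBH", 0, 6, len(tcp))   # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, saddr, daddr)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp

def rewrite_src_ip_only(frame: bytes, new_src: str) -> bytes:
    """Simulated incomplete SNAT: new source address and IP checksum, TCP checksum left stale."""
    saddr = bytes(int(o) for o in new_src.split("."))
    ip = frame[:10] + b"\x00\x00" + saddr + frame[16:20]          # assumes a 20-byte IP header
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + frame[20:]

def verify_ipv4_tcp(frame: bytes) -> dict:
    """Check the IP header checksum and the TCP checksum (with pseudo-header) of a raw IPv4 packet."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]   # ignore any trailing Ethernet padding
    if frame[9] != 6:
        raise ValueError("not a TCP packet")
    seg = frame[ihl:total_len]
    pseudo = frame[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return {
        "ip_ok": ones_complement_sum(frame[:ihl]) == 0xFFFF,   # data plus its checksum sums to all ones
        "tcp_ok": ones_complement_sum(pseudo + seg) == 0xFFFF,
    }

if __name__ == "__main__":
    good = build_ipv4_tcp("192.168.11.2", "192.168.10.1", 40000, 80)
    print(verify_ipv4_tcp(good))                                          # both True
    print(verify_ipv4_tcp(rewrite_src_ip_only(good, "192.168.10.179")))  # tcp_ok False
```

Linux conntrack with nf_conntrack_checksum=1 (the default) classifies segments whose TCP checksum fails this same check as INVALID, so running it over the linked pcaps shows whether the iptables INVALID match is firing on checksums or on something else.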
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"