Thanks Tom; the default route is 10.1.0.1 on vlan1:
Shorewall 5.1.12.3 Routing at voyage3 - Sat May 5 04:40:55 WAT 2018
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Table default:
Table local:
local 192.168.1.40 dev wlan1 proto kernel scope host src 192.168.1.40
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.1.0.252 dev vlan1 proto kernel scope host src 10.1.0.251
local 10.1.0.251 dev vlan1 proto kernel scope host src 10.1.0.251
broadcast 192.168.1.255 dev wlan1 proto kernel scope link src 192.168.1.40
broadcast 192.168.1.0 dev wlan1 proto kernel scope link src 192.168.1.40
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.1.0.255 dev vlan1 proto kernel scope link src 10.1.0.251
broadcast 10.1.0.0 dev vlan1 proto kernel scope link src 10.1.0.251
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.40
10.1.0.0/24 dev vlan1 proto kernel scope link src 10.1.0.251
default via 10.1.0.1 dev vlan1 onlink
For now I am going to use a static IP on wlan1; can you think of a solution
that will allow continued use of DHCP?
- Norm
On Sat, May 5, 2018 at 12:43 AM, Tom Eastep <teas...@shorewall.net> wrote:
> On 05/04/2018 11:19 AM, Norman Henderson wrote:
> > Hello again Tom, After a busy week I got back to this and I have some
> > interesting data. After a bit more than 2 hours of monitoring, in
> > tcpdump I found the time that the first packets start to be directed
> > (inappropriately) via wlan1 to the address that was the original
> > destination, 10.1.0.252.
> > Around that time I found the following conntrack -E entries (readable
> > times added):
> >
> > 08:47:57 [1525420077.899523][DESTROY] udp 17 src=10.1.0.3
> > dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40
> > sport=5060 dport=5060 [ASSURED] delta-time=1423
> > 08:48:14 [1525420094.949138] [NEW] udp 17 3607 src=10.1.0.3
> > dst=10.1.0.252 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.35
> > dst=192.168.1.40 sport=5060 dport=5060 helper=sip
> > 08:48:39 [1525420119.414182][UPDATE] udp 17 3600 src=10.1.0.3
> > dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40
> > sport=5060 dport=5060 helper=sip
> > 08:48:39 [1525420119.414356][UPDATE] udp 17 3600 src=10.1.0.3
> > dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40
> > sport=5060 dport=5060 [ASSURED] helper=sip
> > 09:04:39 [1525421079.191758][DESTROY] udp 17 src=10.1.0.3
> > dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40
> > sport=5060 dport=5060 [ASSURED] delta-time=985
> > 09:04:39 [1525421079.791446] [NEW] udp 17 3613 src=10.1.0.3
> > dst=10.1.0.252 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.35
> > dst=10.1.0.3 sport=5060 dport=5060 helper=sip
> > Suddenly the DST address is different.
> >
> > The corresponding tcpdump data on vlan1 is:
> > 09:03:12.540129 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: REGISTER
> > sip:10.1.0.252 SIP/2.0
> > 09:03:12.570423 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 200 OK
> > 09:03:14.969710 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP
> > 09:03:39.763456 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> > sip:10.1.0.252 SIP/2.0
> > 09:03:39.790185 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 504
> > Server Time-out
> > 09:03:39.790307 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 504
> > Server Time-out
> > 09:03:39.790426 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 504
> > Server Time-out
> > 09:04:14.970098 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP
> > 09:04:39.791168 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> > sip:10.1.0.252 SIP/2.0
> > 09:04:39.791424 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> > sip:192.168.1.35:5060 SIP/2.0
> > 09:04:40.791264 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> > sip:10.1.0.252 SIP/2.0
> > 09:04:40.791467 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> > sip:192.168.1.35:5060 SIP/2.0
> > 09:04:41.790606 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> > sip:10.1.0.252 SIP/2.0
> > 09:04:41.790809 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> > sip:192.168.1.35:5060 SIP/2.0
> > 09:04:42.791197 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> > sip:10.1.0.252 SIP/2.0
> > 09:04:42.791402 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> > sip:192.168.1.35:5060 SIP/2.0
> > 09:04:43.790635 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> > sip:10.1.0.252 SIP/2.0
> > 09:04:43.790846 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> > sip:192.168.1.35:5060 SIP/2.0
> > 09:04:53.791447 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS
> > sip:10.1.0.252 SIP/2.0
> > Before and after that section, the addresses on vlan1 are always
> > 10.1.0.3 and 10.1.0.252 as they should be.
> >
> > I also was running tcpdump on wlan1:
> > (earlier entries are all between 192.168.1.40 and 192.168.1.35)
> > 09:04:14.970293 IP 192.168.1.40.5060 > 192.168.1.35.5060: SIP
> > 09:04:53.791704 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> > sip:192.168.1.35:5060 SIP/2.0
> > 09:04:54.791616 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> > sip:192.168.1.35:5060 SIP/2.0
> > 09:04:55.792774 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS
> > sip:192.168.1.35:5060 SIP/2.0
> > (subsequent entries are all from 10.1.0.3 to 192.168.1.35 without
> > responses)
> >
> > The most interesting part perhaps is syslog, including the output of
> > shorewall iptrace -p udp --destination-port 5060:
> > May 4 09:04:09 voyage3 dhclient[1664]: DHCPREQUEST of 192.168.1.40 on
> > wlan1 to 192.168.1.35 port 67 (xid=0x5104a2ea)
> > May 4 09:04:14 voyage3 kernel: [477354.231212] TRACE:
> > raw:PREROUTING:rule:13 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=31 TOS=0x00 PREC=0x60
> > TTL=64 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> > May 4 09:04:14 voyage3 kernel: [477354.231243] TRACE:
> > raw:PREROUTING:policy:14 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=31 TOS=0x00 PREC=0x60
> > TTL=64 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> > May 4 09:04:14 voyage3 kernel: [477354.231267] TRACE:
> > mangle:PREROUTING:policy:1 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=31 TOS=0x00 PREC=0x60
> > TTL=64 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> > May 4 09:04:14 voyage3 kernel: [477354.231297] TRACE:
> > mangle:FORWARD:rule:1 IN=vlan1 OUT=wlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=31 TOS=0x00 PREC=0x60
> > TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> > May 4 09:04:14 voyage3 kernel: [477354.231315] TRACE:
> > mangle:FORWARD:policy:2 IN=vlan1 OUT=wlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=31 TOS=0x00 PREC=0x60
> > TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> > May 4 09:04:14 voyage3 kernel: [477354.231332] TRACE:
> > filter:FORWARD:rule:1 IN=vlan1 OUT=wlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=31 TOS=0x00 PREC=0x60
> > TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> > May 4 09:04:14 voyage3 kernel: [477354.231353] TRACE:
> > filter:clean_frwd:rule:2 IN=vlan1 OUT=wlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=31 TOS=0x00
> > PREC=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11
> > May 4 09:04:14 voyage3 kernel: [477354.231368] TRACE:
> > mangle:POSTROUTING:policy:1 IN= OUT=wlan1 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=31 TOS=0x00 PREC=0x60 TTL=63 ID=37212 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=11
> > May 4 09:04:24 voyage3 dhclient[1664]: message repeated 3 times: [
> > DHCPREQUEST of 192.168.1.40 on wlan1 to 192.168.1.35 port 67
> > (xid=0x5104a2ea)]
> > May 4 09:04:34 voyage3 dhclient[1664]: DHCPREQUEST of 192.168.1.40 on
> > wlan1 to 255.255.255.255 port 67 (xid=0x5104a2ea)
> > May 4 09:04:39 voyage3 avahi-daemon[980]: Withdrawing address record
> > for 192.168.1.40 on wlan1.
> > May 4 09:04:39 voyage3 avahi-daemon[980]: Leaving mDNS multicast
> > group on interface wlan1.IPv4 with address 192.168.1.40.
> > May 4 09:04:39 voyage3 avahi-daemon[980]: Interface wlan1.IPv4 no
> > longer relevant for mDNS.
> > May 4 09:04:39 voyage3 dhclient[1664]: DHCPDISCOVER on wlan1 to
> > 255.255.255.255 port 67 interval 3 (xid=0xd862dc03)
> > May 4 09:04:39 voyage3 kernel: [477379.054124] TRACE:
> > raw:PREROUTING:rule:13 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:39 voyage3 kernel: [477379.054148] TRACE:
> > raw:PREROUTING:policy:14 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:39 voyage3 kernel: [477379.054169] TRACE:
> > mangle:PREROUTING:policy:1 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:39 voyage3 kernel: [477379.054184] TRACE:
> > nat:PREROUTING:rule:1 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:39 voyage3 kernel: [477379.054224] TRACE:
> > mangle:FORWARD:rule:1 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:39 voyage3 kernel: [477379.054236] TRACE:
> > mangle:FORWARD:policy:2 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:39 voyage3 kernel: [477379.054248] TRACE:
> > filter:FORWARD:rule:1 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:39 voyage3 kernel: [477379.054262] TRACE:
> > filter:clean_frwd:rule:1 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:39 voyage3 kernel: [477379.054276] TRACE:
> > filter:dynamic:return:1 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:39 voyage3 kernel: [477379.054288] TRACE:
> > filter:clean_frwd:rule:4 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:39 voyage3 kernel: [477379.054297] TRACE:
> > mangle:POSTROUTING:policy:1 IN= OUT=vlan1 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:39 voyage3 kernel: [477379.054306] TRACE:
> > nat:POSTROUTING:policy:3 IN= OUT=vlan1 SRC=10.1.0.3 DST=192.168.1.35
> > LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP SPT=5060 DPT=5060
> > LEN=525
> > May 4 09:04:40 voyage3 kernel: [477380.054284] TRACE:
> > raw:PREROUTING:rule:13 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37214 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:40 voyage3 kernel: [477380.054308] TRACE:
> > raw:PREROUTING:policy:14 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37214 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:40 voyage3 kernel: [477380.054326] TRACE:
> > mangle:PREROUTING:policy:1 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37214 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:40 voyage3 kernel: [477380.054360] TRACE:
> > mangle:FORWARD:rule:1 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:40 voyage3 kernel: [477380.054373] TRACE:
> > mangle:FORWARD:policy:2 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:40 voyage3 kernel: [477380.054386] TRACE:
> > filter:FORWARD:rule:1 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:40 voyage3 kernel: [477380.054400] TRACE:
> > filter:clean_frwd:rule:1 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:40 voyage3 kernel: [477380.054414] TRACE:
> > filter:dynamic:return:1 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:40 voyage3 kernel: [477380.054427] TRACE:
> > filter:clean_frwd:rule:4 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:40 voyage3 kernel: [477380.054437] TRACE:
> > mangle:POSTROUTING:policy:1 IN= OUT=vlan1 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:41 voyage3 ntpd[2704]: Deleting interface #80 wlan1,
> > 192.168.1.40#123, interface stats: received=0, sent=15, dropped=0,
> > active_time=992 secs
> > May 4 09:04:41 voyage3 kernel: [477381.053708] TRACE:
> > raw:PREROUTING:rule:13 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37215 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:41 voyage3 kernel: [477381.053731] TRACE:
> > raw:PREROUTING:policy:14 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37215 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:41 voyage3 kernel: [477381.053750] TRACE:
> > mangle:PREROUTING:policy:1 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37215 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:41 voyage3 kernel: [477381.053783] TRACE:
> > mangle:FORWARD:rule:1 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:41 voyage3 kernel: [477381.053795] TRACE:
> > mangle:FORWARD:policy:2 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:41 voyage3 kernel: [477381.053807] TRACE:
> > filter:FORWARD:rule:1 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:41 voyage3 kernel: [477381.053821] TRACE:
> > filter:clean_frwd:rule:1 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:41 voyage3 kernel: [477381.053835] TRACE:
> > filter:dynamic:return:1 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:41 voyage3 kernel: [477381.053847] TRACE:
> > filter:clean_frwd:rule:4 IN=vlan1 OUT=vlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:41 voyage3 kernel: [477381.053856] TRACE:
> > mangle:POSTROUTING:policy:1 IN= OUT=vlan1 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:42 voyage3 dhclient[1664]: DHCPDISCOVER on wlan1 to
> > 255.255.255.255 port 67 interval 8 (xid=0xd862dc03)
> > ...
> > similar
> > ...
> > May 4 09:04:50 voyage3 dhclient[1664]: DHCPDISCOVER on wlan1 to
> > 255.255.255.255 port 67 interval 9 (xid=0xd862dc03)
> > May 4 09:04:50 voyage3 dhclient[1664]: DHCPREQUEST of 192.168.1.40 on
> > wlan1 to 255.255.255.255 port 67 (xid=0x3dc62d8)
> > May 4 09:04:50 voyage3 dhclient[1664]: DHCPOFFER of 192.168.1.40 from
> > 192.168.1.35
> > May 4 09:04:50 voyage3 dhclient[1664]: DHCPACK of 192.168.1.40 from
> > 192.168.1.35
> > May 4 09:04:50 voyage3 systemd[1]: Reloading LSB: start Samba
> > SMB/CIFS daemon (smbd).
> > May 4 09:04:50 voyage3 smbd[4693]: * Reloading /etc/samba/smb.conf smbd
> > May 4 09:04:50 voyage3 smbd[4693]: ...done.
> > May 4 09:04:50 voyage3 systemd[1]: Reloaded LSB: start Samba SMB/CIFS
> > daemon (smbd).
> > May 4 09:04:50 voyage3 avahi-daemon[980]: Joining mDNS multicast
> > group on interface wlan1.IPv4 with address 192.168.1.40.
> > May 4 09:04:50 voyage3 avahi-daemon[980]: New relevant interface
> > wlan1.IPv4 for mDNS.
> > May 4 09:04:50 voyage3 avahi-daemon[980]: Registering new address
> > record for 192.168.1.40 on wlan1.IPv4.
> > May 4 09:04:50 voyage3 dhclient[1664]: bound to 192.168.1.40 --
> > renewal in 30 seconds.
> > May 4 09:04:52 voyage3 ntpd[2704]: Listen normally on 81 wlan1
> > 192.168.1.40:123
> > May 4 09:04:52 voyage3 ntpd[2704]: new interface(s) found: waking up
> > resolver
> > May 4 09:04:53 voyage3 kernel: [477393.055430] TRACE:
> > raw:PREROUTING:rule:13 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37218 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:53 voyage3 kernel: [477393.055460] TRACE:
> > raw:PREROUTING:policy:14 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37218 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:53 voyage3 kernel: [477393.055484] TRACE:
> > mangle:PREROUTING:policy:1 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37218 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:53 voyage3 kernel: [477393.055509] TRACE:
> > mangle:FORWARD:rule:1 IN=vlan1 OUT=wlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:53 voyage3 kernel: [477393.055527] TRACE:
> > mangle:FORWARD:policy:2 IN=vlan1 OUT=wlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:53 voyage3 kernel: [477393.055544] TRACE:
> > filter:FORWARD:rule:1 IN=vlan1 OUT=wlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:53 voyage3 kernel: [477393.055566] TRACE:
> > filter:clean_frwd:rule:1 IN=vlan1 OUT=wlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:53 voyage3 kernel: [477393.055587] TRACE:
> > filter:dynamic:return:1 IN=vlan1 OUT=wlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:53 voyage3 kernel: [477393.055608] TRACE:
> > filter:clean_frwd:rule:5 IN=vlan1 OUT=wlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> > May 4 09:04:53 voyage3 kernel: [477393.055622] TRACE:
> > mangle:POSTROUTING:policy:1 IN= OUT=wlan1 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=525
> >
> > So, what it looks like to me, is that the communications device fails
> > to respond to DHCP; avahi-daemon (which isn't relevant on this box) is
> > taking the interface down; the interface recovers, but
> > iptables/shorewall do not, unless and until I do a conntrack -F.
> >
> > On spec, I have done: systemctl disable/stop
> > avahi-daemon.service/.socket. I will be very interested in your
> > assessment.
> >
> > Best regards, Norm
> >
> Norm,
>
> I believe that dhclient is taking the interface down. Once the interface
> is down, the route to 192.168.1.0/24 out of wlan1 is no longer
> available. I don't believe you have said which interface has the default
> route, but if it isn't wlan1 then when a new connection comes in, no
> SNAT/MASQUERADE will occur. When the interface comes back up, the
> conntrack entry created while the interface was down continues to be used.
>
> What is the output of 'shorewall show routing'?
>
> -Tom
>
> --
> Tom Eastep \ Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \ understand
> \_______________________________________________
>
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
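Tom's explanation, that a connection created while wlan1 was down is DNATed but gets no SNAT/MASQUERADE and that the entry then persists, can be checked against the `conntrack -E` output itself. The following is an added example, not part of the original messages: it parses four of the events quoted in the thread (rejoined one per line), flags the NEW entry whose reply tuple still points at the unmasqueraded source, and builds a `conntrack -D` command for that flow alone. The function names are illustrative, and the 192.168.1.0/24 masquerade network is an assumption taken from the routing table shown.

```python
import ipaddress
import re
from typing import NamedTuple

# Events copied from the thread's conntrack -E output, rejoined one per line.
SAMPLE_EVENTS = """\
[1525420094.949138] [NEW] udp 17 3607 src=10.1.0.3 dst=10.1.0.252 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.35 dst=192.168.1.40 sport=5060 dport=5060 helper=sip
[1525420119.414356][UPDATE] udp 17 3600 src=10.1.0.3 dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40 sport=5060 dport=5060 [ASSURED] helper=sip
[1525421079.191758][DESTROY] udp 17 src=10.1.0.3 dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40 sport=5060 dport=5060 [ASSURED] delta-time=985
[1525421079.791446] [NEW] udp 17 3613 src=10.1.0.3 dst=10.1.0.252 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.35 dst=10.1.0.3 sport=5060 dport=5060 helper=sip
"""

class Tuple4(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int

class Event(NamedTuple):
    ts: float
    kind: str      # NEW, UPDATE or DESTROY
    proto: str
    orig: Tuple4   # original direction, as the packet arrived
    reply: Tuple4  # what conntrack expects the reply to look like

HEAD = re.compile(r"\[(\d+\.\d+)\]\s*\[(NEW|UPDATE|DESTROY)\]\s+(\w+)\s+\d+")
TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_events(text):
    """Parse conntrack -E lines that carry both direction tuples."""
    events = []
    for line in text.splitlines():
        head = HEAD.search(line)
        tuples = TUPLE.findall(line)
        if not head or len(tuples) != 2:
            continue  # not a complete two-direction event line
        orig, reply = (Tuple4(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples)
        events.append(Event(float(head[1]), head[2], head[3], orig, reply))
    return events

def missing_snat(events, masq_net):
    """Return NEW entries DNATed into masq_net whose source was not rewritten.

    With SNAT/MASQUERADE applied, reply.dst is the firewall's own address on
    the outgoing interface; if it still equals orig.src, no SNAT happened.
    """
    net = ipaddress.ip_network(masq_net)
    flagged = []
    for ev in events:
        dnat_into_net = (ev.reply.src != ev.orig.dst
                         and ipaddress.ip_address(ev.reply.src) in net)
        snat_applied = ev.reply.dst != ev.orig.src
        if ev.kind == "NEW" and dnat_into_net and not snat_applied:
            flagged.append(ev)
    return flagged

def delete_command(ev):
    """Build a conntrack -D invocation matching only this flow's original tuple."""
    o = ev.orig
    return (f"conntrack -D -p {ev.proto} --orig-src {o.src} --orig-dst {o.dst} "
            f"--sport {o.sport} --dport {o.dport}")

if __name__ == "__main__":
    for ev in missing_snat(parse_events(SAMPLE_EVENTS), "192.168.1.0/24"):
        print(f"{ev.ts}: reply expected at {ev.reply.dst}, SNAT missing")
        print(delete_command(ev))
```

Deleting only the flagged flow is narrower than the `conntrack -F` mentioned in the thread, which drops every tracked connection on the firewall.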