Hi,

There is a bug in the hairpinning code for the ICMP protocol; TCP/UDP should work. I will fix it.

Regards,
Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On Behalf Of Denis Lotarev via vpp-dev
Sent: Tuesday, May 30, 2017 2:01 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] SNAT problem between users

Hi!

We are testing the VPP SNAT plugin. Simple SNAT is working well, but:

In this example:
Client A cannot ping and connect to client B by IP address 2.2.2.3. Client A can access the internet.
Client B cannot ping and connect to client A by IP address 2.2.2.2. Client B can access the internet.
Other clients from subnet 1.1.2.0/24 cannot connect to client A and client B by IP addresses 2.2.2.2 and 2.2.2.3 respectively. Other clients can access the internet.

My VPP configuration is:

set int state GigabitEthernet2/0/1 up (internet interface)
set int state GigabitEthernet2/0/0 up (local interface)
set int ip address GigabitEthernet2/0/1 2.2.2.100/24 (internet address)
set int ip address GigabitEthernet2/0/0 1.1.2.1/24 (local address)
ip route add 0.0.0.0/0 via 2.2.2.1 GigabitEthernet2/0/1 (default route to upper gateway)
set int snat in GigabitEthernet2/0/0 out GigabitEthernet2/0/1 (configure snat on local interface (in) and internet interface (out))
snat add static mapping local 1.1.2.22 external 2.2.2.2 (static mapping client A)
snat add static mapping local 1.1.2.33 external 2.2.2.3 (static mapping client B)
snat add address 2.2.2.10 (for SNAT of other clients, without static mapping)

But the same configuration on Linux iptables is working well, and clients with static mapping and SNAT can connect to each other as usual.

In this example:
Client A can ping and connect to client B by IP address 2.2.2.3. Client A can access the internet.
Client B can ping and connect to client A by IP address 2.2.2.2. Client B can access the internet.
Other clients from subnet 1.1.2.0/24 can connect to client A and client B by IP addresses 2.2.2.2 and 2.2.2.3 respectively. Other clients can access the internet.

My iptables configuration is (ip forwarding turned on):

*filter
:INPUT ACCEPT
:OUTPUT ACCEPT
:FORWARD ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT
-A POSTROUTING -s 1.1.2.22/32 -o eno2 -j NETMAP --to 2.2.2.2/32 (static mapping client A)
-A POSTROUTING -s 1.1.2.33/32 -o eno2 -j NETMAP --to 2.2.2.3/32 (static mapping client B)
-A POSTROUTING -s 1.1.2.0/24 -o eno2 -j SNAT --to-source 2.2.2.10 (for SNAT of other clients, without static mapping)
:PREROUTING ACCEPT
-A PREROUTING -s 2.2.2.2/32 -i eno2 -j NETMAP --to 1.1.2.22/32 (static mapping client A)
-A PREROUTING -s 2.2.2.3/32 -i eno2 -j NETMAP --to 1.1.2.33/32 (static mapping client B)
COMMIT

ip link set dev eno1 up; (local interface)
ip link set dev eno2 up; (internet interface)
ip addr add dev eno1 1.1.2.1/24; (local address)
ip addr add dev eno2 2.2.2.100/24 (internet address; we route subnet 2.2.2.0/24 to this address from the upper gateway with IP address 2.2.2.1)
ip route add default via 2.2.2.1 (default route to upper gateway)

--
Yours sincerely,
Denis Lotarev
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
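
Added example, not part of the original thread and not VPP's code: a small Python model of the translation the thread expects for inside-to-inside traffic (hairpinning), using the addresses from the configuration above. The class name, the port numbers, the client 1.1.2.50 and the internet host 198.51.100.7 are assumptions made for illustration; for ICMP, the echo identifier would take the place of the port.

```python
# Constructed model of the expected behaviour; not VPP's implementation.
STATIC = {"1.1.2.22": "2.2.2.2", "1.1.2.33": "2.2.2.3"}  # local -> external
POOL_ADDR = "2.2.2.10"  # shared by clients without a static mapping


class HairpinNat:  # hypothetical name
    def __init__(self):
        self.ext_to_local = {ext: loc for loc, ext in STATIC.items()}
        self.sessions = {}  # (POOL_ADDR, ext_port) -> (local_addr, local_port)
        self.next_port = 1024

    def _translate_src(self, src, sport):
        if src in STATIC:  # 1:1 mapping, port unchanged
            return STATIC[src], sport
        for ext, local in self.sessions.items():  # reuse an existing session
            if local == (src, sport):
                return ext
        ext = (POOL_ADDR, self.next_port)
        self.next_port += 1
        self.sessions[ext] = (src, sport)
        return ext

    def _translate_dst(self, dst, dport):
        if dst in self.ext_to_local:  # static mapping, any port
            return self.ext_to_local[dst], dport
        return self.sessions.get((dst, dport))  # None: not one of our sessions

    def in2out(self, src, sport, dst, dport):
        """Translate a packet received on the inside interface.

        Returns (new_src, new_dst, egress), or None when the packet is
        dropped. Hairpinned traffic gets both addresses rewritten and
        leaves via the inside interface again.
        """
        new_dst = self._translate_dst(dst, dport)
        if new_dst is None and dst == POOL_ADDR:
            return None  # no session behind that pool port: drop
        new_src = self._translate_src(src, sport)
        if new_dst is None:
            return new_src, (dst, dport), "outside"  # ordinary SNAT
        return new_src, new_dst, "inside"  # hairpin


if __name__ == "__main__":
    nat = HairpinNat()
    print(nat.in2out("1.1.2.22", 40000, "2.2.2.3", 80))   # A -> B
    print(nat.in2out("1.1.2.33", 80, "2.2.2.2", 40000))   # B's reply
    print(nat.in2out("1.1.2.50", 5000, "2.2.2.2", 22))    # other client -> A
    print(nat.in2out("1.1.2.22", 22, "2.2.2.10", 1024))   # A's reply
```

The model shows why both rewrites are needed: without the source rewrite, client B would answer 1.1.2.22 directly on the local subnet and the reply would not match the address client A originally contacted.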