Nat source not translate

zakwan · December 29, 2021, 5:10am

Hi,

I have an issue where some of my private IP are not translate to my wan public ip when go to internet.

Below is the nat source rule to internet.

sh nat source rule 9999 {
destination {
address 0.0.0.0/0
}
log disable
outbound-interface eth0
protocol all
translation {
address masquerade
}

Below is the tcpdump on eth0 with not translated private ip address

sudo tcpdump -n -i eth0 | grep 10.160
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:58:29.488312 IP 10.160.7.123.56970 > 210.x.x.x.443: Flags [FP.], seq 1014804831:1014804862, ack 3633531146, win 400, length 31
12:58:29.584622 IP 10.160.1.158.3404 > 13.x.x.x.80: Flags [R.], seq 10845, ack 3577950066, win 20800, length 0
12:58:30.144467 IP 10.160.185.66.17985 > 52.x.x.x.8120: Flags [F.], seq 4151871068, ack 1261848454, win 32767, length 0
12:58:31.859203 IP 10.160.87.186.49302 > 210.x.x.x.443: Flags [F.], seq 937788605, ack 1081012842, win 400, length 0

Is this happen because of low cpu speed? and not fast enough to process too many conntrack?

I try to adjust the system conntrack size but the issue still persist.

show system conntrack
expect-table-size 3076
hash-size 32768
table-size 262144

Please advise.
Thanks

tjh · December 29, 2021, 6:50am

Couple of things:

What version of Vyos??
Are you sure you don’t have a rule further up the NAT rules chain that’s fowarding traffic out eth0 without natting it?

I really suspect that it’ll be a fault rule somewhere causing the problem.

aha · December 29, 2021, 8:04am

@zakwan
Do you block traffic with “INVALID” state in your firewall? If not: try it

Please take a look at the NAT documentation for further information:
https://docs.vyos.io/en/latest/configuration/nat/nat44.html#avoiding-leaky-nat

zakwan · December 29, 2021, 8:18am

Hi tjh,

version :
Version: VyOS 1.1.8
Description: VyOS 1.1.8 (helium)

Yes I am sure there is no rule further up that exclude private ip from being natted.
Only got few rules for public ip natting.
You may refer below nat source configuration :

sh conf com | grep “nat source” | strip-private
set nat source rule 10 description ‘20210401 - TEST VPN IPSEC 103b to NL Router’
set nat source rule 10 destination address ‘xxx.xxx.187.83’
set nat source rule 10 log ‘enable’
set nat source rule 10 outbound-interface ‘eth0’
set nat source rule 10 protocol ‘all’
set nat source rule 10 translation address ‘xxx.xxx.4.10’
set nat source rule 11 description ‘Exclude xxx.xxx.4.0/24 from be SNAT’
set nat source rule 11 ‘exclude’
set nat source rule 11 log ‘enable’
set nat source rule 11 outbound-interface ‘eth0’
set nat source rule 11 protocol ‘all’
set nat source rule 11 source address ‘xxx.xxx.4.0/24’
set nat source rule 12 description ‘Exclude xxx.xxx.146.128/29 from be SNAT’
set nat source rule 12 ‘exclude’
set nat source rule 12 log ‘enable’
set nat source rule 12 outbound-interface ‘eth0’
set nat source rule 12 protocol ‘all’
set nat source rule 12 source address ‘xxx.xxx.146.128/29’
set nat source rule 13 description ‘Exclude xxx.xxx.143.120/29 from be SNAT’
set nat source rule 13 ‘exclude’
set nat source rule 13 log ‘enable’
set nat source rule 13 outbound-interface ‘eth0’
set nat source rule 13 protocol ‘all’
set nat source rule 13 source address ‘xxx.xxx.143.120/29’
set nat source rule 9999 destination address ‘0.0.0.0/0’
set nat source rule 9999 log ‘disable’
set nat source rule 9999 outbound-interface ‘eth0’
set nat source rule 9999 protocol ‘all’
set nat source rule 9999 translation address ‘masquerade’

I just thought that it might be because of there are more than 100k private ips going out through this router and this huge numbers of ips causing some of it failed to get natted.

zakwan · December 29, 2021, 8:32am

Hi aha,

So does it means that if the connection is already closed but there are still some re-transmit tcp packet it will not get natted right?

Is this for outbound firewall? like below example?:

set firewall name INSIDE-OUT default-action drop
set firewall name INSIDE-OUT rule 1010 action accept
set firewall name INSIDE-OUT rule 1010 state established enable
set firewall name INSIDE-OUT rule 1010 state related enable
set firewall name INSIDE-OUT rule 1020 action drop
set firewall name INSIDE-OUT rule 1020 state invalid enable