[RESOLVED] Destination NAT also changes source IP?


#1

I’ve installed a Vyos VM, and outbound loadbalancing works fine.

Inbound connections have a weird behavior though… When an inbound connection comes in, the destination is correctly translated, but the SOURCE is translated as well, and Vyos uses the WAN IP for that…

Assuming:
WAN host 5.4.3.2
LAN server: 192.168.1.5
WAN gateway: 192.168.178.1
Vyos WAN IP: 192.168.178.240
Vyos LAN IP: 192.168.1.240

When I tcpdump the incoming connection on both WAN and LAN interfaces (-i any), I see the following for every packet:

5.4.3.2:43335 -> 192.168.178.240:80
192.168.178.240:43335 -> 192.168.1.5:80
192.168.1.5:80 -> 192.168.178.240:43335
192.168.178.240:80 -> 5.4.3.2:43335

What I’d expect to see:
5.4.3.2:43335 -> 192.168.178.240:80
5.4.3.2:43335 -> 192.168.1.5:80
192.168.1.5:80 -> 5.4.3.2:43335
192.168.178.240:80 -> 5.4.3.2:43335

I’ve attached the config.boot (scrubbed and IP subnet-addresses anonymized) to the post.

Can anyone tell me what is wrong with this config, or is this a bug?


#2

I would try switching eth+ to eth1 in your DNAT rules. Also your SNAT rule 50 doesn’t look necessary to me.


#3

Tried eth1, eth+, doesn’t make a difference! :frowning:
I added SNAT rule 50 to try to resolve the problem, but that didn’t make a difference either!


#4

What about using tcpdump on each individual interface to split up the viewing of the flow? It might help narrow down where exactly the problem is happening. You could also check iptables to make sure the VyOS config layer matches the underlying firewall sets.


#5

I did the ‘-i any’ to see both flows to be able to correlate, but also did the individual ones…

When I did the individual ones, I’d see:
Eth0 (LAN side):
192.168.178.240:43335 -> 192.168.1.5:80
192.168.1.5:80 -> 192.168.178.240:43335

Eth1 (WAN side):
5.4.3.2:43335 -> 192.168.178.240:80
192.168.178.240:80 -> 5.4.3.2:43335

However, your suggestion to look at the iptables helped resolve my problem, as ‘iptables -L -t nat’ does show IMHO the problem:

Chain WANLOADBALANCE (1 references)
pkts bytes target prot opt in out source destination
89264 5356K SNAT all -- any any anywhere anywhere connmark match 0x1 to:10.50.164.240
3916 235K SNAT all -- any any anywhere anywhere connmark match 0x2 to:192.168.178.240

So I started looking into the load-balancing section and found:
set load-balancing wan disable-source-nat

This resolved the SNAT on inbound connections issue…

Now onward with testing!
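As an added example (not from the thread or from VyOS), a small Python script that correlates the per-interface flow lines quoted above and flags an inbound DNAT connection whose source address was rewritten to one of the router's own IPs, which is the symptom the `disable-source-nat` setting fixed. The addresses and flow lines are taken from the thread; pairing WAN and LAN packets on the client's source port is an assumption that holds here because the port was preserved across the NAT.

```python
"""Spot unwanted SNAT on inbound DNAT traffic from per-interface tcpdump flows."""
import re

# VyOS WAN and LAN addresses from the thread
ROUTER_IPS = {"192.168.178.240", "192.168.1.240"}

# Constructed sample: the flow lines the poster saw on each interface
CAPTURES = {
    "eth1 (WAN)": [
        "5.4.3.2:43335 -> 192.168.178.240:80",
        "192.168.178.240:80 -> 5.4.3.2:43335",
    ],
    "eth0 (LAN)": [
        "192.168.178.240:43335 -> 192.168.1.5:80",   # source rewritten to router WAN IP
        "192.168.1.5:80 -> 192.168.178.240:43335",
    ],
}
# Constructed sample: what the LAN side should look like after the fix
EXPECTED_LAN = [
    "5.4.3.2:43335 -> 192.168.1.5:80",
    "192.168.1.5:80 -> 5.4.3.2:43335",
]

FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")

def parse_flow(line):
    """Parse 'src:sport -> dst:dport' into (src, sport, dst, dport)."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)

def find_inbound_snat(wan_lines, lan_lines, router_ips):
    """Pair each WAN packet addressed to the router with the LAN copy forwarded
    after DNAT (matched on client source port + service port, assumed preserved)
    and report those whose source became one of the router's own addresses."""
    lan_by_ports = {}
    for line in lan_lines:
        src, sport, dst, dport = parse_flow(line)
        lan_by_ports[(sport, dport)] = (src, dst)
    findings = []
    for line in wan_lines:
        src, sport, dst, dport = parse_flow(line)
        if dst not in router_ips:          # only packets arriving at the router's WAN address
            continue
        match = lan_by_ports.get((sport, dport))
        if match and match[0] != src and match[0] in router_ips:
            findings.append({"client": src, "server": match[1], "port": dport,
                             "rewritten_source": match[0]})
    return findings

if __name__ == "__main__":
    print(find_inbound_snat(CAPTURES["eth1 (WAN)"], CAPTURES["eth0 (LAN)"], ROUTER_IPS))
```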