Why SNAT does not work for locally generated packets?
# show nat source
 rule 50 {
     outbound-interface eth2.1574
     protocol icmp
     source {
         address 192.168.16.234
     }
     translation {
         address 192.168.208.52
     }
 }

# show interfaces ethernet eth2.1574
eth2.1574@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9c:69:b4:60:07:f6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.16.234/30 brd 192.168.16.235 scope global eth2.1574

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                prot opt in  out        source          destination
 3397  322K VYATTA_PRE_SNAT_HOOK  all  --  *   *          0.0.0.0/0       0.0.0.0/0
    0     0 SNAT                  icmp --  *   eth2.1574  192.168.16.234  0.0.0.0/0   /* SRC-NAT-50 */ to:192.168.208.52
The translation address must be present on the outbound interface, otherwise ARP for it won’t work and the remote router won’t know where to send the packets destined to the IP.
You can just add the IP on the interface with: add interface eth2.1574 address 192.168.208.52
Unless you have that 192.168.208.52 address or subnet already present on a different interface, then you can’t do SNAT to it.
Address 192.168.208.52 is assigned on the dummy interface, and the remote host has a route to it.
The rule works for forwarded packets. The rule does not work for locally generated packets (rule counter does not increment).
zsdc, July 11, 2019, 6:51pm
Hello, @Harunaga!
Please provide also the interface configuration and routing table. The NAT rule should work if nothing else modifies packets before it.
afaik, this should work.
Try flushing conntrack table, and use tcpdump to see if packets leave on eth2.1574 un-masqueraded
It’s my fault.
The system has a rule:
iptables -I OUTPUT -t raw -j NOTRACK
I deleted the rule. Problems solved.
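An added check (not from the thread), for the root cause found above: a raw-table NOTRACK rule exempts matching packets from connection tracking, and since iptables NAT is applied to the first packet of a tracked flow, those packets never reach the SNAT rule and its counter stays at zero. The POSIX shell function below scans iptables-save style raw-table output for such rules and reports which chain, and so which traffic class, loses NAT. The sample output is constructed to mirror the thread.

```shell
#!/bin/sh
# Added example, not the forum poster's code. Scans `iptables-save -t raw` output for
# rules that disable conntrack. NAT lives in the nat table and only sees tracked flows,
# so a NOTRACK / CT --notrack rule silently bypasses every NAT rule for those packets.

# Constructed sample of raw-table output: an unconditional NOTRACK in OUTPUT (the rule
# from this thread, which hits locally generated traffic) plus a DNS-only one in PREROUTING.
SAMPLE_RAW='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -j NOTRACK
-A PREROUTING -p udp --dport 53 -j CT --notrack
COMMIT'

# Reads rules on stdin, prints one line per untracked rule: "<chain> <scope> <rule>".
# OUTPUT covers locally generated packets; PREROUTING covers forwarded and inbound ones.
find_notrack_rules() {
    while IFS= read -r line; do
        case "$line" in
            -A*" -j NOTRACK"*|-A*" -j CT "*"--notrack"*) ;;
            *) continue ;;
        esac
        chain=$(printf '%s\n' "$line" | cut -d' ' -f2)
        case "$chain" in
            OUTPUT)     scope="locally-generated" ;;
            PREROUTING) scope="forwarded/inbound" ;;
            *)          scope="custom-chain" ;;
        esac
        printf '%s %s %s\n' "$chain" "$scope" "$line"
    done
}

# Returns 0 if no conntrack bypass exists in the given chain (NAT can work there), 1 otherwise.
# Rules are read from stdin, e.g.: iptables-save -t raw | conntrack_intact_for_chain OUTPUT
conntrack_intact_for_chain() {
    chain=$1
    count=$(find_notrack_rules | grep -c "^$chain " || true)
    [ "$count" -eq 0 ]
}
```

On a live router pipe `iptables-save -t raw` into find_notrack_rules; a zero packet counter on the SNAT rule together with a hit in OUTPUT is exactly the symptom seen in this thread.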
system (Closed), July 14, 2019, 1:52pm
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.