SNAT not working

Issues related to configuring your network
ben2506
Posts: 4
Joined: 2017/04/07 13:07:48

SNAT not working

Post by ben2506 » 2017/04/07 13:38:44

Hello community

I've got a problem with a network setup and I haven't been able to make it work for 2 days. I hope you can help me out here.
Short overview over the setup:

I have to connect to several networks via VPN, which in some cases do have the same subnet. That's why I did set up some NAT.

Internal Network------><-------(Internal IF)--NAT Gateway--(Transfer IF)-------><-------(transfer IF)--VPNGateway1--(Public IF)
172.64.30.0/20------------------172.64.30.250--------------193.228.47.250--------------193.228.47.10------------------0.0.0.0

The Transfer Network is on a separate Network.
VPN connections are established via VPNGateway1 (and several more).

Every host behind a VPN is assigned an IP within the 172.80.0.0/16 network. It's then DNATed at the NAT Gateway to its real IP (and in the mangle chain assigned a mark to route it to the right VPN Gateway).
In return, every host in the internal network is SNATed to a different network, 192.168.50.0/24. On my VPN Gateways the VPNs are always established with the same 192.168.50.0/24 network as the leftsubnet.

This is working perfectly. I can track the packets on the interface and also reach the desired host.

When I now try to ICMP a given host behind the VPN, let's say with IP 172.80.111.10, I can observe the ICMP packets pass the NAT Gateway and get rewritten to DST 192.168.111.10 (which is the real IP within the network the VPNGateway is connected to) and with SRC IP 192.168.50.50 (my IP). It's reaching the desired machine.

The ICMP reply is then first seen on the Public IF (with internal IP DST IP 192.168.50.50 SRC IP 172.28.111.10) and also on the Transfer IF of the VPN Gateway and also on the transfer IF of the NAT-Gateway. But then it's kind of lost. For me it seems like it hasn't been rewritten and thus is not getting to the internal IF of my NAT-Gateway.

Could you point me in the right direction? My NAT is obviously working (I guess) as there is no trouble rewriting the packets on their way to the VPN.

Any hint would be thankfully appreciated.

ben2506
Posts: 4
Joined: 2017/04/07 13:07:48

Re: SNAT not working

Post by ben2506 » 2017/04/21 14:22:50

Update:

I tried to ping a machine in our local network from a device in a network which is connected via VPN, which is not working either.
Inspecting rule hits with iptables -L -t nat -v -n revealed that every ping is hitting the desired DNAT rule in the Prerouting chain, but no further action is taken.

Surprisingly, when I ping the remote machine from a local device, the counters are not incrementing, although the packets are correctly rewritten regarding source and destination address and are arriving at the remote machine.

These are my NAT rules currently in use:


-A POSTROUTING -s 192.168.111.101 -j SNAT --to-source 172.80.153.101
-A PREROUTING -d 172.80.153.101 -m comment --comment "" -j DNAT --to-destination 192.168.111.101
-A PREROUTING -d 192.168.50.50 -m comment --comment "" -j DNAT --to-destination 172.64.30.209
-A POSTROUTING -s 172.64.30.209 -j SNAT --to-source 192.168.50.50
- 192.168.111.101 -> Real device IP in remote LAN
- 172.80.153.101 -> "Virtual IP" of device in remote LAN
- 192.168.50.50 -> "Virtual IP" of device in local LAN
- 172.64.30.209 -> Real device IP in local LAN

If somebody has an idea what is going on, please let me know.

greetz
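The two posts above diagnose the problem by reading packet counters from iptables -L -t nat -v -n. The following is an added example (not code from the thread or from any of the posters) that parses that listing format, flags SNAT/DNAT rules that have never been hit, and checks that every "virtual IP" has both halves of its mapping (a DNAT for the virtual destination and a SNAT back to the virtual source), which is what the four rules in the post are meant to provide. The listing embedded in it is constructed sample data that mirrors the poster's rule set; the counter values and the extra 172.80.153.102 mapping are invented to exercise the checks.

```python
"""Parse `iptables -t nat -nvL` output and sanity-check 1:1 NAT mappings.

Added example for the thread above; not the poster's code.  The sample
listing is constructed (counters and the .102 mapping are hypothetical).
"""
import re
from dataclasses import dataclass

# Constructed sample of `iptables -t nat -nvL`; not captured from a real box.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 37 packets, 2960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            172.80.153.101       to:192.168.111.101
   12  1008 DNAT       all  --  *      *       0.0.0.0/0            192.168.50.50        to:172.64.30.209
    3   252 DNAT       all  --  *      *       0.0.0.0/0            172.80.153.102       to:192.168.111.102

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 25 packets, 2100 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.111.101      0.0.0.0/0            to:172.80.153.101
   12  1008 SNAT       all  --  *      *       172.64.30.209        0.0.0.0/0            to:192.168.50.50
 1200   98K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class NatRule:
    chain: str
    pkts: int
    nbytes: int
    target: str
    iface_in: str
    iface_out: str
    source: str
    destination: str
    extra: str  # trailing match/target text, e.g. "to:192.168.111.101"


CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# pkts bytes target prot opt in out source destination [extra...]
RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"\s+(\S+)\s+(\S+)\s*(.*)$"
)


def _counter(text):
    """iptables -v abbreviates large counters (98K, 3M, 1G) unless -x is given."""
    mult = {"K": 1000, "M": 1000_000, "G": 1000_000_000}
    if text[-1] in mult:
        return int(text[:-1]) * mult[text[-1]]
    return int(text)


def parse_nat_listing(text):
    """Return one NatRule per rule line, tagged with the chain it sits in."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if chain is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue  # header line or blank separator
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, nbytes, target, _prot, _opt, i_in, i_out, src, dst, extra = m.groups()
        rules.append(NatRule(chain, _counter(pkts), _counter(nbytes), target,
                             i_in, i_out, src, dst, extra.strip()))
    return rules


def unhit_rules(rules):
    """NAT rules whose packet counter is still zero.  Note that the nat table
    is only consulted for the first packet of a connection, so a live flow
    increments its rule by one, not once per packet."""
    return [r for r in rules
            if r.target in ("SNAT", "DNAT", "MASQUERADE") and r.pkts == 0]


def check_pairs(rules):
    """Match DNAT (virtual -> real) with SNAT (real -> virtual) mappings.

    Returns (paired, unpaired): paired maps virtual IP -> real IP where both
    directions exist and agree; unpaired lists virtual IPs with only one
    direction, or whose two directions name different real IPs."""
    dnat = {r.destination: r.extra[3:] for r in rules
            if r.target == "DNAT" and r.extra.startswith("to:")}
    snat = {r.extra[3:]: r.source for r in rules
            if r.target == "SNAT" and r.extra.startswith("to:")}
    paired = {v: real for v, real in dnat.items() if snat.get(v) == real}
    unpaired = sorted(v for v in set(dnat) | set(snat) if snat.get(v) != dnat.get(v))
    return paired, unpaired


if __name__ == "__main__":
    parsed = parse_nat_listing(SAMPLE_LISTING)
    for r in unhit_rules(parsed):
        print(f"never hit: {r.chain} {r.target} {r.source} -> {r.destination} {r.extra}")
    good, bad = check_pairs(parsed)
    print("bidirectional mappings:", good)
    print("one-sided or mismatched virtual IPs:", bad)
```

Feed it the real listing with `parse_nat_listing(open("nat.txt").read())` after saving the output of `iptables -t nat -nvL`. Because conntrack applies the translation to every later packet of a flow without re-walking the nat table, a counter that stays flat while packets are visibly rewritten is expected behaviour for an established flow; a counter stuck at zero while new flows are being started is the case worth investigating.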

ben2506
Posts: 4
Joined: 2017/04/07 13:07:48

Re: SNAT not working

Post by ben2506 » 2017/04/26 10:03:15

Update

I've set up a completely new server with nothing else but the configuration needed to eliminate possible other issues but the problem persists.
I've also added logging rules to my iptables mangle/nat prerouting chains to log possible invalid packets or so, but this is also leading to nothing, unfortunately.

I'm running out of ideas. Is my question maybe misleading or lacking information, or does simply nobody have a hint for me?

Greetz

Macenger
Posts: 23
Joined: 2016/10/18 08:29:57

Re: SNAT not working

Post by Macenger » 2017/04/26 12:59:57

Hi,

To be honest, it's a bit confusing.

What I have understood is that the NAT/MANGLE rules on the NAT gateway aren't working as expected. If my understanding is correct, will you share the following output:

# iptables -nvL
# iptables -t nat -nvL
# iptables -t mangle -nvL

ben2506
Posts: 4
Joined: 2017/04/07 13:07:48

Re: SNAT not working

Post by ben2506 » 2017/04/27 11:30:30

I have kind of resolved the issue.
I've tested the whole thing with Fedora 25 and iptables 1.6.0 and it's working as expected. I've also tested it with iptables 1.4.21-16 and it's also working.

It's not working on:

Centos 7.3
Redhat 7.3

But works on:
CentOS 5.6
Fedora 25

I've used the same configuration for all machines. Strange. Any hint?
@Macenger
Thanks for your reply. Yeah I see, I can upload a visio later if needed. But now I think the problem might not be related to iptables.

Greetz

Macenger
Posts: 23
Joined: 2016/10/18 08:29:57

Re: SNAT not working

Post by Macenger » 2017/04/27 11:42:54

Thanks, interesting! Will you please test the same rules on CentOS 7.2? This will help to identify whether it's a regression with the iptables package.
