Netgate Discussion Forum
    NAT reflection broken in 2.0? (SOLVED)

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    danswartz

      My fiancee's work VPN hijacks DNS so she can't get to email on the LAN, since it sends her to the outside IP.  I turned on NAT reflection, but when I try to connect to a port that is reflected, I see:

      usage: nc [-46DdEhklnrStUuvz] [-e policy] [-I length] [-i interval] [-O length]
                [-P proxy_username] [-p source_port] [-s source_ip_address] [-T ToS]
                [-V fib] [-w timeout] [-X proxy_protocol]
                [-x proxy_address[:port]] [hostname] [port]
      Connection closed by foreign host.

      Snapshot from May 1st.

      Efonnes

        What does the rdr rule look like in /tmp/rules.debug and what does the entry for it look like in /var/etc/inetd.conf?  I can probably figure out what is going on if I have those two pieces of information.

        Efonnes

          Looking through the history of the port forward and reflection code, I see a couple potential issues from around that time, so it may not be an issue in newer snapshots.  One issue is that there was a change to the port forwards to allow options for the source and more options for the destination, but the upgrade code for it was not fully fixed until a few days after that snapshot.  If you have already fixed the port forwards that were not upgraded properly it will not be an issue, though.  There were also some cases in NAT reflection and port forwards in general that didn't get fixed before the changes for those extra options were committed.  I made several changes to both a couple days after that snapshot was built.

          danswartz

            Sorry, was too tired to pursue last night.  The entries in /var/etc/inetd.conf are broken?  I will try a newer snapshot too.

            19000   dgram   udp     nowait/0        nobody  /usr/bin/nc     nc -u -w 2000   10.0.0.1 514
            19001   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 22
            19002   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
            19003   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
            19004   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
            19005   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 25
            19006   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
            19007   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 143
            19008   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
            19009   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 993
            19003   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
            19004   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
            19005   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 80
            19006   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
            19007   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 443

            and

            rdr-anchor "relayd/*"
            rdr-anchor "tftp-proxy/*"
            rdr on re0 proto udp from any to    port 514  -> $sphinx
            rdr on {  re1 openvpn } proto udp from any to 173.48.201.X port 514 tag PFREFLECT -> 127.0.0.1 port 19000
            rdr on re0 proto tcp from any to    port 2222  -> $sphinx port 22
            rdr on {  re1 openvpn } proto tcp from any to 173.48.201.X port 2222 tag PFREFLECT -> 127.0.0.1 port 19001
            rdr on re0 proto tcp from any to    port $mailports  -> $sphinx
            rdr on {  re1 openvpn } proto tcp from any to 173.48.201.X port $mailports tag PFREFLECT -> 127.0.0.1 port 19002
            rdr on re0 proto tcp from any to    port $webports  -> $sphinx
            rdr on {  re1 openvpn } proto tcp from any to 173.48.201.X port $webports tag PFREFLECT -> 127.0.0.1 port 19003
            rdr on re0 proto udp from any to    port 10000:19999 -> 10.0.0.7 port 10000:19999

            (sanitized last octet from public IP)

            danswartz

              Hmmm, I upgraded to the snapshot from May 26.  Now it is completely absent, e.g. even with both "disable NAT" boxes unchecked, no rdr or inetd.conf entries are created at all?

              Efonnes

                It looks like your port forwards have their destination address (external address) messed up from the upgrade.  You will need to fix all of them.  Snapshots from a few days after the May 1st one and any after will upgrade it properly, but if the damage has already been done it won't automatically fix it for you.  It will not create reflection rules when the address is absent because of the port forwards that were not properly upgraded (I added a check for blank addresses because of the unwanted effects it would have if reflection allowed it).

                Also, it looks like it is messing up on your port aliases.  As far as I know, reflection might work with aliases that only specify one port but never was made to work on aliases with multiple ports, so reflection still might not work for some of your port forwards after you fix them.

                Is this a full install or NanoBSD?  If it is the full version and if you would like to try something that would make port aliases work 100% on reflection, you could use gitsync to merge in changes from a branch of mine that has to do with a rewrite of NAT reflection on port forwards.  (Reflection on 1:1 mappings is related to the rewritten implementation and also came from that branch.)  If you are interested, I'll post details on how to use gitsync to merge it in.

                  danswartz
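As an added example (not pfSense code and not posted by anyone in this thread), a small checker that cross-checks the two files Efonnes asked for, using the inetd.conf and rdr entries posted above as constructed sample input. The 127.0.0.1/190xx listener convention and the PFREFLECT tag are taken from the rules shown; the finding texts and the assumption that a reflected rdr rule always lands on a matching inetd listener are mine.

```python
"""Cross-check pfSense 2.0 NAT reflection: /var/etc/inetd.conf against the PFREFLECT
rdr rules in /tmp/rules.debug. Added example, not pfSense code: it flags the breakage
seen in this thread (nc entries with no target port, blank rdr destinations, listener
ports reused or missing, port aliases on reflected rules)."""
import re
# Constructed sample copied from the entries posted above (public IP sanitized).
INETD_SAMPLE = """\
19000   dgram   udp     nowait/0        nobody  /usr/bin/nc     nc -u -w 2000   10.0.0.1 514
19002   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
19003   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
19003   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
"""
RDR_SAMPLE = """\
rdr on re0 proto udp from any to    port 514  -> $sphinx
rdr on {  re1 openvpn } proto udp from any to 173.48.201.X port 514 tag PFREFLECT -> 127.0.0.1 port 19000
rdr on {  re1 openvpn } proto tcp from any to 173.48.201.X port $mailports tag PFREFLECT -> 127.0.0.1 port 19002
rdr on {  re1 openvpn } proto tcp from any to 173.48.201.X port $webports tag PFREFLECT -> 127.0.0.1 port 19004
"""
RDR_RE = re.compile(r"^rdr on .+? proto (\w+) from \S+ to\s+(\S*?)\s*port (\S+)"
                    r"(?: tag PFREFLECT -> 127\.0\.0\.1 port (\d+))?")

def parse_inetd(text):
    """Map inetd listener port -> (nc target host, target port or None); also return reused ports."""
    listeners, dups = {}, []
    for f in (line.split() for line in text.splitlines()):
        if len(f) < 7 or f[6] != "nc":
            continue
        pos, it = [], iter(f[7:])
        for tok in it:                      # skip nc options; -w consumes a value
            if tok == "-w": next(it, None)
            elif not tok.startswith("-"): pos.append(tok)
        if f[0] in listeners: dups.append(f[0])
        listeners[f[0]] = (pos[0] if pos else None, pos[1] if len(pos) > 1 else None)
    return listeners, dups

def audit(inetd_text, rdr_text):
    """Return findings as strings; an empty list means the two files are consistent."""
    listeners, dups = parse_inetd(inetd_text)
    found = [f"inetd {p}: listener port defined more than once" for p in dups]
    found += [f"inetd {p}: nc has no target port (nc prints its usage and exits)"
              for p, (_, tport) in listeners.items() if tport is None]
    for m in filter(None, map(RDR_RE.match, rdr_text.splitlines())):
        proto, dst, port, lport = m.groups()
        if dst == "":
            found.append(f"rdr {proto}/{port}: blank destination address (bad upgrade)")
        if lport and lport not in listeners:
            found.append(f"rdr {proto}/{port}: reflects to 127.0.0.1:{lport} with no inetd listener")
        if lport and port.startswith("$"):
            found.append(f"rdr {proto}/{port}: port alias; only single-port aliases are expected to reflect")
    return found
```

Run it against the real files with `audit(open("/var/etc/inetd.conf").read(), open("/tmp/rules.debug").read())`; an empty result means every reflected rule has a complete nc listener behind it.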

                  Thanks, but I think I'll just recreate the port forward rules.  This is my production gateway, so not feeling that adventurous :)

                    danswartz

                    Thanks, that did it :)

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.