Netgate Discussion Forum
    UDP packets randomly natted to wrong ip address

    Category: NAT
    6 Posts, 3 Posters, 494 Views
    • xeba

      We are experiencing some issues with nat:
      UDP packets coming in DMZ interface are forwarded to servers on LAN, sometimes they are forwarded to the wrong address and we cannot understand why.

      These are the relevant NAT rules obtained via pfctl -sn:

      rdr on igb1 inet proto udp from any to <Supervisore3_VPN> port = 2347 -> <Supervisore3> round-robin
      rdr on igb1 inet proto udp from any to <Supervisore4_VPN> port = 2347 -> <Supervisore4> round-robin
      rdr on igb1 inet proto udp from any to <Supervisore5_VPN> port = 2347 -> <Supervisore5> round-robin
      rdr on igb1 inet proto udp from any to <Supervisore6_VPN> port = 2347 -> <Supervisore6> round-robin
      

      All aliases are single host aliases. Using tcpdump we found this strange behaviour:

      # LAN Interface
      # Correct forwarding 
      ...
      00:22:55.647991 IP 172.31.139.46.56714 > 10.0.0.109.2347: UDP, length 5
      00:22:55.721093 IP 10.0.0.109.2347 > 172.31.139.46.56714: UDP, length 1
        
      # This is forwarded to the wrong address
      00:23:47.050535 IP 172.31.139.46.56714 > 10.0.0.110.2347: UDP, length 5
      00:23:47.089689 IP 10.0.0.110.2347 > 172.31.139.46.56714: UDP, length 1
      
      # Correct forwarding resumes
      00:24:36.228739 IP 172.31.139.46.56714 > 10.0.0.109.2347: UDP, length 5
      00:24:36.301912 IP 10.0.0.109.2347 > 172.31.139.46.56714: UDP, length 1
      ...
      

      A dump from DMZ interface shows no issues:

      # DMZ Interface
      00:22:55.647971 IP 172.31.139.46.56714 > 172.28.0.1.2347: UDP, length 5
      00:22:55.721095 IP 172.28.0.1.2347 > 172.31.139.46.56714: UDP, length 1
      00:23:47.050524 IP 172.31.139.46.56714 > 172.28.0.1.2347: UDP, length 5
      00:23:47.089692 IP 172.28.0.1.2347 > 172.31.139.46.56714: UDP, length 1
      00:24:36.228731 IP 172.31.139.46.56714 > 172.28.0.1.2347: UDP, length 5
      00:24:36.301915 IP 172.28.0.1.2347 > 172.31.139.46.56714: UDP, length 1
      

      Any idea on how to troubleshoot this issue?
      Thanks!

      • kiokoman @xeba

        If "Supervisore*" under NAT is an alias containing that IP, then you have round-robin enabled and that behavior is normal. Don't use an alias for "Redirect target IP".

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

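The symptom xeba captured and the alias/round-robin check kiokoman raises, as an added example that is not part of the thread: it parses rdr rules of the quoted shape, expands <table> references through an assumed alias map, flags rules that pair a table target with round-robin, and pairs the DMZ and LAN captures to report packets that landed on a host the rule does not name. The alias contents in TABLES and the order-based pairing of packets are constructed assumptions, not something the post states.

```python
import re
from collections import defaultdict
# Constructed sample data, not from the forum post: alias contents as
# `pfctl -t NAME -T show` would list them (assumed), one rdr rule of the
# shape quoted in the post, and the DMZ/LAN tcpdump lines from the first post.
TABLES = {"Supervisore4_VPN": ["172.28.0.1"], "Supervisore4": ["10.0.0.109"]}
RULES = "rdr on igb1 inet proto udp from any to <Supervisore4_VPN> port = 2347 -> <Supervisore4> round-robin"
DMZ = """00:22:55.647971 IP 172.31.139.46.56714 > 172.28.0.1.2347: UDP, length 5
00:22:55.721095 IP 172.28.0.1.2347 > 172.31.139.46.56714: UDP, length 1
00:23:47.050524 IP 172.31.139.46.56714 > 172.28.0.1.2347: UDP, length 5
00:24:36.228731 IP 172.31.139.46.56714 > 172.28.0.1.2347: UDP, length 5"""
LAN = """00:22:55.647991 IP 172.31.139.46.56714 > 10.0.0.109.2347: UDP, length 5
00:22:55.721093 IP 10.0.0.109.2347 > 172.31.139.46.56714: UDP, length 1
00:23:47.050535 IP 172.31.139.46.56714 > 10.0.0.110.2347: UDP, length 5
00:24:36.228739 IP 172.31.139.46.56714 > 10.0.0.109.2347: UDP, length 5"""
RULE_RE = re.compile(r"rdr on \S+ inet proto \w+ from any to (\S+) port = (\d+) -> (\S+)(.*)")
PKT_RE = re.compile(r"(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")

def resolve(token):
    # Expand a <table> reference through TABLES; a literal address stays as is.
    return TABLES[token[1:-1]] if token.startswith("<") else [token]

def parse_rules(text):
    """Return {(external ip, port): allowed internal targets} plus the rules that
    pair a table target with round-robin, the combination kiokoman warns about."""
    expected, suspicious = {}, []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        dst, port, target, opts = m.groups()
        if target.startswith("<") and "round-robin" in opts:
            suspicious.append(m.group(0))
        for ext in resolve(dst):
            expected[(ext, int(port))] = set(resolve(target))
    return expected, suspicious

def find_mistranslations(dmz_dump, lan_dump, expected):
    """Pair the n-th inbound DMZ packet of a flow with the n-th LAN packet from the
    same source ip/port (these hosts send once a minute, so order suffices) and
    report every LAN destination the rdr rule does not allow."""
    lan = defaultdict(list)
    for m in filter(None, map(PKT_RE.match, lan_dump.splitlines())):
        lan[(m[2], m[3])].append((m[1], m[4]))
    bad = []
    for m in filter(None, map(PKT_RE.match, dmz_dump.splitlines())):
        allowed = expected.get((m[4], int(m[5])))
        if allowed is None or not lan[(m[2], m[3])]:
            continue  # replies, traffic the rdr does not cover, or no LAN copy
        ts, inside_dst = lan[(m[2], m[3])].pop(0)
        if inside_dst not in allowed:
            bad.append((ts, m[2], inside_dst, sorted(allowed)))
    return bad
```

Run against the two captures it reports the 00:23:47 packet that reached 10.0.0.110 while the rule only allows 10.0.0.109; a packet translated toward an interface you did not capture is not detected, so capture every candidate inside interface.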
        • xeba

          Thank you for the feedback.

          I've double-checked the aliases, and they all contain a single IP, so round-robin should not be an issue.

          We have around 1300 hosts sending UDP packets into the DMZ once per minute, and this issue happens almost once per day.

          • Cool_Corona @xeba

            @xeba Disable round-robin and see if the issue persists.

            • xeba

              I've changed the rules and now we are not using aliases anymore:

              rdr on igb1 inet proto udp from any to <Supervisore3_VPN> port = 2347 -> 10.0.0.107
              rdr on igb1 inet proto udp from any to <Supervisore4_VPN> port = 2347 -> 10.0.0.109
              rdr on igb1 inet proto udp from any to <Supervisore5_VPN> port = 2347 -> 10.0.0.110
              rdr on igb1 inet proto udp from any to <Supervisore6_VPN> port = 2347 -> 10.0.0.119
              

              Should this config work, any idea why? I really cannot understand it.

              Thanks!

              • kiokoman @xeba

                @xeba
                idk, could be a combination of this
                https://redmine.pfsense.org/issues/11716
                https://redmine.pfsense.org/issues/11568


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.