UDP packets randomly natted to wrong ip address
-
We are experiencing some issues with nat:
UDP packets coming in on the DMZ interface are forwarded to servers on the LAN; sometimes they are forwarded to the wrong address and we cannot understand why. These are the relevant nat rules obtained via pfctl -sn:

rdr on igb1 inet proto udp from any to <Supervisore3_VPN> port = 2347 -> <Supervisore3> round-robin
rdr on igb1 inet proto udp from any to <Supervisore4_VPN> port = 2347 -> <Supervisore4> round-robin
rdr on igb1 inet proto udp from any to <Supervisore5_VPN> port = 2347 -> <Supervisore5> round-robin
rdr on igb1 inet proto udp from any to <Supervisore6_VPN> port = 2347 -> <Supervisore6> round-robin
All aliases are single host aliases. Using tcpdump we found this strange behaviour:

# LAN Interface
# Correct forwarding
...
00:22:55.647991 IP 172.31.139.46.56714 > 10.0.0.109.2347: UDP, length 5
00:22:55.721093 IP 10.0.0.109.2347 > 172.31.139.46.56714: UDP, length 1
# This is forwarded to the wrong address
00:23:47.050535 IP 172.31.139.46.56714 > 10.0.0.110.2347: UDP, length 5
00:23:47.089689 IP 10.0.0.110.2347 > 172.31.139.46.56714: UDP, length 1
# Correct forwarding resumes
00:24:36.228739 IP 172.31.139.46.56714 > 10.0.0.109.2347: UDP, length 5
00:24:36.301912 IP 10.0.0.109.2347 > 172.31.139.46.56714: UDP, length 1
...
A dump from the DMZ interface shows no issues:

# DMZ Interface
00:22:55.647971 IP 172.31.139.46.56714 > 172.28.0.1.2347: UDP, length 5
00:22:55.721095 IP 172.28.0.1.2347 > 172.31.139.46.56714: UDP, length 1
00:23:47.050524 IP 172.31.139.46.56714 > 172.28.0.1.2347: UDP, length 5
00:23:47.089692 IP 172.28.0.1.2347 > 172.31.139.46.56714: UDP, length 1
00:24:36.228731 IP 172.31.139.46.56714 > 172.28.0.1.2347: UDP, length 5
00:24:36.301915 IP 172.28.0.1.2347 > 172.31.139.46.56714: UDP, length 1
Any idea on how to troubleshoot this issue?
Thanks! -
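The two captures above can be correlated mechanically instead of by eye. The following is an added example (not code from the thread or from pfSense): it parses alias-free rdr rules in the pfctl -sn format, parses the tcpdump lines from both interfaces, pairs each inbound DMZ packet with the LAN packet of the same source ip/port seen within a few milliseconds, and reports every pair whose LAN destination is not the rdr target for that DMZ destination. The rule table is constructed: the thread never says which VPN address 172.28.0.1 is, so the mapping 172.28.0.1 -> 10.0.0.109 is assumed from the "correct forwarding" lines, and the other three VPN addresses are invented placeholders. Run it against real pfctl and tcpdump output (tcpdump without -n would print names and break the regex) to get a list of misdirected flows with timestamps to match against state table changes.

```python
import re
from datetime import datetime, timedelta

# Constructed rule set in the form shown later in the thread (aliases replaced
# by addresses). ASSUMPTION: <Supervisore4_VPN> is 172.28.0.1 and maps to
# 10.0.0.109; the other VPN addresses are placeholders, not from the thread.
RDR_RULES = """\
rdr on igb1 inet proto udp from any to 172.28.0.3 port = 2347 -> 10.0.0.107
rdr on igb1 inet proto udp from any to 172.28.0.1 port = 2347 -> 10.0.0.109
rdr on igb1 inet proto udp from any to 172.28.0.5 port = 2347 -> 10.0.0.110
rdr on igb1 inet proto udp from any to 172.28.0.6 port = 2347 -> 10.0.0.119
"""

# Sample captures, copied from the thread (tcpdump -n style output).
DMZ_DUMP = """\
00:22:55.647971 IP 172.31.139.46.56714 > 172.28.0.1.2347: UDP, length 5
00:22:55.721095 IP 172.28.0.1.2347 > 172.31.139.46.56714: UDP, length 1
00:23:47.050524 IP 172.31.139.46.56714 > 172.28.0.1.2347: UDP, length 5
00:23:47.089692 IP 172.28.0.1.2347 > 172.31.139.46.56714: UDP, length 1
00:24:36.228731 IP 172.31.139.46.56714 > 172.28.0.1.2347: UDP, length 5
00:24:36.301915 IP 172.28.0.1.2347 > 172.31.139.46.56714: UDP, length 1
"""
LAN_DUMP = """\
00:22:55.647991 IP 172.31.139.46.56714 > 10.0.0.109.2347: UDP, length 5
00:22:55.721093 IP 10.0.0.109.2347 > 172.31.139.46.56714: UDP, length 1
00:23:47.050535 IP 172.31.139.46.56714 > 10.0.0.110.2347: UDP, length 5
00:23:47.089689 IP 10.0.0.110.2347 > 172.31.139.46.56714: UDP, length 1
00:24:36.228739 IP 172.31.139.46.56714 > 10.0.0.109.2347: UDP, length 5
00:24:36.301912 IP 10.0.0.109.2347 > 172.31.139.46.56714: UDP, length 1
"""

# rdr on <if> inet proto <proto> from <src> to <dst> port = <port> -> <target>
RDR_RE = re.compile(
    r"^rdr on (\S+) inet proto (\w+) from (\S+) to (\S+) port = (\d+) -> (\S+)")
# HH:MM:SS.usec IP <src>.<sport> > <dst>.<dport>: UDP, length N
PKT_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")


def parse_rdr(text):
    """Map (destination ip, destination port) of each udp rdr rule to its target ip."""
    table = {}
    for line in text.splitlines():
        m = RDR_RE.match(line)
        if m and m.group(2) == "udp":
            table[(m.group(4), int(m.group(5)))] = m.group(6)
    return table


def parse_dump(text):
    """Turn tcpdump UDP lines into dicts; lines that do not match are ignored."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pkts.append({
                "ts": datetime.strptime(m.group(1), "%H:%M:%S.%f"),
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
            })
    return pkts


def find_misdirected(rules, dmz_pkts, lan_pkts, window=timedelta(milliseconds=50)):
    """Return (dmz timestamp, client, expected target, actual target) for every
    inbound DMZ packet whose LAN-side copy went to a host other than the rdr target."""
    bad = []
    for d in dmz_pkts:
        expected = rules.get((d["dst"], d["dport"]))
        if expected is None:
            continue  # reply direction or a flow no rdr rule covers
        for l in lan_pkts:
            same_flow = (l["src"], l["sport"]) == (d["src"], d["sport"])
            if same_flow and abs(l["ts"] - d["ts"]) <= window:
                if l["dst"] != expected:
                    bad.append((d["ts"].strftime("%H:%M:%S.%f"),
                                d["src"], expected, l["dst"]))
                break  # first LAN packet of the flow inside the window is the forwarded copy
    return bad


if __name__ == "__main__":
    rules = parse_rdr(RDR_RULES)
    for ts, client, want, got in find_misdirected(rules, parse_dump(DMZ_DUMP), parse_dump(LAN_DUMP)):
        print(f"{ts} {client}: expected {want}, forwarded to {got}")
```

With the captures from the thread this prints one line for the 00:23:47 packet (expected 10.0.0.109, forwarded to 10.0.0.110). The pairing is by source ip/port and time rather than by payload, which is enough for a 1300-host population sending once a minute; if a client reuses a source port within the window you will get a false match, so widen or narrow `window` to the actual forwarding latency seen on your box.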
If "Supervisore*" under NAT is an alias containing that ip, then you have round-robin enabled and that behavior is normal. Don't use an alias for "Redirect target IP".
-
Thank you for the feedback.
I've double-checked the aliases, and they all contain a single ip, so round-robin should not be an issue.
We have around 1300 hosts sending udp packets into the DMZ once per minute, and this issue happens almost once per day.
-
@xeba Disable round robin and see if the issue persists.
-
I've changed the rules and now we are not using aliases anymore:

rdr on igb1 inet proto udp from any to <Supervisore3_VPN> port = 2347 -> 10.0.0.107
rdr on igb1 inet proto udp from any to <Supervisore4_VPN> port = 2347 -> 10.0.0.109
rdr on igb1 inet proto udp from any to <Supervisore5_VPN> port = 2347 -> 10.0.0.110
rdr on igb1 inet proto udp from any to <Supervisore6_VPN> port = 2347 -> 10.0.0.119

Should this config work? Any idea why? I really cannot understand it.
Thanks!
-
@xeba
idk, could be a combination of this
https://redmine.pfsense.org/issues/11716
https://redmine.pfsense.org/issues/11568