
Masquerading not applied with policy routes

Hello folks,

Yesterday I stumbled over a weird new issue. It seems that our NAT masquerading rules are not applied when traffic matches a policy or multipath route (in interface mode).

So I tried a traceroute with a port so the trace would match the route. But I don't get a response after the firewall. If I disable the route I get an answer, depending on the WAN interface the traffic is going out on.

Interestingly, if I add an SNAT rule to the bottom of the NAT rules, it only works when the route is disabled. If I re-enable the route, there is no response in the traceroute after the firewall.

It seems that this problem occurred after we installed the version before 9.716-2.

Has anyone ever seen this behavior before? Any tips on how to diagnose this further?

Kind regards,

Nico



This thread was automatically locked due to age.
  • I did some packet captures on the WAN interface today. When I enable the policy route (configured as an interface route), the firewall is sending out ARP requests in order to contact the destination directly. This is very strange because the WAN interface and the destination are in different subnets (5.7... and 193.159...).

    For some reason the route works as a multipath route (interface bound) now. Yesterday that was not the case. Altering the policy route to a gateway route, it works as expected. This might also be related to the other post I wrote, in which I wonder why the web proxy is only affected by multipath routes and not by policy routes.

    Also, the SNAT rule was not needed anymore, and the results may be related to a coincidence regarding load balancing. So NAT and masquerading work as expected.

    I have never seen this behavior (arp on wan) before. Has anyone seen this before or a clue on how to debug this further?

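As an added illustration (not part of the original thread and not Sophos UTM code), the following Python models the next-hop decision the reply above describes: a route bound only to an interface treats the destination as on-link, so the router ARPs for the destination itself on the WAN wire even when the destination lies in a different subnet, whereas a gateway route makes the router ARP for the gateway. The interface names, addresses and prefixes (documentation ranges 203.0.113.0/24, 192.0.2.0/24, 198.51.100.0/24) are constructed for the example; the `misbound_interface_routes` check is a hypothetical diagnostic, not a UTM feature.

```python
"""Added example: model interface-bound vs gateway-bound routes to show
why an interface route to an off-subnet destination causes ARP on the WAN.
All interfaces, routes and addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    address: ipaddress.IPv4Interface  # address/prefix configured on the NIC


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    gateway: Optional[ipaddress.IPv4Address] = None  # None = interface-only route


def lookup(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match over the routing table."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def next_hop(routes: List[Route], dst: ipaddress.IPv4Address) -> Tuple[str, ipaddress.IPv4Address]:
    """Return (egress interface, address the router will ARP for).

    Gateway route: the router resolves the gateway's MAC and forwards to it.
    Interface-only route: the kernel treats dst as directly reachable and
    ARPs for dst itself, regardless of the interface's own subnet. If no
    upstream device proxies ARP for that address, the packet is never sent."""
    r = lookup(routes, dst)
    if r is None:
        raise LookupError(f"no route to {dst}")
    return r.dev, (r.gateway if r.gateway is not None else dst)


def misbound_interface_routes(routes: List[Route], ifaces: List[Interface]) -> List[Route]:
    """Hypothetical diagnostic: interface-only routes whose prefix is not
    inside the egress interface's subnet. Traffic matching them will be
    ARPed on the wire and get no reply, which looks like a blackhole."""
    subnet_of = {i.name: i.address.network for i in ifaces}
    return [
        r for r in routes
        if r.gateway is None and not r.prefix.subnet_of(subnet_of[r.dev])
    ]


# Constructed topology: two WAN uplinks and one remote destination.
IFACES = [
    Interface("wan1", ipaddress.IPv4Interface("203.0.113.2/24")),
    Interface("wan2", ipaddress.IPv4Interface("192.0.2.2/24")),
]
GW1 = ipaddress.IPv4Address("203.0.113.1")
GW2 = ipaddress.IPv4Address("192.0.2.1")
DST = ipaddress.IPv4Address("198.51.100.10")
DST_NET = ipaddress.IPv4Network("198.51.100.0/24")

# Policy route configured as an interface route (the broken case).
INTERFACE_ROUTES = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "wan1", GW1),
    Route(DST_NET, "wan2"),  # no gateway: destination treated as on-link
]

# Same policy route configured as a gateway route (the working case).
GATEWAY_ROUTES = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "wan1", GW1),
    Route(DST_NET, "wan2", GW2),
]


if __name__ == "__main__":
    for label, table in (("interface route", INTERFACE_ROUTES), ("gateway route", GATEWAY_ROUTES)):
        dev, arp_target = next_hop(table, DST)
        print(f"{label}: egress {dev}, ARP who-has {arp_target}")
        for bad in misbound_interface_routes(table, IFACES):
            print(f"  WARNING: {bad.prefix} dev {bad.dev} is outside the interface subnet")
```

Running it prints an ARP target equal to the remote destination for the interface route (the behaviour seen in the packet capture) and the gateway address for the gateway route. On the firewall itself the equivalent check is to look at the effective route with `ip route get <dst>` and watch for `arp who-has <dst>` in a capture on the WAN interface.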