Issue NAT Router

Posted: 2020/06/26 21:45:04
by jidix
Hello,

My name is Jidix. I hope you're doing well.
I need your help for the below issue.
Assume we have one computer behind the router. This computer is able to ping any IP address (example: 8.8.8.8), but when I try to ping a URL it doesn't work.

First, here is my configuration.

WAN = ens33
LAN = ens34

Interfaces configuration
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.64.128  netmask 255.255.255.0  broadcast 192.168.64.255
        
ens34: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.140.2  netmask 255.255.255.0  broadcast 192.168.140.255

IP route
default via 192.168.64.2 dev ens33
default via 192.168.140.254 dev ens34 proto static metric 100
192.168.64.0/24 dev ens33 proto kernel scope link src 192.168.64.128
192.168.140.0/24 dev ens34 proto kernel scope link src 192.168.140.2 metric 100

[root@localhost ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Simple Script IPTABLES Rules
#!/bin/bash

# Flush the filter table and the nat table before loading the rules again
iptables -F
iptables --table nat --flush
iptables --table nat --delete-chain
# Accept forwarded packets that arrive on ens33 (WAN)
iptables -A FORWARD -i ens33 -J ACCEPT
# Masquerade (source NAT) everything that leaves through ens33 (WAN)
iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE

I am able to ping a URL directly from the router.

[root@localhost ~]# ping centos.org
PING centos.org (81.171.33.202) 56(84) bytes of data.
64 bytes from ip-81.171.33.202.centos.org (81.171.33.202): icmp_seq=1 ttl=128 time=16.3 ms
64 bytes from ip-81.171.33.202.centos.org (81.171.33.202): icmp_seq=2 ttl=128 time=16.6 ms
64 bytes from ip-81.171.33.202.centos.org (81.171.33.202): icmp_seq=3 ttl=128 time=15.3 ms
64 bytes from ip-81.171.33.202.centos.org (81.171.33.202): icmp_seq=4 ttl=128 time=15.4 ms

But from a virtual machine behind the router, it doesn't work.

I tried troubleshooting with tcpdump.
If I ping 8.8.8.8 from the virtual machine:

admin@PA-VM> ping source 192.168.140.254 host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.140.254 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=127 time=14.9 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=127 time=13.7 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=127 time=12.9 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=127 time=11.8 ms

TCPDUMP on the LAN Interface (Router)
[root@localhost ~]# tcpdump -i ens34 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens34, link-type EN10MB (Ethernet), capture size 262144 bytes
23:33:16.130809 IP _gateway > dns.google: ICMP echo request, id 21799, seq 1, length 64
23:33:16.134747 IP dns.google > _gateway: ICMP echo reply, id 21799, seq 1, length 64
23:33:17.128935 IP _gateway > dns.google: ICMP echo request, id 21799, seq 2, length 64
23:33:17.133225 IP dns.google > _gateway: ICMP echo reply, id 21799, seq 2, length 64
23:33:17.763748 IP localhost.localdomain > _gateway: ICMP host dns.google unreachable - admin prohibited filter, length 77
23:33:17.774706 IP localhost.localdomain > _gateway: ICMP host one.one.one.one unreachable - admin prohibited filter, length 77

TCPDUMP on the WAN Interface (Router)
[root@localhost ~]# tcpdump -i ens33 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:34:38.586249 IP localhost.localdomain > dns.google: ICMP echo request, id 30503, seq 1, length 64
23:34:38.590094 IP dns.google > localhost.localdomain: ICMP echo reply, id 30503, seq 1, length 64
23:34:39.583249 IP localhost.localdomain > dns.google: ICMP echo request, id 30503, seq 2, length 64
As you can see above, pinging an IP address is OK.
Now if I want to ping www.centos.org:

admin@PA-VM> ping source 192.168.140.254 host www.centos.org
ping: unknown host www.centos.org

TCPDUMP on the LAN Interface (Router)
[root@localhost ~]# tcpdump -i ens34 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens34, link-type EN10MB (Ethernet), capture size 262144 bytes
23:38:02.264396 IP _gateway.49905 > one.one.one.one.domain: 32000+ A? www.centos.org. (32)
23:38:02.274730 IP _gateway.33053 > dns.google.domain: 32000+ A? www.centos.org. (32)
23:38:02.280217 IP _gateway.50782 > one.one.one.one.domain: 32000+ A? www.centos.org. (32)

TCPDUMP on the WAN Interface (Router)
[root@localhost ~]# tcpdump -i ens33 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
DNS queries do not reach the WAN interface.

Can you help me, please?

Thank you very much.

Jidix

Re: Issue NAT Router

Posted: 2020/06/27 18:39:07
by jidix
Hello,

I solved the problem.
The root cause was firewalld. After disabling it, all is working. I should use firewalld and not iptables.

Jidix

Re: Issue NAT Router

Posted: 2020/06/27 19:24:37
by jlehtone
Actually, the 'iptables' tool on CentOS 8 is just a wrapper for the 'nft' tool that writes nftables rules to the kernel.
Firewalld writes nftables rules to the kernel too.

It is possible to have 'iptables.service' load a ruleset from a file written in iptables syntax.
It is possible to have 'nftables.service' load a ruleset from files written in nftables syntax.
It is possible to have 'firewalld.service' load a ruleset from files written in firewalld syntax.
The three are mutually exclusive.

IMHO, firewalld has not been suitable for a router, but suffices for a simple edge router.

Given LAN---router---WAN, where the router masquerades the existence of the LAN (the WAN sees only the router's IP),
the router's connection to the WAN could be in firewalld zone 'external' (which enables routing and NAT)
and the connection to the LAN in a zone that allows LAN to WAN forwarding. Alas, 'trusted' is the only one that I know.

The ruleset on the router does not need to be complex. See https://wiki.gentoo.org/wiki/Nftables/Examples
One could generate a ruleset with firewalld, toss out firewalld, and load similar (but "fixed") rules
with nftables.service.

default via 192.168.64.2 dev ens33
default via 192.168.140.254 dev ens34 proto static metric 100
That is conceptually wrong. What is the default? There can be only one.
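A small diagnostic helper, added here as an example and not taken from the thread, that recognises the two symptoms discussed in the posts above from saved command output: the ICMP "admin prohibited" errors the router sent to the LAN client (the router's own filter rejecting the forwarded DNS queries), and the two default routes jlehtone points out. The sample inputs are constructed from the outputs shown in the thread; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). It inspects saved output of
# `ip route` and `tcpdump` for: more than one default route, and ICMP
# "admin prohibited" errors whose sender is the router itself, which means
# the router's local firewall (here firewalld's REJECT) refused to forward
# the packet rather than some upstream host dropping it.

# Constructed from the poster's `ip route` output.
ROUTE_OUTPUT='default via 192.168.64.2 dev ens33
default via 192.168.140.254 dev ens34 proto static metric 100
192.168.64.0/24 dev ens33 proto kernel scope link src 192.168.64.128
192.168.140.0/24 dev ens34 proto kernel scope link src 192.168.140.2 metric 100'

# Constructed from the LAN-side tcpdump capture in the first post.
CAPTURE_OUTPUT='23:33:16.130809 IP _gateway > dns.google: ICMP echo request, id 21799, seq 1, length 64
23:33:16.134747 IP dns.google > _gateway: ICMP echo reply, id 21799, seq 1, length 64
23:33:17.763748 IP localhost.localdomain > _gateway: ICMP host dns.google unreachable - admin prohibited filter, length 77
23:33:17.774706 IP localhost.localdomain > _gateway: ICMP host one.one.one.one unreachable - admin prohibited filter, length 77'

# Number of default routes in `ip route` output; a router needs exactly one.
count_default_routes() {
    printf '%s\n' "$1" | grep -c '^default via'
}

# Senders of "admin prohibited" ICMP errors (field 3 of a tcpdump line).
# The router's own hostname here means its local firewall rejected the packet.
rejecting_hosts() {
    printf '%s\n' "$1" | awk '/admin prohibited/ { print $3 }' | sort -u
}

# Destinations the LAN client was refused, one per line.
rejected_destinations() {
    printf '%s\n' "$1" | awk '/admin prohibited/ { sub(/.*ICMP host /, ""); print $1 }' | sort -u
}

# Space-separated list of findings, or "none". Args: route output, capture output.
diagnose() {
    findings=""
    [ "$(count_default_routes "$1")" -gt 1 ] && findings="$findings multiple-default-routes"
    [ -n "$(rejecting_hosts "$2")" ] && findings="$findings local-reject"
    findings="${findings# }"
    printf '%s\n' "${findings:-none}"
}

diagnose "$ROUTE_OUTPUT" "$CAPTURE_OUTPUT"
```

On a live router the same functions can be fed `ip route` and `tcpdump -i <lan-if> icmp` output directly; a "local-reject" finding points at the router's own ruleset (firewalld, nftables or iptables) rather than at NAT or upstream routing.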