VPP-2007: Unable to configure mixed NAT and non-NAT traffic


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Medium
    • Affects Version: 21.10
    • Component: nat

      Hi all,

      I am trying to set up mixed NAT and non-NAT traffic.

      In GNS3 I created a VPP VM with three interfaces (1 external, 2 internal).

      External interface GigabitEthernet0/5/0 with public IP address 203.0.113.1/30, connected to a host with IP 203.0.113.2/30 and a route to 198.51.100.0/24 via 203.0.113.1.
      Internal interface GigabitEthernet0/6/0 with private IP address 172.16.0.1/24, connected to a host with IP 172.16.0.2/24.
      Internal interface GigabitEthernet0/7/0 with public IP address 198.51.100.1/25, connected to a host with IP 198.51.100.2/25.

      Internal traffic from/to 198.51.100.0/25 should be forwarded without NAT.
      NAT address 198.51.100.128 should be applied on external interface only for internal traffic from 172.16.0.0/24.

      Here is my setup for VPP 21.01.1 (running on CentOS 8).

      /etc/vpp/startup.conf:

      unix {
       nodaemon
       startup-config /etc/vpp/startup-config
       log /var/log/vpp/vpp.log
       full-coredump
       cli-listen /run/vpp/cli.sock
       cli-history-limit 100
       cli-no-banner
       poll-sleep-usec 10
       gid vpp
      }
      api-trace {
       on
      }
      api-segment {
       gid vpp
      }
      dpdk {
       dev 0000:00:05.0
       dev 0000:00:06.0
       dev 0000:00:07.0
      }
      plugins {
       plugin default { disable }
       plugin dpdk_plugin.so { enable }
       plugin nat_plugin.so { enable }
       plugin arping_plugin.so { enable }
       plugin ping_plugin.so { enable }
      }
      logging {
       default-log-level debug
       default-syslog-log-level debug
      }
      ethernet {
       default-mtu 1500
      }
      

      /etc/vpp/startup-config:

      set interface state GigabitEthernet0/5/0 up
      set interface state GigabitEthernet0/6/0 up
      set interface state GigabitEthernet0/7/0 up
      set interface ip address GigabitEthernet0/5/0 203.0.113.1/30
      set interface ip address GigabitEthernet0/6/0 172.16.0.1/24
      set interface ip address GigabitEthernet0/7/0 198.51.100.1/25
      nat44 enable sessions 50000 endpoint-dependent
      nat44 forwarding enable
      nat44 add address 198.51.100.128
      set interface nat44 in GigabitEthernet0/6/0 output-feature
      set interface nat44 out GigabitEthernet0/5/0 output-feature
      

      If I run ping from internal host 172.16.0.2 to external host 203.0.113.2, then the translation works correctly (tcpdump output on the external host):

      02:44:23.420497 IP 198.51.100.128 > 203.0.113.2: ICMP echo request, id 64233, seq 4, length 64
      02:44:23.420516 IP 203.0.113.2 > 198.51.100.128: ICMP echo reply, id 64233, seq 4, length 64

      But if I run ping 203.0.113.2 from internal host 198.51.100.2, then NAT is also applied, even though I didn't set "nat in" on interface GigabitEthernet0/7/0:

      02:47:15.242598 IP 198.51.100.128 > 203.0.113.2: ICMP echo request, id 22324, seq 127, length 64
      02:47:15.242620 IP 203.0.113.2 > 198.51.100.128: ICMP echo reply, id 22324, seq 127, length 64
      
      vpp# show nat44 interfaces
      NAT44 interfaces:
       GigabitEthernet0/6/0 output-feature in
       GigabitEthernet0/5/0 output-feature out
      

       If I remove "output-feature", then translation is not applied at all with "nat44 forwarding enable" enabled.

       

      In the setup for VPP 21.10 I removed "endpoint-dependent", but if "output-feature" stays on the internal interface GigabitEthernet0/6/0 I see a new problem.

      Only one correct response is received on internal host 172.16.0.2 when running ping 203.0.113.2; the second response comes with source IP 198.51.100.128 instead of 203.0.113.2 (tcpdump on the internal host):

      03:06:18.420787 IP 172.16.0.2 > 203.0.113.2: ICMP echo request, id 405, seq 1, length 64
      03:06:18.427246 IP 203.0.113.2 > 172.16.0.2: ICMP echo reply, id 405, seq 1, length 64
      03:06:19.424157 IP 172.16.0.2 > 203.0.113.2: ICMP echo request, id 405, seq 2, length 64
      03:06:19.424441 IP 198.51.100.128 > 172.16.0.2: ICMP echo reply, id 59651, seq 2, length 64
      

      So I removed "output-feature" from internal interface GigabitEthernet0/6/0.

      /etc/vpp/startup-config:

      set interface state GigabitEthernet0/5/0 up
      set interface state GigabitEthernet0/6/0 up
      set interface state GigabitEthernet0/7/0 up
      set interface ip address GigabitEthernet0/5/0 203.0.113.1/30
      set interface ip address GigabitEthernet0/6/0 172.16.0.1/24
      set interface ip address GigabitEthernet0/7/0 198.51.100.1/25
      nat44 enable sessions 50000
      nat44 forwarding enable
      nat44 add address 198.51.100.128
      set interface nat44 in GigabitEthernet0/6/0
      set interface nat44 out GigabitEthernet0/5/0 output-feature

      vpp# show nat44 interfaces
      NAT44 interfaces:
       GigabitEthernet0/6/0 in
       GigabitEthernet0/5/0 output-feature in out
      

      With this setup in VPP 21.10, NAT is also applied to both subnets 172.16.0.0/24 and 198.51.100.0/25.

      Can someone please check whether this is a bug or an error in my configuration?
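As an added check (not part of this report or of VPP itself), the following Python audits tcpdump lines like the ones quoted above against the intended policy: it flags echo requests from the NAT-exempt subnet that reached the external host translated, and replies on the inside host whose reverse translation was not undone. The policy constants are assumed from the report's description; the sample captures are the report's own lines.

```python
import ipaddress
import re
from collections import namedtuple

# Policy from the report: 172.16.0.0/24 is translated to 198.51.100.128; 198.51.100.0/25 is not.
NAT_INSIDE = ipaddress.ip_network("172.16.0.0/24")
NAT_ADDRESS = ipaddress.ip_address("198.51.100.128")
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")
Pkt = namedtuple("Pkt", "src dst kind icmp_id seq")

def parse(line):
    """Parse one tcpdump ICMP echo line; returns None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, kind, icmp_id, seq = m.groups()
    return Pkt(ipaddress.ip_address(src), ipaddress.ip_address(dst), kind, int(icmp_id), int(seq))

def audit_outside(lines, sender):
    """Capture on the external host. `sender` is the inside host that ran ping (known from the
    test setup, not from the capture). Flags requests whose source disagrees with the policy."""
    must_translate = ipaddress.ip_address(sender) in NAT_INSIDE
    findings = []
    for p in filter(None, map(parse, lines)):
        if p.kind == "request" and (p.src == NAT_ADDRESS) != must_translate:
            findings.append(f"seq {p.seq}: {sender} arrived as {p.src}, expected translated={must_translate}")
    return findings

def audit_inside(lines):
    """Capture on the inside host. A reply must come from the address the matching request went
    to and carry its ICMP id; otherwise the reverse translation was not undone on the way in."""
    findings, requests = [], {}
    for p in filter(None, map(parse, lines)):
        if p.kind == "request":
            requests[p.seq] = p
        else:
            req = requests.get(p.seq)
            if req is None or p.src != req.dst or p.icmp_id != req.icmp_id:
                findings.append(f"seq {p.seq}: reply from {p.src} id {p.icmp_id} does not match its request")
    return findings

# Captures quoted in the report (the inside capture's seq 2 is the bad reply).
OUTSIDE_FROM_198 = ["02:47:15.242598 IP 198.51.100.128 > 203.0.113.2: ICMP echo request, id 22324, seq 127, length 64"]
INSIDE_21_10 = [
    "03:06:18.420787 IP 172.16.0.2 > 203.0.113.2: ICMP echo request, id 405, seq 1, length 64",
    "03:06:18.427246 IP 203.0.113.2 > 172.16.0.2: ICMP echo reply, id 405, seq 1, length 64",
    "03:06:19.424157 IP 172.16.0.2 > 203.0.113.2: ICMP echo request, id 405, seq 2, length 64",
    "03:06:19.424441 IP 198.51.100.128 > 172.16.0.2: ICMP echo reply, id 59651, seq 2, length 64",
]
```

Running `audit_outside(OUTSIDE_FROM_198, "198.51.100.2")` reports the exempt host being translated, and `audit_inside(INSIDE_21_10)` reports only seq 2, matching the two symptoms described in the report.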

            Assignee: Filip Varga (fivarga89)
            Reporter: nucleo