
Bug: Changes in NAT or ZONES from 1.2 to 1.3
Open, Requires assessment - Public - BUG

Description

I tried upgrading from 1.2 to 1.3.

Everything seemed to be working except one thing:

I have multiple static IPv4 addresses on my external NIC interface eth2.

The eth2 NIC is in the Internet zone but my servers are on the Internal zone.

I then use DESTINATION NAT to translate the IPv4 address to an internal address and forward the packet on to that host.

In 1.2 it works fine, but in 1.3 it is acting like the IPv4 address and port are on the LOCAL zone instead of the Internet zone and it is not translating the IP address like my DESTINATION NAT rule says to do.

I'm getting an entry in the firewall log that says the packet to IP port 25 is being rejected and the rule name shows up in the internet-local4 zone firewall log.

As indicated above, this works great on 1.2.

Has something changed with respect to NAT or ZONES in 1.3 that wouldn't work the same and now causes the packet to be rejected?

Is this a bug or is there a different way to do in 1.3 what I've been doing in 1.2 and previous versions?

Is that explanation sufficient or do I need to show more detailed configuration?

Thanks

Details

Difficulty level
Unknown (require assessment)
Version
1.3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

dsummers created this task. Jun 19 2020, 7:16 PM
dsummers added a comment (edited). Jun 20 2020, 4:09 AM
Version:          VyOS 1.3-rolling-202006200117
Release Train:    equuleus

Built by:         autobuild@vyos.net
Built on:         Sat 20 Jun 2020 01:17 UTC
Build UUID:       29ee53d5-c062-4506-abe7-5e1da5c2f304
Build Commit ID:  5fc9c378b67c42

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  Red Hat
Hardware model:   KVM
Hardware S/N:     Unknown
Hardware UUID:    Unknown

Copyright:        VyOS maintainers and contributors

EDIT: See simplified configuration below

With this configuration on VyOS 1.2, external packets to, for instance, 24.XXX.YYY.140 port 25 get sent to 10.0.6.140.
With this configuration on VyOS 1.3, external packets to, for instance, 24.XXX.YYY.140 get rejected on the internet-local4 label zone for some reason.

Is this a bug on VyOS 1.3 or is there a different way to handle forwarded packets from the external interface NIC IP addresses to the internal addresses?

It sounds like a bug because it works fine in VyOS 1.2.

Thanks for either confirmation of a bug or some way to do this in VyOS 1.3.

Is there any more information that would be helpful in diagnosing and/or fixing this?
c-po added a subscriber: c-po. Jun 20 2020, 6:37 AM

VyOS 1.3 uses nftables for performing NAT operations. It might be possible that there is a bug in the new code. It would be interesting to get a copy of your sudo iptables-save -t nat and sudo iptables-save output on 1.2 so we can check it in 1.3.

dsummers added a comment (edited). Jun 20 2020, 7:06 AM
EDIT: See simplified configuration below

Do you need the same info on 1.3?

If so, I'll have to wait until tomorrow night.

This is my production network and I need it operational during the day.

Alternately, if it would help, I could create a test VM with a simplified example of my configuration and give the whole configuration and iptables from that.

Thoughts?

dsummers added a comment (edited). Jun 21 2020, 5:53 AM

EDIT: EDITED from original for clarity

Here is a simplified configuration on VyOS 1.3:

set firewall name internet-local4 default-action 'reject'
set firewall name internet-local4 description 'Internet to local (router)'
set firewall name internet-local4 enable-default-log
set firewall name internet-local4 rule 1 action 'accept'
set firewall name internet-local4 rule 1 description 'Allow all established/relate traffic to router.'
set firewall name internet-local4 rule 1 state established 'enable'
set firewall name internet-local4 rule 1 state related 'enable'
set firewall name internet-local4 rule 2 action 'drop'
set firewall name internet-local4 rule 2 description 'Drop invalid packets.'
set firewall name internet-local4 rule 2 state invalid 'enable'
set firewall name internet-local4 rule 4 action 'accept'
set firewall name internet-local4 rule 4 description 'Allow ICMP to router'
set firewall name internet-local4 rule 4 protocol 'icmp'
set firewall name internet-local4 rule 10 action 'accept'
set firewall name internet-local4 rule 10 description 'Allow SSH to router.'
set firewall name internet-local4 rule 10 destination port 'ssh'
set firewall name internet-local4 rule 10 protocol 'tcp'
set interfaces ethernet eth0 address '10.0.2.141/24'
set interfaces ethernet eth0 address '10.0.2.142/24'
set interfaces ethernet eth0 address '10.0.2.143/24'
set interfaces ethernet eth0 address '10.0.2.144/24'
set interfaces ethernet eth0 address '10.0.2.145/24'
set interfaces ethernet eth0 address '10.0.2.146/24'
set interfaces ethernet eth0 address '10.0.2.147/24'
set interfaces ethernet eth0 address '10.0.2.148/24'
set interfaces ethernet eth0 hw-id '08:00:27:85:84:15'
set interfaces ethernet eth1 address '10.0.100.1/24'
set interfaces ethernet eth1 description 'Private Network'
set interfaces ethernet eth1 hw-id '08:00:27:24:80:70'
set interfaces loopback lo
set nat destination rule 100 description 'Send all packets to 10.0.2.144 to 10.0.100.2.'
set nat destination rule 100 destination address '10.0.2.144'
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'all'
set nat destination rule 100 translation address '10.0.100.2'
set nat source rule 100 description 'Masquerade internal network IPs.'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '10.0.100.0/24'
set nat source rule 100 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 10.0.2.1
set service ssh
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'router'
set system login user vyos authentication encrypted-password '$6$bItUhftHxgo$JJIVWo712DIgMcUU4sDsdYV7RdII6hF79b14CYpvbaXbiuuJIXlB8tB/Vb9ucgZPLSQHT1sYlNd/N8w8uS.bI.'
set system login user vyos authentication plaintext-password ''
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set zone-policy zone internet description 'Internet Zone'
set zone-policy zone internet interface 'eth0'
set zone-policy zone local description 'Local Zone'
set zone-policy zone local from internet firewall name 'internet-local4'
set zone-policy zone local local-zone
set zone-policy zone private description 'Private Zone'
set zone-policy zone private interface 'eth1'

So with this I was able to ssh in from "outside" the network to 10.0.2.144 which gets re-directed to private network 10.0.100.2 as expected until I created the zone-policy sections.

But this configuration introduces some new questions:

With this configuration, I can ping and ssh to 10.0.2.1 from the router, but I don't think it should allow me to because:

I don't have an OUTGOING firewall setting on the internet zone from the "local" zone.

So how is it getting to the internet zone from the router "local" zone?

Once that question is answered then I'll continue configuring to get from the "internet" zone to the "private" zone and see if that works or not.

I thought I would stop here for the moment because it is doing things I don't expect.

My understanding was that the zones required two separate firewalls for each zone, one for incoming and one for outgoing.

Thoughts?

Here is the iptables-save output for Vyos-1.3-rolling-202006260117:

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VYATTA_CT_IGNORE - [0:0]
:VYATTA_CT_TIMEOUT - [0:0]
:VYATTA_CT_HELPER - [0:0]
:VYATTA_CT_PREROUTING_HOOK - [0:0]
:VYATTA_CT_OUTPUT_HOOK - [0:0]
:FW_CONNTRACK - [0:0]
:NAT_CONNTRACK - [0:0]
-A PREROUTING -j VYATTA_CT_IGNORE
-A PREROUTING -j VYATTA_CT_HELPER
-A PREROUTING -j VYATTA_CT_HELPER
-A PREROUTING -j VYATTA_CT_TIMEOUT
-A PREROUTING -j VYATTA_CT_PREROUTING_HOOK
-A PREROUTING -j NAT_CONNTRACK
-A PREROUTING -j FW_CONNTRACK
-A PREROUTING -j NOTRACK
-A OUTPUT -j VYATTA_CT_IGNORE
-A OUTPUT -j VYATTA_CT_HELPER
-A OUTPUT -j VYATTA_CT_HELPER
-A OUTPUT -j VYATTA_CT_TIMEOUT
-A OUTPUT -j VYATTA_CT_OUTPUT_HOOK
-A OUTPUT -j NAT_CONNTRACK
-A OUTPUT -j FW_CONNTRACK
-A OUTPUT -j NOTRACK
-A VYATTA_CT_IGNORE -j RETURN
-A VYATTA_CT_TIMEOUT -j RETURN
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1536 -j CT --helper tns
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1525 -j CT --helper tns
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1521 -j CT --helper tns
-A VYATTA_CT_HELPER -p udp -m udp --dport 111 -j CT --helper rpc
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 111 -j CT --helper rpc
-A VYATTA_CT_HELPER -j RETURN
-A VYATTA_CT_PREROUTING_HOOK -j RETURN
-A VYATTA_CT_OUTPUT_HOOK -j RETURN
-A FW_CONNTRACK -j ACCEPT
-A NAT_CONNTRACK -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VYATTA_PRE_FW_IN_HOOK - [0:0]
:VYATTA_PRE_FW_FWD_HOOK - [0:0]
:VYATTA_PRE_FW_OUT_HOOK - [0:0]
:VYATTA_POST_FW_IN_HOOK - [0:0]
:VYATTA_POST_FW_FWD_HOOK - [0:0]
:VYATTA_POST_FW_OUT_HOOK - [0:0]
:VYATTA_FW_OUT_HOOK - [0:0]
:VYATTA_FW_IN_HOOK - [0:0]
:VYATTA_FW_LOCAL_HOOK - [0:0]
:internet-local4 - [0:0]
:VZONE_internet - [0:0]
:VZONE_local_IN - [0:0]
:VZONE_local_OUT - [0:0]
:VZONE_private - [0:0]
-A INPUT -j VYATTA_PRE_FW_IN_HOOK
-A INPUT -j VYATTA_FW_LOCAL_HOOK
-A INPUT -j VZONE_local_IN
-A INPUT -j VYATTA_POST_FW_IN_HOOK
-A FORWARD -j VYATTA_PRE_FW_FWD_HOOK
-A FORWARD -j VYATTA_FW_IN_HOOK
-A FORWARD -j VYATTA_FW_OUT_HOOK
-A FORWARD -o eth0 -j VZONE_internet
-A FORWARD -o eth1 -j VZONE_private
-A FORWARD -j VYATTA_POST_FW_FWD_HOOK
-A OUTPUT -j VYATTA_PRE_FW_OUT_HOOK
-A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
-A VYATTA_PRE_FW_IN_HOOK -j RETURN
-A VYATTA_PRE_FW_FWD_HOOK -j RETURN
-A VYATTA_PRE_FW_OUT_HOOK -j RETURN
-A VYATTA_POST_FW_IN_HOOK -j ACCEPT
-A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
-A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
-A internet-local4 -m state --state RELATED,ESTABLISHED -m comment --comment internet-local4-1 -j RETURN
-A internet-local4 -m state --state INVALID -m comment --comment internet-local4-2 -j DROP
-A internet-local4 -p icmp -m comment --comment internet-local4-4 -j RETURN
-A internet-local4 -p tcp -m tcp --dport 22 -m comment --comment internet-local4-10 -j RETURN
-A internet-local4 -m comment --comment "internet-local4-10000 default-action reject" -j LOG --log-prefix "[internet-local4-default-R]"
-A internet-local4 -m comment --comment "internet-local4-10000 default-action reject" -j REJECT --reject-with icmp-port-unreachable
-A VZONE_internet -i eth0 -j RETURN
-A VZONE_internet -j DROP
-A VZONE_local_IN -i lo -j RETURN
-A VZONE_local_IN -i eth0 -j internet-local4
-A VZONE_local_IN -i eth0 -j RETURN
-A VZONE_local_IN -j DROP
-A VZONE_local_OUT -o lo -j RETURN
-A VZONE_local_OUT -j DROP
-A VZONE_private -i eth1 -j RETURN
-A VZONE_private -j DROP
COMMIT
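The *filter table above answers both of the reporter's questions if you follow the jumps: INPUT hands every packet for the router to VZONE_local_IN, which sends eth0 traffic through internet-local4, while OUTPUT never jumps to VZONE_local_OUT at all (only the empty PRE/POST hooks), and FORWARD traffic towards eth1 lands in VZONE_private, which drops anything not arriving on eth1. The following script is an added example, not VyOS code, that audits an iptables-save dump this way: it parses the rules, reports zone chains that no built-in chain ever reaches, and traces where a given packet would terminate. The embedded ruleset is a constructed excerpt of the posted table (comments and the CT/hook chains stripped); the three traffic cases and the function names are assumptions made for the demonstration.

```python
"""Audit a VyOS-style iptables-save *filter dump (added example, not VyOS code).

Two checks a practitioner wants after a zone-policy upgrade:
  1. which VZONE_* chains are never hooked from INPUT/FORWARD/OUTPUT, and
  2. where a concrete packet terminates, with and without DNAT applied.
"""
import re
from collections import defaultdict

# Constructed excerpt of the *filter table posted in this task.
SAMPLE_FILTER = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:internet-local4 - [0:0]
:VZONE_internet - [0:0]
:VZONE_local_IN - [0:0]
:VZONE_local_OUT - [0:0]
:VZONE_private - [0:0]
-A INPUT -j VZONE_local_IN
-A FORWARD -o eth0 -j VZONE_internet
-A FORWARD -o eth1 -j VZONE_private
-A internet-local4 -m state --state RELATED,ESTABLISHED -j RETURN
-A internet-local4 -p tcp -m tcp --dport 22 -j RETURN
-A internet-local4 -j REJECT --reject-with icmp-port-unreachable
-A VZONE_internet -i eth0 -j RETURN
-A VZONE_internet -j DROP
-A VZONE_local_IN -i lo -j RETURN
-A VZONE_local_IN -i eth0 -j internet-local4
-A VZONE_local_IN -i eth0 -j RETURN
-A VZONE_local_IN -j DROP
-A VZONE_local_OUT -o lo -j RETURN
-A VZONE_local_OUT -j DROP
-A VZONE_private -i eth1 -j RETURN
-A VZONE_private -j DROP
COMMIT
"""

BUILTIN = ("INPUT", "FORWARD", "OUTPUT")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
RULE_RE = re.compile(r"^-A (\S+)(.*?) -j (\S+)")


def parse_rules(text):
    """Return (policies, rules): built-in chain policies and per-chain rule lists."""
    policies, rules = {}, defaultdict(list)
    for line in text.splitlines():
        if line.startswith(":"):                      # chain declaration
            name, policy = line[1:].split()[:2]
            rules[name]                               # register even if empty
            if policy != "-":
                policies[name] = policy
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        chain, opts, target = m.groups()
        rule = {"target": target}
        for flag, key in (("-i", "in_if"), ("-o", "out_if"),
                          ("-p", "proto"), ("--dport", "dport")):
            fm = re.search(rf"(?:^|\s){re.escape(flag)} (\S+)", opts)
            if fm:
                rule[key] = fm.group(1)
        sm = re.search(r"--state (\S+)", opts)
        if sm:
            rule["states"] = set(sm.group(1).split(","))
        rules[chain].append(rule)
    return policies, dict(rules)


def reachable(rules, root, seen=None):
    """User chains transitively jumped to from `root`."""
    seen = set() if seen is None else seen
    for r in rules.get(root, []):
        t = r["target"]
        if t in rules and t not in seen:
            seen.add(t)
            reachable(rules, t, seen)
    return seen


def unhooked_zone_chains(rules):
    """Zone chains that exist but are never reached from a built-in chain."""
    hooked = set()
    for b in BUILTIN:
        hooked |= reachable(rules, b)
    return sorted(c for c in rules if c.startswith("VZONE_") and c not in hooked)


def matches(rule, pkt):
    for key in ("in_if", "out_if", "proto", "dport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    return "states" not in rule or pkt.get("state") in rule["states"]


def trace(policies, rules, chain, pkt):
    """Walk `chain` as netfilter would; return the terminal verdict or policy."""
    for r in rules.get(chain, []):
        if not matches(r, pkt):
            continue
        t = r["target"]
        if t in TERMINAL:
            return t
        if t == "RETURN":
            return policies.get(chain, "RETURN")
        if t in rules:                                # jump into a user chain
            v = trace(policies, rules, t, pkt)
            if v != "RETURN":
                return v
    return policies.get(chain, "RETURN")


def verdicts():
    policies, rules = parse_rules(SAMPLE_FILTER)
    smtp_new = {"proto": "tcp", "dport": "25", "state": "NEW"}
    return {
        "unhooked": unhooked_zone_chains(rules),
        # DNAT applied: routed towards eth1, so the packet traverses FORWARD
        "dnat_forward": trace(policies, rules, "FORWARD",
                              {**smtp_new, "in_if": "eth0", "out_if": "eth1"}),
        # DNAT not applied: destination is the router, so it traverses INPUT
        "no_dnat_input": trace(policies, rules, "INPUT",
                               {**smtp_new, "in_if": "eth0"}),
        # router-originated ping: OUTPUT carries no zone hook
        "router_ping": trace(policies, rules, "OUTPUT",
                             {"proto": "icmp", "out_if": "eth0", "state": "NEW"}),
    }


if __name__ == "__main__":
    for k, v in verdicts().items():
        print(f"{k}: {v}")
```

Run against the posted table this reports VZONE_local_OUT as unhooked (why the router can ping and ssh to 10.0.2.1 with no local-to-internet policy), a REJECT from internet-local4 for an un-NATed SMTP packet (the log entry in the report), and a DROP from VZONE_private even when DNAT does happen, because no "zone-policy zone private from internet" firewall exists yet. To use it on a live box, replace SAMPLE_FILTER with the output of sudo iptables-save -t filter.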
dsummers renamed this task from "Question: Changes in NAT or ZONES from 1.2 to 1.3?" to "Bug: Changes in NAT or ZONES from 1.2 to 1.3". Jul 2 2020, 4:10 PM
pasik added a subscriber: pasik. Jul 6 2020, 12:30 PM