Home » General » Support » NATed GRE packets does not reach VETH (NAT,GRE,VETH)
|
|
|
|
| Re: NATed GRE packets does not reach VETH (NAT,GRE,VETH) [message #33694 is a reply to message #33692] |
Fri, 31 October 2008 14:36   |
a1bert
Messages: 9
Registered: October 2007
Location: .cz
|
Junior Member |
|
|
gre packet arrives via tun102 iface, should be NATed and then go out via eth0:
Linux routername 2.6.24-6-fza-686 #1 SMP Mon May 19 06:30:48 UTC 2008 i686 GNU/Linux
ip ro:
10.255.255.32 dev tun102 proto kernel scope link src 10.255.255.31
x.x.202.20 dev lo scope link
y.y.227.192/27 dev eth0 proto kernel scope link src y.y.227.193
10.24.127.0/24 dev eth0 proto kernel scope link src 10.24.127.8
10.1.0.0/16 via 10.255.255.32 dev tun102
default via 10.24.127.1 dev eth0
# Generated by iptables-save v1.3.6 on Fri Oct 31 15:26:39 2008
*mangle
:PREROUTING ACCEPT [1537:90221]
:INPUT ACCEPT [328:27453]
:FORWARD ACCEPT [1199:62254]
:OUTPUT ACCEPT [233:35478]
:POSTROUTING ACCEPT [1432:97732]
COMMIT
# Completed on Fri Oct 31 15:26:39 2008
# Generated by iptables-save v1.3.6 on Fri Oct 31 15:26:39 2008
*filter
:INPUT ACCEPT [328:27453]
:FORWARD ACCEPT [1199:62254]
:OUTPUT ACCEPT [235:35742]
COMMIT
# Completed on Fri Oct 31 15:26:39 2008
# Generated by iptables-save v1.3.6 on Fri Oct 31 15:26:39 2008
*nat
:PREROUTING ACCEPT [23:1847]
:POSTROUTING ACCEPT [3:230]
:OUTPUT ACCEPT [2:175]
[2:175] -A POSTROUTING -s 10.24.127.8 -o eth0 -j RETURN
[8:456] -A POSTROUTING -s 10.0.0.0/255.0.0.0 -o eth0 -p gre -j SNAT --to-source x.x.202.20
[2:108] -A POSTROUTING -s 10.0.0.0/255.0.0.0 -o eth0 -j SNAT --to-source x.x.202.20
COMMIT
tcpdump -i tun102 proto gre -n
tcpdump: WARNING: arptype 65534 not supported by libpcap - falling back to
cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun102, link-type LINUX_SLL (Linux cooked), capture size 96
bytes
15:26:12.752991 IP 10.1.60.35 > 1.1.1.1: GREv1, call 5159, seq 0,length 37: LCP, Conf-Request (0x01), id 0, length 23
15:26:14.743937 IP 10.1.60.35 > 1.1.1.1: GREv1, call 5159, seq 1,length 37: LCP, Conf-Request (0x01), id 1, length 23
15:26:17.742849 IP 10.1.60.35 > 1.1.1.1: GREv1, call 5159, seq 2,length 37: LCP, Conf-Request (0x01), id 2, length 23
15:26:21.741342 IP 10.1.60.35 > 1.1.1.1: GREv1, call 5159, seq 3,length 37: LCP, Conf-Request (0x01), id 3, length 23
15:26:25.739857 IP 10.1.60.35 > 1.1.1.1: GREv1, call 5159, seq 4,length 37: LCP, Conf-Request (0x01), id 4, length 23
tcpdump -i eth0 proto gre -n
(note, only GRE from remote end, no NATted gre packets)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:26:12.735405 IP1.1.1.1 > x.x.202.20: GREv1, call 32768, seq 1, ack 4294967295, length 35: LCP, Conf-Request (0x01), id 0, length 17
15:26:15.673657 IP1.1.1.1 > x.x.202.20: GREv1, call 32768, seq 2, length 31: LCP, Conf-Request (0x01), id 1, length 17
15:26:18.672094 IP1.1.1.1 > x.x.202.20: GREv1, call 32768, seq 3, length 31: LCP, Conf-Request (0x01), id 2, length 17
15:26:21.672513 IP1.1.1.1 > x.x.202.20: GREv1, call 32768, seq 4, length 31: LCP, Conf-Request (0x01), id 3, length 17
15:26:24.670767 IP1.1.1.1 > x.x.202.20: GREv1, call 32768, seq 5, length 31: LCP, Conf-Request (0x01), id 4, length 17
15:26:27.669076 IP1.1.1.1 > x.x.202.20: GREv1, call 32768, seq 6, length 31: LCP, Conf-Request (0x01), id 5, length 17
|
|
|
|
|
|
| Re: NATed GRE packets does not reach VETH (NAT,GRE,VETH) [message #33713 is a reply to message #33695] |
Sun, 02 November 2008 18:54 |
a1bert
Messages: 9
Registered: October 2007
Location: .cz
|
Junior Member |
|
|
| maratrus wrote on Fri, 31 October 2008 11:07 |
- are we talking about VE? Are previous outputs from inside the VE?
|
yes, it's all from inside VE
| maratrus wrote on Fri, 31 October 2008 11:07 |
- could you please show "ip a l" from inside the VE and also "ip rule list".
|
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP> mtu 1500 qdisc noop
link/void
3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
link/ether 00:19:51:32:02:01 brd ff:ff:ff:ff:ff:ff
inet 10.24.127.8/24 brd 10.24.127.255 scope global eth0
inet 2.2.2.2/27 scope global eth0
inet6 fe80::219:51ff:fe32:201/64 scope link
valid_lft forever preferred_lft forever
2.2.2.2 is on different A network than 1.1.1.1
there is no special source routing:
# ip ru
0: from all lookup 255
32766: from all lookup main
32767: from all lookup default
| Quote: |
- I don't quite understand the following thing: have you masked ip address "1.1.1.1" that are shown in tcpdump ouput. Should your VE forward that packets?
|
yes real addres is masked as 1.1.1.1 and is routable , everything works except proto 47 (GRE) packets. NATed ip is trying to establish pptp connection with 1.1.1.1, tcp handshake (port 1723) is succesfully established but not GRE ...
| Quote: |
- why do you need "-A POSTROUTING -s 10.24.127.8 -o eth0 -j RETURN " rule?
|
to not to NAT locally originating packets (10.24.127.8 is bind on eth0 interface)
| Quote: |
- could you please show "ip r get "1.1.1.1""
|
ip ro get 1.1.1.1
1.1.1.1 via 10.24.127.1 dev eth0 src 10.24.127.8
cache mtu 1500 advmss 1460 hoplimit 64
As I said above 1.1.1.1 is routable , everything (UDP,TCP,ICMP) works except GRE
| Quote: |
- could you please also run tcpdump on lo interface
|
I have tried also lo, no GRE packets enters lo interface, GRE packets just disapear  , that is why I have created this thread
|
|
|
|
Goto Forum:
Current Time: Sat Jul 27 22:21:22 GMT 2024
Total time taken to generate the page: 0.02728 seconds
|
OpenVZ Forum
Members
Search
Help
Register
Login
Home
