[rbak-nsp] Double NAT - strange thing

Wojciech Wrona w0jtas at w0jtas.com
Fri Oct 23 08:48:01 EDT 2015 

Hi guys,
I'm struggling for some days with strange issue on Redback. I have
services configured as CLIPS based on DHCP/Radius auth. Everything works
fine besides NAT. When the connecting host is normal single PC (as a
subscriber) it looks ok, but when i connect a router (some Pentagram
P6362 - becouse those were tested) and that single PC is connected after
this router, here comes the situation where double NAT is going on. It
should work fine, when IP addressed in both network are not overlaping,
and i'm sure that they're not. But when pentagram is connected there is
a trouble with opening more than few TCP connections. After opening few
of them (rather random but small value) another SYN packets are lost
(sent to redback, but no answer is received). It happens only when using
a harware home router (like pentagram or something else), but when i
connect in this place another PC with 2 network interfaces and Linux on
board which is doing as second NAT box, the problem is not seen.

What could cause this ? I have no idea where to start.
My tests i'm doing at biuroInside interface


*My config below:*
context userAccess
!
 no ip domain-lookup
 nat fragments
!
!
 ip nat pool publicNatIP napt multibind
  address 188.122.20.96/32
   exclude well-known
!
 nat policy publicNatPolicy
! Default class
  drop
  icmp-notification
! Named classes
  access-group publicNatAccess
   class NAT
    pool publicNatIP userAccess
    timeout tcp 7200
    timeout udp 60
    endpoint-independent filtering udp
    inbound-refresh udp
    icmp-notification
   class IGNORE
    ignore
    inbound-refresh udp
    icmp-notification
!
 interface biuroInside multibind
  ip address 192.168.129.254/24
  dhcp server interface
  ip access-group vlan2000Security out
!
 interface radiusIf
  ip address 10.0.0.2/30
   ip source-address radius
!
 interface tichyWiFi multibind
  ip address 192.168.128.1/26
  dhcp server interface
  ip arp secured-arp

 no logging console
!
 ip access-list adminAccess
  seq 10 permit udp any any eq rip
  seq 20 permit tcp any any eq bgp
  seq 30 permit icmp any
  seq 40 permit udp any any eq bootps
  seq 50 permit udp any eq 1812 any
  seq 60 permit tcp any any established
!
 ip access-list vlan2000Security
  seq 10 permit ip 188.122.17.32 0.0.0.31 any
  seq 20 deny tcp any any eq 135
  seq 30 deny tcp any any eq 139
  seq 40 deny tcp any any eq 445
  seq 50 deny tcp any any eq www
  seq 60 deny tcp any any eq 8080
  seq 70 deny tcp any any eq 443
  seq 80 deny tcp any any eq lpd
  seq 90 deny tcp any any eq 631
  seq 100 deny tcp any any eq 9100
  seq 110 permit ip any any
!
 policy access-list publicNatAccess
  seq 10 permit ip 192.168.0.0 0.0.63.255 host 188.122.20.1 class IGNORE
  seq 20 permit ip 192.168.0.0 0.0.63.255 host 188.122.20.3 class IGNORE
  seq 30 permit ip 192.168.129.0 0.0.0.255 192.168.191.0 0.0.0.255 class
IGNORE
  seq 40 permit ip 192.168.129.0 0.0.0.255 192.168.192.0 0.0.31.255
class IGNORE
  seq 50 permit ip 192.168.129.0 0.0.0.255 188.122.17.32 0.0.0.31 class
IGNORE
  seq 60 permit ip 192.168.129.0 0.0.0.255 host 188.122.20.36 class IGNORE
  seq 70 permit ip 192.168.129.0 0.0.0.255 host 188.122.20.1 class IGNORE
  seq 80 permit ip 192.168.129.0 0.0.0.255 host 188.122.20.12 class IGNORE
  seq 90 permit ip 192.168.129.0 0.0.0.255 host 192.168.129.254 class IGNORE
  seq 100 permit ip 192.168.129.0 0.0.0.255 host 188.122.18.122 class IGNORE
  seq 110 permit ip 192.168.0.0 0.0.255.255 class NAT
!
 aaa authentication administrator local 
 aaa authentication administrator maximum sessions 1
 aaa authentication subscriber radius 
 ip pool options use-class-c-bcast-addrs
!
 radius server 10.0.0.1 encrypted-key <key_cut_off>
 radius attribute nas-port-id format physical
!
 subscriber default
   ip source-validation
   nat policy-name publicNatPolicy
!
 ip route 0.0.0.0/0 context local
 service ftp client
 service ssh client
 service telnet client
!
 admin-access-group adminAccess in
!
 dhcp server policy
   nak-on-subnet-deletion
   option domain-name-server 188.122.20.9 8.8.8.8
   option domain-name finemedia.pl
   option ntp-server 188.122.20.1
   option tftp-server-name finemedia.pl
   default-lease-time 3600
   subnet 192.168.128.0/26 name tichyWiFi
     range 192.168.128.2 192.168.128.62
     option router 192.168.128.1
   subnet 192.168.129.0/24 name biuroInside
     range 192.168.129.50 192.168.129.253
     option router 192.168.129.254
!
!
!
end
*
My clips config goes like this:*
dot1q profile dot1qCLIPS
  radius attribute nas-port-type 15

port ethernet 1/4
 description SE600Downlink_10G
 no shutdown
 encapsulation dot1q
 dot1q pvc 2000 profile dot1qCLIPS
  service clips dhcp context userAccess

Best regards,

-- w0jtas

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/redback-nsp/attachments/20151023/1085b567/attachment.html>

More information about the redback-nsp mailing list