[rbak-nsp] Double NAT - strange thing
Wojciech Wrona
w0jtas at w0jtas.com
Fri Oct 23 08:48:01 EDT 2015
Hi guys,
I'm struggling for some days with a strange issue on Redback. I have
services configured as CLIPS based on DHCP/Radius auth. Everything works
fine except NAT. When the connecting host is a normal single PC (as a
subscriber) it looks ok, but when I connect a router (some Pentagram
P6362, because those were tested) and that single PC is connected behind
this router, here comes the situation where double NAT is going on. It
should work fine when the IP addresses in both networks are not overlapping,
and I'm sure that they're not. But when the Pentagram is connected there is
trouble with opening more than a few TCP connections. After opening a few
of them (a rather random but small number) further SYN packets are lost
(sent to the Redback, but no answer is received). It happens only when using
a hardware home router (like the Pentagram or something else), but when I
connect in its place another PC with 2 network interfaces and Linux on
board acting as the second NAT box, the problem is not seen.
What could cause this? I have no idea where to start.
I'm doing my tests on the biuroInside interface.
*My config below:*
context userAccess
!
no ip domain-lookup
nat fragments
!
!
ip nat pool publicNatIP napt multibind
address 188.122.20.96/32
exclude well-known
!
nat policy publicNatPolicy
! Default class
drop
icmp-notification
! Named classes
access-group publicNatAccess
class NAT
pool publicNatIP userAccess
timeout tcp 7200
timeout udp 60
endpoint-independent filtering udp
inbound-refresh udp
icmp-notification
class IGNORE
ignore
inbound-refresh udp
icmp-notification
!
interface biuroInside multibind
ip address 192.168.129.254/24
dhcp server interface
ip access-group vlan2000Security out
!
interface radiusIf
ip address 10.0.0.2/30
ip source-address radius
!
interface tichyWiFi multibind
ip address 192.168.128.1/26
dhcp server interface
ip arp secured-arp
no logging console
!
ip access-list adminAccess
seq 10 permit udp any any eq rip
seq 20 permit tcp any any eq bgp
seq 30 permit icmp any
seq 40 permit udp any any eq bootps
seq 50 permit udp any eq 1812 any
seq 60 permit tcp any any established
!
ip access-list vlan2000Security
seq 10 permit ip 188.122.17.32 0.0.0.31 any
seq 20 deny tcp any any eq 135
seq 30 deny tcp any any eq 139
seq 40 deny tcp any any eq 445
seq 50 deny tcp any any eq www
seq 60 deny tcp any any eq 8080
seq 70 deny tcp any any eq 443
seq 80 deny tcp any any eq lpd
seq 90 deny tcp any any eq 631
seq 100 deny tcp any any eq 9100
seq 110 permit ip any any
!
policy access-list publicNatAccess
seq 10 permit ip 192.168.0.0 0.0.63.255 host 188.122.20.1 class IGNORE
seq 20 permit ip 192.168.0.0 0.0.63.255 host 188.122.20.3 class IGNORE
seq 30 permit ip 192.168.129.0 0.0.0.255 192.168.191.0 0.0.0.255 class IGNORE
seq 40 permit ip 192.168.129.0 0.0.0.255 192.168.192.0 0.0.31.255 class IGNORE
seq 50 permit ip 192.168.129.0 0.0.0.255 188.122.17.32 0.0.0.31 class IGNORE
seq 60 permit ip 192.168.129.0 0.0.0.255 host 188.122.20.36 class IGNORE
seq 70 permit ip 192.168.129.0 0.0.0.255 host 188.122.20.1 class IGNORE
seq 80 permit ip 192.168.129.0 0.0.0.255 host 188.122.20.12 class IGNORE
seq 90 permit ip 192.168.129.0 0.0.0.255 host 192.168.129.254 class IGNORE
seq 100 permit ip 192.168.129.0 0.0.0.255 host 188.122.18.122 class IGNORE
seq 110 permit ip 192.168.0.0 0.0.255.255 class NAT
!
aaa authentication administrator local
aaa authentication administrator maximum sessions 1
aaa authentication subscriber radius
ip pool options use-class-c-bcast-addrs
!
radius server 10.0.0.1 encrypted-key <key_cut_off>
radius attribute nas-port-id format physical
!
subscriber default
ip source-validation
nat policy-name publicNatPolicy
!
ip route 0.0.0.0/0 context local
service ftp client
service ssh client
service telnet client
!
admin-access-group adminAccess in
!
dhcp server policy
nak-on-subnet-deletion
option domain-name-server 188.122.20.9 8.8.8.8
option domain-name finemedia.pl
option ntp-server 188.122.20.1
option tftp-server-name finemedia.pl
default-lease-time 3600
subnet 192.168.128.0/26 name tichyWiFi
range 192.168.128.2 192.168.128.62
option router 192.168.128.1
subnet 192.168.129.0/24 name biuroInside
range 192.168.129.50 192.168.129.253
option router 192.168.129.254
!
!
!
end
*My clips config goes like this:*
dot1q profile dot1qCLIPS
radius attribute nas-port-type 15
port ethernet 1/4
description SE600Downlink_10G
no shutdown
encapsulation dot1q
dot1q pvc 2000 profile dot1qCLIPS
service clips dhcp context userAccess
Best regards,
-- w0jtas
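The symptom described above is SYNs that reach the Redback but get no answer. As an added example (not part of the original post, and not claiming the cause), this script pairs client SYNs with SYN-ACKs in a tcpdump-style trace, lists the unanswered ones, and flags 4-tuples where the home router reused a source port after an earlier completed handshake; with the NAPT holding TCP mappings for `timeout tcp 7200`, that is one thing worth checking in a capture taken on the subscriber side. The trace lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample capture, "time IP src.port > dst.port: Flags [..]" lines.
# The subscriber address is what the Redback sees behind the Pentagram's NAT.
SAMPLE = """\
0.000 IP 192.168.129.77.40001 > 188.122.18.122.80: Flags [S]
0.010 IP 188.122.18.122.80 > 192.168.129.77.40001: Flags [S.]
0.500 IP 192.168.129.77.40002 > 188.122.18.122.80: Flags [S]
0.510 IP 188.122.18.122.80 > 192.168.129.77.40002: Flags [S.]
1.200 IP 192.168.129.77.40001 > 188.122.18.122.80: Flags [S]
4.200 IP 192.168.129.77.40001 > 188.122.18.122.80: Flags [S]
5.000 IP 192.168.129.77.40003 > 188.122.18.122.443: Flags [S]
"""

LINE = re.compile(r"^(?P<t>[\d.]+) IP (?P<src>[\d.]+)\.(?P<sp>\d+) > "
                  r"(?P<dst>[\d.]+)\.(?P<dp>\d+): Flags \[(?P<fl>[^\]]*)\]")

def parse(text):
    """Parse trace lines into (time, src, sport, dst, dport, flags) tuples."""
    flows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            flows.append((float(d["t"]), d["src"], int(d["sp"]),
                          d["dst"], int(d["dp"]), d["fl"]))
    return flows

def unanswered_syns(text):
    """Map client 4-tuple -> {"lost": [syn times], "port_reused": bool}.
    A SYN counts as answered if a SYN-ACK for the reversed tuple arrives
    before the next SYN on the same tuple; port_reused is set when a lost
    SYN follows an already completed handshake on that same 4-tuple."""
    syns, synacks = defaultdict(list), defaultdict(list)
    for t, src, sp, dst, dp, fl in parse(text):
        if fl == "S":
            syns[(src, sp, dst, dp)].append(t)
        elif fl == "S.":                       # SYN-ACK, key by client tuple
            synacks[(dst, dp, src, sp)].append(t)
    report = {}
    for key, times in syns.items():
        acks, lost, seen_ok = synacks.get(key, []), [], False
        for i, t in enumerate(times):
            nxt = times[i + 1] if i + 1 < len(times) else float("inf")
            if any(t < a < nxt for a in acks):
                seen_ok = True
            elif not lost or seen_ok:
                lost.append(t)
                report[key] = {"lost": lost, "port_reused": seen_ok}
            else:
                lost.append(t)
    return report
```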