[rbak-nsp] Double NAT - strange thing

Yury Shefer shefys at gmail.com
Tue Oct 27 15:06:42 EDT 2015 

You may try to check "end-point independent" command under nat policy ...
enhanced. Maybe it is what you're looking for:

[local]SE1200(config-policy-nat)#?
  abort                 Abort this configuration - backout from running
config
  access-group          Define access-group to classify dynamic NAT
  admission-control     Configure connection admission control
  commit                Commit configuration transactions to running config
  connections           Define connection admission control parameters
  destination           Configure to overwrite destination IP address
  drop                  Configure to drop not classified traffic
  endpoint-independent  Set endpoint-indepenent traffic mode
 <<<<<<<<<<<<<<<<<<<<


On Tue, Oct 27, 2015 at 2:47 AM, Wojciech Wrona <w0jtas at w0jtas.com> wrote:

> UPDATE: This was only half success. Broadcom based routers on more heavy
> load will open more than one TCP connection from the same source port. This
> will be dropped by Redback NAT implementation. For now i have do idea how
> to deal with it :(
>
> Best regards,
>
> --
> w0jtas
>
> W dniu 26.10.2015 o 18:38, Wojciech Wrona pisze:
>
> Hi again.
>
> It seems like i've solved the problem, so i'm posting it here for future
> use. Routers like Pentagram, Netgear and some other clones (mailnly based
> on broadcom router on the chip chipset) are using strange but the most
> efficient NAT immplementation.
>
> If your subscribers are using theese routers as CPE, and you're NATing
> them and using not enhanced NAT on Your redback (becouse of lack of
> microblocks at the line cards as we are, or maybe becouse of lack of
> license but its less possible i think), you will have experience the same
> problem.
>
> On every "normall" (Linux based) NAT implementation source ports for
> outgoing connections are used in always growing manner. Starting from port
> 1025 up to 65536 and then again from 1025 .... Broadcom want to be super
> efficient (dont know why - its only home class router), and it is doing it
> in a different way. Couple seconds after closing TCP connection, its source
> port can be reused again for another one, it is not waiting with reuse for
> hitting the 65536 limit. I don't know what is the time limit (if there is
> any) for the reuse, but in my tests i didnt see any port reuse in time
> shorter than 10-12 seconds.
>
> The problem is that Redback has default timeout for FIN-RESET set to 240
> seconds. During this time this connection is considered still open, so any
> other SYN packet sent from the same source port is considered TCP P2MP
> connection attempt. Which (as u probably know) is prohibited in not
> enhanced nat.
>
> Therefore the only solution for those routers is to set Redback FIN-RESET
> timeout to its minimal value (4 seconds) in nat policy. I'm not sure if it
> solved the problem in 100% (still i can imagine port reuse in 2 or 3
> seconds after TCP connection close), but in my user experience tests (10
> firefox tabs constantly loading, and refreshing pages) everything worked
> well. IMO its more than enough :)
>
>  nat policy publicNatPolicy
> ! Default class
>   drop
>   icmp-notification
> ! Named classes
>   access-group publicNatAccess
>    class NAT
>     pool publicNatIP userAccess
>     timeout tcp 7200
>     timeout udp 120
>     timeout fin-reset 4
>     endpoint-independent filtering udp
>     inbound-refresh udp
>     icmp-notification
>    class IGNORE
>     ignore
>     inbound-refresh udp
>     icmp-notification
>
> Best regards,
>
> --
> w0jtas
>
> W dniu 23.10.2015 o 14:48, Wojciech Wrona pisze:
>
> Hi guys,
> I'm struggling for some days with strange issue on Redback. I have
> services configured as CLIPS based on DHCP/Radius auth. Everything works
> fine besides NAT. When the connecting host is normal single PC (as a
> subscriber) it looks ok, but when i connect a router (some Pentagram
> P6362 - becouse those were tested) and that single PC is connected after
> this router, here comes the situation where double NAT is going on. It
> should work fine, when IP addressed in both network are not overlaping,
> and i'm sure that they're not. But when pentagram is connected there is
> a trouble with opening more than few TCP connections. After opening few
> of them (rather random but small value) another SYN packets are lost
> (sent to redback, but no answer is received). It happens only when using
> a harware home router (like pentagram or something else), but when i
> connect in this place another PC with 2 network interfaces and Linux on
> board which is doing as second NAT box, the problem is not seen.
>
> What could cause this ? I have no idea where to start.
> My tests i'm doing at biuroInside interface
>
> *My config below:*
> context userAccess
> !
>  no ip domain-lookup
>  nat fragments
> !
> !
>  ip nat pool publicNatIP napt multibind
>   address 188.122.20.96/32
>    exclude well-known
> !
>  nat policy publicNatPolicy
> ! Default class
>   drop
>   icmp-notification
> ! Named classes
>   access-group publicNatAccess
>    class NAT
>     pool publicNatIP userAccess
>     timeout tcp 7200
>     timeout udp 60
>     endpoint-independent filtering udp
>     inbound-refresh udp
>     icmp-notification
>    class IGNORE
>     ignore
>     inbound-refresh udp
>     icmp-notification
> !
>  interface biuroInside multibind
>   ip address 192.168.129.254/24
>   dhcp server interface
>   ip access-group vlan2000Security out
> !
>  interface radiusIf
>   ip address 10.0.0.2/30
>    ip source-address radius
> !
>  interface tichyWiFi multibind
>   ip address 192.168.128.1/26
>   dhcp server interface
>   ip arp secured-arp
>
>  no logging console
> !
>  ip access-list adminAccess
>   seq 10 permit udp any any eq rip
>   seq 20 permit tcp any any eq bgp
>   seq 30 permit icmp any
>   seq 40 permit udp any any eq bootps
>   seq 50 permit udp any eq 1812 any
>   seq 60 permit tcp any any established
> !
>  ip access-list vlan2000Security
>   seq 10 permit ip 188.122.17.32 0.0.0.31 any
>   seq 20 deny tcp any any eq 135
>   seq 30 deny tcp any any eq 139
>   seq 40 deny tcp any any eq 445
>   seq 50 deny tcp any any eq www
>   seq 60 deny tcp any any eq 8080
>   seq 70 deny tcp any any eq 443
>   seq 80 deny tcp any any eq lpd
>   seq 90 deny tcp any any eq 631
>   seq 100 deny tcp any any eq 9100
>   seq 110 permit ip any any
> !
>  policy access-list publicNatAccess
>   seq 10 permit ip 192.168.0.0 0.0.63.255 host 188.122.20.1 class IGNORE
>   seq 20 permit ip 192.168.0.0 0.0.63.255 host 188.122.20.3 class IGNORE
>   seq 30 permit ip 192.168.129.0 0.0.0.255 192.168.191.0 0.0.0.255 class
> IGNORE
>   seq 40 permit ip 192.168.129.0 0.0.0.255 192.168.192.0 0.0.31.255
> class IGNORE
>   seq 50 permit ip 192.168.129.0 0.0.0.255 188.122.17.32 0.0.0.31 class
> IGNORE
>   seq 60 permit ip 192.168.129.0 0.0.0.255 host 188.122.20.36 class IGNORE
>   seq 70 permit ip 192.168.129.0 0.0.0.255 host 188.122.20.1 class IGNORE
>   seq 80 permit ip 192.168.129.0 0.0.0.255 host 188.122.20.12 class IGNORE
>   seq 90 permit ip 192.168.129.0 0.0.0.255 host 192.168.129.254 class IGNORE
>   seq 100 permit ip 192.168.129.0 0.0.0.255 host 188.122.18.122 class IGNORE
>   seq 110 permit ip 192.168.0.0 0.0.255.255 class NAT
> !
>  aaa authentication administrator local
>  aaa authentication administrator maximum sessions 1
>  aaa authentication subscriber radius
>  ip pool options use-class-c-bcast-addrs
> !
>  radius server 10.0.0.1 encrypted-key <key_cut_off>
>  radius attribute nas-port-id format physical
> !
>  subscriber default
>    ip source-validation
>    nat policy-name publicNatPolicy
> !
>  ip route 0.0.0.0/0 context local
>  service ftp client
>  service ssh client
>  service telnet client
> !
>  admin-access-group adminAccess in
> !
>  dhcp server policy
>    nak-on-subnet-deletion
>    option domain-name-server 188.122.20.9 8.8.8.8
>    option domain-name finemedia.pl
>    option ntp-server 188.122.20.1
>    option tftp-server-name finemedia.pl
>    default-lease-time 3600
>    subnet 192.168.128.0/26 name tichyWiFi
>      range 192.168.128.2 192.168.128.62
>      option router 192.168.128.1
>    subnet 192.168.129.0/24 name biuroInside
>      range 192.168.129.50 192.168.129.253
>      option router 192.168.129.254
> !
> !
> !
> end*
> My clips config goes like this:*
> dot1q profile dot1qCLIPS
>   radius attribute nas-port-type 15
>
> port ethernet 1/4
>  description SE600Downlink_10G
>  no shutdown
>  encapsulation dot1q
>  dot1q pvc 2000 profile dot1qCLIPS
>   service clips dhcp context userAccess
>
> Best regards,
>
> --
> w0jtas
>
>
>
>
> _______________________________________________
> redback-nsp mailing listredback-nsp at puck.nether.nethttps://puck.nether.net/mailman/listinfo/redback-nsp
>
>
>
>
> _______________________________________________
> redback-nsp mailing listredback-nsp at puck.nether.nethttps://puck.nether.net/mailman/listinfo/redback-nsp
>
>
>
> _______________________________________________
> redback-nsp mailing list
> redback-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/redback-nsp
>
>


-- 
Best regards,
Yury.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/redback-nsp/attachments/20151027/20c87245/attachment.html>

More information about the redback-nsp mailing list