Hello all,
Today I took some time to review my firewall filtering when I came across something weird.
Every time I ping across VLANs (going through the router), client → router, router → client and even router → router, I always see NAT implied:
forward: in:bridge-vlan100-management out:bridge-vlan200-private, src-mac aa:bb:cc:dd:ee:ff, proto ICMP (type 8, code 0), 10.1.0.60->10.2.0.50, NAT 10.1.0.60->10.2.0.50, prio 1->0, len 84
However a “regular” TCP connection (e.g. http) is doing the expected:
forward: in:bridge-vlan100-management out:bridge-vlan200-private, src-mac aa:bb:cc:dd:ee:ff, proto TCP (SYN), 10.1.0.60:58166->10.2.0.50:80, prio 1->0, len 60
As stated above, NAT even shows up when pinging router → router with /ping 10.1.0.1 interface=bridge-vlan100-management src-address=10.1.0.1
output: in:(none) out:(unknown), proto ICMP (type 8, code 0), 10.1.0.1->10.1.0.1, NAT 10.1.0.1->10.1.0.1, len 56
I am sure none of my NAT rules is guilty because none of them matches this traffic, counters do not increment when I ping, and I even tried disabling them all (as well as rebooting the router, you never know).
A nice guy took some time on IRC but I still can't seem to understand whether there's a rationale behind this NAT when pinging.
Can anyone shed some light on this?
Thanks!
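When auditing firewall logs like the ones quoted above, the useful check is whether a "NAT a->b" annotation actually rewrote anything: in the ping lines the NAT tuple is identical to the original flow (an identity mapping), whereas a real translation shows different addresses or ports. The following is an added example, not code from the post or from RouterOS; it parses log lines in the format shown and classifies each NAT annotation as none, identity or translated. The first three sample lines are copied from the post; the fourth (a srcnat line) is constructed to show a real translation.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: three lines from the post plus one assumed srcnat line
# (198.51.100.2 / 203.0.113.5 are documentation addresses, not real hosts).
SAMPLE_LOG = """\
forward: in:bridge-vlan100-management out:bridge-vlan200-private, src-mac aa:bb:cc:dd:ee:ff, proto ICMP (type 8, code 0), 10.1.0.60->10.2.0.50, NAT 10.1.0.60->10.2.0.50, prio 1->0, len 84
forward: in:bridge-vlan100-management out:bridge-vlan200-private, src-mac aa:bb:cc:dd:ee:ff, proto TCP (SYN), 10.1.0.60:58166->10.2.0.50:80, prio 1->0, len 60
output: in:(none) out:(unknown), proto ICMP (type 8, code 0), 10.1.0.1->10.1.0.1, NAT 10.1.0.1->10.1.0.1, len 56
srcnat: in:(none) out:ether1, proto TCP (SYN), 192.168.88.10:40000->203.0.113.5:443, NAT 198.51.100.2:40000->203.0.113.5:443, len 60
"""

# src[:port]->dst[:port] as RouterOS prints it; ports appear only for TCP/UDP.
# fullmatch() keeps "prio 1->0" from being mistaken for a flow.
_FLOW = re.compile(r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?")

Flow = Tuple[str, Optional[str], str, Optional[str]]


def _flow(text: str) -> Optional[Flow]:
    m = _FLOW.fullmatch(text)
    return (m["src"], m["sport"], m["dst"], m["dport"]) if m else None


def parse_line(line: str) -> Dict[str, object]:
    """Split one firewall log line into chain, proto, original flow and NAT flow,
    then record whether the NAT annotation changed anything."""
    chain, _, rest = line.partition(": ")
    rec: Dict[str, object] = {"chain": chain, "proto": None, "flow": None, "nat": None}
    for field in rest.split(", "):
        if field.startswith("proto "):
            rec["proto"] = field[len("proto "):].split(" ")[0]   # "ICMP", "TCP", ...
        elif field.startswith("NAT "):
            rec["nat"] = _flow(field[len("NAT "):])
        elif _flow(field):
            rec["flow"] = _flow(field)
    if rec["nat"] is None:
        rec["nat_effect"] = "none"          # no NAT annotation at all
    elif rec["nat"] == rec["flow"]:
        rec["nat_effect"] = "identity"      # annotated as NAT, but nothing rewritten
    else:
        rec["nat_effect"] = "translated"    # addresses and/or ports really changed
    return rec


def nat_effects(log: str) -> List[str]:
    """Classification for every non-empty line of a log dump."""
    return [str(parse_line(l)["nat_effect"]) for l in log.splitlines() if l.strip()]


if __name__ == "__main__":
    for line, effect in zip(SAMPLE_LOG.splitlines(), nat_effects(SAMPLE_LOG)):
        print(f"{effect:10s} {line[:60]}")
```

Running it over a larger dump lets you separate log lines where "NAT" is merely an identity annotation from those where a rule actually rewrote the packet.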