Masquerade bug!

Good day!
I found a bug:
If I create NAT rules with the “src-nat” action and enter values in the “to-addresses” and “to-ports” fields, then NAT (src-nat) works well!
If I change the action to “masquerade” after that, then masquerade works wrongly (see below) and I can see the old “to-addresses” and “to-ports” fields in the CLI, but I cannot see them in WinBox!

Example (rules created via WinBox):

  1. add action=masquerade chain=srcnat comment=masquerade out-interface=ether1
  2. add action=dst-nat chain=dstnat comment="port forwarding sw-server" dst-address=177.19.xxx.xxx dst-port=9999 protocol=tcp to-addresses=192.168.0.100 to-ports=9999
  3. add action=masquerade chain=srcnat comment="It's wrong rules (with bug)" dst-address=192.168.0.100 dst-port=9999 protocol=tcp src-address=192.168.0.0/24 to-addresses=192.168.0.101 to-ports=221
  4. add action=masquerade chain=srcnat comment="It's right rule (without bug)" disabled=yes dst-address=192.168.0.100 dst-port=9999 protocol=tcp src-address=192.168.0.0/24

The first rule is classic masquerade (NAT Overload).
The second rule is classic port forwarding (for remote access to 192.168.0.100).
The third rule (Hairpin NAT) was created with the “src-nat” action (then changed to “masquerade”) and it has the bug.
The fourth rule (Hairpin NAT) was created from scratch and it does not have the bug.

I run “nmap -p 9999 177.19.xxx.xxx” (the IP of the ether1 interface) from 192.168.0.100 and start listening (tcpdump).
When the third rule is off and the fourth is on (Hairpin rule without the bug), I see:
08:09:01.254741 IP 192.168.0.100.44120 > 177.19.xxx.xxx.9999: Flags [S], seq 899668298, win 29200, options [mss 1460,sackOK,TS val 286369359 ecr 0,nop,wscale 7], length 0
08:09:01.254949 IP 192.168.0.1.44120 > 192.168.0.100.9999: Flags [S], seq 899668298, win 29200, options [mss 1460,sackOK,TS val 286369359 ecr 0,nop,wscale 7], length 0
08:09:01.254974 IP 192.168.0.100.9999 > 192.168.0.1.44120: Flags [R.], seq 0, ack 899668299, win 0, length 0
08:09:01.255097 IP 177.19.xxx.xxx.9999 > 192.168.0.100.44120: Flags [R.], seq 0, ack 899668299, win 0, length 0

OK!

When the third rule is on and the fourth is off (Hairpin rule with the bug), I see:
08:09:52.948175 IP 192.168.0.100.44125 > 177.19.xxx.xxx.9999: Flags [S], seq 2824100454, win 29200, options [mss 1460,sackOK,TS val 286382283 ecr 0,nop,wscale 7], length 0
08:09:52.948357 IP 192.168.0.1.221 > 192.168.0.100.9999: Flags [S], seq 2824100454, win 29200, options [mss 1460,sackOK,TS val 286382283 ecr 0,nop,wscale 7], length 0
08:09:52.948405 IP 192.168.0.100.9999 > 192.168.0.1.221: Flags [R.], seq 0, ack 2824100455, win 0, length 0
08:09:52.948507 IP 177.19.xxx.xxx.9999 > 192.168.0.100.44125: Flags [R.], seq 0, ack 2824100455, win 0, length 0

Wrong!

I had a lot of Hairpin NAT rules (I made them by copying and changing the “dst-address” and “dst-port” fields) and saw that all connections were being created with the same source port (221), and problems appeared.

Do you have any comments?

When action=masquerade, the port and to-address parameters are ignored.

The “to-addresses” parameter is ignored, but not “to-ports”.
Why can I see that the source port was changed in this case?
If you create this scheme, then you can confirm my words.
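
An added example, not part of the original thread and not MikroTik code: a small audit that reads the text of `/ip firewall nat export` and lists masquerade rules that still carry “to-addresses” or “to-ports”, the leftover fields the thread reports as visible in the CLI but hidden in WinBox. The sample export is constructed from the rules quoted above, and the function names are hypothetical.

```python
import shlex

# Constructed sample modelled on the rules quoted in the thread (export syntax).
SAMPLE_EXPORT = r'''
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade out-interface=ether1
add action=dst-nat chain=dstnat comment="port forwarding sw-server" \
    dst-port=9999 protocol=tcp to-addresses=192.168.0.100 to-ports=9999
add action=masquerade chain=srcnat comment="converted from src-nat" \
    dst-address=192.168.0.100 dst-port=9999 protocol=tcp \
    src-address=192.168.0.0/24 to-addresses=192.168.0.101 to-ports=221
add action=masquerade chain=srcnat comment="created from scratch" disabled=yes \
    dst-address=192.168.0.100 dst-port=9999 protocol=tcp src-address=192.168.0.0/24
'''

LEFTOVER_KEYS = ("to-addresses", "to-ports")


def parse_rules(export_text):
    """Yield one dict per 'add' line, joining backslash-continued lines first."""
    joined = []
    for line in export_text.splitlines():
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.strip())
    for line in joined:
        if not line.startswith("add "):
            continue
        # shlex keeps double-quoted comment values together as one token
        tokens = shlex.split(line[4:])
        yield dict(tok.split("=", 1) for tok in tokens if "=" in tok)


def find_leftovers(export_text):
    """Return (position, comment, leftovers) for masquerade rules with to-* fields."""
    findings = []
    for position, rule in enumerate(parse_rules(export_text)):
        if rule.get("action") != "masquerade":
            continue
        leftovers = {k: rule[k] for k in LEFTOVER_KEYS if k in rule}
        if leftovers:
            findings.append((position, rule.get("comment", ""), leftovers))
    return findings


if __name__ == "__main__":
    for position, comment, leftovers in find_leftovers(SAMPLE_EXPORT):
        print(f"rule {position} ({comment}): leftover {leftovers}")
```

Positions are zero-based and count only the `add` lines in the supplied text.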