Community discussions

MUM Europe 2020
 
SweetSunday
Member Candidate
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Parallel networks and RADIUS

Sat Apr 21, 2007 10:27 am

The idea on a network is to have traffic within the network unmonitored and unrestricted but all Internet traffic to-and fro-accounted and given priority.

Everything on the network falls within subnets of 10.0.0.0/16. User-Manager/RADIUS allocates pppoe addresses in the 10.100.0.0/16 range.

Client CPEs have the following firewall nat rule:

0 chain=srcnat out-interface=pppoe-out1 dst-address=0.0.0.0/0
action=masquerade

1 chain=srcnat out-interface=wlan1 dst-address=10.0.0.0/16 action=masquerade

This should surely split traffic, sending 'local' data outside RADIUS and pppoe but sending all other traffic through the pppoe tunnel.

However local traffic is also being sent over the client's pppoe interface, ie a traceroute from a CPE to a server attached to the AP results in:

address: 10.0.0.33
ADDRESS STATUS
1 10.100.3.1 4ms 2ms 2ms
2 10.0.0.33 4ms 4ms 4ms


Can anyone spot the obvious mistake, 'cos I can't.
 
User avatar
tneumann
Member
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sat Apr 21, 2007 11:22 am

srcnat does not influence the route/next-hop/outgoing-interface that is used to forward a packet.

It's the other way around, i.e. if the routing code decides that a packet will be send out on interface ppoe-out1 then a particular srcnat rule might be selected for this (because it has a matching out-interface), but not vice versa.

--Tom
 
SweetSunday
Member Candidate
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Sat Apr 21, 2007 12:38 pm

Tom wrote:

"srcnat does not influence the route/next-hop/outgoing-interface that is used to forward a packet. "

No, but the rules above should surely have the effect of giving every packet with a 10.0.0.0/16 destination address a source address of 10.0.3.2 (wlan1) and routing it via wlan1, and every other packet a source address of 10.100.3.2 (pppoe-out) and routing it via pppoe-out.

But everything, including 10.0.0.0/16 addresses, is being routed out of pppoe-out, it seems.
 
User avatar
tneumann
Member
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sat Apr 21, 2007 4:21 pm

... the rules above should surely have the effect of giving every packet with a 10.0.0.0/16 destination address a source address of 10.0.3.2 (wlan1)
True, if and only if the packet were to go out on interface wlan1 in the first place!
... and routing it via wlan1
That, on the other hand, need not be the case. If this is true or not depends on your routing table, which you did not show in your posting...

--Tom
 
SweetSunday
Member Candidate
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Sat Apr 21, 2007 11:46 pm

That, on the other hand, need not be the case. If this is true or not depends on your routing table, which you did not show in your posting...
Ok. Here it is. (DISTANCE omitted for presentation)

Flags:.X.-.disabled,.A.-.active,.D.-.dynamic,.
C.-.connect,.S.-.static,.r.-.rip,.b.-.bgp,.o.-.ospf.
#.DST-ADDRESS...PREF-SRC...G.GATEWAY.INTERFACE.
0.ADC.10.0.3.0/24....10.0.3.2..........................wlan1.....
1.ADC.10.3.2.0/24....10.3.2.1.........................ether1....
2.ADC.10.100.3.1/32..10.100.3.2...............pppoe-out
3.AD..0.0.0.0/0.....................r.10.100.3.1.......pppoe-out

All these entries are dynamic so can't be altered or deleted. I could add a dst=10.0.0.0/16 > gateway 10.0.3.2 but that would just be duplicating the firewall rule.

edit:typo
 
User avatar
tneumann
Member
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Mon Apr 23, 2007 2:33 pm

Well, with this routing table it's clear that packets with destination 10.0.0.33 choose the default route and get sent out on the pppoe interface. It appears that you need to change your routing, and only after that works the way you need it to you then can take care of srcnat...

--Tom
 
SweetSunday
Member Candidate
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Mon Apr 23, 2007 10:48 pm

it's clear that packets with destination 10.0.0.33 choose the default route and get sent out on the pppoe interface.

--Tom
And this despite the fact that the firewall filter rule is set to send them out of the wlan1 interface.

And I read in the MT manual that routing is done BEFORE firewall rules are applied.

I can't see the correlation between the route tables and the filter rules - yes routing would sent 10.0.0.0/16 traffic to the default route over pppoe but why doesn't the firewall filter rule then pick them up and redirect them to wlan1?
 
User avatar
tneumann
Member
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Tue Apr 24, 2007 12:38 am

yes routing would sent 10.0.0.0/16 traffic to the default route over pppoe but why doesn't the firewall filter rule then pick them up and redirect them to wlan1?
Because redirecting something is not the srcnat's job at all. The out-interface parameter in the srcnat rule is not an action parameter; it does not work the way of "when the packet is handled by this rule, then set the out-interface to this". The out-interface parameter is a match condition for the srcnat rule. It works like "if the packet will go out on that interface (as has already been decided by routing before the srcnat rule is even checked) then this srcnat rule will apply, otherwise skip it altogether".

--Tom
 
SweetSunday
Member Candidate
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Tue Apr 24, 2007 2:01 am

The out-interface parameter in the srcnat rule is not an action parameter; it does not work the way of "when the packet is handled by this rule, then set the out-interface to this". The out-interface parameter is a match condition for the srcnat rule. It works like "if the packet will go out on that interface (as has already been decided by routing before the srcnat rule is even checked) then this srcnat rule will apply, otherwise skip it altogether".

--Tom
Okay.... So in fact I don't really need two srcnat rules? A simple:

"If destination=anything forward, src.nat it=masquerade." would do?

I'm guessing that would result in some data being srcnatted with the wlan1 address and some with the pppoe interface but I don't see how that would be a problem.

Who is online

Users browsing this forum: Doberman, ghemassagetoanthan, kingfitz and 82 guests