Guscht
Member Candidate
Topic Author
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

DNAT Redirect-Rule / Source-IP

Sun Nov 13, 2022 6:14 pm

Hi,

I played a bit with the "redirect" rule.

If I configure a redirect rule for DNS and run `nslookup abc.om 8.8.8.8` from a Windows PC,
I see a correct answer coming from 8.8.8.8 (it comes from the MT, not from Google DNS). The source IP is 8.8.8.8, but it comes from the MT, so a source-NAT was done.

The path from Windows to 8.8.8.8:
step1.jpg

The answer:
step2.jpg

And the Connection in the MT:
step3.jpg

And here, the MT says the "Reply SRC Address" is 10.88.20.1, NOT 8.8.8.8.
Somewhere a SNAT was done that replaced 10.88.20.1 with 8.8.8.8, but I found no documentation regarding this topic.
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNAT Redirect-Rule / Source-IP

Sun Nov 13, 2022 6:33 pm

That's how connection tracking works. Reply src/dst address is what it looks for, to recognize response packets that belong to given connection. And then it automatically does the opposite of whatever src/dstnat was done to that connection.

Original request was from 10.88.10.1:53767 to 8.8.8.8:53. You did redirect, so dstnat, and changed destination to 10.88.20.1:53. Router sent response from 10.88.20.1:53 to 10.88.10.1:53767. Connection tracking sees that, understands that it belongs to previous request and changes 10.88.20.1:53 back to 8.8.8.8:53.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNAT Redirect-Rule / Source-IP

Sun Nov 13, 2022 6:52 pm

The item names are brief and thus they may be misinterpreted.

When an initial packet of a connection (a "request") is sent from address A to address B, A is shown as src-address and B is shown as dst-address for the connection. If, during handling of the initial packet, a dst-nat rule is applied, a new destination address is assigned, but rather than new-request-dst-address, it is shown as reply-src-address. Similarly, if a src-nat rule is applied, a new source address of the request is assigned, but it is shown as reply-dst-address.

The redirect rule is equal to a dst-nat one whose to-addresses is one of the router's own ones. So the initial packet is only dst-nated, hence only reply-src-address is assigned; reply-dst-address remains the same because no src-nat rule is involved.
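Sob's and sindy's explanations above, as an added example that is not part of the thread: a small Python model of a connection-tracking entry showing how dst-nat fills reply-src-address, src-nat fills reply-dst-address, and a reply packet is recognised by that reply tuple and un-NATed. It treats `redirect` as a dst-nat to the router's own address (10.88.20.1, as in the thread's screenshots), ignores protocol, connection state and port remapping, and the 203.0.113.5 WAN address in the masquerade case is a constructed value.

```python
"""Toy model of RouterOS connection tracking: how src/dst-nat sets the reply tuple.

Added example, not RouterOS code. Addresses 10.88.10.1, 10.88.20.1 and 8.8.8.8
are the ones from the thread; 203.0.113.5 (WAN address) is a constructed value.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int

    def __str__(self) -> str:
        return f"{self.addr}:{self.port}"


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass(frozen=True)
class Connection:
    # src-address / dst-address: the initial packet as the client sent it
    src: Endpoint
    dst: Endpoint
    # reply-src-address / reply-dst-address: what the *reply* looks like
    # before conntrack undoes the NAT (i.e. the NATed request, reversed)
    reply_src: Endpoint
    reply_dst: Endpoint


ROUTER_LAN = "10.88.20.1"   # router's own address on the client-facing side


def track_new(pkt: Packet,
              dst_nat_to: Optional[Endpoint] = None,
              src_nat_to: Optional[Endpoint] = None) -> Connection:
    """Build the conntrack entry for an initial packet that hit the given NAT rules."""
    # dst-nat rewrites where the request goes, so that is where the reply comes FROM
    reply_src = dst_nat_to if dst_nat_to is not None else pkt.dst
    # src-nat rewrites who the request appears to come from, so the reply goes TO that
    reply_dst = src_nat_to if src_nat_to is not None else pkt.src
    return Connection(pkt.src, pkt.dst, reply_src, reply_dst)


def redirect(pkt: Packet, to_port: Optional[int] = None) -> Connection:
    """action=redirect is a dst-nat whose target is one of the router's own addresses."""
    port = to_port if to_port is not None else pkt.dst.port
    return track_new(pkt, dst_nat_to=Endpoint(ROUTER_LAN, port))


def translate_request(conn: Connection, pkt: Packet) -> Packet:
    """Forward direction: the NATed request is simply the reply tuple reversed."""
    if (pkt.src, pkt.dst) != (conn.src, conn.dst):
        raise ValueError("packet does not belong to the original direction of this connection")
    return Packet(src=conn.reply_dst, dst=conn.reply_src)


def translate_reply(conn: Connection, pkt: Packet) -> Optional[Packet]:
    """Reply direction: recognise the reply by its tuple, then undo whatever NAT was done."""
    if (pkt.src, pkt.dst) != (conn.reply_src, conn.reply_dst):
        return None                       # not a reply to this connection
    return Packet(src=conn.dst, dst=conn.src)


def dns_redirect_example():
    """The thread's case: nslookup to 8.8.8.8 redirected to the router's own resolver."""
    client = Endpoint("10.88.10.1", 53767)
    google = Endpoint("8.8.8.8", 53)
    conn = redirect(Packet(client, google))
    # The router's DNS server answers from 10.88.20.1:53; conntrack rewrites the source.
    raw_reply = Packet(Endpoint(ROUTER_LAN, 53), client)
    return conn, translate_reply(conn, raw_reply)


def masquerade_example():
    """Contrast: src-nat only, so reply-dst changes and reply-src stays 8.8.8.8."""
    client = Endpoint("10.88.10.1", 53767)
    google = Endpoint("8.8.8.8", 53)
    wan = Endpoint("203.0.113.5", 53767)  # constructed WAN address; port kept for simplicity
    conn = track_new(Packet(client, google), src_nat_to=wan)
    on_the_wire = translate_request(conn, Packet(client, google))
    reply = translate_reply(conn, Packet(google, wan))
    # A packet aimed at the client's real address does not match this entry at all.
    unmatched = translate_reply(conn, Packet(google, client))
    return conn, on_the_wire, reply, unmatched


if __name__ == "__main__":
    conn, reply = dns_redirect_example()
    print(f"conn: {conn.src} -> {conn.dst}  reply-src={conn.reply_src}  reply-dst={conn.reply_dst}")
    print(f"reply as delivered to the client: {reply.src} -> {reply.dst}")
```

The point to take from `dns_redirect_example` is that no src-nat rule is involved: reply-dst-address stays the client's address and only reply-src-address is set (to 10.88.20.1:53), yet the answer still reaches the client with 8.8.8.8 as its source, because un-NATing the reply is the automatic mirror of the dst-nat done on the request.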
