what to do when the peers use different IPs to transmit and receive

Raffaele Spazzoli rspazzol at redhat.com
Mon Sep 17 13:10:05 CEST 2018


Ivan,

sorry for the formatting, it seemed right on my email editor (gmail).
I cannot do SNAT at the source because the packet would be dropped if it
didn't come from the actual IP of the VM.
So I am doing SNAT at the destination. Why do you say I am doing it wrong?
I know it would be ideal to do it at the source, but should it work when
done at the destination?

Thanks,
Raffaele

Raffaele Spazzoli
Senior Architect - OpenShift <https://www.openshift.com>, Containers
and PaaS Practice <https://www.redhat.com/en/services/consulting/paas>
Tel: +1 216-258-7717



On Mon, Sep 17, 2018 at 5:16 AM, Ivan Labáth <labawi-wg at matrix-dream.net>
wrote:

> On Sun, Sep 16, 2018 at 07:08:58PM -0400, Raffaele Spazzoli wrote:
> > sh-4.2# iptables -t nat -n -L
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > SNAT       udp  --  10.128.2.10          0.0.0.0/0            udp dpt:5555 to:192.168.99.12:5555
> > SNAT       udp  --  10.128.1.94          0.0.0.0/0            udp dpt:5555 to:192.168.99.14:5555
> > SNAT       udp  --  10.130.0.136         0.0.0.0/0            udp dpt:5555 to:192.168.99.13:5555
> > SNAT       udp  --  10.129.1.158         0.0.0.0/0            udp dpt:5555 to:192.168.99.15:5555
> > SNAT       udp  --  10.131.0.199         0.0.0.0/0            udp dpt:5555 to:192.168.99.7:5555
> > SNAT       udp  --  10.129.2.217         0.0.0.0/0            udp dpt:5555 to:192.168.99.6:5555
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
>
> Please try to have no or reasonable line wrapping.
>
> If you are applying SNAT on your source node, you are setting
> the source address, which should be set to the reachable address
> for the replies to come to. In your case VIP.
> If you are setting it on the destination, you are IMO doing it wrong.
>
> Same thing applies to TCP and most typical protocols, nothing special
> about wireguard here.
>
> If you have a middlebox doing DNAT, it would normally be expected
> for it or something else to do SNAT in the reverse direction.
> Or, if your node has both addresses assigned, then it might be
> a case of improperly set source address on outgoing packets
> (e.g. your routing might need tuning).
>
> Regards,
> Ivan
> _______________________________________________
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>
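To make the placement Ivan describes concrete, here is an added example in iptables-save syntax; it is not from either poster. It assumes the node that owns the VIP 192.168.99.12 also hosts the pod 10.128.2.10 (the thread's own addresses and port), and shows the posted INPUT-chain rule next to a sending-side POSTROUTING rule.

```iptables
# Added example, iptables-save syntax. Assumed topology: one node holds the
# VIP 192.168.99.12 and hosts the pod 10.128.2.10; addresses and port 5555
# are the ones from the thread.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# As posted in the thread: the source is rewritten on the RECEIVING node, in
# the nat INPUT chain, so only the local WireGuard sees the VIP. Nothing on
# the wire changes and the sender still transmits from 10.128.2.10.
#-A INPUT -s 10.128.2.10/32 -p udp -m udp --dport 5555 -j SNAT --to-source 192.168.99.12:5555

# Placement Ivan describes, on the node that owns the VIP:
# inbound VIP:5555 is DNATed to the pod (the "middlebox" DNAT) ...
-A PREROUTING -d 192.168.99.12/32 -p udp -m udp --dport 5555 -j DNAT --to-destination 10.128.2.10:5555
# ... and the pod's own outbound packets are SNATed to the VIP before they
# leave, so the remote peer records 192.168.99.12:5555 as the endpoint and
# sends its replies to an address that is actually reachable.
-A POSTROUTING -s 10.128.2.10/32 -p udp -m udp --dport 5555 -j SNAT --to-source 192.168.99.12:5555
COMMIT
```

Conntrack reverses each translation for the reply half of a flow, so replies arriving at the VIP are delivered to the pod without any INPUT-chain rule. This only works where the network accepts 192.168.99.12 as a source address from that node, which is the constraint Raffaele raises above.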