Unnumbered NAT no longer allowed?

MrPete
2010-10-12
2013-03-05
  • MrPete (2010-10-12)

    I have a FWbuilder firewall from version 2.0.10 (!) that has been working fine for a number of years. iptables…
    One of its roles is to provide NAT services for a VPN tunnel.

    Just now I tried to recompile the firewall in the current version. I get an error because of the unnumbered tun0 VPN interface which is used in the NAT. I searched here and found a statement:

    unnumbered interface can never have IP address (that's why it is called unnumbered), therefore it can not be used for NAT.

    Obviously this is incorrect because I have an old FWbuilder firewall that works! SO… why was this capability removed, and what can I do about it to re-enable my firewall?

  • Vadim Kurland (2010-10-12)

    What does the NAT rule you expect it to generate look like?

  • MrPete (2010-10-12)

    Here are the NAT rules inside FWbuilder that relate to the tun0 VPN network object:

    Here's the generated iptables code from those rules:

    #
    # Rule 2 (NAT)
    #
    echo "Rule 2 (NAT)"
    #
    # Always NAT the NAT-network
    $IPTABLES -t nat -N Cid44361E5C.0
    $IPTABLES -t nat -A POSTROUTING -o tun0  -s 192.168.1.0/24 -j Cid44361E5C.0
    $IPTABLES -t nat -A Cid44361E5C.0   -d 0.0.0.0 -j RETURN
    $IPTABLES -t nat -A Cid44361E5C.0   -d 192.168.0.10 -j RETURN
    $IPTABLES -t nat -A Cid44361E5C.0 -o tun0  -j MASQUERADE
    #
    # Rule 3 (NAT)
    #
    echo "Rule 3 (NAT)"
    #
    # Anchor NAT target to tester
    $IPTABLES -t nat -A POSTROUTING -o tun0  -d 192.168.1.0/24 -j MASQUERADE
  • MrPete (2010-10-12)

    (PLH home is 192.168.1.*; tester is 192.168.0.10; VPN is tun0)
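    For anyone reading the generated rules two posts up together with the address key in this post, here is an added example (not fwbuilder's code and not from this thread) that parses those exact iptables lines and simulates the nat-table POSTROUTING traversal, so you can see which packets end up masqueraded before the script is loaded. It is written in Python because it only needs to model chain logic, not run iptables. The sample input is the generated script pasted from the post above with `$IPTABLES` left unexpanded; the function names and the packet examples are mine.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the fwbuilder-generated NAT rules quoted in the thread.
# Comment and echo lines are skipped, "$IPTABLES" is accepted as the command.
SAMPLE_SCRIPT = """
#
# Rule 2 (NAT)
#
echo "Rule 2 (NAT)"
#
# Always NAT the NAT-network
$IPTABLES -t nat -N Cid44361E5C.0
$IPTABLES -t nat -A POSTROUTING -o tun0  -s 192.168.1.0/24 -j Cid44361E5C.0
$IPTABLES -t nat -A Cid44361E5C.0   -d 0.0.0.0 -j RETURN
$IPTABLES -t nat -A Cid44361E5C.0   -d 192.168.0.10 -j RETURN
$IPTABLES -t nat -A Cid44361E5C.0 -o tun0  -j MASQUERADE
#
# Rule 3 (NAT)
#
echo "Rule 3 (NAT)"
#
# Anchor NAT target to tester
$IPTABLES -t nat -A POSTROUTING -o tun0  -d 192.168.1.0/24 -j MASQUERADE
"""


@dataclass
class Rule:
    out_iface: Optional[str]                   # -o
    src: Optional[ipaddress.IPv4Network]       # -s (a bare address becomes /32)
    dst: Optional[ipaddress.IPv4Network]       # -d
    target: str                                # -j


def parse_nat_script(text: str) -> Dict[str, List[Rule]]:
    """Build {chain: [Rule, ...]} for the nat table from iptables command lines."""
    chains: Dict[str, List[Rule]] = {"PREROUTING": [], "OUTPUT": [], "POSTROUTING": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("echo "):
            continue
        argv = shlex.split(line)
        if argv[0] not in ("$IPTABLES", "iptables"):
            raise ValueError(f"unexpected command: {line}")
        if len(argv) % 2 != 1:
            raise ValueError(f"flag without a value: {line}")
        opts = {argv[i]: argv[i + 1] for i in range(1, len(argv), 2)}
        if opts.get("-t", "filter") != "nat":
            raise ValueError(f"not a nat-table rule: {line}")
        if "-N" in opts:                        # user-defined chain creation
            chains.setdefault(opts["-N"], [])
            continue
        chain = opts["-A"]
        if chain not in chains:
            raise ValueError(f"append to undefined chain {chain}: {line}")
        chains[chain].append(Rule(
            out_iface=opts.get("-o"),
            src=ipaddress.ip_network(opts["-s"]) if "-s" in opts else None,
            dst=ipaddress.ip_network(opts["-d"]) if "-d" in opts else None,
            target=opts["-j"],
        ))
    return chains


def _walk(chains, chain, src, dst, out_iface):
    """Return a terminating target, or None when the chain is exhausted or RETURNs."""
    for rule in chains[chain]:
        if rule.out_iface is not None and rule.out_iface != out_iface:
            continue
        if rule.src is not None and src not in rule.src:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        if rule.target == "RETURN":
            return None                         # back to the calling chain
        if rule.target in chains:               # jump into a user-defined chain
            verdict = _walk(chains, rule.target, src, dst, out_iface)
            if verdict is not None:
                return verdict
            continue                            # user chain fell through: keep going
        return rule.target                      # MASQUERADE, SNAT, DNAT, ACCEPT, ...
    return None


def nat_verdict(chains, src, dst, out_iface, chain="POSTROUTING"):
    """Verdict for a packet leaving via out_iface; None at the top level means the
    built-in chain's policy, which for the nat table is ACCEPT (no translation)."""
    verdict = _walk(chains, chain, ipaddress.ip_address(src),
                    ipaddress.ip_address(dst), out_iface)
    return verdict if verdict is not None else "ACCEPT"


if __name__ == "__main__":
    chains = parse_nat_script(SAMPLE_SCRIPT)
    # Constructed packets using the thread's address key: PLH home 192.168.1.*,
    # tester 192.168.0.10, VPN tun0.
    for src, dst, dev in [("192.168.1.5", "10.0.0.1", "tun0"),
                          ("192.168.1.5", "192.168.0.10", "tun0"),
                          ("10.8.0.2", "192.168.1.20", "tun0"),
                          ("192.168.1.5", "10.0.0.1", "eth0")]:
        print(f"{src} -> {dst} via {dev}: {nat_verdict(chains, src, dst, dev)}")
```

    Run it as-is to get the four sample verdicts; to check a different fwbuilder script, pass its contents to `parse_nat_script` and query `nat_verdict` with the source, destination and outgoing interface you care about. Note that the inner `-o tun0` on the MASQUERADE line is redundant, since the jump into the chain already required `-o tun0`; the simulator honours it anyway.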

  • Vadim Kurland (2010-10-12)

    Try making interface tun0 "dynamic" rather than "unnumbered".

  • MrPete (2010-10-12)

    Appears to work! (Hopefully there won't be a race condition at startup time. Using the dynamic interface means the vpn must be alive when the firewall comes up.)

    This means there's a bug in the documentation:
    Pages 23 and 85:

    Unnumbered interface: Use this option if the interface can never have an IP address, such as the Ethernet
    interface used to run PPPoE communication on some ADSL connections, or tunnel endpoint interface
    (GRE, PPPoE, sometimes IPSEC). Although unnumbered interfaces do not have addresses, firewall
    policy rules and access lists can be associated with them.
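    On the startup-order concern raised at the top of this post (with a dynamic interface the VPN has to be up before the firewall script runs), here is an added example, not from this thread or from fwbuilder, of a small Python guard that waits for the tun interface to appear in /sys/class/net before handing control to the generated firewall script. The `sysfs_net` parameter exists only so the check can be exercised against a constructed directory tree; the firewall script path is whatever your fwbuilder build produced and is assumed here.

```python
import os
import sys
import time


def iface_is_up(iface, sysfs_net="/sys/class/net"):
    """True when IFACE exists and its operstate is 'up' or 'unknown'.

    Point-to-point tun devices commonly report 'unknown' rather than 'up', so
    both count.  sysfs_net is overridable only for testing against a
    constructed directory; on a real host leave the default.
    """
    path = os.path.join(sysfs_net, iface)
    if not os.path.isdir(path):
        return False
    try:
        with open(os.path.join(path, "operstate")) as f:
            state = f.read().strip()
    except OSError:
        return True          # device present but no operstate exposed: best we can do
    return state in ("up", "unknown")


def wait_for_iface(iface, timeout, sysfs_net="/sys/class/net", poll=0.2):
    """Poll until iface_is_up() or TIMEOUT seconds elapse; True if it came up."""
    deadline = time.monotonic() + timeout
    while True:
        if iface_is_up(iface, sysfs_net):
            return True
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        time.sleep(min(poll, remaining))


def main(argv):
    # Usage: wait_for_vpn.py IFACE TIMEOUT_SECONDS /path/to/generated/firewall.sh
    if len(argv) != 4:
        print(f"usage: {argv[0]} IFACE TIMEOUT SCRIPT", file=sys.stderr)
        return 2
    iface, timeout, script = argv[1], float(argv[2]), argv[3]
    if not wait_for_iface(iface, timeout):
        print(f"{iface} did not come up within {timeout:g}s; not loading NAT rules",
              file=sys.stderr)
        return 1
    os.execv(script, [script])   # replace this process with the firewall script


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it in place of the firewall script at boot, for example `wait_for_vpn.py tun0 60 /path/to/firewall.sh`, so that a firewall build that references the interface's address never runs against an interface that does not exist yet; if the VPN never comes up the guard exits non-zero instead of loading half-valid rules.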

  • Vadim Kurland (2010-10-12)

    I don't think the documentation is inaccurate. Tunnel endpoints can be unnumbered, but this does not mean all tunnel endpoints are unnumbered.

  • MrPete (2010-10-20)

    It did NOT work. I need to analyze the difference in the scripts produced, but bottom line, the system works with the FW generated by the old FWB, not with the new FWB. More to come…