Unnumbered NAT no longer allowed?

MrPete
2010-10-12
2013-03-05
  • MrPete

    MrPete - 2010-10-12

    I have a FWbuilder firewall from version 2.0.10 (!) that has been working fine for a number of years. iptables…
    One of its roles is to provide NAT services for a VPN tunnel.

    Just now I tried to recompile the firewall in the current version. I get an error because of the unnumbered tun0 VPN interface which is used in the NAT. I searched here and found a statement:

    unnumbered interface can never have IP address (that's why it is called unnumbered), therefore it can not be used for NAT.

    Obviously this is incorrect because I have an old FWbuilder firewall that works! SO… why was this capability removed, and what can I do about it to re-enable my firewall?

     
  • Vadim Kurland

    Vadim Kurland - 2010-10-12

    What does the NAT rule you expect it to generate look like?

     
  • MrPete

    MrPete - 2010-10-12

    Here are the NAT rules inside FWbuilder that relate to the tun0 VPN network object:

    Here's the generated iptables code from those rules:

    #
    # Rule 2 (NAT)
    #
    echo "Rule 2 (NAT)"
    #
    # Always NAT the NAT-network
    $IPTABLES -t nat -N Cid44361E5C.0
    $IPTABLES -t nat -A POSTROUTING -o tun0  -s 192.168.1.0/24 -j Cid44361E5C.0
    $IPTABLES -t nat -A Cid44361E5C.0   -d 0.0.0.0 -j RETURN
    $IPTABLES -t nat -A Cid44361E5C.0   -d 192.168.0.10 -j RETURN
    $IPTABLES -t nat -A Cid44361E5C.0 -o tun0  -j MASQUERADE
    #
    # Rule 3 (NAT)
    #
    echo "Rule 3 (NAT)"
    #
    # Anchor NAT target to tester
    $IPTABLES -t nat -A POSTROUTING -o tun0  -d 192.168.1.0/24 -j MASQUERADE
  • MrPete

    MrPete - 2010-10-12

    (PLH home is 192.168.1.*; tester is 192.168.0.10; VPN is tun0)

     
  • Vadim Kurland

    Vadim Kurland - 2010-10-12

    Try to make interface tun0 "dynamic" rather than "unnumbered".

     
  • MrPete

    MrPete - 2010-10-12

    Appears to work! (Hopefully there won't be a race condition at startup time. Using the dynamic interface means the vpn must be alive when the firewall comes up.)

    This means there's a bug in the documentation:
    Pages 23 and 85:

    Unnumbered interface: Use this option if the interface can never have an IP address, such as the Ethernet
    interface used to run PPPoE communication on some ADSL connections, or tunnel endpoint interface
    (GRE, PPPoE, sometimes IPSEC). Although unnumbered interfaces do not have addresses, firewall
    policy rules and access lists can be associated with them.
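
    An added example for the startup race mentioned above (this is my script, not fwbuilder's generated code and not MrPete's): a POSIX sh loader that polls until tun0 has an IPv4 address before applying the same two NAT rules from the thread, using the thread's interface and addresses. It assumes `ip` from iproute2, `$IPTABLES` defaulting to /sbin/iptables, and `DRY_RUN=1` to print instead of apply.

```shell
#!/bin/sh
# Added example, not fwbuilder output: install the tun0 NAT rules only after
# the tunnel is up, so a "dynamic" interface does not race the VPN at boot.
# Assumed: tun0, 192.168.1.0/24 and 192.168.0.10 from the thread; $IPTABLES
# falls back to /sbin/iptables; DRY_RUN=1 prints the rules instead of applying.
IPTABLES="${IPTABLES:-/sbin/iptables}"
VPN_IF="tun0"
HOME_NET="192.168.1.0/24"
TESTER="192.168.0.10"

# True when a line of `ip -o -4 addr show dev $VPN_IF` output carries an inet
# address; the text is passed in so the check can be exercised offline.
iface_has_addr() {
    printf '%s\n' "$1" | grep -q 'inet [0-9]'
}

# Poll for up to $1 seconds until the VPN interface has an IPv4 address.
wait_for_vpn() {
    n=0
    while [ "$n" -lt "$1" ]; do
        iface_has_addr "$(ip -o -4 addr show dev "$VPN_IF" 2>/dev/null)" && return 0
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# The same NAT rules the thread shows, parameterised on the interface name.
nat_rules() {
    cat <<EOF
$IPTABLES -t nat -N Cid44361E5C.0
$IPTABLES -t nat -A POSTROUTING -o $VPN_IF -s $HOME_NET -j Cid44361E5C.0
$IPTABLES -t nat -A Cid44361E5C.0 -d 0.0.0.0 -j RETURN
$IPTABLES -t nat -A Cid44361E5C.0 -d $TESTER -j RETURN
$IPTABLES -t nat -A Cid44361E5C.0 -o $VPN_IF -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $VPN_IF -d $HOME_NET -j MASQUERADE
EOF
}

# Apply (or, with DRY_RUN=1, just print) the rules once the tunnel is ready;
# $1 is the timeout in seconds (default 30). Non-zero exit means not loaded.
load_nat() {
    wait_for_vpn "${1:-30}" || { echo "$VPN_IF has no address; NAT rules not loaded" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then nat_rules; else nat_rules | sh -e; fi
}
```

    Call `load_nat 60` from the VPN's up-script or from the firewall script, where the error path tells you the tunnel never came up rather than silently installing rules against a missing interface.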

     
  • Vadim Kurland

    Vadim Kurland - 2010-10-12

    I don't think the documentation is inaccurate. Tunnel endpoints can be unnumbered, but this does not mean all tunnel endpoints are unnumbered.

     
  • MrPete

    MrPete - 2010-10-20

    It did NOT work. I need to analyze the difference in scripts produced, but bottom line the system works with FW generated by old FWB, not with new FWB. More to come…

     
