Hi all. I stumbled upon some (for me) weird behavior. I wanted to create some firewall rules, and they behaved differently than expected for IPv4 and IPv6. For some reason I wanted to SNAT all traffic which goes out on my interface "wgcircle". I know this should be avoided for IPv6, but I have some reasons to do so. As far as I know there are different ways to do so.
1.) Create a separate firewall zone and configure option masq '1' and option masq6 '1' on it.
2.) Do selective SNAT by a firewall rule.
Just for testing I did the 2nd way:
config nat 'nat_cirle_both'
	option src 'wg_zone'
	option target 'MASQUERADE'
	option name 'WG Circle NAT both'
	option device 'wgcircle'
	list proto 'all'
However, despite the graphical description showing IPv4 and IPv6, this rule only worked for IPv4. The source (not SNATed) IPs were 192.168.12.3 and dead:beef::ca11:3. The SNATed IPs should be 192.168.123.1 and d00d:badc:ab1e::1.
root@A:/home/dagama# tcpdump -i wgcircle
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wgcircle, link-type RAW (Raw IP), snapshot length 262144 bytes
21:11:05.756607 IP 192.168.123.1 > 192.168.89.1: ICMP echo request, id 1515, seq 1, length 64
21:11:05.801231 IP 192.168.89.1 > 192.168.123.1: ICMP echo reply, id 1515, seq 1, length 64
21:11:06.754157 IP 192.168.123.1 > 192.168.89.1: ICMP echo request, id 1516, seq 1, length 64
21:11:06.798580 IP 192.168.89.1 > 192.168.123.1: ICMP echo reply, id 1516, seq 1, length 64
21:11:07.840234 IP 192.168.123.1 > 192.168.89.1: ICMP echo request, id 1517, seq 1, length 64
21:11:07.881127 IP 192.168.89.1 > 192.168.123.1: ICMP echo reply, id 1517, seq 1, length 64
21:11:36.261500 IP6 dead:beef::ca11:3 > somehost.somedomain.dynv6.net: ICMP6, echo request, id 1518, seq 1, length 64
21:11:37.282313 IP6 dead:beef::ca11:3 > somehost.somedomain.dynv6.net: ICMP6, echo request, id 1519, seq 1, length 64
21:11:38.264975 IP6 dead:beef::ca11:3 > somehost.somedomain.dynv6.net: ICMP6, echo request, id 1520, seq 1, length 64
21:11:39.283943 IP6 dead:beef::ca11:3 > somehost.somedomain.dynv6.net: ICMP6, echo request, id 1521, seq 1, length 64
21:11:40.273306 IP6 dead:beef::ca11:3 > somehost.somedomain.dynv6.net: ICMP6, echo request, id 1522, seq 1, length 64
21:11:41.289804 IP6 dead:beef::ca11:3 > somehost.somedomain.dynv6.net: ICMP6, echo request, id 1523, seq 1, length 64
If I set two separate firewall rules for IPv4 and IPv6 instead, then the result is as expected:
config nat 'nat_cirle'
	option src 'wg_zone'
	option target 'MASQUERADE'
	option name 'WG Circle NAT'
	option device 'wgcircle'
	option family 'ipv4'
	list proto 'all'

config nat 'nat66_cirle'
	option src 'wg_zone'
	option target 'MASQUERADE'
	option name 'WG Circle NAT66'
	option device 'wgcircle'
	option family 'ipv6'
	list proto 'all'
root@A:/home/dagama# tcpdump -i wgcircle
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wgcircle, link-type RAW (Raw IP), snapshot length 262144 bytes
21:13:06.631924 IP 192.168.123.1 > 192.168.89.1: ICMP echo request, id 1524, seq 1, length 64
21:13:06.673868 IP 192.168.89.1 > 192.168.123.1: ICMP echo reply, id 1524, seq 1, length 64
21:13:07.653366 IP 192.168.123.1 > 192.168.89.1: ICMP echo request, id 1525, seq 1, length 64
21:13:07.708570 IP 192.168.89.1 > 192.168.123.1: ICMP echo reply, id 1525, seq 1, length 64
21:13:08.674219 IP 192.168.123.1 > 192.168.89.1: ICMP echo request, id 1526, seq 1, length 64
21:13:08.717588 IP 192.168.89.1 > 192.168.123.1: ICMP echo reply, id 1526, seq 1, length 64
21:13:09.647632 IP 192.168.123.1 > 192.168.89.1: ICMP echo request, id 1527, seq 1, length 64
21:13:09.687356 IP 192.168.89.1 > 192.168.123.1: ICMP echo reply, id 1527, seq 1, length 64
21:13:19.273348 IP6 d00d:badc:ab1e::1 > somehost.somedomain.dynv6.net: ICMP6, echo request, id 1528, seq 1, length 64
21:13:19.324282 IP6 somehost.somedomain.dynv6.net > d00d:badc:ab1e::1: ICMP6, echo reply, id 1528, seq 1, length 64
21:13:20.298049 IP6 d00d:badc:ab1e::1 > somehost.somedomain.dynv6.net: ICMP6, echo request, id 1529, seq 1, length 64
21:13:20.339751 IP6 somehost.somedomain.dynv6.net > d00d:badc:ab1e::1: ICMP6, echo reply, id 1529, seq 1, length 64
21:13:21.284698 IP6 d00d:badc:ab1e::1 > somehost.somedomain.dynv6.net: ICMP6, echo request, id 1530, seq 1, length 64
21:13:21.335579 IP6 somehost.somedomain.dynv6.net > d00d:badc:ab1e::1: ICMP6, echo reply, id 1530, seq 1, length 64
21:13:22.300383 IP6 d00d:badc:ab1e::1 > somehost.somedomain.dynv6.net: ICMP6, echo request, id 1531, seq 1, length 64
21:13:22.345165 IP6 somehost.somedomain.dynv6.net > d00d:badc:ab1e::1: ICMP6, echo reply, id 1531, seq 1, length 64
So my question is: is this expected behavior? Is it a display bug in LuCI? Am I thinking wrong?
Thank you in advance for all the help I will hopefully get!
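As an added example (not from the original post and not OpenWrt's own code), the following lint parses UCI firewall text and reports which address families each MASQUERADE `config nat` section is assumed to cover. It encodes the behavior observed in the post as an explicit assumption: a `config nat` section without `option family` is counted as IPv4-only, `option family 'any'` as both. The sample config embedded below is constructed from the three rules in the post; the function names are the example's own.

```python
"""Lint UCI firewall 'config nat' sections for address-family coverage.

Added example, not from the original post. Assumption (taken from the
behaviour observed in the post): a 'config nat' section without an
'option family' ends up covering IPv4 only, so a rule meant to
masquerade both families needs explicit ipv4 and ipv6 sections.
"""
import shlex

# Constructed sample: the single rule from the post, followed by the two
# family-specific rules that behaved as expected.
SAMPLE_CONFIG = """
config nat 'nat_cirle_both'
	option src 'wg_zone'
	option target 'MASQUERADE'
	option name 'WG Circle NAT both'
	option device 'wgcircle'
	list proto 'all'

config nat 'nat_cirle'
	option src 'wg_zone'
	option target 'MASQUERADE'
	option name 'WG Circle NAT'
	option device 'wgcircle'
	option family 'ipv4'
	list proto 'all'

config nat 'nat66_cirle'
	option src 'wg_zone'
	option target 'MASQUERADE'
	option name 'WG Circle NAT66'
	option device 'wgcircle'
	option family 'ipv6'
	list proto 'all'
"""

# How 'option family' values map to the families a rule covers.
FAMILIES = {'ipv4': {'ipv4'}, 'ipv6': {'ipv6'}, 'any': {'ipv4', 'ipv6'}}


def parse_uci(text):
    """Parse UCI text into a list of (type, name, options) tuples.

    'option' keys map to a string, 'list' keys to a list of strings.
    Quoting follows shell rules, which is what UCI uses.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)
        if parts[0] == 'config':
            name = parts[2] if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif parts[0] == 'option' and sections:
            sections[-1][2][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and sections:
            value = parts[2] if len(parts) > 2 else ''
            sections[-1][2].setdefault(parts[1], []).append(value)
    return sections


def nat_families(opts):
    """Families a nat section is assumed to cover.

    Missing 'family' -> IPv4 only (assumption from the observed behaviour);
    an unknown family value covers nothing, so it shows up as a gap.
    """
    fam = opts.get('family')
    if fam is None:
        return {'ipv4'}
    return set(FAMILIES.get(fam, set()))


def coverage_by_device(text):
    """Map (src zone, device) -> families covered by MASQUERADE nat rules."""
    coverage = {}
    for stype, _name, opts in parse_uci(text):
        if stype != 'nat' or opts.get('target', '').upper() != 'MASQUERADE':
            continue
        key = (opts.get('src'), opts.get('device'))
        coverage.setdefault(key, set()).update(nat_families(opts))
    return coverage


def lint(text):
    """One finding per nat section that relies on the implicit family."""
    findings = []
    for stype, name, opts in parse_uci(text):
        if stype == 'nat' and 'family' not in opts:
            fams = sorted(nat_families(opts))
            findings.append(f"{name}: no 'option family'; covers {fams} only")
    return findings


if __name__ == '__main__':
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
    for (src, dev), fams in coverage_by_device(SAMPLE_CONFIG).items():
        print(f"src={src} device={dev}: {sorted(fams)}")
```

The lint only reflects the assumption stated in its docstring; the authoritative check on the router is the generated ruleset (`fw4 print`, or `nft list table inet fw4`), where you can see the masquerade statements in the srcnat chain for the zone and whether each one is restricted to a single address family.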