Hi, I was debugging what I thought was a VLAN leak and a broken configuration, or at worst broken firmware, since I had bought new switches and wasn't completely comfortable with them yet. Anyway, it turns out that netfilter masq can leak internal information. I thought most things would be caught by this:

    table ip nat {
        ...
        chain postrouting {
            type nat hook postrouting; priority 100;
            oifname $ext_interface masquerade
        }
    }
---

But my machine was still sending unmasqueraded data. It was fixed by doing:

    table inet filter {
        ...
        chain forward {
            type filter hook forward; priority 0;
            ct state invalid counter drop   # <- this one
        }
    }
----

It just seems odd to me that traffic can go through without being NATed. I only discovered this since one device managed to NAK a lot of DHCP packets and eventually I was disconnected from my ISP (so the switches are still suspect, and will be inspected further when they are reconnected again).

And since I thought it was quite bad to just drop internal traffic that tries to get somewhere, I was looking to see if I could send a TTL exceeded or similar response to make it retry. The best I could do was:

    ct state invalid counter reject with icmp type port-unreachable

which could be further enhanced by an iifname <int interface> prefix.
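An added example, not from the original post: a complete nftables ruleset that puts the two fragments above together. The reason the masquerade rule alone is not enough is that the NAT hook only ever acts on packets that belong to a conntrack entry (the translation is decided on the first packet of a flow and then replayed from the entry). A packet that conntrack cannot attach to any flow is classified as "invalid", gets no entry, and therefore leaves with its internal source address untouched. So invalid packets have to be handled in the filter forward chain before anything else. The interface names, the internal prefix and the choice of `icmpx type admin-prohibited` (which, in the `inet` family, answers both IPv4 and IPv6 senders) are assumptions; adjust them to your setup.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not the original poster's configuration.
# Assumed names: eth0 = ISP side, eth1 = LAN side, 192.168.1.0/24 = LAN prefix.
flush ruleset

define ext_interface = eth0
define int_interface = eth1
define int_net = 192.168.1.0/24

table inet filter {
    chain forward {
        type filter hook forward; priority 0; policy drop;

        # Packets conntrack marks invalid have no conntrack entry, so the
        # nat table never applies masquerade to them. Answer LAN senders
        # with an ICMP error so they retry instead of silently timing out,
        # and drop invalid packets from any other direction.
        iifname $int_interface ct state invalid counter reject with icmpx type admin-prohibited
        ct state invalid counter drop

        # Replies and related traffic for flows conntrack already knows.
        ct state established,related accept

        # New flows from the LAN towards the ISP link. Only these reach the
        # nat postrouting hook below and get a masquerade mapping.
        iifname $int_interface oifname $ext_interface ip saddr $int_net ct state new accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting; priority 100;
        oifname $ext_interface masquerade
    }
}
```

Load it with `nft -f <file>` and then watch `nft list chain inet filter forward`: the `counter` on the two invalid rules tells you how much traffic was about to leave untranslated. `conntrack -S` shows the per-CPU `invalid` totals from conntrack itself, which is a useful cross-check. If most of the invalid hits turn out to be TCP segments that fail window tracking (asymmetric routing or lossy links cause this), `sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1` relaxes that check rather than papering over it with a wider accept rule.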