[VLAN] NAT over vlan problem

I have a strange problem, in that NAT isn't working over a vlan interface.
vlan4 is on eth0 and works fine locally for all network access, and is nat'd
for clients connecting over eth1.  Pings work over NAT, but http requests
get no reply and time out on the nat'd client.

My NIC that's on the vlan is using the intel e100 driver, (previously the
eepro100 driver)
e100: Intel(R) PRO/100 Network Driver, 3.3.6-k2-NAPI
e100: Copyright(c) 1999-2004 Intel Corporation
PCI: Found IRQ 15 for device 0000:00:03.0
PCI: Sharing IRQ 15 with 0000:00:02.2
e100: eth0: e100_probe: addr 0xf3bff000, irq 15, MAC addr 00:04:AC:3A:39:2E
PCI: Found IRQ 11 for device 0000:00:12.0
PCI: Sharing IRQ 11 with 0000:01:01.0
e100: eth1: e100_probe: addr 0xf3cfe000, irq 11, MAC addr 00:D0:B7:C8:A0:C1

The switch is a 3com superstack 1100, with several vlans functioning just
fine.  All vlan interfaces and eth0 have mtu set to 1480, to deal with
oversize ethernet frames from 802.1q's extra 4-byte header.

cherry:~# cat /proc/net/vlan/vlan4
vlan4  VID: 4    REORDER_HDR: 1  dev->priv_flags: 1
         total frames received:           33
          total bytes received:         9806
      Broadcast/Multicast Rcvd:            0

      total frames transmitted:           12
       total bytes transmitted:         1488
            total headroom inc:            0
           total encap on xmit:           12
Device: eth0
INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
EGRESSS priority Mappings:

Are there any other issues I should know about with nat on a vlan iface?
What can I do to troubleshoot this?

Here's a tcp dump of an http request from a nat'd client (aspen):

cherry:~# tcpdump -i vlan4 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan4, link-type EN10MB (Ethernet), capture size 96 bytes
18:02:44.078661 IP 24.150.175.20.2945 > 207.68.171.245.80: S
944680509:944680509(0) win 16384 <mss 460,nop,nop,sackOK>
18:02:44.151547 IP 207.68.171.245.80 > 24.150.175.20.2945: S
897552820:897552820(0) ack 944680510 win 16384 <mss 1460,nop,nop,sackOK>
18:02:47.288473 IP 24.150.175.20.2945 > 207.68.171.245.80: S
944680509:944680509(0) win 16384 <mss 1460,nop,nop,sackOK>
18:02:47.348261 IP 207.68.171.245.80 > 24.150.175.20.2945: S
897552820:897552820(0) ack 944680510 win 16384 <mss 1460,nop,nop,sackOK>
18:02:53.851230 IP 24.150.175.20.2945 > 207.68.171.245.80: S
944680509:944680509(0) win 16384 <mss 1460,nop,nop,sackOK>
18:02:53.911135 IP 207.68.171.245.80 > 24.150.175.20.2945: S
897552820:897552820(0) ack 944680510 win 16384 <mss 1460,nop,nop,sackOK>
18:03:06.978910 IP 24.150.175.20.2946 > 207.68.173.254.80: S
1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>
18:03:07.057326 IP 207.68.173.254.80 > 24.150.175.20.2946: S
2453967774:2453967774(0) ack 1127197686 win 8190 <mss 1460>
18:03:10.258109 IP 24.150.175.20.2946 > 207.68.173.254.80: S
1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>
18:03:10.335541 IP 207.68.173.254.80 > 24.150.175.20.2946: S
2453967774:2453967774(0) ack 1127197686 win 8190 <mss 1460>
18:03:16.820850 IP 24.150.175.20.2946 > 207.68.173.254.80: S
1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>
18:03:16.897891 IP 207.68.173.254.80 > 24.150.175.20.2946: S
2453967774:2453967774(0) ack 1127197686 win 8190 <mss 1460>
18:04:53.952053 IP 207.68.171.245.80 > 24.150.175.20.2945: R 0:0(0) win 0

and this is what aspen sees (the nat client),

cherry:~# tcpdump -i eth1 -n | grep 192.168.1.62
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
18:02:44.078556 IP 192.168.1.62.2945 > 207.68.171.245.80: S
944680509:944680509(0) win 16384 <mss 1460,nop,nop,sackOK>
18:02:47.288419 IP 192.168.1.62.2945 > 207.68.171.245.80: S
944680509:944680509(0) win 16384 <mss 1460,nop,nop,sackOK>
18:02:53.851181 IP 192.168.1.62.2945 > 207.68.171.245.80: S
944680509:944680509(0) win 16384 <mss 1460,nop,nop,sackOK>
18:03:06.978831 IP 192.168.1.62.2946 > 207.68.173.254.80: S
1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>
18:03:10.258059 IP 192.168.1.62.2946 > 207.68.173.254.80: S
1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>
18:03:16.820799 IP 192.168.1.62.2946 > 207.68.173.254.80: S
1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>

Note here that the reply comes back from the webserver on vlan4, but it's
never translated and sent back to the client on eth1.

Any help is much appreciated.

regards,
Jamie
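
Added example (not part of the original post): a small Python script that automates the comparison made by eye above, pairing each SYN seen on the inside interface with a SYN-ACK on the outside interface and reporting replies that never appear translated on the inside. The function names are hypothetical, the sample lines are taken from the two captures in the post with the TCP options trimmed, and it assumes NAT leaves TCP sequence numbers unchanged.

```python
import re

# Old-style `tcpdump -n` TCP line carrying a SYN or SYN-ACK, as in the captures above.
LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"S (?P<seq>\d+):\d+\(0\)(?: ack (?P<ack>\d+))?")

def handshakes(capture, kind):
    """Return {(server_ip, server_port, client_isn)} for every 'syn' or 'synack' line."""
    found = set()
    for m in filter(None, map(LINE.search, capture.splitlines())):
        if m["ack"] is None:   # SYN from the client: seq is the client's ISN
            rec = ("syn", m["dst"], m["dport"], int(m["seq"]))
        else:                  # SYN-ACK from the server: ack is client ISN + 1
            rec = ("synack", m["src"], m["sport"], (int(m["ack"]) - 1) % 2**32)
        if rec[0] == kind:
            found.add(rec[1:])
    return found

def unforwarded_replies(outside, inside):
    """Flows opened from the inside whose SYN-ACK reached the outside
    interface but was never seen, translated, on the inside one."""
    started = handshakes(inside, "syn")
    answered = handshakes(outside, "synack")
    delivered = handshakes(inside, "synack")
    # The client address and port are left out of the key because NAT rewrites them.
    return sorted((started & answered) - delivered)

# Sample input: lines from the vlan4 and eth1 captures in the post, rejoined.
VLAN4 = """\
18:02:44.078661 IP 24.150.175.20.2945 > 207.68.171.245.80: S 944680509:944680509(0) win 16384
18:02:44.151547 IP 207.68.171.245.80 > 24.150.175.20.2945: S 897552820:897552820(0) ack 944680510 win 16384
18:03:06.978910 IP 24.150.175.20.2946 > 207.68.173.254.80: S 1127197685:1127197685(0) win 16384
18:03:07.057326 IP 207.68.173.254.80 > 24.150.175.20.2946: S 2453967774:2453967774(0) ack 1127197686 win 8190
"""
ETH1 = """\
18:02:44.078556 IP 192.168.1.62.2945 > 207.68.171.245.80: S 944680509:944680509(0) win 16384
18:03:06.978831 IP 192.168.1.62.2946 > 207.68.173.254.80: S 1127197685:1127197685(0) win 16384
"""

if __name__ == "__main__":
    for server, port, isn in unforwarded_replies(VLAN4, ETH1):
        print(f"SYN-ACK from {server}:{port} for client ISN {isn} never reached eth1")
```

Run against full captures taken at the same time on both interfaces, an empty result means every answered handshake was translated back to the client.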


