> I have a memory that there were some problems with destination nat
> but source nat works ie
> iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source [external ip]
> works.
>
> You don't say what rules you are using for nat so it is not clear...

I'm using SNAT,

iptables -t nat -A POSTROUTING -o vlan4 -j SNAT --to [external ip]

And the default gateway is on vlan4.

Tested the same config without vlans and that works, same hardware and wiring, it's the vlan that is the difference between a working and non-working configuration. Local networking works, only NAT does not completely work.

I planned to have several vlan connections with this one interface (more than I can fit NICs into the box). There are two vlans active on this box for testing, vlan3 and vlan4.

> On 3 Aug 2005, at 23:39, Jamie ffolliott wrote:
>
> > I have a strange problem, in that NAT isn't working over a vlan interface.
> > vlan4 is on eth0 and works fine locally for all network access, and is nat'd
> > for clients connecting over eth1. Pings work over NAT, but http requests
> > get no reply and time out on the nat'd client.
> >
> > My NIC that's on the vlan is using the intel e100 driver, (previously the
> > eepro100 driver)
> > e100: Intel(R) PRO/100 Network Driver, 3.3.6-k2-NAPI
> > e100: Copyright(c) 1999-2004 Intel Corporation
> > PCI: Found IRQ 15 for device 0000:00:03.0
> > PCI: Sharing IRQ 15 with 0000:00:02.2
> > e100: eth0: e100_probe: addr 0xf3bff000, irq 15, MAC addr 00:04:AC:3A:39:2E
> > PCI: Found IRQ 11 for device 0000:00:12.0
> > PCI: Sharing IRQ 11 with 0000:01:01.0
> > e100: eth1: e100_probe: addr 0xf3cfe000, irq 11, MAC addr 00:D0:B7:C8:A0:C1
> >
> > The switch is a 3com superstack 1100, with several vlans functioning just
> > fine. All vlan interfaces and eth0 have mtu set to 1480, to deal with
> > oversize ethernet frames from 802.1q's extra 4byte header.
> >
> > cherry:~# cat /proc/net/vlan/vlan4
> > vlan4 VID: 4 REORDER_HDR: 1 dev->priv_flags: 1
> > total frames received: 33
> > total bytes received: 9806
> > Broadcast/Multicast Rcvd: 0
> >
> > total frames transmitted: 12
> > total bytes transmitted: 1488
> > total headroom inc: 0
> > total encap on xmit: 12
> > Device: eth0
> > INGRESS priority mappings: 0:0 1:0 2:0 3:0 4:0 5:0 6:0 7:0
> > EGRESSS priority Mappings:
> >
> > Are there any other issues I should know about with nat on a vlan iface?
> > What can I do to troubleshoot this?
> >
> > Here's a tcp dump of an http request from a nat'd client (aspen):
> >
> > cherry:~# tcpdump -i vlan4 -n
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on vlan4, link-type EN10MB (Ethernet), capture size 96 bytes
> > 18:02:44.078661 IP 24.150.175.20.2945 > 207.68.171.245.80: S 944680509:944680509(0) win 16384 <mss 460,nop,nop,sackOK>
> > 18:02:44.151547 IP 207.68.171.245.80 > 24.150.175.20.2945: S 897552820:897552820(0) ack 944680510 win 16384 <mss 1460,nop,nop,sackOK>
> > 18:02:47.288473 IP 24.150.175.20.2945 > 207.68.171.245.80: S 944680509:944680509(0) win 16384 <mss 1460,nop,nop,sackOK>
> > 18:02:47.348261 IP 207.68.171.245.80 > 24.150.175.20.2945: S 897552820:897552820(0) ack 944680510 win 16384 <mss 1460,nop,nop,sackOK>
> > 18:02:53.851230 IP 24.150.175.20.2945 > 207.68.171.245.80: S 944680509:944680509(0) win 16384 <mss 1460,nop,nop,sackOK>
> > 18:02:53.911135 IP 207.68.171.245.80 > 24.150.175.20.2945: S 897552820:897552820(0) ack 944680510 win 16384 <mss 1460,nop,nop,sackOK>
> > 18:03:06.978910 IP 24.150.175.20.2946 > 207.68.173.254.80: S 1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>
> > 18:03:07.057326 IP 207.68.173.254.80 > 24.150.175.20.2946: S 2453967774:2453967774(0) ack 1127197686 win 8190 <mss 1460>
> > 18:03:10.258109 IP 24.150.175.20.2946 > 207.68.173.254.80: S 1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>
> > 18:03:10.335541 IP 207.68.173.254.80 > 24.150.175.20.2946: S 2453967774:2453967774(0) ack 1127197686 win 8190 <mss 1460>
> > 18:03:16.820850 IP 24.150.175.20.2946 > 207.68.173.254.80: S 1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>
> > 18:03:16.897891 IP 207.68.173.254.80 > 24.150.175.20.2946: S 2453967774:2453967774(0) ack 1127197686 win 8190 <mss 1460>
> > 18:04:53.952053 IP 207.68.171.245.80 > 24.150.175.20.2945: R 0:0(0) win 0
> >
> > and this is what aspen sees (the nat client),
> >
> > cherry:~# tcpdump -i eth1 -n | grep 192.168.1.62
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> > 18:02:44.078556 IP 192.168.1.62.2945 > 207.68.171.245.80: S 944680509:944680509(0) win 16384 <mss 1460,nop,nop,sackOK>
> > 18:02:47.288419 IP 192.168.1.62.2945 > 207.68.171.245.80: S 944680509:944680509(0) win 16384 <mss 1460,nop,nop,sackOK>
> > 18:02:53.851181 IP 192.168.1.62.2945 > 207.68.171.245.80: S 944680509:944680509(0) win 16384 <mss 1460,nop,nop,sackOK>
> > 18:03:06.978831 IP 192.168.1.62.2946 > 207.68.173.254.80: S 1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>
> > 18:03:10.258059 IP 192.168.1.62.2946 > 207.68.173.254.80: S 1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>
> > 18:03:16.820799 IP 192.168.1.62.2946 > 207.68.173.254.80: S 1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>
> >
> > Note here that the reply comes back from the webserver on vlan4, but it's
> > never translated and sent back to the client on eth1.
> >
> > Any help is much appreciated.
> >
> > regards,
> > Jamie
> >
> > _______________________________________________
> > Vlan mailing list
> > Vlan@xxxxxxxxxxxxxxx
> > http://www.lanforge.com/mailman/listinfo/vlan
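
The comparison made by hand in the message above (SYN-ACKs visible on vlan4 but absent on eth1) can be automated. This is an added example, not part of the original thread: it pairs an inside and an outside tcpdump capture by server address, port and client initial sequence number, assuming SNAT rewrites only the source address and port (as the quoted captures show); the function names are hypothetical.

```python
import re

# Old-style tcpdump TCP line: src.port > dst.port, flags, seq range, optional ack.
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+) (\d+):\d+\(\d+\)(?: ack (\d+))?")
# First attempt of each connection, copied from the two captures quoted in the thread.
INSIDE = """
18:02:44.078556 IP 192.168.1.62.2945 > 207.68.171.245.80: S 944680509:944680509(0) win 16384 <mss 1460,nop,nop,sackOK>
18:03:06.978831 IP 192.168.1.62.2946 > 207.68.173.254.80: S 1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>
"""
OUTSIDE = """
18:02:44.078661 IP 24.150.175.20.2945 > 207.68.171.245.80: S 944680509:944680509(0) win 16384 <mss 460,nop,nop,sackOK>
18:02:44.151547 IP 207.68.171.245.80 > 24.150.175.20.2945: S 897552820:897552820(0) ack 944680510 win 16384 <mss 1460,nop,nop,sackOK>
18:03:06.978910 IP 24.150.175.20.2946 > 207.68.173.254.80: S 1127197685:1127197685(0) win 16384 <mss 1460,nop,nop,sackOK>
18:03:07.057326 IP 207.68.173.254.80 > 24.150.175.20.2946: S 2453967774:2453967774(0) ack 1127197686 win 8190 <mss 1460>
"""

def parse(capture):
    """Yield (src, sport, dst, dport, flags, seq, ack) per parsable line; ack is None on a bare SYN."""
    for m in filter(None, map(LINE.match, capture.strip().splitlines())):
        src, sport, dst, dport, flags, seq, ack = m.groups()
        yield src, int(sport), dst, int(dport), flags, int(seq), int(ack) if ack else None

def syns(capture):
    """Map (server, port, client ISN) -> (src, sport) for each bare SYN."""
    return {(d, dp, seq): (s, sp) for s, sp, d, dp, fl, seq, ack in parse(capture) if fl == "S" and ack is None}

def synacks(capture):
    """Set of (server, port, client ISN, dst, dport) for each SYN-ACK (client ISN = ack - 1)."""
    return {(s, sp, ack - 1, d, dp) for s, sp, d, dp, fl, seq, ack in parse(capture) if fl == "S" and ack is not None}

def correlate(inside, outside):
    """Report, per inside client socket, how far the TCP handshake got across the NAT box."""
    in_syn, out_syn = syns(inside), syns(outside)
    in_sa, out_sa = synacks(inside), synacks(outside)
    report = {}
    for key, client in in_syn.items():
        nat = out_syn.get(key)  # translated source (ip, port), if the SYN left the box
        if nat is None:
            report[client] = "SYN not seen on outside interface"
        elif key + nat not in out_sa:
            report[client] = "translated, no reply on outside interface"
        elif key + client not in in_sa:
            report[client] = "reply reached outside interface, not forwarded inside"
        else:
            report[client] = "reply delivered to client"
    return report

if __name__ == "__main__":
    print(correlate(INSIDE, OUTSIDE))
```

For the lines taken from the thread, both connections are classified as replies that reached the outside interface but were not forwarded inside, which matches the observation in the original post.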