OpenWrt/LEDE Project

Attached to Project: OpenWrt/LEDE Project
Opened by Baptiste Jonglez - 09.10.2019

Just after a reboot, some flows are not NATed: packets from a machine in the LAN are sent to the WAN port with a private source IP address.

This is on a Linksys RE6500 (ramips mt7621) running openwrt 19.07-SNAPSHOT r10578-b3d70f628.
It is configured with flow_offloading and flow_offloading_hw.

Here is a tcpdump capture showing the problem on the WAN port (172.23.184.0/24 is my LAN address space):

root@openwrt:~# tcpdump -n -i eth0.20 net 172.23.184.0/24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.20, link-type EN10MB (Ethernet), capture size 262144 bytes
18:51:21.756552 IP 172.23.184.119.51001 > 91.224.XX.YY.52001: UDP, length 112
18:51:22.651556 IP 172.23.184.119.51001 > 91.224.XX.YY.52001: UDP, length 148
18:51:26.681032 IP 172.23.184.119.51001 > 91.224.XX.YY.52001: UDP, length 768
18:51:27.771654 IP 172.23.184.119.51001 > 91.224.XX.YY.52001: UDP, length 148

Here is what conntrack -L says:

udp      17 55 src=172.23.184.119 dst=91.224.XX.YY sport=51001 dport=52001 packets=93 bytes=20412 [UNREPLIED] src=91.224.XX.YY dst=172.23.184.119 sport=52001 dport=51001 packets=0 bytes=0 mark=0 use=1

Notice the second dst= that shows the private IP address of the LAN machine.

After restarting the firewall, the flow is correctly NAT-ed and conntrack -L shows the correct entry (193.33.ZZ.WW is my public IP address):

udp      17 175 src=172.23.184.119 dst=91.224.XX.YY sport=51001 dport=52001 packets=4 bytes=704 [UNREPLIED] src=91.224.XX.YY dst=193.33.ZZ.WW sport=52001 dport=51001 packets=0 bytes=0 mark=0 use=1

Note: when I only enable flow_offloading, the issue does not appear anymore, so this really seems to be an issue with the hw offloading integration in the firewall.