
VPP: after configuring CGNAT the host does not respond to SSH and cannot initiate DNS requests
In progress, High, Public, BUG

Description

VPP: after configuring CGNAT, the host does not respond to SSH and cannot initiate a DNS request.
To reproduce:

set interfaces ethernet eth0 address '192.168.122.14/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '100.64.0.1/24'
set interfaces ethernet eth1 description 'LAN'

set vpp settings interface eth0 driver 'dpdk'
set vpp settings interface eth1 driver 'dpdk'
set vpp settings unix poll-sleep-usec '222'

set vpp nat cgnat interface inside 'eth1'
set vpp nat cgnat interface outside 'eth0'
set vpp nat cgnat rule 100 inside-prefix '100.64.0.0/24'
set vpp nat cgnat rule 100 outside-prefix '192.168.122.111/32'
set vpp nat cgnat timeout icmp '30'
set vpp nat cgnat timeout tcp-established '600'
set vpp nat cgnat timeout tcp-transitory '120'
set vpp nat cgnat timeout udp '150'
  1. After this configuration, the SSH connection to the VyOS host 192.168.122.14 is broken. Logs from the client (192.168.122.1):
sever@sever:~$ ssh -v vyos@192.168.122.14
OpenSSH_9.6p1 Ubuntu-3ubuntu13.11, OpenSSL 3.0.13 30 Jan 2024
debug1: Reading configuration data /home/sever/.ssh/config
debug1: /home/sever/.ssh/config line 1: Applying options for 192.168.122.14
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: /etc/ssh/ssh_config line 55: Applying options for 192.168.122.*
debug1: Connecting to 192.168.122.14 [192.168.122.14] port 22.

debug1: connect to address 192.168.122.14 port 22: Connection timed out
ssh: connect to host 192.168.122.14 port 22: Connection timed out

The client (192.168.122.1) can only ping the VPP server:

sever@sever:~$ ping 192.168.122.14
PING 192.168.122.14 (192.168.122.14) 56(84) bytes of data.
64 bytes from 192.168.122.14: icmp_seq=1 ttl=64 time=0.681 ms
^C
--- 192.168.122.14 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.681/0.681/0.681/0.000 ms
  2. The server with the VPP configuration cannot initiate a DNS request:
vyos@r14# sudo nslookup
> set debug
> github.com
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; no servers could be reached
>

The client behind NAT (100.64.0.10) has Internet connectivity but cannot ping the VPP host 192.168.122.14:

$ ping 1.1.1.1 count 1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=11.1 ms

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 11.064/11.064/11.064/0.000 ms
vyos@r15:~$ 
vyos@r15:~$ 
vyos@r15:~$ ping 192.168.122.14 count 1
PING 192.168.122.14 (192.168.122.14) 56(84) bytes of data.

--- 192.168.122.14 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Easy way to check:

echo -e "set debug\ngithub.com" | nslookup

Details

Version
VyOS 2025.05.29-0019-rolling
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav updated the task description.

The same bug with nat44

set interfaces ethernet eth0 address '192.168.122.14/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '100.64.0.1/24'
set interfaces ethernet eth1 description 'LAN'

set vpp settings interface eth0 driver 'dpdk'
set vpp settings interface eth1 driver 'dpdk'
set vpp settings unix poll-sleep-usec '222'

set vpp nat44 address-pool translation address '192.168.122.101-192.168.122.102'
set vpp nat44 interface inside 'eth1'
set vpp nat44 interface outside 'eth0'

check:

vyos@r14# echo -e "set debug\ngithub.com" | nslookup
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; no servers could be reached

[edit]
vyos@r14# whois  101.97.43.122
getaddrinfo(whois.apnic.net): Device or resource busy
[edit]
vyos@r14#

CGNAT testing:

vpp# clear trace
vpp# trace add dpdk-input 5
vpp# show trace
------------------- Start of thread 0 vpp_main -------------------
Packet 1

00:04:52:915237: dpdk-input
  eth0 rx queue 0
  buffer 0x91f7f: current data 0, length 66, buffer-pool 0, ref-count 1, trace handle 0x0
                  ext-hdr-valid
  PKT MBUF: port 0, nb_segs 1, pkt_len 66
    buf_len 2176, data_len 66, ol_flags 0x0, data_off 128, phys_addr 0xb447e040
    packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
  IP4: 00:50:56:c0:00:08 -> 0c:57:b6:14:00:00
  TCP: 192.168.179.1 -> 192.168.179.14
    tos 0x00, ttl 128, length 52, checksum 0xd855 dscp CS0 ecn NON_ECN
    fragment id 0x3b0d, flags DONT_FRAGMENT
  TCP: 64745 -> 22
    seq. 0x4bca9e0c ack 0x00000000
    flags 0x02 SYN, tcp header: 32 bytes
    window 64240, checksum 0xa5e7
    options:
      mss 1460, window scale 1285641616, sack permitted
00:04:52:915323: ethernet-input
  frame: flags 0x1, hw-if-index 1, sw-if-index 1
  IP4: 00:50:56:c0:00:08 -> 0c:57:b6:14:00:00
00:04:52:915429: ip4-input
  TCP: 192.168.179.1 -> 192.168.179.14
    tos 0x00, ttl 128, length 52, checksum 0xd855 dscp CS0 ecn NON_ECN
    fragment id 0x3b0d, flags DONT_FRAGMENT
  TCP: 64745 -> 22
    seq. 0x4bca9e0c ack 0x00000000
    flags 0x02 SYN, tcp header: 32 bytes
    window 64240, checksum 0xa5e7
    options:
      mss 1460, window scale 1285641616, sack permitted
00:04:52:915432: ip4-sv-reassembly-feature
  [not-fragmented]
00:04:52:915446: det44-out2in
  DET44_OUT2IN: sw_if_index 1, next index 0, session index -1
00:04:52:915478: error-drop
  rx:eth0
00:04:52:915497: drop
  det44-out2in: No translation

The SSH connection from the local host to 192.168.179.14 cannot be established because the det44 plugin does not allow this and drops everything that does not fit the rule.
Cannot be fixed (only by rewriting the det44 plugin).

NAT44:
Adding an exclude rule can fix the problem.

set vpp nat44 address-pool translation address '192.168.179.100-192.168.179.102'
set vpp nat44 interface inside 'eth1'
set vpp nat44 interface outside 'eth0'
[edit]

vyos@vyos# commit
[edit]
vyos@vyos# echo -e "set debug\ngithub.com" | nslookup
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
;; no servers could be reached

vyos@vyos# set vpp nat44 exclude rule 10 local-address 192.168.179.14
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# echo -e "set debug\ngithub.com" | nslookup
Server:         8.8.8.8
Address:        8.8.8.8#53

------------
    QUESTIONS:
        github.com, type = A, class = IN
    ANSWERS:
    ->  github.com
        internet address = 140.82.121.3
        ttl = 60
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Name:   github.com
Address: 140.82.121.3
------------
    QUESTIONS:
        github.com, type = AAAA, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    ->  github.com
        origin = dns1.p08.nsone.net
        mail addr = hostmaster.nsone.net
        serial = 1656468023
        refresh = 43200
        retry = 7200
        expire = 1209600
        minimum = 3600
        ttl = 419
    ADDITIONAL RECORDS:
------------

The SSH connection is also established:

C:\Users\pc>ssh vyos@192.168.179.14
vyos@192.168.179.14's password:
Welcome to VyOS!

   VyOS 2025.06.17-0020-rolling  current

 * Documentation:  https://docs.vyos.io/en/latest
 * Project news:   https://blog.vyos.io
 * Bug reports:    https://vyos.dev

You can change this banner using "set system login banner post-login" command.

VyOS is a free software distribution that includes multiple components,
you can check individual component licenses under /usr/share/doc/*/copyright

---
WARNING: This VyOS system is not a stable long-term support version and
         is not intended for production use.
Last login: Tue Jun 24 11:41:06 2025 from 192.168.179.1
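An added example (not part of this report and not VyOS or VPP project code): a small Python parser for VPP `show trace` output that pulls out, per traced packet, the graph-node path, the IP/port tuple and the drop reason, so a verdict like `det44-out2in: No translation` can be found without reading the whole trace. The sample trace embedded below is constructed: packet 1 is condensed from the det44 trace above, packet 2 is an invented inside-to-outside packet that is translated and forwarded normally (its node names, counters and MAC addresses are assumptions made for the example).

```python
"""Parse VPP `show trace` output and report which packets were dropped and why.

Added example, not VyOS/VPP code. SAMPLE_TRACE is constructed: packet 1 is
condensed from the det44 trace in this report, packet 2 is an invented
inside->outside packet that is translated normally.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_TRACE = """\
------------------- Start of thread 0 vpp_main -------------------
Packet 1

00:04:52:915237: dpdk-input
  eth0 rx queue 0
  buffer 0x91f7f: current data 0, length 66, buffer-pool 0, ref-count 1, trace handle 0x0
  IP4: 00:50:56:c0:00:08 -> 0c:57:b6:14:00:00
  TCP: 192.168.179.1 -> 192.168.179.14
    tos 0x00, ttl 128, length 52, checksum 0xd855 dscp CS0 ecn NON_ECN
  TCP: 64745 -> 22
    flags 0x02 SYN, tcp header: 32 bytes
00:04:52:915323: ethernet-input
  frame: flags 0x1, hw-if-index 1, sw-if-index 1
00:04:52:915429: ip4-input
  TCP: 192.168.179.1 -> 192.168.179.14
  TCP: 64745 -> 22
00:04:52:915432: ip4-sv-reassembly-feature
  [not-fragmented]
00:04:52:915446: det44-out2in
  DET44_OUT2IN: sw_if_index 1, next index 0, session index -1
00:04:52:915478: error-drop
  rx:eth0
00:04:52:915497: drop
  det44-out2in: No translation

Packet 2

00:04:53:100001: dpdk-input
  eth1 rx queue 0
  IP4: 52:54:00:aa:bb:cc -> 0c:57:b6:14:00:01
  UDP: 100.64.0.10 -> 1.1.1.1
  UDP: 40000 -> 53
00:04:53:100050: ethernet-input
  frame: flags 0x1, hw-if-index 2, sw-if-index 2
00:04:53:100090: ip4-input
  UDP: 100.64.0.10 -> 1.1.1.1
  UDP: 40000 -> 53
00:04:53:100120: det44-in2out
  DET44_IN2OUT: sw_if_index 2, next index 1, session index 0
00:04:53:100150: ip4-lookup
  fib 0 dpo-idx 3 flow hash: 0x00000000
00:04:53:100180: ip4-rewrite
  tx_sw_if_index 1 dpo-idx 3
00:04:53:100210: eth0-output
  eth0
"""

PACKET_RE = re.compile(r"^Packet (\d+)\s*$")
# A graph node line looks like "00:04:52:915446: det44-out2in"
NODE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d+): (\S+)\s*$")
# L3 summary line: "  TCP: 192.168.179.1 -> 192.168.179.14"
L3_RE = re.compile(r"^\s+(\S+): (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)")
# L4 summary line: "  TCP: 64745 -> 22"
L4_RE = re.compile(r"^\s+(TCP|UDP|ICMP): (\d+) -> (\d+)")


@dataclass
class TracedPacket:
    number: int
    nodes: List[str] = field(default_factory=list)
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    drop_reason: Optional[str] = None  # first line under the "drop" node

    @property
    def dropped(self) -> bool:
        return self.drop_reason is not None


def parse_trace(text: str) -> List[TracedPacket]:
    """Split `show trace` output into packets; record node path, flow and drop reason."""
    packets: List[TracedPacket] = []
    cur: Optional[TracedPacket] = None
    node: Optional[str] = None
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            cur = TracedPacket(int(m.group(1)))
            packets.append(cur)
            node = None
            continue
        if cur is None:
            continue  # thread banner before the first packet
        m = NODE_RE.match(line)
        if m:
            node = m.group(2)
            cur.nodes.append(node)
            continue
        if node is None:
            continue
        m = L3_RE.match(line)
        if m and cur.src is None:  # keep the first (ingress) view of the packet
            cur.proto, cur.src, cur.dst = m.groups()
            continue
        m = L4_RE.match(line)
        if m and cur.sport is None:
            cur.sport, cur.dport = int(m.group(2)), int(m.group(3))
            continue
        if node == "drop" and cur.drop_reason is None:
            cur.drop_reason = line.strip()  # e.g. "det44-out2in: No translation"
    return packets


def find_drops(packets: List[TracedPacket]) -> List[TracedPacket]:
    return [p for p in packets if p.dropped]


def summarize(packets: List[TracedPacket]) -> List[str]:
    """One line per packet: flow tuple plus either the drop reason or the egress node."""
    out = []
    for p in packets:
        flow = f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
        verdict = f"DROPPED ({p.drop_reason})" if p.dropped else f"forwarded via {p.nodes[-1]}"
        out.append(f"packet {p.number}: {flow} {verdict}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_trace(SAMPLE_TRACE)):
        print(line)
```

On a live system the input would come from `vppctl show trace` after `trace add dpdk-input N`; the parser keys only on the timestamped node lines and the `PROTO: a -> b` summaries, so the extra mbuf and buffer detail VPP prints is ignored rather than needing to be matched.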
Unknown Object (User) changed the task status from Open to In progress. Jul 2 2025, 2:45 PM
Unknown Object (User) updated the task description.