Change Details

VPP, after configuring the CGNAT, the host does not respond to SSH and cannot initiate a DNS request To reproduce: ``` set interfaces ethernet eth0 address '192.168.122.14/24' set interfaces ethernet eth0 description 'WAN' set interfaces ethernet eth1 address '100.64.0.1/24' set interfaces ethernet eth1 description 'LAN' set vpp settings interface eth0 driver 'dpdk' set vpp settings interface eth1 driver 'dpdk' set vpp settings unix poll-sleep-usec '222' set vpp nat cgnat interface inside 'eth1' set vpp nat cgnat interface outside 'eth0' set vpp nat cgnat rule 100 inside-prefix '100.64.0.0/24' set vpp nat cgnat rule 100 outside-prefix '192.168.122.111/32' set vpp nat cgnat timeout icmp '30' set vpp nat cgnat timeout tcp-established '600' set vpp nat cgnat timeout tcp-transitory '120' set vpp nat cgnat timeout udp '150' ``` 1. After this configuration, the SSH connection to the VyOS host `192.168.122.14` is broken, logs from the client (192.168.122.1): ``` sever@sever:~$ ssh -v vyos@192.168.122.14 OpenSSH_9.6p1 Ubuntu-3ubuntu13.11, OpenSSL 3.0.13 30 Jan 2024 debug1: Reading configuration data /home/sever/.ssh/config debug1: /home/sever/.ssh/config line 1: Applying options for 192.168.122.14 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: /etc/ssh/ssh_config line 55: Applying options for 192.168.122.* debug1: Connecting to 192.168.122.14 [192.168.122.14] port 22. debug1: connect to address 192.168.122.14 port 22: Connection timed out ssh: connect to host 192.168.122.14 port 22: Connection timed out ``` The client (192.168.122.1) can only ping the VPP server: ``` sever@sever:~$ ping 192.168.122.14 PING 192.168.122.14 (192.168.122.14) 56(84) bytes of data. 64 bytes from 192.168.122.14: icmp_seq=1 ttl=64 time=0.681 ms ^C --- 192.168.122.14 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.681/0.681/0.681/0.000 ms ``` 2. The server with VPP configuration cannot initiate a DNS request ``` vyos@r14# sudo nslookup > set debug > github.com ;; communications error to 1.1.1.1#53: timed out ;; communications error to 1.1.1.1#53: timed out ;; communications error to 1.1.1.1#53: timed out ;; no servers could be reached > ``` The client under NAT (100.64.0.10) has the Internet connection but cannot ping the VPP host `192.168.122.14` ``` $ ping 1.1.1.1 count 1 PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data. 64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=11.1 ms --- 1.1.1.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 11.064/11.064/11.064/0.000 ms vyos@r15:~$ vyos@r15:~$ vyos@r15:~$ ping 192.168.122.14 count 1 PING 192.168.122.14 (192.168.122.14) 56(84) bytes of data. --- 192.168.122.14 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms ```

VPP, after configuring the CGNAT, the host does not respond to SSH and cannot initiate a DNS request To reproduce: ``` set interfaces ethernet eth0 address '192.168.122.14/24' set interfaces ethernet eth0 description 'WAN' set interfaces ethernet eth1 address '100.64.0.1/24' set interfaces ethernet eth1 description 'LAN' set vpp settings interface eth0 driver 'dpdk' set vpp settings interface eth1 driver 'dpdk' set vpp settings unix poll-sleep-usec '222' set vpp nat cgnat interface inside 'eth1' set vpp nat cgnat interface outside 'eth0' set vpp nat cgnat rule 100 inside-prefix '100.64.0.0/24' set vpp nat cgnat rule 100 outside-prefix '192.168.122.111/32' set vpp nat cgnat timeout icmp '30' set vpp nat cgnat timeout tcp-established '600' set vpp nat cgnat timeout tcp-transitory '120' set vpp nat cgnat timeout udp '150' ``` 1. After this configuration, the SSH connection to the VyOS host `192.168.122.14` is broken, logs from the client (192.168.122.1): ``` sever@sever:~$ ssh -v vyos@192.168.122.14 OpenSSH_9.6p1 Ubuntu-3ubuntu13.11, OpenSSL 3.0.13 30 Jan 2024 debug1: Reading configuration data /home/sever/.ssh/config debug1: /home/sever/.ssh/config line 1: Applying options for 192.168.122.14 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: /etc/ssh/ssh_config line 55: Applying options for 192.168.122.* debug1: Connecting to 192.168.122.14 [192.168.122.14] port 22. debug1: connect to address 192.168.122.14 port 22: Connection timed out ssh: connect to host 192.168.122.14 port 22: Connection timed out ``` The client (192.168.122.1) can only ping the VPP server: ``` sever@sever:~$ ping 192.168.122.14 PING 192.168.122.14 (192.168.122.14) 56(84) bytes of data. 64 bytes from 192.168.122.14: icmp_seq=1 ttl=64 time=0.681 ms ^C --- 192.168.122.14 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.681/0.681/0.681/0.000 ms ``` 2. The server with VPP configuration cannot initiate a DNS request ``` vyos@r14# sudo nslookup > set debug > github.com ;; communications error to 1.1.1.1#53: timed out ;; communications error to 1.1.1.1#53: timed out ;; communications error to 1.1.1.1#53: timed out ;; no servers could be reached > ``` The client under NAT (100.64.0.10) has the Internet connection but cannot ping the VPP host `192.168.122.14` ``` $ ping 1.1.1.1 count 1 PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data. 64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=11.1 ms --- 1.1.1.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 11.064/11.064/11.064/0.000 ms vyos@r15:~$ vyos@r15:~$ vyos@r15:~$ ping 192.168.122.14 count 1 PING 192.168.122.14 (192.168.122.14) 56(84) bytes of data. --- 192.168.122.14 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms ``` Easy way to check: ``` echo -e "set debug\ngithub.com" | nslookup ```

VPP, after configuring the CGNAT, the host does not respond to SSH and cannot initiate a DNS request To reproduce: ``` set interfaces ethernet eth0 address '192.168.122.14/24' set interfaces ethernet eth0 description 'WAN' set interfaces ethernet eth1 address '100.64.0.1/24' set interfaces ethernet eth1 description 'LAN' set vpp settings interface eth0 driver 'dpdk' set vpp settings interface eth1 driver 'dpdk' set vpp settings unix poll-sleep-usec '222' set vpp nat cgnat interface inside 'eth1' set vpp nat cgnat interface outside 'eth0' set vpp nat cgnat rule 100 inside-prefix '100.64.0.0/24' set vpp nat cgnat rule 100 outside-prefix '192.168.122.111/32' set vpp nat cgnat timeout icmp '30' set vpp nat cgnat timeout tcp-established '600' set vpp nat cgnat timeout tcp-transitory '120' set vpp nat cgnat timeout udp '150' ``` 1. After this configuration, the SSH connection to the VyOS host `192.168.122.14` is broken, logs from the client (192.168.122.1): ``` sever@sever:~$ ssh -v vyos@192.168.122.14 OpenSSH_9.6p1 Ubuntu-3ubuntu13.11, OpenSSL 3.0.13 30 Jan 2024 debug1: Reading configuration data /home/sever/.ssh/config debug1: /home/sever/.ssh/config line 1: Applying options for 192.168.122.14 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: /etc/ssh/ssh_config line 55: Applying options for 192.168.122.* debug1: Connecting to 192.168.122.14 [192.168.122.14] port 22. debug1: connect to address 192.168.122.14 port 22: Connection timed out ssh: connect to host 192.168.122.14 port 22: Connection timed out ``` The client (192.168.122.1) can only ping the VPP server: ``` sever@sever:~$ ping 192.168.122.14 PING 192.168.122.14 (192.168.122.14) 56(84) bytes of data. 64 bytes from 192.168.122.14: icmp_seq=1 ttl=64 time=0.681 ms ^C --- 192.168.122.14 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.681/0.681/0.681/0.000 ms ``` 2. The server with VPP configuration cannot initiate a DNS request ``` vyos@r14# sudo nslookup > set debug > github.com ;; communications error to 1.1.1.1#53: timed out ;; communications error to 1.1.1.1#53: timed out ;; communications error to 1.1.1.1#53: timed out ;; no servers could be reached > ``` The client under NAT (100.64.0.10) has the Internet connection but cannot ping the VPP host `192.168.122.14` ``` $ ping 1.1.1.1 count 1 PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data. 64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=11.1 ms --- 1.1.1.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 11.064/11.064/11.064/0.000 ms vyos@r15:~$ vyos@r15:~$ vyos@r15:~$ ping 192.168.122.14 count 1 PING 192.168.122.14 (192.168.122.14) 56(84) bytes of data. --- 192.168.122.14 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms ``` Easy way to check: ``` echo -e "set debug\ngithub.com" | nslookup ```