NAT: conflict w/ multiple clients useing same source port
Posted: Tue May 15, 2007 12:41 am
Dear fellow-RouterOS fans,
We have masquerade NAT configured with a single Public IP. We have an application that always uses udp source port 9000 from multiple clients on the inside. Most of the time each client is sending to a unique destination IP/udp port combination, so, ROS simply NATs the source IP address, leaving the source port the same.
This works fine and provides a unique NAT state for each connection (because the destination IP and port are unique on the outside even though the source IP and port are not). Here is an example of two client connections that work.
Client1
Request:
inside src: 10.1.1.20/udp9000 -->original dst: 1.1.1.50/udp12345
masq source: 2.2.2.29/udp9000 -->original dst: 1.1.1.50/udp12345
Reply:
dst: 1.1.1.50/12345 --> masq source 2.2.2.29/udp 9000
dst: 1.1.1.50/12345 --> inside source 10.1.1.20/udp9000
Client2
Request:
inside src: 10.1.1.21/udp9000 -->original dst: 1.1.1.50/udp54321
masq source: 2.2.2.29/udp9000 -->original dst: 1.1.1.50/udp54321
Reply:
dst: 1.1.1.50/54321 --> masq source 2.2.2.29/udp 9000
dst: 1.1.1.50/54321 --> inside source 10.1.1.21/udp9000
Here's when this does not work so well: On occasion, two clients, both using source udp9000, need to connect to the same destination IP/udp port. When this happens, ROS does not appear to PAT the source address from the second client. So, the reply traffic for the first client works until the second client connects, then ROS starts sending all reply traffic (for both connections) to the second client. In the example below the * NAT/PATs do not result in two unique NAT/PAT states, so ROS appears to get confused.
Client1
Request:
inside src: 10.1.1.20/udp9000 -->original dst: 1.1.1.50/udp12345
masq source: 2.2.2.29/udp9000 -->original dst: 1.1.1.50/udp12345 *
Reply:
dst: 1.1.1.50/udp12345 --> masq source 2.2.2.29/udp 9000
dst: 1.1.1.50/udp12345 --> inside source 10.1.1.20/udp9000 (this NAT state gets replaced by Client2's connection)
Client2
Request:
inside src: 10.1.1.21/udp9000 -->original dst: 1.1.1.50/udp12345
masq source: 2.2.2.29/udp9000 -->original dst: 1.1.1.50/udp12345 *
Reply:
dst: 1.1.1.50/udp12345 --> masq source 2.2.2.29/udp 9000
dst: 1.1.1.50/udp12345 --> inside source 10.1.1.21/udp9000
I can work around this problem by setting up rules that src-nat 9000 to something unique for each client. However, does this sound like a bug? Is there possibly a feature that I do not have turned on that might alleviate this issue? The ROS behavior seems like it breaks the rules of basic NAT/PAT. Maybe the application is just not NAT-friendly.
I would appreciate your comments or suggestions.
Thanks,
Lea Anne
We have masquerade NAT configured with a single Public IP. We have an application that always uses udp source port 9000 from multiple clients on the inside. Most of the time each client is sending to a unique destination IP/udp port combination, so, ROS simply NATs the source IP address, leaving the source port the same.
This works fine and provides a unique NAT state for each connection (because the destination IP and port are unique on the outside even though the source IP and port are not). Here is an example of two client connections that work.
Client1
Request:
inside src: 10.1.1.20/udp9000 -->original dst: 1.1.1.50/udp12345
masq source: 2.2.2.29/udp9000 -->original dst: 1.1.1.50/udp12345
Reply:
dst: 1.1.1.50/12345 --> masq source 2.2.2.29/udp 9000
dst: 1.1.1.50/12345 --> inside source 10.1.1.20/udp9000
Client2
Request:
inside src: 10.1.1.21/udp9000 -->original dst: 1.1.1.50/udp54321
masq source: 2.2.2.29/udp9000 -->original dst: 1.1.1.50/udp54321
Reply:
dst: 1.1.1.50/54321 --> masq source 2.2.2.29/udp 9000
dst: 1.1.1.50/54321 --> inside source 10.1.1.21/udp9000
Here's when this does not work so well: On occasion, two clients, both using source udp9000, need to connect to the same destination IP/udp port. When this happens, ROS does not appear to PAT the source address from the second client. So, the reply traffic for the first client works until the second client connects, then ROS starts sending all reply traffic (for both connections) to the second client. In the example below the * NAT/PATs do not result in two unique NAT/PAT states, so ROS appears to get confused.
Client1
Request:
inside src: 10.1.1.20/udp9000 -->original dst: 1.1.1.50/udp12345
masq source: 2.2.2.29/udp9000 -->original dst: 1.1.1.50/udp12345 *
Reply:
dst: 1.1.1.50/udp12345 --> masq source 2.2.2.29/udp 9000
dst: 1.1.1.50/udp12345 --> inside source 10.1.1.20/udp9000 (this NAT state gets replaced by Client2's connection)
Client2
Request:
inside src: 10.1.1.21/udp9000 -->original dst: 1.1.1.50/udp12345
masq source: 2.2.2.29/udp9000 -->original dst: 1.1.1.50/udp12345 *
Reply:
dst: 1.1.1.50/udp12345 --> masq source 2.2.2.29/udp 9000
dst: 1.1.1.50/udp12345 --> inside source 10.1.1.21/udp9000
I can work around this problem by setting up rules that src-nat 9000 to something unique for each client. However, does this sound like a bug? Is there possibly a feature that I do not have turned on that might alleviate this issue? The ROS behavior seems like it breaks the rules of basic NAT/PAT. Maybe the application is just not NAT-friendly.
I would appreciate your comments or suggestions.
Thanks,
Lea Anne