From: John Lauro <johnalauro@gmail.com>
To: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Fwd: Source IP incorrect on multi homed systems
Date: Sun, 19 Feb 2023 13:30:42 -0500 [thread overview]
Message-ID: <CADGd2DoGhYw1YHLu6e=-weWQhWMccbKS=UKbS7Z_LnvNZm+65g@mail.gmail.com> (raw)
In-Reply-To: <CADGd2DoE6TCtCxxWL7JWyNW5+yy_Pe+9MNzHznbudMWLTXQreA@mail.gmail.com>
I think the ip route with src would work, but only as a short lived
work around. The problem with it is if dealing with dynamic routes is
it could go a way when a link is down and then come back and the src
setting would be lost. You would need the bgp software to add the
src.
UDP is connectionless. Sending back out the same as it's coming in
isn't strictly the same. The streams are not attached the same as
they would be with TCP on nginx or a reply with icmp. You should be
able to whitelist the udp port on the NAT devices, as it shouldn't use
state info.
I am not sure if you are attempting to do site to site or client to
server/site and which end has the NAT (or both). What I do for site
to site is use a different port for each connection and have a
separate BGP connection for each possible connection (ie: different
one for different network providers). Have a full mesh with 8 sites
and upto 3 providers per site.
That said, you probably have floating IPs on the client side, and
don't want to lock in a single IP on the multi-homed server side? You
could nat the incoming IPs on the border from an internal IP and then
then lock to a single private IP on the wireguard server for in/out
and that border nat would force the reply back to the same gateway it
came in from.
I know, you don't want work arounds, just want to mention it's not the
same as comparing a single stream to something that handles routing
though it. As you are doing bgp and redundant routes I assume you
also reset rp_filter on all nat/wireguard/routers so the routers will
allow packets to come from different sources.
On Sun, Feb 19, 2023 at 12:07 PM tlhackque <tlhackque@yahoo.com> wrote:
>
> FWIW, while clever, I don't think that iptables mark solves all cases.
> E.g., consider an interface with multiple addresses, where a packet
> comes in on a secondary address. The proposed rule would send it out
> the right interface, but still with the wrong (primary) address picked
> from the interface...
>
> With IPv6 it's common to assign an address to a service rather than a
> host so services can move easily. So multiple addresses per interface
> are the rule, not the exception.
>
> I do the same with IPv4 inside addresses, though these days public IPv4
> addresses are scarce enough that it's not common for public IPs. It
> amounts to the same issue - the NAT tracking is stateful.
>
> Trying to work around this with routing seems like a maze of twisty
> passages - so I agree that the right solution is for WG to respond from
> the address that receives a packet.
next prev parent reply other threads:[~2023-02-20 11:37 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-18 20:14 Nico Schottelius
[not found] ` <CAHx9msc1cNV80YU7HRmQ9gsjSEiVZ=pb31aYqfP62hy8DeuGZA@mail.gmail.com>
2023-02-18 22:34 ` Nico Schottelius
2023-02-19 0:45 ` Mike O'Connor
2023-02-19 8:01 ` Nico Schottelius
2023-02-19 9:19 ` Mikma
2023-02-19 12:04 ` Nico Schottelius
2023-02-19 12:10 ` Nico Schottelius
2023-02-19 18:59 ` Peter Linder
[not found] ` <2ed829aaed9fec59ac2a9b32c4ce0a9005b8d8b850be81c81a226791855fe4eb@mu.id>
2023-02-19 12:13 ` Nico Schottelius
2023-02-19 14:39 ` Christoph Loesch
2023-02-19 16:32 ` David Kerr
2023-02-19 16:54 ` Sebastian Hyrvall
2023-02-19 18:04 ` Janne Johansson
2023-02-19 18:08 ` Sebastian Hyrvall
2023-02-19 20:11 ` Nico Schottelius
2023-02-19 17:05 ` tlhackque
2023-02-19 18:37 ` David Kerr
2023-02-19 18:52 ` tlhackque
2023-02-19 18:42 ` tlhackque
2023-02-19 20:18 ` Nico Schottelius
2023-02-19 20:42 ` Roman Mamedov
2023-02-19 21:19 ` Nico Schottelius
2023-02-19 22:06 ` tlhackque
2023-02-19 22:42 ` Src addr code review (Was: Source IP incorrect on multi homed systems) Daniel Gröber
2023-02-20 0:28 ` 曹煜
2023-02-20 10:40 ` Nico Schottelius
2023-02-20 11:21 ` 曹煜
2023-02-20 9:47 ` Nico Schottelius
2023-02-20 20:43 ` dxld
2023-02-19 21:39 ` Source IP incorrect on multi homed systems tlhackque
[not found] ` <CADGd2DoE6TCtCxxWL7JWyNW5+yy_Pe+9MNzHznbudMWLTXQreA@mail.gmail.com>
2023-02-19 18:30 ` John Lauro [this message]
2023-02-19 22:28 ` tlhackque
2023-02-20 0:58 ` Luiz Angelo Daros de Luca
2023-02-19 20:02 ` Nico Schottelius
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADGd2DoGhYw1YHLu6e=-weWQhWMccbKS=UKbS7Z_LnvNZm+65g@mail.gmail.com' \
--to=johnalauro@gmail.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).