Bug #8341
closed
NAT Port forwarding issues (port collision from internal host)
Added by Beat Siegenthaler almost 7 years ago.
Updated almost 7 years ago.
Description
I think this should be omitted by design:
Found the following constellation that troubled me for many hours:
PortNAT: Internet incoming -> DstPort 55555 -> Internal host "UNO" DstPort 55555
LAN host "DUE" connects with (random) SrcPort 55555 to DstPort MQTT internet
In this case MQTT is a long-term active connection and omits new connections for the incoming PortNAT for many hours.
As a workaround I made a rule that blocks LAN outgoing src port 55555
But I think this is something that should be solved internally?
- Status changed from New to Rejected
There isn't a way to automatically detect or predict that scenario to prevent it.
Outbound NAT uses random ports anywhere from 1024:65535, the only time you'd have a collision is if you forward a port and both the local source port, local destination address, and remote source IP address match up.
If you have enough connections that it becomes a problem, then you should obtain additional WAN addresses and have outbound user connections utilize a different VIP from the IP address accepting inbound connections.
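To illustrate the point in this comment, here is an added example (not part of the bug report or of pfSense itself) that models a simplified pf-style state table: existing states are matched on the full 5-tuple before port-forward rules are consulted. All addresses are constructed, and the MQTT broker is hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses: firewall WAN IP, the two LAN hosts from the report
# ("UNO" receives the port forward, "DUE" opens the outbound MQTT session)
# and a hypothetical MQTT broker on the internet.
WAN_IP, UNO, DUE, BROKER = "203.0.113.10", "192.168.1.10", "192.168.1.20", "198.51.100.5"

# State key as seen on the WAN side: (proto, src_ip, src_port, dst_ip, dst_port)
Key = Tuple[str, str, int, str, int]


@dataclass
class State:
    internal_ip: str     # LAN host the matching packet is translated to
    internal_port: int


class NatTable:
    def __init__(self, forwards: Dict[Tuple[str, int], Tuple[str, int]]):
        self.states: Dict[Key, State] = {}
        self.forwards = forwards  # (proto, wan_port) -> (lan_ip, lan_port)

    def outbound(self, proto, lan_ip, lan_port, dst_ip, dst_port, nat_port):
        # Outbound NAT rewrites the source to WAN_IP:nat_port and records the
        # reply direction so the remote peer's packets find their way back.
        key = (proto, dst_ip, dst_port, WAN_IP, nat_port)
        self.states[key] = State(lan_ip, lan_port)

    def inbound(self, proto, src_ip, src_port, dst_port) -> Optional[Tuple[str, int]]:
        # Existing state wins and is matched on the complete 5-tuple; only
        # afterwards does the port-forward (rdr) rule get a chance.
        st = self.states.get((proto, src_ip, src_port, WAN_IP, dst_port))
        if st:
            return (st.internal_ip, st.internal_port)
        return self.forwards.get((proto, dst_port))  # None: dropped by default deny


def scenario():
    nat = NatTable({("tcp", 55555): (UNO, 55555)})
    # DUE -> broker:1883, and outbound NAT happens to pick WAN port 55555.
    nat.outbound("tcp", DUE, 55555, BROKER, 1883, nat_port=55555)
    # A new internet client on the forwarded port has a different source
    # tuple, so it still reaches UNO despite the shared WAN port.
    fresh = nat.inbound("tcp", "192.0.2.7", 40001, 55555)
    # Only a packet from broker:1883, i.e. the identical 5-tuple, is claimed
    # by the outbound state and lands on DUE instead of UNO.
    reply = nat.inbound("tcp", BROKER, 1883, 55555)
    return fresh, reply
```

Running scenario() shows that a real collision needs the remote IP and port to match as well, which is why a separate VIP for outbound traffic removes the overlap entirely.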
Jim Pingle wrote:
the only time you'd have a collision is if you forward a port and both the local source port, local destination address, and remote source IP address match up.
Sorry, there are no matching "tuples" or "triples". Must be in the logic how NAT is handled and how it is preferred. Please take a look at my ASCII art. These were two completely different connections between different hosts with different services.
Tried to reproduce in lab. Not successful. Some additional factor must be involved.