Full NAT Support #107
Replies: 6 comments 11 replies
-
|
Hi @infinitydon, |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the response, could you also let me know if other features like DSR, DSR_IPIP (tunnel mode) are been considered also? |
Beta Was this translation helpful? Give feedback.
-
|
We have planned these features in December Release. |
Beta Was this translation helpful? Give feedback.
-
|
We have implemented this with two LB modes - full-nat and one-arm with subtle differences between them. In one-arm mode, the LB itself is placed in the same broadcast domain as client and end-points. In such a case the LB does full NAT with source-IP changed to subnet IP assigned to itself. In full-NAT mode, there is no restriction that the LB needs to be in same broadcast domain, and it selects the source IP as the service IP when sending packets towards end-points. This is considering the fact that end-points have route to this service IP (LB) or we can also configure GoBGP to advertise the service IP path to the end-points.
Example scenario and config can be found here |
Beta Was this translation helpful? Give feedback.
-
|
Much thanks for the effort, will try to find time to test |
Beta Was this translation helpful? Give feedback.
-
|
I just tried the fullNAT for SCTP traffic but it is not working The sctp init message is getting to the loxiLB VM but it is not responding to the request: What could be wrong? Was SCTP tested? Thanks |
Beta Was this translation helpful? Give feedback.
-
|
Hi Christopher,
Thanks for reaching out. We will look into it and get back to you.
Thanks,
Nikhil
…On Sat, Dec 3, 2022, 8:23 AM Christopher Adigun ***@***.***> wrote:
I just tried the fullNAT for SCTP traffic but it is not working
***@***.***:~# ip -br a
lo UNKNOWN 127.0.0.1/8 ::1/128
ens5 UP 10.0.1.17/24 fe80::85:deff:fe4d:7731/64
ens6 UP 10.0.3.17/24 fe80::78:1fff:fe3b:a117/64
llb0 UNKNOWN fe80::cc1d:67ff:feda:fff1/64
***@***.***:~# loxicmd create lb 20.20.20.1 --sctp=38412:38412 --endpoints=10.0.3.10:1,10.0.3.11:1 --mode=fullnat
[API] Load balancer POST API called. url : /netlox/v1/config/loadbalancer
[API] lbRules : {{20.20.20.1 38412 sctp 0 false 2 0} [{10.0.3.10 38412 1} {10.0.3.11 38412 1}]}
nat lb-rule added - 1:dst-20.20.20.1/32,proto-132,dport-38412,-do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive|
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
##10.0.0.59:38104 -> 10.0.1.17:22 (6):0 (Aged:0:0:0)
rdir ct4 not found 10.0.0.59:38104 -> 10.0.1.17:22 (6)
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
1:dst-20.20.20.1/32,proto-132,dport-38412,,do-fullnat:eip-10.0.3.10,ep-38412,w-1,alive|eip-10.0.3.11,ep-38412,w-1,alive| pc 0 bc 0
The sctp init message is getting to the loxiLB VM but it is not responding
to the request:
***@***.***:~# tcpdump -i any host 10.0.3.71 -s 0 -nv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
23:10:27.915525 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto SCTP (132), length 68)
10.0.3.71.9487 > 20.20.20.1.38412: sctp (1) [INIT] [init tag: 609061942] [rwnd: 106496] [OS: 2] [MIS: 2] [init TSN: 655851557]
23:14:25.355978 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto SCTP (132), length 68)
10.0.3.71.9487 > 20.20.20.1.38412: sctp (1) [INIT] [init tag: 3472513034] [rwnd: 106496] [OS: 2] [MIS: 2] [init TSN: 3516414202]
23:16:36.671788 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto SCTP (132), length 68)
10.0.3.71.9487 > 20.20.20.1.38412: sctp (1) [INIT] [init tag: 3658667719] [rwnd: 106496] [OS: 2] [MIS: 2] [init TSN: 743260408]
What could be wrong? Was SCTP tested?
Thanks
—
Reply to this email directly, view it on GitHub
<#107 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AP2UN3BTE4BE5JMHDJU53KDWLKAIHANCNFSM6AAAAAAQ2S6IVY>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
|
Hi @infinitydon We have verified that sctp fullnat mode works fine. It is also added in our cicd scenario. You can check (sctp-fullnat config etc) it you need. I would request you to double confirm certain things:
|
Beta Was this translation helpful? Give feedback.
-
|
Tested with your cicd script, it works but in non-docker setup it is still not working. I just tested with virtualbox instead, same thing is still happening, loxilb is not responding to the SCTP INIT: loxilb node setup: Below is the logs Was the setup tested using VMs directly and not docker containers? |
Beta Was this translation helpful? Give feedback.
-
|
We did test with VMs a while back (but not full nat mode). And only docker based test setup is part of CICD. We will retest VM scenario. What applications are you using for sctp client and end-points? |
Beta Was this translation helpful? Give feedback.
-
|
Applications am using: Open5gs AMF |
Beta Was this translation helpful? Give feedback.
-
|
Confirmed to be working in our setup. Just needed the following in (sctp client and end-point host) : Also, please note that "tcpdump -i any host 192.168.1.125" will show only the incoming request as the outgoing request in full nat mode will have source/dest both changed. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @infinitydon Thanks for your time today. I think there was some confusion related to nat-mode implementation in loxilb. So, we would like to clarify mode details. As per your scenario : sequenceDiagram
participant C1
participant loxilb
participant EP1
C1->>loxilb: 192.168.56.X<->192.168.56.101
loxilb->>EP1: 192.168.70.1<->192.168.70.3
In this case, traffic with a source IP of 88.88.88.1 (after NAT) will be sent towards end-point 192.168.70.3 and this end-point is expected to have a route of 88.88.88.1 back to loxilb. We have this mode to be able to use BGP to influence route back to loxilb in case of HA/Cluster deployment of loxilb on a per-rule basis.
In this case, traffic with a source IP of 192.168.70.1 (interface IP) will be sent towards end-point 192.168.70.3. Since end-point will be in the same subnet, there is no need for any route configuration at end-point. Also, for this mode it is not necessary to have Client C1 to be in the same subnet. If Client C1 is to be in the same subnet, only additional requirement is to disable rp_filter in loxilb (at least in the interfaces used for LB operation) and make the additional topology changes. I hope it helps !! |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the time, it is clearer now. I have shared my learning in my second LoxiLB blog-post: https://futuredon.medium.com/5g-sctp-loadbalancer-using-loxilb-b525198a9103 |
Beta Was this translation helpful? Give feedback.
-
|
By the way, what is required to enable the bgp mode, I want to advertise the VIP to a BGP router (FRR) |
Beta Was this translation helpful? Give feedback.
-
|
You can find information on how to run bgp mode here Section 4 onwards. In summary :
It is also possible to use gobgp utils to advertise VIP/route without using "loxicmd --bgb" . For example - |
Beta Was this translation helpful? Give feedback.
-
Hi,
I will like to know if loxilb supports Full NAT scenarios whereby the real-servers will only see loxilb as the source and destination IP.
This can help where the loxilb and the real-servers are in separate VLANs/network.
Example with ipvs:
https://www.loadbalancer.org/blog/enabling-snat-in-lvs-xt_ipvs-and-iptables/
Beta Was this translation helpful? Give feedback.
All reactions