-
Notifications
You must be signed in to change notification settings - Fork 250
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DNAT PortRange missbehaves #233
Comments
@modzilla99 If I understand correctly your use case I guess there's a confusion of terms here. The Lines 3763 to 3767 in dc34b4d
With your example, So, essentially, this doesn't mean "DNAT only traffic destined to IP 1.1.1.1 and port range 22-23", it means "DNAT traffic destined to IP 1.1.1.1 and select a new destination port from range 22-23". Or did I misunderstand your scenario? As a side note, it shouldn't be round-robin, it should be random. But maybe that's because you're missing this recent fix: Thanks, |
Ah, okay. The term PAT got me confused and I thought it was like traditional port-forwarding. Is there a way to accomplish said thing, though?
Yes, we don't have that patch applied. Seems like its causing it.
No you did not. Thanks for the clarification. Best regards |
Hmm, probably the only way is to add a (stateless maybe) ACL in the switch connecting to the router that does the DNAT. I guess that's a security group rule in OpenStack terminology. |
Closing this as it's working as expected. Please feel free to continue the discussion but you might get more feedback by posting this question as an email to ovs-discuss@openvswitch.org. |
Hey there,
we are on OVN 23.06 and face an issue when using the portrange dnat option. Our main use is to Port-Forward IPSEC ports to a VM.
The PAT on the set ports works properly, but every other port that's not the selected Port will be forwarded to a port in the selected range. So if I used port 22 every other Port would forward the traffic to the SSH port.
ssh -p 1234 $IP
would therefore work. If you select more than one port all the traffic would be loadbalanced between the selected ports in a round-robin fashion.The only way to not run into this behaviour is to port-forward all ports
1-65535
and let the SecurityGroup/ACLs handle the rest.Example
Best regards.
The text was updated successfully, but these errors were encountered: