[SOLVED] Strange Nat Errors

Rainwolf · Wednesday at 12:22

Hello everyone,

I've been struggling for hours with a strange problem that I don't understand.

I'll try to explain:

I have a VPS server on the Internet with a public IP 178.xxx.xxx.xxx/22.
Proxmox is installed on this server, and it should only be accessible via a VPN connection.
An opnsens is responsible for the vpn connection.

On Proxmox, there is an LXC container running that provides a VPN connection using Wireguard.

This part works.
For example, I can access Proxmox’s web interface or SSH into the LXC container from my local network (10.10.10.0/24).

However, there are some irregularities and certain things don't always work.

Sometimes, after restarting Proxmox, the LXC containers lose internet access.

It seems that the rule for outgoing NAT is not taking effect:

Code:

iptables -t nat -A POSTROUTING -s '192.168.10.0/24' -o ens3 -j MASQUERADE

Although the rule is loaded, nothing is being routed through it:

Code:

Chain POSTROUTING

 pkts bytes target     prot opt in     out     source               destination

   0    0 MASQUERADE  0    --  *      ens3    192.168.10.0/24      0.0.0.0/0

That’s one issue. Another is that I can’t reliably SSH into an LXC container at 192.168.10.10.

It works once, but after a few minutes, if I try to open a second session, I get the error:
Network error: Software caused connection abort.

Other SSH sessions—such as to Proxmox directly at 192.168.10.1 or to the Wireguard gateway at 192.168.10.5—always work.
Even accessing the web interface at 192.168.1.1:8006 always works.

If I assign a different IP to the container at 192.168.10.10, it works at first but then stops working after a short time.
I see the same phenomenon with a new container.

What I’ve noticed is that establishing an SSH connection to 192.168.10.10 takes a few seconds longer than to 192.168.10.5 or 192.168.10.1.

During the period when an SSH connection cannot be established, I can still successfully ping the addresses.

Based on the network diagram, this might be easier to understand.

When I track the packages with tcpdump, everything looks good so far.

it also makes no difference whether I switch the proxmox firewall off or on at all levels.

Where am I going wrong? This doesn't make sense to me.

Proxmox network/interfaces

auto lo
iface lo inet loopback

auto ens3
#real IP address
iface ens3 inet static
address 178.xxx.xxx.xxx/22
gateway 178.xxx.xxx.1

#privat sub network
auto vmbr0
iface vmbr0 inet static
address 192.168.10.1/24
bridge-ports none
bridge-stp off
bridge-fd 0

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.10.0/24' -o ens3 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.10.0/24' -o ens3 -j MASQUERADE

post-up iptables -t nat -A PREROUTING -p udp -d 178.xxx.xxx.xxx --dport 64123 -i ens3 -j DNAT --to-destination 192.168.10.5:64123
post-down iptables -t nat -D PREROUTING -p udp -d 178.xxx.xxx.xxx --dport 64123 -i ens3 -j DNAT --to-destination 192.168.10.5:64123

post-up iptables -t nat -A PREROUTING -p udp -d 178.xxx.xxx.xxx --dport 64000 -i ens3 -j DNAT --to-destination 192.168.10.10:64000
post-down iptables -t nat -D PREROUTING -p udp -d 178.xxx.xxx.xxx --dport 64000 -i ens3 -j DNAT --to-destination 192.168.10.10:64000
post-up iptables -t nat -A PREROUTING -p udp -d 178.xxx.xxx.xxx --dport 64001 -i ens3 -j DNAT --to-destination 192.168.10.10:64001
post-down iptables -t nat -D PREROUTING -p udp -d 178.xxx.xxx.xxx --dport 64001 -i ens3 -j DNAT --to-destination 192.168.10.10:64001

post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

source /etc/network/interfaces.d/*

Rainwolf · Wednesday at 12:24

ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.0.0/24 -o eth0 -m comment --comment "wireguard-nat-rule" -j MASQUERADE
ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 64123 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.7.0.0/24 -o eth0 -m comment --comment "wireguard-nat-rule" -j MASQUERADE
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 64123 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 10.7.0.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo tcpdump -ni any port 22 and host 192.168.10.10
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
11:03:33.899186 eth0 In IP 192.168.10.10.22 > 192.168.10.5.11910: Flags [F.], seq 731086476, ack 2306822438, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:03:33.899218 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.11910: Flags [F.], seq 731086476, ack 2306822438, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:03:36.540940 wg0 In IP 10.7.0.2.12705 > 192.168.10.10.22: Flags , seq 3889987052, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:03:36.541010 eth0 Out IP 192.168.10.5.12705 > 192.168.10.10.22: Flags , seq 3889987052, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:03:36.541125 eth0 In IP 192.168.10.10.22 > 192.168.10.5.12705: Flags [S.], seq 374887056, ack 3889987053, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:03:36.541131 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.12705: Flags [S.], seq 374887056, ack 3889987053, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:03:36.565772 wg0 In IP 10.7.0.2.12705 > 192.168.10.10.22: Flags [.], ack 1, win 255, length 0
11:03:36.565808 eth0 Out IP 192.168.10.5.12705 > 192.168.10.10.22: Flags [.], ack 1, win 255, length 0
11:03:36.567518 eth0 In IP 192.168.10.10.22 > 192.168.10.5.12705: Flags [P.], seq 1:43, ack 1, win 502, length 42: SSH: SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.8
11:03:36.567530 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.12705: Flags [P.], seq 1:43, ack 1, win 502, length 42: SSH: SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.8
11:03:36.593654 wg0 In IP 10.7.0.2.12705 > 192.168.10.10.22: Flags [P.], seq 1:29, ack 43, win 255, length 28: SSH: SSH-2.0-MoTTY_Release_0.81
11:03:36.593676 eth0 Out IP 192.168.10.5.12705 > 192.168.10.10.22: Flags [P.], seq 1:29, ack 43, win 255, length 28: SSH: SSH-2.0-MoTTY_Release_0.81
11:03:36.593773 eth0 In IP 192.168.10.10.22 > 192.168.10.5.12705: Flags [.], ack 29, win 502, length 0
11:03:36.593778 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.12705: Flags [.], ack 29, win 502, length 0
11:03:36.593805 wg0 In IP 10.7.0.2.12705 > 192.168.10.10.22: Flags [P.], seq 1489:1645, ack 43, win 255, length 156
11:03:36.593810 eth0 Out IP 192.168.10.5.12705 > 192.168.10.10.22: Flags [P.], seq 1489:1645, ack 43, win 255, length 156
11:03:36.593855 eth0 In IP 192.168.10.10.22 > 192.168.10.5.12705: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 0
11:03:36.593860 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.12705: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 0
11:03:36.596555 eth0 In IP 192.168.10.10.22 > 192.168.10.5.12705: Flags [P.], seq 43:1163, ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 1120
11:03:36.596572 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.12705: Flags [P.], seq 43:1163, ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 1120
11:03:36.635730 wg0 In IP 10.7.0.2.12705 > 192.168.10.10.22: Flags [P.], seq 1645:2853, ack 1163, win 251, length 1208
11:03:36.635780 eth0 Out IP 192.168.10.5.12705 > 192.168.10.10.22: Flags [P.], seq 1645:2853, ack 1163, win 251, length 1208
11:03:36.635917 eth0 In IP 192.168.10.10.22 > 192.168.10.5.12705: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:2853}], length 0
11:03:36.635925 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.12705: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:2853}], length 0
11:03:41.323228 eth0 In IP 192.168.10.10.22 > 192.168.10.5.11910: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:03:41.323261 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.11910: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:03:56.171233 eth0 In IP 192.168.10.10.22 > 192.168.10.5.11910: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:03:56.171261 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.11910: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:10.063304 eth0 In IP 192.168.10.10.22 > 192.168.10.5.42578: Flags [F.], seq 3932141691, ack 1823574639, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:10.063334 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.42578: Flags [F.], seq 3932141691, ack 1823574639, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:10.301096 eth0 In IP 192.168.10.10.22 > 192.168.10.5.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:10.301119 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:10.539194 eth0 In IP 192.168.10.10.22 > 192.168.10.5.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:10.539220 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:11.003129 eth0 In IP 192.168.10.10.22 > 192.168.10.5.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:11.003157 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:11.979196 eth0 In IP 192.168.10.10.22 > 192.168.10.5.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:11.979225 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:13.835160 eth0 In IP 192.168.10.10.22 > 192.168.10.5.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:13.835259 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:17.547269 eth0 In IP 192.168.10.10.22 > 192.168.10.5.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:17.547295 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:25.365078 eth0 In IP 192.168.10.10.22 > 192.168.10.5.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:25.365102 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.42578: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:25.365118 eth0 In IP 192.168.10.10.22 > 192.168.10.5.11910: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0
11:04:25.365126 wg0 Out IP 192.168.10.10.22 > 10.7.0.2.11910: Flags [F.], seq 0, ack 1, win 502, options [nop,nop,sack 1 {1461:2825}], length 0

sudo tcpdump -ni any port 22
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
12:12:18.307482 eth0 In IP 192.168.10.5.6518 > 192.168.10.10.22: Flags , seq 2487375312, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:12:18.307513 eth0 Out IP 192.168.10.10.22 > 192.168.10.5.6518: Flags [S.], seq 1677988396, ack 2487375313, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:12:18.330646 eth0 In IP 192.168.10.5.6518 > 192.168.10.10.22: Flags [.], ack 1, win 255, length 0
12:12:18.332197 eth0 Out IP 192.168.10.10.22 > 192.168.10.5.6518: Flags [P.], seq 1:43, ack 1, win 502, length 42: SSH: SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.8
12:12:18.399788 eth0 In IP 192.168.10.5.6518 > 192.168.10.10.22: Flags [.], ack 43, win 255, length 0
12:12:18.492212 eth0 In IP 192.168.10.5.6518 > 192.168.10.10.22: Flags [P.], seq 1:29, ack 43, win 255, length 28: SSH: SSH-2.0-MoTTY_Release_0.81
12:12:18.492262 eth0 Out IP 192.168.10.10.22 > 192.168.10.5.6518: Flags [.], ack 29, win 502, length 0
12:12:18.493175 eth0 In IP 192.168.10.5.6518 > 192.168.10.10.22: Flags [P.], seq 1489:1645, ack 43, win 255, length 156
12:12:18.493183 eth0 Out IP 192.168.10.10.22 > 192.168.10.5.6518: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 0
12:12:18.494778 eth0 Out IP 192.168.10.10.22 > 192.168.10.5.6518: Flags [P.], seq 43:1163, ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 1120
12:12:18.576886 eth0 In IP 192.168.10.5.6518 > 192.168.10.10.22: Flags [P.], seq 1645:2853, ack 1163, win 251, length 1208
12:12:18.576927 eth0 Out IP 192.168.10.10.22 > 192.168.10.5.6518: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:2853}], length 0

Rainwolf · Wednesday at 12:25

tcpdump -ni any port 22 and host 192.168.10.10
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
12:05:26.437452 veth100i0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags , seq 1366671840, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:05:26.437476 fwln100i0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags , seq 1366671840, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:05:26.437478 fwpr100p0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags , seq 1366671840, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:05:26.437489 fwpr101p0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags , seq 1366671840, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:05:26.437491 fwln101i0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags , seq 1366671840, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:05:26.437507 veth101i0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags , seq 1366671840, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:05:26.437549 veth101i0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [S.], seq 668754818, ack 1366671841, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:05:26.437555 fwln101i0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [S.], seq 668754818, ack 1366671841, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:05:26.437558 fwpr101p0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [S.], seq 668754818, ack 1366671841, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:05:26.437562 fwpr100p0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [S.], seq 668754818, ack 1366671841, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:05:26.437565 fwln100i0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [S.], seq 668754818, ack 1366671841, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:05:26.437568 veth100i0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [S.], seq 668754818, ack 1366671841, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:05:26.462482 veth100i0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [.], ack 1, win 255, length 0
12:05:26.462496 fwln100i0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [.], ack 1, win 255, length 0
12:05:26.462498 fwpr100p0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [.], ack 1, win 255, length 0
12:05:26.462507 fwpr101p0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [.], ack 1, win 255, length 0
12:05:26.462510 fwln101i0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [.], ack 1, win 255, length 0
12:05:26.462519 veth101i0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [.], ack 1, win 255, length 0
12:05:26.477657 veth101i0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [P.], seq 1:43, ack 1, win 502, length 42: SSH: SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.8
12:05:26.477694 fwln101i0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [P.], seq 1:43, ack 1, win 502, length 42: SSH: SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.8
12:05:26.477698 fwpr101p0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [P.], seq 1:43, ack 1, win 502, length 42: SSH: SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.8
12:05:26.477707 fwpr100p0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [P.], seq 1:43, ack 1, win 502, length 42: SSH: SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.8
12:05:26.477711 fwln100i0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [P.], seq 1:43, ack 1, win 502, length 42: SSH: SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.8
12:05:26.477718 veth100i0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [P.], seq 1:43, ack 1, win 502, length 42: SSH: SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.8
12:05:26.508292 veth100i0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1:29, ack 43, win 255, length 28: SSH: SSH-2.0-MoTTY_Release_0.81
12:05:26.508303 fwln100i0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1:29, ack 43, win 255, length 28: SSH: SSH-2.0-MoTTY_Release_0.81
12:05:26.508304 fwpr100p0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1:29, ack 43, win 255, length 28: SSH: SSH-2.0-MoTTY_Release_0.81
12:05:26.508311 fwpr101p0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1:29, ack 43, win 255, length 28: SSH: SSH-2.0-MoTTY_Release_0.81
12:05:26.508314 fwln101i0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1:29, ack 43, win 255, length 28: SSH: SSH-2.0-MoTTY_Release_0.81
12:05:26.508322 veth101i0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1:29, ack 43, win 255, length 28: SSH: SSH-2.0-MoTTY_Release_0.81
12:05:26.508357 veth101i0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, length 0
12:05:26.508362 fwln101i0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, length 0
12:05:26.508364 fwpr101p0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, length 0
12:05:26.508368 fwpr100p0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, length 0
12:05:26.508369 fwln100i0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, length 0
12:05:26.508373 veth100i0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, length 0
12:05:26.508397 veth100i0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1489:1645, ack 43, win 255, length 156
12:05:26.508402 fwln100i0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1489:1645, ack 43, win 255, length 156
12:05:26.508403 fwpr100p0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1489:1645, ack 43, win 255, length 156
12:05:26.508407 fwpr101p0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1489:1645, ack 43, win 255, length 156
12:05:26.508408 fwln101i0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1489:1645, ack 43, win 255, length 156
12:05:26.508412 veth101i0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1489:1645, ack 43, win 255, length 156
12:05:26.508421 veth101i0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 0
12:05:26.508424 fwln101i0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 0
12:05:26.508426 fwpr101p0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 0
12:05:26.508429 fwpr100p0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 0
12:05:26.508431 fwln100i0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 0
12:05:26.508434 veth100i0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 0
12:05:26.513092 veth101i0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [P.], seq 43:1163, ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 1120
12:05:26.513104 fwln101i0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [P.], seq 43:1163, ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 1120
12:05:26.513108 fwpr101p0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [P.], seq 43:1163, ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 1120
12:05:26.513111 fwpr100p0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [P.], seq 43:1163, ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 1120
12:05:26.513114 fwln100i0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [P.], seq 43:1163, ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 1120
12:05:26.513118 veth100i0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [P.], seq 43:1163, ack 29, win 502, options [nop,nop,sack 1 {1489:1645}], length 1120
12:05:26.552034 veth100i0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1645:2853, ack 1163, win 251, length 1208
12:05:26.552066 fwln100i0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1645:2853, ack 1163, win 251, length 1208
12:05:26.552068 fwpr100p0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1645:2853, ack 1163, win 251, length 1208
12:05:26.552077 fwpr101p0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1645:2853, ack 1163, win 251, length 1208
12:05:26.552078 fwln101i0 P IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1645:2853, ack 1163, win 251, length 1208
12:05:26.552086 veth101i0 Out IP 192.168.10.5.37622 > 192.168.10.10.22: Flags [P.], seq 1645:2853, ack 1163, win 251, length 1208
12:05:26.552151 veth101i0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:2853}], length 0
12:05:26.552159 fwln101i0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:2853}], length 0
12:05:26.552162 fwpr101p0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:2853}], length 0
12:05:26.552165 fwpr100p0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:2853}], length 0
12:05:26.552168 fwln100i0 P IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:2853}], length 0
12:05:26.552171 veth100i0 Out IP 192.168.10.10.22 > 192.168.10.5.37622: Flags [.], ack 29, win 502, options [nop,nop,sack 1 {1489:2853}], length 0

Rainwolf · Wednesday at 20:50

the question is of course whether it has to be nat everywhere?

i don't think so, i have now done it completely with routes. let's see if i still have problems.

Rainwolf · 2025-02-21T15:57:21+0100

the problem could be traced back to an opnsense setting.

Firewall optimization
Aggressive has caused the Nat problem.

https://docs.opnsense.org/manual/firewall_settings.html#firewall-optimization

Search

Search

[SOLVED] Strange Nat Errors

Rainwolf

New Member

Rainwolf

New Member

Rainwolf

New Member

Rainwolf

New Member

Rainwolf

New Member

We value your privacy