
I have two virtual machines (server, client) with a WireGuard VPN. When I try to ping any IPv6 resource from the client, packets don't return to the client.

Tcpdump shows me ICMP Reply packets on the enp0s3 interface (server), not on wg0 (VPN interface on server). But if I disable nftables and start ip6tables, all works. After this step I disable ip6tables and enable nftables... All continues to work...

Software versions:

NixOS: 17.09.git.ebaff59 (Hummingbird)
WireGuard: 0.0.20170706
Nftables: 0.7

Build ISO images with the following commands:

Server:

nix-build -A config.system.build.isoImage -I nixos-config=./wireguard_server_10.nix ./nixpkgs/nixos/default.nix

Client:

nix-build -A config.system.build.isoImage -I nixos-config=./wireguard_client_20.nix ./nixpkgs/nixos/default.nix

Here are the nix files:

Create virtual machines with the following commands:

Server:

virt-install \
--name NixOSVS10 \
--ram 1024 \
--vcpus 1 \
--cdrom /tmp/nixos_10.iso \
--os-type linux \
--nodisk \
--network bridge=br0 \
--graphics vnc,password="ABCDEF",port=5910,listen=2a01:4f8:xx:xx::13 \
--autostart \
--noautoconsole

Client:

virt-install \
--name NixOSVS20 \
--ram 1024 \
--vcpus 1 \
--cdrom /tmp/nixos_20.iso \
--os-type linux \
--nodisk \
--network bridge=br0 \
--graphics vnc,password="ABCDEF",port=5920,listen=2a01:4f8:xx:xx::13 \
--autostart \
--noautoconsole

Nftables rules:

Server:

Client:

Output of ip a, ip -6 route, route -6, wg, sysctl -a, dmesg, lsmod.

Server:

Client:

Tcpdump logs from the client. Pinging IPv6 address 2001:19f0:7400:87a2::64 (https://ipv6.net/)

Output from /proc/net/nf_conntrack:

With nftables:

With ip6tables:

SNAT doesn't work correctly in nftables. But it works after the following steps:

[root@nixos:~]# systemctl stop nftables
[root@nixos:~]# ip6tables -t nat -A POSTROUTING -o enp0s3 -j SNAT --to-source 2a01:4f8:xx:xx::10
  • am I just not seeing it, or did you ask a question about nftables without including your ruleset? – Zoredache Jul 10 '17 at 21:14
  • Ok, now edited... – Sorcus Jul 10 '17 at 21:24
  • So your nft snat is `ip6 saddr fc00::/64 oif enp0s3 nftrace set 1 counter snat 2a01:4f8:xx:xx::10` and your iptables is this `ip6tables -t nat -A POSTROUTING -o enp0s3 -j SNAT --to-source 2a01:4f8:xx:xx::10`? You have different rules. The nft rule requires a certain source address range. What happens if you change your nft rule to actually match the iptables rule? – Zoredache Jul 10 '17 at 21:25
  • Nothing changed. Doesn't work. – Sorcus Jul 10 '17 at 21:45
  • Current nftables rules - https://gist.github.com/MrSorcus/54684d8cd7a5e722a6f592b671432b0a – Sorcus Jul 10 '17 at 21:51
  • In that most recent set of rules in the comment the POSTROUTING chain doesn't have the `type nat hook postrouting priority 0;` line. If you don't set a chain to be hooked to anything, I don't think it will actually do anything. – Zoredache Jul 10 '17 at 22:40
  • And what should I do? I used information from here - https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT) – Sorcus Jul 10 '17 at 22:50
  • No ideas? What could be the problem? – Sorcus Jul 11 '17 at 23:12
  • Unfortunately my knowledge of nftables is relatively weak, I have just started playing around with it. – Zoredache Jul 12 '17 at 03:04
  • With the git version of nftables, libmnl & libnftnl it doesn't work either... – Sorcus Jul 12 '17 at 17:52

1 Answer


Solved. http://marc.info/?l=netfilter-devel&m=150027256708621&w=2

You are probably lacking the reply NAT chain, which needs to be registered.

https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)

I'm updating right now the wiki to put this in bold.
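The chain registration the comments and the answer point at, as an added example (not the asker's gist, nor the answer's own code): a NAT table in the shape that silently does nothing, beside the corrected one. `fc00::/64`, `enp0s3`, priority 0 and the redacted `2a01:4f8:xx:xx::10` are taken from the page; `snat to` is current nft syntax (the page's nft 0.7 wrote `snat <addr>`). Load only the second table; the first is shown for contrast.

```nft
# BROKEN (do not load): a chain called "postrouting" with no "type ... hook"
# line is a plain regular chain. Nothing jumps to it, so the snat rule is
# never evaluated and `nft list ruleset` shows it with counters stuck at 0.
table ip6 nat_broken {
    chain postrouting {
        ip6 saddr fc00::/64 oif "enp0s3" counter snat to 2a01:4f8:xx:xx::10
    }
}

# FIXED: both NAT hooks registered. The prerouting chain can stay empty, but
# it must exist: conntrack uses it to reverse-translate the ICMP replies that
# arrive on enp0s3 back toward wg0 (the "reply NAT chain" the answer names).
table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        ip6 saddr fc00::/64 oif "enp0s3" counter snat to 2a01:4f8:xx:xx::10
    }
}
```

After `nft -f` of the fixed table, `nft list table ip6 nat` must print a `type nat hook ...` line inside both chains; a chain listed without one is not attached to the packet path.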
