I need to create VXLAN connections between two computers, A (on Debian with IP 192.168.30.1) and B (on archlinux with IP 192.168.30.3).
For that, I did:
sudo ip link add vxlan1 type vxlan id 1 nolearning remote 192.168.30.3 dstport 33333 dev ens4
sudo ip link set vxlan1 up
sudo ip addr add 10.0.0.106/24 dev vxlan1
sudo ip link add vxlan2 type vxlan id 1 nolearning remote 111.111.111.111 dstport 33333 dev ens3
sudo ip link set vxlan2 up
sudo ip addr add 10.0.0.107/24 dev vxlan2
Moreover, on PC B I created a DNAT rule:
sudo iptables -w -t nat -A OUTPUT -s 192.168.30.3 -d 111.111.111.111 -p udp --dport 33333 -j DNAT --to-destination 192.168.30.1:33333
Then I did:
- On PC A:
  ping 10.0.0.107
  This works as expected with ping replies.
- On PC B:
  ping 10.0.0.106
  This works as expected with ping replies.
- On PC A:
  nc -u -lp 12345
  On PC B:
  nc -u 10.0.0.106 12345
  I expected to read data on the netcat application on PC A when sending data with the netcat command from PC B. However, I read nothing.
My problem is then at the last point. Why does my netcat listener not receive anything?
By using wireshark on PC A I get:
[Wireshark capture screenshot]
Some extra information:
- PC A runs with 'Linux debian 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux' (this is the result of the uname -a command)
- PC A IP on ens4 is 192.168.30.1/24
- PC B runs with 'Linux archlinux 5.13.9-arch1-1 #1 SMP PREEMPT Sun, 08 Aug 2021 11:25:35 +0000 x86_64 GNU/Linux' (this is the result of the uname -a command)
- PC B IP on ens3 is 192.168.30.3/24
- The two machines are Qemu VMs started with GNS3
- The nat and filter tables of netfilter on PC A are empty:
seb@debian:~$ sudo iptables -t nat -L ; sudo iptables -t filter -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
- On PC B I only have the DNAT rule and a rule to drop ICMP packets of type 'port unreachable' (this is a rule I added for another purpose):
[seb@archlinux vxlan]$ sudo iptables -t nat -L -n ; sudo iptables -t filter -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT udp -- 192.168.30.3 111.111.111.111 udp dpt:33333 to:192.168.30.1:33333
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
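An added example, not part of the question above: it builds and decodes the VXLAN encapsulation this setup uses (VNI 1, inner 10.0.0.0/24 frames carried in UDP to dstport 33333), so the UDP payload of a captured port-33333 packet can be checked for the inner datagram to port 12345 that the netcat listener is waiting for. The MAC addresses and the inner source port are made up for the sample.

```python
import socket
import struct

VXLAN_HDR_LEN = 8       # flags(1) reserved(3) VNI(3) reserved(1)
VNI_VALID_FLAG = 0x08   # VXLAN "I" flag: the VNI field is valid

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; a header that already carries a correct checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_vxlan_udp(vni, src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Outer UDP payload as carried to dstport 33333: VXLAN header + inner Ethernet/IPv4/UDP."""
    vxlan = struct.pack("!II", VNI_VALID_FLAG << 24, vni << 8)
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum optional over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, socket.IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return vxlan + eth + ip + udp

def parse_vxlan(data: bytes) -> dict:
    """Decode one VXLAN datagram and describe the inner packet (Ethernet/IPv4 only)."""
    flags, vni_field = struct.unpack("!II", data[:VXLAN_HDR_LEN])
    if not (flags >> 24) & VNI_VALID_FLAG:
        raise ValueError("VXLAN I flag not set")
    inner = data[VXLAN_HDR_LEN:]
    info = {"vni": vni_field >> 8, "ethertype": struct.unpack("!H", inner[12:14])[0]}
    if info["ethertype"] != 0x0800:
        return info
    ip = inner[14:]                       # skip the 14-byte inner Ethernet header
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad inner IPv4 header checksum")
    info.update(src=socket.inet_ntoa(ip[12:16]), dst=socket.inet_ntoa(ip[16:20]), proto=ip[9])
    l4 = ip[ihl:]
    if info["proto"] == socket.IPPROTO_UDP:
        info["sport"], info["dport"], ulen = struct.unpack("!HHH", l4[:6])
        info["payload"] = l4[8:ulen]
    elif info["proto"] == socket.IPPROTO_ICMP:
        info["icmp_type"] = l4[0]         # 8 = echo request, 0 = echo reply
    return info

# Constructed sample: what PC B's "nc -u 10.0.0.106 12345" should carry inside VNI 1 (MACs made up).
SAMPLE = build_vxlan_udp(1, b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x01",
                         "10.0.0.107", "10.0.0.106", 40000, 12345, b"hello\n")
```

Calling parse_vxlan(SAMPLE) returns the VNI, inner addresses, protocol, ports and payload; feed it the UDP payload of a real port-33333 packet from the capture to see whether the inner datagram to port 12345 actually reached PC A, or whether only the ICMP echo traffic is being encapsulated.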