Hi,
my Astaro (9.106-17) is placed on it's WAN-Interface behind another router.
The Astaro is the only device behind the other router and there's just one link
between them.
On the Astaro for all internal networks masquerading is switch on by rules like
'Internal network XX' to WAN-Interface.
Everything worked unsuspicious and quite well until yesterday.
On the external router I switched on a feature called Backroute Verify on the interface to the Astaro.. This means that incoming data packets are only accepted over this interface if outgoing response packets are routed over the same interface.
The subnet between the external router and the Astaro is 10.15.95.0/24.
Astaro has 10.15.95.10. the other has 10.15.95.20
Therefore the external router drops all packets not coming from an address within that subnet. This should be no problem since masquerading is turned on.
The other router logs dropped packets.
In the logs I can see a lot of of dropped packets from source addresses
behind the Astaro.
How can this happen with masquerading turned on?
It seems like the Astaro doesn' substitute the source address with it's own WAN address.
Surfing, Mailing everything seems to work from inside the Astaros's internal LANs.
But some TCP messages [RST or FIN,ACK odr RST,ACK] go trough. TCP Seq is always '1'.
Only these types of packets. No TCP payload packets and also no UDP.
I can see the with Wireshark too.
I've no clue.
What can I check?
Best regards
Xavier
-----------------------------
Sorry, by posting this messages there appear also some payload packets with internal addresses on the WAN Interface.
This thread was automatically locked due to age.
