Uploaded image for project: 'CloudStack'
  1. CloudStack
  2. CLOUDSTACK-8451

Static Nat show wrong remote IP in VM behind VPC



    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 4.4.3, 4.3.2, 4.5.1
    • None
    • Security Level: Public (Anyone can view this level - this is the default.)
    • None
    • Ubuntu 14.04, ACS 4.5.1-SNAPSHOT


      When configuring Port FOrwarding or Static NAT on VPC VR, and connect from outside world to VPC IP address, traffic gets forwarded to VM behind VPC.

      But if you run "netstat -antup | grep $PORT" (where port is i.e. ssh port) - given result will show that remote connections come from the Source NAT IP of the VR, instead of the real remote client IP.

      private VM:
      Source NAT IP on VPC VR:
      Additional Public IP on VPC VR.
      Remote client public IP: (external to VPC)
      from SSH to port 22 (or any other port)
      inside do "netstat -antup | grep 22"
      Result: Remote IP show is instead of

      We found a solution (somwhat tested, and not sure if this would break anything...)

      Problem is in VRs iptables NAT table, POSTROUTING chain, rule:
      SNAT all – * eth2 to:

      where is public IP of VR
      eth2: is Public Interface of VR
      When this rule is deleted, NAT is working fine.

      This is serious issue for anyone using VPC, since there is no way to see real remote client IP, and this no firewall funtionality inside VM, SIP doesnt work, web server logs are useless etc.

      I also experienced this problem with 4.3.x releases.

      EDIT: this happens when using vlan://untagged for Public network - eth2 device gets passed to VR, and offending iptables rule is created.

      When using tagged vlan for Public network - everything is fine.




            Unassigned Unassigned
            andrija Andrija Panic
            0 Vote for this issue
            2 Start watching this issue