USG Flex with Nebula and iptables masquerade

baba Posts: 280  Master Member
edited December 2022 in Nebula
Hi all,

Is it possible to use iptables with a USG Flex 200 and Nebula?

iptables -t nat -A POSTROUTING -s 10.10.20.100 -d 10.10.30.100 -j MASQUERADE

My vacuum cleaner, a Roborock S7, does not respond when the client is not in the same subnet/VLAN.

CLI would also be OK for me if it is permanent :-)

Thanks!

Accepted Solution

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee
    edited December 2022 Answer ✓
    Hello @baba

    Thanks for sharing the captured packets with us. We noticed there is only a one-way direction from vlan10 to vlan 30. The 10.10.30.X didn't respond to the initiating host 10.10.10.X IP. Not sure if it is a limitation of the vacuum cleaner; I mean the vacuum cleaner seems to only respond to a source IP which is from the same subnet.

    IP Client 1 (Server): 10.10.10.X (vlan 10)
    IP Client 2 (Xiaomi Roborock S7): 10.10.30.X (vlan30)
    Port 54321 Protocol UDP

    Currently, we don't support this similar SNAT behavior just like the masquerade function, thanks again.  


    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community
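
Why the masquerade rule from the question would make the vacuum answer, as an added example that is not part of the original posts and not Zyxel code: a simplified model of the same-subnet source filter seen in the capture and of a source NAT scoped to one host pair. The gateway address 10.10.30.1, the /24 mask, the port numbers other than 54321 and all class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: host addresses come from the thread; the firewall's
# vlan30 address and the /24 mask are assumptions made for this example.
DEVICE_NET = ipaddress.ip_network("10.10.30.0/24")
GW_VLAN30 = "10.10.30.1"
API_PORT = 54321

@dataclass(frozen=True)
class Udp:
    src: str
    sport: int
    dst: str
    dport: int

def device_reply(pkt):
    """Model of the capture: the device answers only same-subnet sources."""
    if ipaddress.ip_address(pkt.src) not in DEVICE_NET:
        return None
    return Udp(pkt.dst, pkt.dport, pkt.src, pkt.sport)

class Masquerade:
    """Source NAT for one (src, dst) pair, like the POSTROUTING rule asked about.
    Simplified: real connection tracking also handles timeouts and port reuse."""
    def __init__(self, match_src, match_dst, egress_ip):
        self.match = (match_src, match_dst)
        self.egress_ip = egress_ip
        self.table = {}          # (device ip, device port, nat port) -> (src, sport)
        self.next_port = 40000   # hypothetical start of the NAT port range

    def outbound(self, pkt):
        if (pkt.src, pkt.dst) != self.match:
            return pkt           # rule does not match: forwarded untranslated
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return Udp(self.egress_ip, nat_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        orig = self.table.get((pkt.src, pkt.sport, pkt.dport))
        if orig is None:
            return pkt
        return Udp(pkt.src, pkt.sport, orig[0], orig[1])  # restore real client

def round_trip(client_ip, nat=None):
    """Send one datagram to the vacuum; return the reply the client sees, or None."""
    pkt = Udp(client_ip, 50000, "10.10.30.100", API_PORT)
    reply = device_reply(nat.outbound(pkt) if nat else pkt)
    if reply is None:
        return None
    return nat.inbound(reply) if nat else reply
```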

All Replies

  • lalaland
    lalaland Posts: 91  Ally Member
    Do you mean that the phone app and the Roborock S7 must be in the same subnet for the connection?
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee
    Hi @baba,

    Could you share your topology, usage scenario, and purpose with us?
    That would make it clearer to understand your requirement. Thanks.



  • baba
    baba Posts: 280  Master Member
    @lalaland yes, correct. The Roborock API is only accessible within the same subnet.

    @Zyxel_Jeff
    Purpose: The API of the vacuum cleaner "Xiaomi Roborock S7" is not accessible from other subnets.

    Usage scenario: I want to connect to the API at 10.10.30.100:54321/udp (Client 2) from another subnet (Client 1).

    Topology: USG Flex 200 -> NWA110AX -> Client 1: Server 10.10.20.100 (vlan20), Client 2: Roborock 10.10.30.100 (vlan30)

    Do you need any other information?

    Best, baba



  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee

    Hello @baba

    Could you enable Zyxel support for us (as below) and then tell us your org and site name via private message? We would like to check your settings, thanks.






  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee
    baba said:
    Hi all,

    Is it possible to use iptables with a USG Flex 200 and Nebula?

    iptables -t nat -A POSTROUTING -s 10.10.20.100 -d 10.10.30.100 -j MASQUERADE

    Hi @baba

    Currently, we don't support this feature, thanks.

