USG Flex with Nebula and iptables masquerade

baba
edited December 2022 in Nebula
Hi all,

is it possible to use iptables with an USG Flex 200 and Nebula?

iptables -t nat -A POSTROUTING -s 10.10.20.100 -d 10.10.30.100 -j MASQUERADE

My vacuum cleaner Roborock S7 does not respond when client is not in the same subnet/vlan.

CLI would also be OK for me if it is permanent :-)

Thanks!

Accepted Solution

  • Zyxel_Jeff
    edited December 2022 Answer ✓
    Hello @baba

    Thanks for sharing captured packets with us. We noticed there is only one-way traffic, from vlan10 to vlan30. The 10.10.30.X host didn't respond to the initiating host 10.10.10.X; not sure if it is a limitation of the vacuum cleaner, I mean the vacuum cleaner seems to only respond to a source IP that is in the same subnet.

    IP Client 1 (Server): 10.10.10.X (vlan 10)
    IP Client 2 (Xiaomi Roborock S7): 10.10.30.X (vlan30)
    Port 54321 Protocol UDP

    Currently, we don't support SNAT behavior similar to the masquerade function, thanks again.
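Added example (not code from the thread, from Zyxel or from the Roborock project): the check Zyxel_Jeff describes, run over a constructed capture shaped like this topology. `one_way_flows` lists UDP flows that never see a packet in the reverse direction, `replies_by_client` shows that only the on-link client got an answer from port 54321, and `snat_source_for` picks the router address on the device's VLAN, which is the source a MASQUERADE rule in POSTROUTING would present to the device (MASQUERADE rewrites the source to the address of the outgoing interface). The packet records, the client ports 40000 and 41000, and the router interface addresses 10.10.20.1/24 and 10.10.30.1/24 are assumptions.

```python
"""Added example: find one-way UDP flows in a capture and work out which
address a source-NAT rule would have to present to the device."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed capture (not from the thread): the server in vlan20 sends three
# probes to the vacuum and gets nothing back; a client in vlan30 sends one
# probe and receives a reply.
SAMPLE = [
    Packet("udp", "10.10.20.100", 40000, "10.10.30.100", 54321),
    Packet("udp", "10.10.20.100", 40000, "10.10.30.100", 54321),
    Packet("udp", "10.10.20.100", 40000, "10.10.30.100", 54321),
    Packet("udp", "10.10.30.50", 41000, "10.10.30.100", 54321),
    Packet("udp", "10.10.30.100", 54321, "10.10.30.50", 41000),
]

# Assumed router interface addresses, one per VLAN (not stated in the thread).
ROUTER_ADDRS = ["10.10.20.1/24", "10.10.30.1/24"]


def flow_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(key):
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)


def one_way_flows(packets):
    """Flows that carry traffic in one direction and never see a reverse packet."""
    counts = Counter(flow_key(p) for p in packets)
    return sorted(k for k in counts if reverse_key(k) not in counts)


def replies_by_client(packets, server, port):
    """For every client that sent to server:port, whether any reply came back."""
    seen = {}
    for p in packets:
        if p.dst == server and p.dport == port:
            seen.setdefault(p.src, False)
    for p in packets:
        if p.src == server and p.sport == port and p.dst in seen:
            seen[p.dst] = True
    return seen


def snat_source_for(dst, router_addrs):
    """Router address on the destination's subnet: what a MASQUERADE/SNAT rule
    on the router would use as the new source, so the request looks on-link."""
    target = ipaddress.ip_address(dst)
    for cidr in router_addrs:
        iface = ipaddress.ip_interface(cidr)
        if target in iface.network:
            return str(iface.ip)
    return None


if __name__ == "__main__":
    for proto, src, sport, dst, dport in one_way_flows(SAMPLE):
        print(f"no reply: {proto} {src}:{sport} -> {dst}:{dport}")
    for client, replied in replies_by_client(SAMPLE, "10.10.30.100", 54321).items():
        print(f"{client}: {'replied' if replied else 'silent'}")
    print("SNAT source for 10.10.30.100:", snat_source_for("10.10.30.100", ROUTER_ADDRS))
```

With the rule from the question applied on a Linux router, the vacuum would see requests from 10.10.30.1 instead of 10.10.20.100 and, if it answers on-link peers, reply to the router, whose connection tracking then rewrites the reply back to the real client. The check above is also what to rerun after any such change: if the flow still shows up in `one_way_flows`, the problem is not the source subnet.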

All Replies

  • lalaland
    Do you mean that the phone app and the Roborock S7 must be in the same subnet for the connection?
  • Zyxel_Jeff
    Hi @baba,

    Could you share your topology, usage scenario, and purpose with us?
    That would make it clearer for us to understand your requirement. Thanks.
  • baba
    @lalaland yes correctly. The Roborock API is only accessible within the same subnet.

    @Zyxel_Jeff
    Purpose: The API of the vacuum cleaner "Xiaomi Roborock S7" is not accessible from other subnets.

    Usage scenario: I want to connect to the api at 10.10.30.100:54321/udp (Client 2) from another subnet (Client 1).

    Topology: USG Flex 200 -> NWA110AX -> Client 1: Server 10.10.20.100 (vlan20), Client 2: Roborock 10.10.30.100 (vlan30)

    Do you need any other information?

    Best, baba

  • Zyxel_Jeff
    Hello @baba

    Could you enable Zyxel support for us (as below) and then tell us your org and site name via private message? We would like to check your settings, thanks.

  • Zyxel_Jeff
    baba said:
    Hi all,

    is it possible to use iptables with an USG Flex 200 and Nebula?

    iptables -t nat -A POSTROUTING -s 10.10.20.100 -d 10.10.30.100 -j MASQUERADE

    Hi @baba

    Currently, we don't support this feature, thanks.