NAT masquerade refuses to work on Link-Local network

I am developing a device, in terms of usage and network connectivity it is similar to a printer with an Ethernet port. This device should also work in p2p scenarios, i.e. when the Ethernet port of the device is connected directly to an Ethernet port of a notebook, in absence of a DHCP server. In this case, both devices obtain a Link-Local address in the 169.254.x.x address range. So far, so good, this works.

My device has a somewhat complex internal Ethernet topology with multiple different boards that all have their own IP address in a tiny internal network. But none of that concerns the user of the device – the user only sees and talks to one single IP address. This is done using NAT and masquerade. The device has one single entry point with one external IP address and there’s port forwarding to serve different boards and functions. This also seems to work well as a concept.

Now here’s the problem: NAT masquerade refuses to work with Link-Local IP addresses. It just won’t properly rewrite the source address the way I instructed it to on this interface (instead, it just takes the first IP address it finds on another Ethernet interface, usually the internal one, which is extremely undesirable). I now think I tracked it down to the so-called scope of the address: http://linux-ip.net/html/tools-ip-address.html#tb-tools-ip-addr-scope. This scope must be global, or else NAT masquerade seems to ignore it. I don’t exactly know where this behavior comes from, so I’d like to know more about this.

  • How can I coerce NAT masquerade to ignore this unwanted scope filtering? I’m using firewalld but can also directly use iptables. The issue happens on both.

  • Alternatively, how can I configure this scope to global even though I’m using a Link-Local address? I am using Network Manager with ipv4.method set to link-local on that interface and I need NAT masquerade to work reliably.
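The behaviour described in the question comes from how the MASQUERADE target chooses its source address: it asks the kernel for an address on the outgoing interface with global (universe) scope, and a link-local 169.254/16 address is installed with `scope link`, so it is never eligible and the kernel falls back to an address on another interface. The script below is an added example, not code from the question or from any project it mentions. It parses `ip -o -4 addr show` output (a constructed sample is embedded so it runs offline), reports whether an interface has any address MASQUERADE would actually use, and prints the two remedies the question is asking about: re-installing the address with global scope, or replacing MASQUERADE with an explicit SNAT. Interface names and addresses are constructed; the commands are printed rather than executed because they need root.

```shell
#!/bin/sh
# Added example (not from the original question). Diagnoses why MASQUERADE
# skips a link-local source address and emits the two possible remedies.
# Assumption relied on: MASQUERADE selects its source with
# inet_select_addr(dev, nexthop, RT_SCOPE_UNIVERSE), which only accepts
# addresses of scope "global"; a "scope link" 169.254/16 address is skipped.

# Constructed sample of `ip -o -4 addr show` output for an offline run.
# On a live machine use:  ip -o -4 addr show | masq_check eth0
SAMPLE_IP_OUTPUT='2: eth0    inet 169.254.23.17/16 brd 169.254.255.255 scope link noprefixroute eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1\       valid_lft forever preferred_lft forever
3: eth1    inet 10.0.0.2/24 brd 10.0.0.255 scope global secondary eth1\       valid_lft forever preferred_lft forever'

# Print "addr/prefix scope" for every IPv4 address on interface $1,
# reading `ip -o -4 addr show` lines from stdin.
iface_addrs() {
    awk -v ifc="$1" '$2 == ifc && $3 == "inet" {
        scope = "";
        for (i = 4; i < NF; i++) if ($i == "scope") scope = $(i + 1);
        print $4, scope;
    }'
}

# Print only the addresses on $1 that MASQUERADE would consider (scope global).
masq_candidates() {
    iface_addrs "$1" | awk '$2 == "global" { print $1 }'
}

# Exit 0 if MASQUERADE can pick a source on $1, 1 if every address is
# link-scoped (the kernel then falls back to an address on another
# interface, which is the symptom in the question), 2 if no IPv4 address.
masq_check() {
    all=$(iface_addrs "$1")
    [ -n "$all" ] || return 2
    printf '%s\n' "$all" | awk '$2 == "global"' | grep -q . && return 0
    return 1
}

# Remedy A: re-install the address with global scope so address selection
# sees it.  $1 = interface, $2 = addr/prefix.  Prints the command (needs root).
scope_fix_cmd() {
    printf 'ip addr replace %s dev %s scope global\n' "$2" "$1"
}

# Remedy B: bypass MASQUERADE's address selection with an explicit SNAT.
# $1 = interface, $2 = address without prefix.  Caveat: a fixed --to-source
# has to be refreshed if IPv4LL conflict resolution moves the device to a
# different 169.254 address, which MASQUERADE would have tracked on its own.
snat_rule_cmd() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$1" "$2"
}

# Demo on the constructed sample: eth0 carries only a link-scoped address.
for ifc in eth0 eth1; do
    if printf '%s\n' "$SAMPLE_IP_OUTPUT" | masq_check "$ifc"; then
        echo "$ifc: ok, MASQUERADE has a global-scope source address"
    else
        echo "$ifc: MASQUERADE will not use this interface's own address"
        addr=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | iface_addrs "$ifc" | awk 'NR == 1 { print $1 }')
        scope_fix_cmd "$ifc" "$addr"
        snat_rule_cmd "$ifc" "${addr%/*}"
    fi
done
```

Of the two remedies, the scope change keeps MASQUERADE's automatic tracking of address changes, which matters for link-local addresses because they can move after an address conflict; the SNAT rule works regardless of scope but pins one address. Whether NetworkManager can be told to install a 169.254 address with global scope is not something this example verifies, so on a managed interface the `ip addr replace` step is shown as a manual check rather than a configuration setting.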