id,summary,reporter,owner,description,type,status,component,version,resolution,keywords,cc,guest,host 6524,NAT setup UDP traffic wrong src IP,jerryhu,,"I have a CentOS guest on a CentOS host with NAT setup. On the guest, I run a syslog event collector listening to udp/514. Using port-forwarding syslog events (UDP unicast) are forwarded to guest. Somehow, the src ip of those event become 10.0.2.2 on guest, which on host, it shows the correct src ip. I also tried ssh port forwarding (TCP), it worked fine. So this is UDP specific issue. Here are tcpdump from both host and guest: On host: {{{ tcpdump -nvp udp port 514 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 18:50:24.661024 IP (tos 0x0, ttl 64, id 25582, offset 0, flags [none], proto: UDP (17), length: 79) 10.155.69.23.syslog > 10.155.69.212.syslog: SYSLOG, length: 51 Facility daemon (3), Severity error (3) Msg: Apr 6 18:52:35 last message repeated 352 times 18:50:24.661197 IP (tos 0x0, ttl 64, id 25583, offset 0, flags [none], proto: UDP (17), length: 117) 10.155.69.23.syslog > 10.155.69.212.syslog: SYSLOG, length: 89 Facility auth (4), Severity info (6) Msg: Apr 6 18:52:35 sshd[34534]: Did not receive ident[|syslog] 18:50:24.745518 IP (tos 0x0, ttl 64, id 25585, offset 0, flags [none], proto: UDP (17), length: 191) 10.155.69.23.syslog > 10.155.69.212.syslog: SYSLOG, length: 163 Facility daemon (3), Severity error (3) Msg: Apr 6 18:52:35 rpd[1318]: RPD_L2VPN_SITE_COLLISIO[|syslog] 18:50:31.825655 IP (tos 0x0, ttl 64, id 42236, offset 0, flags [none], proto: UDP (17), length: 116) 10.155.69.1.syslog > 10.155.69.212.syslog: SYSLOG, length: 88 Facility auth (4), Severity info (6) Msg: Apr 6 18:43:46 sshd[64626]: Did not receive ident[|syslog] 18:50:31.921804 IP (tos 0x0, ttl 64, id 42239, offset 0, flags [none], proto: UDP (17), length: 116) 10.155.69.1.syslog > 10.155.69.212.syslog: SYSLOG, length: 88 Facility auth (4), Severity info (6) Msg: Apr 6 18:43:46 sshd[64624]: Did not receive ident[|syslog] 18:50:33.086459 IP (tos 0x0, ttl 64, id 42251, offset 0, flags [none], proto: UDP (17), length: 117) 10.155.69.1.syslog > 10.155.69.212.syslog: SYSLOG, length: 89 Facility auth (4), Severity info (6) Msg: Apr 6 18:43:47 sshd[64628]: Did not receive ident[|syslog] }}} On guest: {{{ tcpdump -nvp udp port 514 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 18:50:22.252032 IP (tos 0x0, ttl 64, id 24504, offset 0, flags [none], proto: UDP (17), length: 117) 10.0.2.2.514 > 10.0.2.15.514: SYSLOG, length: 89 Facility auth (4), Severity info (6) Msg: Apr 6 18:43:34 sshd[64618]: Did not receive ident[|syslog] 18:50:27.128257 IP (tos 0x0, ttl 64, id 24506, offset 0, flags [none], proto: UDP (17), length: 79) 10.0.2.2.36744 > 10.0.2.15.514: SYSLOG, length: 51 Facility daemon (3), Severity error (3) Msg: Apr 6 18:52:35 last message repeated 352 times 18:50:27.128351 IP (tos 0x0, ttl 64, id 24507, offset 0, flags [none], proto: UDP (17), length: 117) 10.0.2.2.36744 > 10.0.2.15.514: SYSLOG, length: 89 Facility auth (4), Severity info (6) Msg: Apr 6 18:52:35 sshd[34534]: Did not receive ident[|syslog] 18:50:27.213209 IP (tos 0x0, ttl 64, id 24509, offset 0, flags [none], proto: UDP (17), length: 191) 10.0.2.2.36744 > 10.0.2.15.514: SYSLOG, length: 163 Facility daemon (3), Severity error (3) Msg: Apr 6 18:52:35 rpd[1318]: RPD_L2VPN_SITE_COLLISIO[|syslog] 18:50:34.293485 IP (tos 0x0, ttl 64, id 24511, offset 0, flags [none], proto: UDP (17), length: 116) 10.0.2.2.514 > 10.0.2.15.514: SYSLOG, length: 88 }}} ",defect,closed,network/NAT,VirtualBox 3.2.6,fixed,,,Linux,Linux