basil00 / Divert

WinDivert: Windows Packet Divert
https://reqrypt.org/windivert.html

FORWARD layer without any modifications will also affect internet access #361

Closed. DynixDynix closed this 3 months ago.

DynixDynix commented 3 months ago

Hi basil00, thank you for your time. I opened Windows ICS and treated my system as a soft router to filter LAN traffic. After testing, in certain situations, opening the forwarding layer may cause many strange problems. If WINDIVERT_FLAG_SNIFF is not set, even if no data packets are modified, it can cause strange problems: packets cannot be sent out, the internal network cannot be accessed, etc. I have printed some information for your reference.

======= represents the network layer; ***** represents the forward layer.

This is the process with WINDIVERT_FLAG_SNIFF not set (I did not modify the packet but injected it directly):

    192.168.137.88:42050=======192.168.0.102:65433   // LAN device requests LAN proxy server
    192.168.0.45:62691=======192.168.0.102:65433     // Local WAN port requests proxy server
    192.168.0.102:65433-------------192.168.0.45:62691   // Proxy server sends to local WAN port
    192.168.0.102:65433=======192.168.137.88:42050   // Proxy server sends to local LAN device
    192.168.0.102:65433=======192.168.137.88:42050
    192.168.137.88:42050=======192.168.0.102:65433
    192.168.0.45:62691=======192.168.0.102:65433
    192.168.137.88:42050=======192.168.0.102:65433

This is the process with WINDIVERT_FLAG_SNIFF set:

    192.168.137.88:48878=======192.168.0.102:65433   // LAN device requests LAN proxy server
    192.168.0.102:65433-------------192.168.0.45:62717   // Proxy server sends to local WAN port
    192.168.0.45:62717=======192.168.0.102:65433
    192.168.0.102:65433-------------192.168.0.45:62717
    192.168.0.102:65433=======192.168.137.88:48878
    192.168.137.88:48878=======192.168.0.102:65433
    192.168.0.45:62717=======192.168.0.102:65433
    192.168.137.88:48878=======192.168.0.102:65433

After testing, I feel that opening the forward handle may cause a change in the network, perhaps due to an injected packet issue? But I didn't modify any data packets. I think the process with WINDIVERT_FLAG_SNIFF set is correct, because the forwarding layer does not need to NAT the data to the network layer to access the external network. I hope this can catch your attention. Is there any way to make the packet flow the same as with WINDIVERT_FLAG_SNIFF set?

basil00 commented 3 months ago

Is this just the known issue with the combination of the NAT with the FORWARD layer?

DynixDynix commented 3 months ago

> Is this just the known issue with the combination of NAT with the FORWARD layer?

Yes, it should be because I didn't handle the combination of the forwarding layer and the network layer properly. It seems that ICS will automatically perform some NAT, which is quite troublesome to handle. But what's very surprising is that I downloaded your latest version and compiled it, and that solved all the problems using the ETH layer. I am looking forward to the official version 3.0.

basil00 commented 3 months ago

NAT+forward layer is a known issue.

The ETH layer is permanently delayed due to unsolvable (?) problems that affect general usage, unfortunately.

DynixDynix commented 3 months ago

> NAT+forward layer is a known issue.
>
> Unfortunately, the ETH layer is permanently delayed due to unsolvable (?) problems that affect general usage.

What problem did you encounter in the ETH layer? I feel very good using it, and I have implemented my own router. I am also researching your source code; perhaps I can provide you with some ideas. I hope to continue supporting the ETH layer, which is the ultimate solution for filtering mobile traffic, and I have already implemented a Windows router.

majibow commented 3 months ago

I have a workaround for you if you don't specifically need NAT. It's something I have used in the past to implement a country selection firewall filter with WinDivert FORWARD.

  1. Create a static route on the router to divert traffic for the target destination to go via the computer doing the forwarding.
  2. Enable the registry key on the computer doing the forwarding (DWORD value: 0 = off, 1 = on): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter (see https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/tcpip-and-nbt-configuration-parameters)

This avoids NAT and ICS... all devices will be on the same subnet.

If you need those devices on another subnet you will need to also create some static routes on the computer doing the forwarding.
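The forwarding-host side of this workaround (step 2 plus the extra static routes for a second subnet) as an added PowerShell example; it is not code from the issue or from the WinDivert project, and the interface alias `Ethernet`, the subnet `192.168.137.0/24` and the next hop `192.168.0.1` are assumed placeholders for a real deployment.

```powershell
# Added example, not from the issue or the WinDivert project.
# Run in an elevated PowerShell on the computer doing the forwarding.
# Assumed placeholders: interface alias 'Ethernet', LAN-side subnet
# 192.168.137.0/24, next hop 192.168.0.1.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Show the current value of IPEnableRouter (absent or 0 = routing off, 1 = on).
$before = (Get-ItemProperty -Path $regPath -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
Write-Host "IPEnableRouter before: $before"

# Step 2 of the workaround: turn on system-wide IP forwarding.
# The legacy registry value only takes effect after a reboot.
Set-ItemProperty -Path $regPath -Name IPEnableRouter -Value 1 -Type DWord

# Per-interface forwarding can be enabled without a reboot; this is the
# modern equivalent and is what the stack actually consults at run time.
Get-NetIPInterface -AddressFamily IPv4 -InterfaceAlias 'Ethernet' |
    Set-NetIPInterface -Forwarding Enabled

# Only needed when the filtered devices sit on another subnet: a static
# route on the forwarding host for that subnet (ActiveStore = not persisted
# across reboots, so a mistake does not survive a restart).
New-NetRoute -DestinationPrefix '192.168.137.0/24' `
             -NextHop '192.168.0.1' `
             -InterfaceAlias 'Ethernet' `
             -PolicyStore ActiveStore

# Verify: forwarding state per interface and the route just added.
Get-NetIPInterface -AddressFamily IPv4 | Select-Object InterfaceAlias, Forwarding
Get-NetRoute -DestinationPrefix '192.168.137.0/24' | Select-Object DestinationPrefix, NextHop, InterfaceAlias
```

Step 1 (the static route on the upstream router pointing the target destination at this host) is configured on the router itself, not here; without it no traffic reaches the FORWARD layer on this machine.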

DynixDynix commented 3 months ago

> I have a workaround for you if you don't specifically need NAT. I have used it in the past to implement a country/region selection firewall filter with WinDivert FORWARD.
>
>   1. Create a static route on the router to divert traffic for the target address to the computer doing the forwarding.
>   2. Enable the registry key on the computer doing the forwarding: DWORD value = [0 - off, 1 - on] HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/tcpip-and-nbt-configuration-parameters
>
> This avoids NAT and ICS... all devices will be on the same subnet.
>
> If you need those devices on another subnet, you will also need to create some static routes on the computer doing the forwarding.

Thank you for your tip. I'm not sure if your method is feasible. My goal is to turn the Windows system into a load-balancing router that needs to accept all the IP addresses of the network card for NAT.

In addition, I have compiled basil00's beta version of WinDivert 3.0, which does not open ICS and directly opens the ETH layer handle for filtering. I have achieved the function I wanted, and I did not encounter the network disconnection issue he mentioned.