Hello,
you have the following:
                          +--(UPF1)--N6--(DN1)
(gNB)-- N3 --(UPFb)-- N9 -+
                          +--(UPF2)--N6--(DN2)
Firstly, on the N3 interface there is only GTP-encapsulated traffic. In the GTP outer PDU, the source IP address is always either the gNB or the intermediate UPF. Therefore MASQUERADE is never required on the N3 interface. The same applies to the N9 interface, where there is only GTP traffic from/destined to a UPF.
Now the behavior of UPFs:
- When your UPF receives GTP-encapsulated PDUs destined to the Data Network, it performs decapsulation and forwards them on the N6 interface.
- When your UPF receives IP packets, it looks in its routing tables and chooses to encapsulate the packet using GTP and to send the resulting packet to the next GTP peer (intermediate UPF or gNB).
This works very well if you have a public IPv4 block and you assign part of it as the pool to use for UEs.
But, because you do not have this public IPv4 block, your UEs are assigned IP addresses from a private IPv4 subnet (10/8, 172.16/12, 192.168/16), so your Data Network cannot have a route to your UEs. To let them respond to your packets:
- the UPF must replace the source IP address on packets destined to the Data Network with the UPF's own address
- the UPF must replace the destination IP address on packets received by the UPF from the Data Network with the correct UE IP address.
This is called MASQUERADE, and you only need to use it on interfaces that can directly reach a Data Network (i.e. N6).
TL;DR:
- on UPF1 and UPF2:
iptables -t nat -A POSTROUTING -o n6 -j MASQUERADE
- on UPFb: nothing
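As an added example (not part of the reply above), the following POSIX shell script turns the TL;DR into an idempotent per-UPF step: it applies MASQUERADE only to an interface that reaches a Data Network (N6), does nothing for GTP-only interfaces (N3, N9), and restricts the SNAT rule to the UE pool so the UPF's own management traffic is not rewritten. The interface names (n6, n3, n9), the UE pool 10.45.0.0/16 and the DRY_RUN switch are assumptions made for this example; run it as root on the UPF host, or with DRY_RUN=1 to only print the commands.

```shell
#!/bin/sh
# Added example: configure SNAT for UE traffic on a UPF with an N6 interface,
# and apply nothing on an intermediate UPF that only has N3/N9 interfaces.
# Assumptions (hypothetical): UE pool 10.45.0.0/16, interface named "n6";
# DRY_RUN=1 prints commands instead of executing them.

UE_POOL="${UE_POOL:-10.45.0.0/16}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rule arguments for the POSTROUTING chain of the nat table. Matching on the
# UE pool (-s) keeps the UPF's own traffic out of the masquerade.
masquerade_rule_args() {
    printf 'POSTROUTING -s %s -o %s -j MASQUERADE' "$UE_POOL" "$1"
}

# Decide by interface role: only N6 reaches a Data Network, so only N6 needs
# MASQUERADE. N3 and N9 carry GTP-U whose outer source IP is the gNB or a UPF.
# Returns 0 = needs NAT, 1 = GTP-only (no NAT), 2 = unknown role.
needs_masquerade() {
    case "$1" in
        n6|N6)        return 0 ;;
        n3|N3|n9|N9)  return 1 ;;
        *)            return 2 ;;
    esac
}

# Idempotent apply: "iptables -t nat -C" checks for the rule, "-A" appends it
# only when absent, so re-running the script never duplicates the rule.
apply_masquerade() {
    iface="$1"
    needs_masquerade "$iface" && rc=0 || rc=$?
    case "$rc" in
        1) echo "no NAT needed on $iface (GTP-only interface)"; return 0 ;;
        2) echo "unknown interface role: $iface" >&2; return 2 ;;
    esac
    set -- $(masquerade_rule_args "$iface")
    run sysctl -w net.ipv4.ip_forward=1
    if [ "$DRY_RUN" = "1" ] || ! iptables -t nat -C "$@" 2>/dev/null; then
        run iptables -t nat -A "$@"
    fi
}

# Verification helper: reads the output of "iptables -t nat -S POSTROUTING"
# from stdin and succeeds if a MASQUERADE rule exists for the given interface.
has_masquerade_on() {
    grep -q -- "-o $1 .*-j MASQUERADE"
}

# Usage on an edge UPF (UPF1/UPF2): apply_masquerade n6
# Usage on the intermediate UPF (UPFb): apply_masquerade n9  (prints "no NAT needed")
```

After applying, `iptables -t nat -S POSTROUTING | has_masquerade_on n6` confirms the rule is in place; the same check against n3 or n9 should fail, which is the expected state on UPFb.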