NAT

From VyOS Wiki

There are two types of NAT, source NAT and destination NAT. The names can be slightly confusing, because they refer to the field of the IP header that is rewritten (the source or the destination address), not to the direction of the traffic.

However, for most people, 'source' can be thought of as 'outgoing' and 'destination' as 'incoming'.

Source NAT (Outgoing)

This is often used in smaller networks, where you only have one Public IP, and want to make all your internal traffic use your Public IP address.

Example Configuration

This assumes that your internal network is on eth1 and uses the address space 172.16.17.1/24 (as configured in the DHCP Server documentation).

set nat source rule 100 outbound-interface pppoe0
set nat source rule 100 translation address masquerade

Explanation

Rule '100' is an example rule number and has no special significance (unlike, for example, Cisco IOS, where rule numbers below 100 are treated differently from rule numbers of 100 and above). Rules are simply processed in numerical order.

  • set nat source rule 100 outbound-interface pppoe0
For any traffic that is leaving interface pppoe0
  • set nat source rule 100 translation address masquerade
Rewrite its source address so that it appears to come from the IP address of that interface.

These two lines are normally sufficient for most scenarios.

Destination NAT (Incoming)

If you want to ensure that certain traffic always arrives at a specific machine inside your network, you can use Destination NAT. This is usually only needed in exceptional circumstances, because the return traffic of connections started from inside the network is tracked and translated automatically, without any user configuration.

A common exception, however, is running a VoIP server inside your network. This requires several ports to be forwarded explicitly, so that NAT has no opportunity to 'fix' the packets as they traverse the router.

Example VoIP NAT Configuration

In this example, 172.16.17.100 is a FreePBX server running UCP on TCP port 443, SIP on UDP port 5060, and RTP on UDP ports 10000 through 20000.

set nat destination rule 100 description "FreePBX User Control Panel (https)"
set nat destination rule 100 inbound-interface pppoe0
set nat destination rule 100 destination port 443
set nat destination rule 100 protocol tcp
set nat destination rule 100 translation address 172.16.17.100
set nat destination rule 101 description "FreePBX SIP and RTP"
set nat destination rule 101 inbound-interface pppoe0
set nat destination rule 101 destination port "5060,10000-20000"
set nat destination rule 101 protocol udp
set nat destination rule 101 translation address 172.16.17.100

Explanation

This is broken into two rules, rule 100 and rule 101. Rule 100 handles TCP traffic (for the FreePBX User Control Panel, which runs over HTTPS), and rule 101 handles UDP traffic (for SIP and RTP).

The NAT match is based on protocol and port.

  • set nat destination rule 100 inbound-interface pppoe0
When traffic arrives at interface pppoe0
  • set nat destination rule 100 destination port 443
With the destination of port 443
  • set nat destination rule 100 protocol tcp
That is TCP traffic
  • set nat destination rule 100 translation address 172.16.17.100
Send it to 172.16.17.100

Rule 101 works the same way, the only difference being that it matches UDP traffic sent to port 5060 or to any port in the range 10000 to 20000 inclusive.


Special Cases

SNAT only some networks

This is common in corporate datacenter networks, where you want to NAT traffic to the Internet but not traffic to one or more internal networks. These cases assume that routing is already set up properly and the networks can reach each other.

SNAT everything except one Network

Example: the internal network 10.27.0.0/16 must be NAT-ed (it has no internet access otherwise), while traffic to the public network 210.0.0.0/8 must not be NAT-ed, because the internal network is directly reachable from those public addresses. Configure everything as usual, but give the destination parameter a negated value:

set nat source rule 100 source address 10.27.0.0/16
set nat source rule 100 outbound-interface eth1
set nat source rule 100 translation address masquerade
set nat source rule 100 destination address !210.0.0.0/8 # '!' means everything except this network

Alternatively, the same approach as for multiple networks (below) works too.

SNAT everything except multiple Networks

Example: the internal network 10.27.0.0/16 must be NAT-ed (it has no internet access otherwise), while traffic to the public network 210.0.0.0/8 and to a second public network 212.0.0.0/8 must not be NAT-ed, because the internal network is directly reachable from those public addresses. 211.0.0.0/8 is part of the internet and has to be NAT-ed.

Here the single-network approach does not work, because VyOS currently cannot handle multiple destination addresses in one rule. Splitting the negation into two rules does not help either: traffic for the second network is not inside the first rule's excluded network, so it matches the first rule and is masqueraded before the second rule is ever consulted.

Solution: excluding networks from NAT and using a default rule:

set nat source rule 100 source address 10.27.0.0/16
set nat source rule 100 destination address 210.0.0.0/8
set nat source rule 100 outbound-interface eth1
set nat source rule 100 exclude
set nat source rule 200 source address 10.27.0.0/16
set nat source rule 200 destination address 212.0.0.0/8
set nat source rule 200 outbound-interface eth1
set nat source rule 200 exclude
set nat source rule 9000 source address 10.27.0.0/16
set nat source rule 9000 outbound-interface eth1
set nat source rule 9000 translation address masquerade
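To make the first-match behaviour concrete, here is a small Python simulator of VyOS source-NAT rule evaluation, covering both the failed split-negation attempt described above and the working exclude-plus-default solution. It is an added example, not VyOS code: it only parses the `set nat source rule` syntax and mimics the matching logic, and the two embedded configurations are constructed with the common source and outbound-interface lines left out.

```python
"""VyOS source-NAT first-match simulator: added example, not VyOS code."""
import ipaddress

def parse_rules(config):
    """{rule_number: {field: last_token}} from `set nat source rule` lines."""
    rules = {}
    for line in config.strip().splitlines():
        tok = line.split("#", 1)[0].split()  # drop trailing '#' comments
        if tok[:4] == ["set", "nat", "source", "rule"]:
            rules.setdefault(int(tok[4]), {})[tok[5]] = tok[-1]
    return rules

def addr_match(spec, ip):
    """Address-in-prefix test honouring the VyOS '!' prefix (everything except)."""
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != spec.startswith("!")

def first_match(rules, src, dst, iface):
    """Lowest-numbered rule whose fields all match; absent fields match anything."""
    for num, r in sorted(rules.items()):
        if (r.get("outbound-interface", iface) == iface
                and addr_match(r.get("source", "0.0.0.0/0"), src)
                and addr_match(r.get("destination", "0.0.0.0/0"), dst)):
            return num
    return None

def is_masqueraded(config, src, dst, iface="eth1"):
    """True if the flow is translated; False if excluded or no rule matches."""
    rules = parse_rules(config)
    num = first_match(rules, src, dst, iface)
    if num is None or "exclude" in rules[num]:
        return False
    return rules[num].get("translation") == "masquerade"

# Split attempt from the text, one negated destination per rule (does NOT work).
# Common source/outbound-interface lines are left out of both configs for brevity.
SPLIT_NEGATION = """
set nat source rule 100 destination address !210.0.0.0/8
set nat source rule 100 translation address masquerade
set nat source rule 200 destination address !212.0.0.0/8
set nat source rule 200 translation address masquerade
"""
# Working solution from the text: exclude rules first, catch-all masquerade last.
EXCLUDE_THEN_DEFAULT = """
set nat source rule 100 destination address 210.0.0.0/8
set nat source rule 100 exclude
set nat source rule 200 destination address 212.0.0.0/8
set nat source rule 200 exclude
set nat source rule 9000 translation address masquerade
"""
```

With the split negation, traffic to both 210.0.0.0/8 and 212.0.0.0/8 is still masqueraded, because each destination escapes one rule's negation only to match the other; with the exclude rules in front, only traffic to the internet (for example 211.0.0.0/8) reaches rule 9000.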

Caveats

NAT matching is first-match, regardless of the specificity of the rules included in the configuration.

As a practical rule, place all 1:1 NAT rules at the top and general-traffic rules at the bottom.

Since rule numbers span from 1 to 9999, there is plenty of room to allocate and group the various NAT requirements effectively.