There are two types of NAT, source and destination NAT, and the names can be slightly confusing, as they refer to the field of the raw IP Packet that they're changing.
However, for most people, 'source' can be thought of as 'outgoing', and 'destination' can be thought of as 'incoming'.
Source NAT (Outgoing)
This is often used in smaller networks, where you only have one Public IP, and want to make all your internal traffic use your Public IP address.
This assumes that your internal network is on eth1 and uses the address space 172.16.17.1/24 (as configured in the DHCP Server documentation).
set nat source rule 100 outbound-interface pppoe0
set nat source rule 100 translation address masquerade
Rule '100' is an example rule number and has no special significance (unlike, for example, Cisco IOS, where rule numbers below 100 are treated differently from rule numbers above 100). The rules are simply processed in numerical order.
set nat source rule 100 outbound-interface pppoe0
- For any traffic that is leaving interface pppoe0
set nat source rule 100 translation address masquerade
- Change it so it appears to be coming from the IP address of the interface.
These two lines are normally sufficient for most scenarios.
Destination NAT (Incoming)
If you want to ensure that certain traffic always arrives at a specific machine inside your network, you can use Destination NAT. However, this is usually only needed in exceptional circumstances: for connections initiated from inside the network, the router's connection tracking works out the return flow automatically, without any user configuration.
A common exception is running a VoIP server inside your network. This requires several ports to be forwarded explicitly, so that NAT has no opportunity to try to 'fix' the packets as they traverse the system.
Example VoIP NAT Configuration
In this example, 172.16.17.100 is a FreePBX server running UCP (the User Control Panel) on TCP port 443, SIP on UDP port 5060, and RTP on UDP ports 10000 through 20000.
set nat destination rule 100 description "FreePBX User Control Panel (https)"
set nat destination rule 100 inbound-interface pppoe0
set nat destination rule 100 destination port 443
set nat destination rule 100 protocol tcp
set nat destination rule 100 translation address 172.16.17.100
set nat destination rule 101 description "FreePBX SIP and RTP"
set nat destination rule 101 inbound-interface pppoe0
set nat destination rule 101 destination port "5060,10000-20000"
set nat destination rule 101 protocol udp
set nat destination rule 101 translation address 172.16.17.100
This is broken into two rules, 100 and 101. Rule 100 handles TCP traffic (the FreePBX User Control Panel, which is served over HTTPS), and rule 101 handles UDP traffic (SIP and RTP).
The NAT match for rule 100 is based on:
set nat destination rule 100 inbound-interface pppoe0
- When traffic arrives at interface pppoe0
set nat destination rule 100 destination port 443
- With the destination of port 443
set nat destination rule 100 protocol tcp
- That is TCP Traffic
set nat destination rule 100 translation address 172.16.17.100
- Send it to 172.16.17.100
Rule 101 is equivalent, with the difference that it matches UDP traffic sent to port 5060, or to any port in the range 10000 to 20000 inclusive.
SNAT some Networks
This is common in corporate datacenter networks, where you may want to NAT traffic to the Internet but not traffic to one or more internal networks. These cases assume that routing is set up properly and that the networks are able to reach each other.
SNAT everything except one Network
Example: an internal network 10.27.0.0/16 (to be NATed, as no Internet access is otherwise available) and a public network 184.108.40.206/8 (traffic to it should not be NATed, because the internal network is reachable from the public addresses). Configure everything as usual, but set a negated value for the destination parameter (a leading ! means "everything except"):
set nat source rule 100 source address 10.27.0.0/16
set nat source rule 100 outbound-interface eth1
set nat source rule 100 translation address masquerade
set nat source rule 100 destination address !220.127.116.11/8
Alternatively, the same approach as for multiple networks (below) works too.
SNAT everything except multiple Networks
Example: an internal network 10.27.0.0/16 (to be NATed, as no Internet access is otherwise available), a public network 18.104.22.168/8 and a second network 22.214.171.124/8 (traffic to these should not be NATed, because the internal network is reachable from the public addresses). 126.96.36.199/8 is part of the Internet and has to be NATed.
Here the single-network approach does not work, as VyOS is currently not capable of handling multiple destination addresses in one rule. If you split it into multiple negated-destination rules, traffic to the second network never reaches the second rule: because the second network is not inside the first one, that traffic already matches the first rule's negated destination and is NATed there.
Solution: exclude the networks from NAT with dedicated rules and add a default rule at the end:
set nat source rule 100 source address 10.27.0.0/16
set nat source rule 100 destination address 188.8.131.52/8
set nat source rule 100 outbound-interface eth1
set nat source rule 100 exclude
set nat source rule 200 source address 10.27.0.0/16
set nat source rule 200 destination address 184.108.40.206/8
set nat source rule 200 outbound-interface eth1
set nat source rule 200 exclude
set nat source rule 9000 source address 10.27.0.0/16
set nat source rule 9000 outbound-interface eth1
set nat source rule 9000 translation address masquerade
NAT matching is first-match, regardless of the specificity of the rules included in the configuration.
As a practical rule, always place 1:1 NAT rules at the top and general-traffic rules at the bottom.
Since rule numbers span 1 to 9999, there is plenty of room to allocate and group NAT requirements effectively.
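The first-match behaviour above, and the reason the split-into-negated-rules approach fails, can be checked with a small model of the source NAT rule evaluation. This is an added example, not VyOS code: it models only the rule options used on this page (source/destination address with optional ! negation, outbound-interface, exclude, masquerade) and the /8 networks from the examples above are used as constructed sample traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SnatRule:
    """One 'set nat source rule N ...' entry, limited to the options used on this page."""
    number: int
    outbound_interface: str
    source: Optional[str] = None       # 'source address', e.g. "10.27.0.0/16"
    destination: Optional[str] = None  # 'destination address'; a leading '!' means everything except
    exclude: bool = False              # 'exclude': matching traffic is left untranslated
    masquerade: bool = False           # 'translation address masquerade'

def _addr_match(spec: Optional[str], ip: str) -> bool:
    """An unset address matches anything; '!prefix' inverts the membership test."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def snat_decision(rules: List[SnatRule], src_ip: str, dst_ip: str, out_if: str) -> str:
    """First match in ascending rule-number order wins; later rules are never consulted."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.outbound_interface != out_if:
            continue
        if not (_addr_match(r.source, src_ip) and _addr_match(r.destination, dst_ip)):
            continue
        if r.exclude:
            return f"rule {r.number}: exclude"
        if r.masquerade:
            return f"rule {r.number}: masquerade"
    return "no match: not translated"

# The page's working configuration: exclude both networks, then a catch-all masquerade rule.
EXCLUDE_RULES = [
    SnatRule(100, "eth1", "10.27.0.0/16", "188.8.131.52/8", exclude=True),
    SnatRule(200, "eth1", "10.27.0.0/16", "184.108.40.206/8", exclude=True),
    SnatRule(9000, "eth1", "10.27.0.0/16", masquerade=True),
]

# The approach the page says does not work: one negated-destination masquerade rule per network.
# Traffic to the second network already matches rule 100 (it is outside the first network).
NAIVE_RULES = [
    SnatRule(100, "eth1", "10.27.0.0/16", "!188.8.131.52/8", masquerade=True),
    SnatRule(200, "eth1", "10.27.0.0/16", "!184.108.40.206/8", masquerade=True),
]
```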