NAT¶
NAT provides a way to translate IPv4 addresses and ports while crossing the device. This technique is typically used to conserve addresses now that IPv4 addresses become a scarce resource.
Note
NAT rules not configured by the management system will not be displayed by show state and will be lost when a new NAT configuration is committed.
Caution
NAT and CG-NAT are exclusive. If CG-NAT is enabled, NAT must be disabled on ports bound to the fast path.
See also
The command reference for details.
Relation with IP packet filtering¶
When configuring NAT along with IP packet filtering, you should know that:
source NAT happens in
postrouting
chain, aftermangle
tabledestination NAT happens in
prerouting
chain, afterraw
andmangle
tablesconnection tracking (conntracks) keeps track of how the packet should be changed in the two directions
See also
IP packet filtering for details.
Source NAT¶
Source NAT changes the source IPv4 address or port of an outgoing packet.
Note
A destination NAT rule is not needed to do source NAT. Connection tracking keeps track of how the packet should be changed in the two directions, so a source NAT rule is enough. A destination NAT rule can be added if the NAT connection can be opened from both sides.
Here is an example of a rule which matches the packets with source address
1.1.1.1
output to public
interface, and translates their source address to
2.2.2.2
:
vrouter running config# vrf main
vrouter running vrf main# nat
vrouter running nat# source-rule 1 source address 1.1.1.1/32 outbound-interface public translate-to address 2.2.2.2
vrouter running nat# commit
To display the applied configuration:
vrouter running config# show state vrf main nat
nat
source-rule 1 source address 1.1.1.1/32 outbound-interface public translate-to address 2.2.2.2
..
The same configuration can be made using this NETCONF XML configuration:
vrouter running config# show config xml absolute vrf main nat
<config xmlns="urn:6wind:vrouter">
<vrf>
<name>main</name>
<nat xmlns="urn:6wind:vrouter/nat">
<source-rule>
<id>1</id>
<source>
<address>
<value>1.1.1.1/32</value>
</address>
</source>
<outbound-interface>
<name>public</name>
</outbound-interface>
<translate-to>
<address>
<value>2.2.2.2</value>
</address>
</translate-to>
</source-rule>
</nat>
</vrf>
</config>
Masquerading¶
Masquerading is a kind of source NAT. It is a way to use one public IPv4 address visible on the Internet for an entire private network, using the IPv4 address of the device public interface.
Here is an example of a rule which matches the packets sent via public
interface, and translates their source address to the IPv4 address of public
interface:
vrouter running config# vrf main
vrouter running vrf main# nat
vrouter running nat# source-rule 1 outbound-interface public translate-to output-address
vrouter running nat# commit
To display the applied configuration:
vrouter running config# show state vrf main nat
nat
source-rule 1 outbound-interface public translate-to output-address
..
The same configuration can be made using this NETCONF XML configuration:
vrouter running config# show config xml absolute vrf main nat
<config xmlns="urn:6wind:vrouter">
<vrf>
<name>main</name>
<nat xmlns="urn:6wind:vrouter/nat">
<source-rule>
<id>1</id>
<outbound-interface>
<name>public</name>
</outbound-interface>
<translate-to>
<output-address/>
</translate-to>
</source-rule>
</nat>
</vrf>
</config>
Destination NAT¶
Destination NAT changes the destination IPv4 address or port of an incoming packet.
Note
A source NAT rule is not needed to do destination NAT. Connection tracking keeps track of how the packet should be changed in the two directions, so a destination NAT rule is enough. A source NAT rule can be added if the NAT connection can be opened from both sides.
Here is an example of a rule which matches the tcp
packets with destination
port 8080
received from public
interface, and translates their destination
address to 2.2.2.2
, and their destination port to 80
:
vrouter running config# vrf main
vrouter running vrf main# nat
vrouter running nat# destination-rule 1 protocol tcp destination port 8080 inbound-interface public translate-to address 2.2.2.2 port 80
vrouter running nat# commit
To display the applied configuration:
vrouter running config# show state vrf main nat
nat
destination-rule 1 protocol tcp destination port 8080 inbound-interface public translate-to address 2.2.2.2 port 80
..
The same configuration can be made using this NETCONF XML configuration:
vrouter running config# show config xml absolute vrf main nat
<config xmlns="urn:6wind:vrouter">
<vrf>
<name>main</name>
<nat xmlns="urn:6wind:vrouter/nat">
<destination-rule>
<id>1</id>
<protocol>
<value>tcp</value>
</protocol>
<destination>
<port>
<value>8080</value>
</port>
</destination>
<inbound-interface>
<name>public</name>
</inbound-interface>
<translate-to>
<address>
<value>2.2.2.2</value>
<port>80</port>
</address>
</translate-to>
</destination-rule>
</nat>
</vrf>
</config>