NAT

NAT translates the IPv4 addresses and ports of packets as they cross the device. It is typically used to conserve public addresses, since IPv4 addresses have become a scarce resource.

Note

NAT rules not configured by the management system will not be displayed by show state and will be lost when a new NAT configuration is committed.

Caution

NAT and CG-NAT are exclusive. If CG-NAT is enabled, NAT must be disabled on ports bound to the fast path.

See also

The command reference for details.

Relation with IP packet filtering

When configuring NAT along with IP packet filtering, you should know that:

  • source NAT happens in the postrouting chain, after the mangle table

  • destination NAT happens in the prerouting chain, after the raw and mangle tables

  • connection tracking (conntrack) records how the packets of a connection must be changed in the two directions

Consequently, filtering rules between these two points (the forward chain) see the destination address and port as already rewritten by destination NAT and the source address and port as not yet rewritten by source NAT; filtering rules must match the translated values, not the ones on the wire.

See also

IP packet filtering for details.

Source NAT

Source NAT changes the source IPv4 address or port of an outgoing packet.

Note

A destination NAT rule is not needed to do source NAT. Connection tracking records how the packets of a connection must be changed in the two directions, so a source NAT rule is enough for connections opened from the translated side and their replies. A destination NAT rule must be added only if connections also have to be opened from the other side.

Here is an example of a rule which matches packets with source address 1.1.1.1 leaving through the public interface, and translates their source address to 2.2.2.2:

vrouter running config# vrf main
vrouter running vrf main# nat
vrouter running nat# source-rule 1 source address 1.1.1.1/32 outbound-interface public translate-to address 2.2.2.2
vrouter running nat# commit

To display the applied configuration:

vrouter running config# show state vrf main nat
nat
    source-rule 1 source address 1.1.1.1/32 outbound-interface public translate-to address 2.2.2.2
    ..

The same configuration can be made using this NETCONF XML configuration:

vrouter running config# show config xml absolute vrf main nat
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <nat xmlns="urn:6wind:vrouter/nat">
      <source-rule>
        <id>1</id>
        <source>
          <address>
            <value>1.1.1.1/32</value>
          </address>
        </source>
        <outbound-interface>
          <name>public</name>
        </outbound-interface>
        <translate-to>
          <address>
            <value>2.2.2.2</value>
          </address>
        </translate-to>
      </source-rule>
    </nat>
  </vrf>
</config>

Masquerading

Masquerading is a kind of source NAT. It uses one public IPv4 address visible on the Internet for an entire private network: the IPv4 address of the device's public interface.

Here is an example of a rule which matches packets leaving through the public interface, and translates their source address to the IPv4 address of the public interface:

vrouter running config# vrf main
vrouter running vrf main# nat
vrouter running nat# source-rule 1 outbound-interface public translate-to output-address
vrouter running nat# commit

To display the applied configuration:

vrouter running config# show state vrf main nat
nat
    source-rule 1 outbound-interface public translate-to output-address
    ..

The same configuration can be made using this NETCONF XML configuration:

vrouter running config# show config xml absolute vrf main nat
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <nat xmlns="urn:6wind:vrouter/nat">
      <source-rule>
        <id>1</id>
        <outbound-interface>
          <name>public</name>
        </outbound-interface>
        <translate-to>
          <output-address/>
        </translate-to>
      </source-rule>
    </nat>
  </vrf>
</config>

Destination NAT

Destination NAT changes the destination IPv4 address or port of an incoming packet.

Note

A source NAT rule is not needed to do destination NAT. Connection tracking records how the packets of a connection must be changed in the two directions, so a destination NAT rule is enough for connections opened from the outside and their replies. A source NAT rule must be added only if connections also have to be opened from the other side.
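The note above, the corresponding note under Source NAT and the chain order listed in Relation with IP packet filtering can be checked against a small model. The Python below is an added example, not vRouter code or anything published by 6WIND: the interface names, the addresses (203.0.113.0/24, 192.0.2.0/24 and 192.168.1.0/24), the rules, and the simplifications (only forwarded traffic, no input chain, no raw or mangle processing, established flows accepted by the filter without re-evaluating rules) are constructed assumptions.

```python
"""Toy model of netfilter NAT traversal with connection tracking (added example, not
6WIND vRouter code; addresses, interfaces, rules are constructed; forwarded traffic only)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str
    out_if: Optional[str] = None           # set by the routing decision
    def tuple5(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

@dataclass(frozen=True)
class SourceRule:       # "source-rule ... outbound-interface X translate-to ..."
    outbound_interface: str
    translate_to: str   # an address, or "output-address" for masquerading
    source_prefix: Optional[str] = None

@dataclass(frozen=True)
class DestinationRule:  # "destination-rule protocol P destination port D inbound-interface X ..."
    inbound_interface: str
    translate_to: str
    port: Optional[int] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

def reply_of(t):        # 5-tuple of the packet flowing the other way
    return (t[0], t[3], t[4], t[1], t[2])

class NatBox:
    def __init__(self, routes, if_addrs, source_rules, destination_rules, forward_allow):
        self.routes = [(ip_network(n), i) for n, i in routes]
        self.if_addrs = if_addrs                                # interface -> own address
        self.source_rules, self.destination_rules = source_rules, destination_rules
        self.forward_allow = forward_allow                      # the forward filter chain
        self.conntrack = {}                  # 5-tuple as received -> 5-tuple as sent

    def _route(self, dst):                   # longest matching prefix wins
        return max((r for r in self.routes if ip_address(dst) in r[0]),
                   key=lambda r: r[0].prefixlen)[1]

    def _dnat(self, p):                      # prerouting chain, after raw and mangle
        for r in self.destination_rules:
            if (r.inbound_interface == p.in_if and r.proto in (None, p.proto)
                    and r.dport in (None, p.dport)):
                return replace(p, dst=r.translate_to, dport=r.port or p.dport)
        return p

    def _snat(self, p):                      # postrouting chain, after mangle
        for r in self.source_rules:
            if r.outbound_interface == p.out_if and (r.source_prefix is None or
                    ip_address(p.src) in ip_network(r.source_prefix)):
                masq = r.translate_to == "output-address"
                return replace(p, src=self.if_addrs[p.out_if] if masq else r.translate_to)
        return p

    def process(self, p):                    # packet as it leaves the box, None if dropped
        known = self.conntrack.get(p.tuple5())
        if known is not None:                # established flow, either direction:
            _, src, sport, dst, dport = known   # replay the recorded rewrite, no rule lookup
            return replace(p, src=src, sport=sport, dst=dst, dport=dport, out_if=self._route(dst))
        t_in = p.tuple5()
        p = self._dnat(p)                                # 1. destination rewritten first
        p = replace(p, out_if=self._route(p.dst))        # 2. routing uses the new dst
        if not self.forward_allow(p):                    # 3. filter sees post-DNAT, pre-SNAT
            return None
        out = self._snat(p)                              # 4. source rewritten last
        self.conntrack[t_in] = out.tuple5()              # 5. remember both directions
        self.conntrack[reply_of(out.tuple5())] = reply_of(t_in)
        return out

def make_box():         # masquerade the LAN behind "public"; forward public:8080 to a LAN host
    def policy(p):      # filter matches the translated destination, as the forward chain sees it
        return p.in_if == "lan" or (p.proto, p.dst, p.dport) == ("tcp", "192.168.1.20", 80)
    return NatBox(routes=[("192.168.1.0/24", "lan"), ("0.0.0.0/0", "public")],
                  if_addrs={"public": "203.0.113.10", "lan": "192.168.1.1"},
                  source_rules=[SourceRule("public", "output-address", "192.168.1.0/24")],
                  destination_rules=[DestinationRule("public", "192.168.1.20", 80, "tcp", 8080)],
                  forward_allow=policy)

def demo():
    box = make_box()
    # masquerade: a source rule alone, and the reply is still mapped back to the LAN host
    out = box.process(Packet("tcp", "192.168.1.50", 40000, "192.0.2.7", 443, "lan"))
    back = box.process(Packet("tcp", "192.0.2.7", 443, "203.0.113.10", 40000, "public"))
    # port forward: a destination rule alone, and the reply source is restored
    fwd = box.process(Packet("tcp", "192.0.2.9", 51000, "203.0.113.10", 8080, "public"))
    fwd_back = box.process(Packet("tcp", "192.168.1.20", 80, "192.0.2.9", 51000, "lan"))
    # a filter written for the pre-DNAT port 8080 never sees the connection: dropped
    box.forward_allow = lambda p: p.dport == 8080
    wrong = box.process(Packet("tcp", "192.0.2.9", 52000, "203.0.113.10", 8080, "public"))
    return out, back, fwd, fwd_back, wrong
```

Running demo() shows that the masquerading source rule alone carries the reply from 192.0.2.7 back to 192.168.1.50:40000, that the destination rule alone restores the reply source to 203.0.113.10:8080, and that a forward filter written for port 8080 drops the forwarded connection because it only ever sees the translated port 80. Filter rules on the device have to be written the same way: against the addresses and ports as they are after destination NAT and before source NAT.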

Here is an example of a rule which matches TCP packets with destination port 8080 received on the public interface, and translates their destination address to 2.2.2.2 and their destination port to 80:

vrouter running config# vrf main
vrouter running vrf main# nat
vrouter running nat# destination-rule 1 protocol tcp destination port 8080 inbound-interface public translate-to address 2.2.2.2 port 80
vrouter running nat# commit

To display the applied configuration:

vrouter running config# show state vrf main nat
nat
    destination-rule 1 protocol tcp destination port 8080 inbound-interface public translate-to address 2.2.2.2 port 80
    ..

The same configuration can be made using this NETCONF XML configuration:

vrouter running config# show config xml absolute vrf main nat
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <nat xmlns="urn:6wind:vrouter/nat">
      <destination-rule>
        <id>1</id>
        <protocol>
          <value>tcp</value>
        </protocol>
        <destination>
          <port>
            <value>8080</value>
          </port>
        </destination>
        <inbound-interface>
          <name>public</name>
        </inbound-interface>
        <translate-to>
          <address>
            <value>2.2.2.2</value>
            <port>80</port>
          </address>
        </translate-to>
      </destination-rule>
    </nat>
  </vrf>
</config>