Hi everyone,
I’m working on a design where a single VyOS system hosts multiple VRFs, each carrying subscriber traffic that needs to be NATed toward the Internet. The goal is to have:
-
a separate CGNAT configuration per VRF,
-
each VRF with its own internal subscriber prefixes,
-
each VRF using its own external public pool,
-
and NAT performed when traffic exits the VRF, before it enters the default/global routing table.
I am using the new NFtables-based nat cgnat subsystem in VyOS rolling.
I can configure a CGNAT instance like this:
set nat cgnat log-allocation
set nat cgnat pool internal <internal-pool> range <internal-range>
set nat cgnat pool external <external-pool> range <external-range>
set nat cgnat rule 10 source pool <internal-pool>
set nat cgnat rule 10 translation pool <external-pool>
This works fine for a single context.
I would like to understand whether VyOS currently supports:
-
VRF-aware CGNAT, where:
-
pools and rules are bound to a specific VRF, and
-
NAT state is isolated per VRF.
-
-
If not, whether there is a recommended way to:
-
send traffic from a VRF into a CGNAT instance dedicated to that VRF,
-
keep translation state isolated between VRFs,
-
and avoid mixing subscriber ranges from different VRFs.
-
-
Whether VRF-scoped CGNAT is planned or under consideration for future development.
Subscriber address ranges may overlap between VRFs, so having a single global CGNAT table is not viable. Each VRF must maintain independent NAT pools and translation state.
Any clarification on current capabilities or best practices would be very helpful.
Thank you!