Conditional Source NAT

Hello everybody.

I have set up a lab with several VyOS routers and am having problems with NAT. My home network is 192.168.0/24 with a default gateway 192.168.1.1 which routes to the Internet. It is not possible to configure static routes in that router.

I have an ESXi server which hosts a bunch of virtual machines attached to 10.1.x.0/24 (x from 1 to 4) networks and a VyOS router which routes traffic from the home network to the ESXi networks.

I also have a PC with VirtualBox, and in VirtualBox a VyOS router that connects to the home network (bridge adapter, address: 192.168.1.31) and to a host-only network (192.168.238.0/24) with several virtual machines.

Both VyOS routers use SNAT for the outbound traffic, since the machines behind the routers need to access the Internet and the Internet router cannot be configured with static routes that route traffic back to the VyOS routers.

What I want is to perform SNAT only for traffic going to the Internet and not to the other networks. I guess this could be done (at least in part) by tunneling, but I’d prefer another solution. It seems to me like a form of conditional SNAT, for example:

IF traffic comes from 10.1.1.0/24 AND goes to 192.168.238.0/24 THEN
don’t do SNAT
OTHERWISE
do SNAT

Is it possible to configure something like that?

Thanks in advance and best regards,

Antonio

There are a lot of options you can use in NAT source. Information about NAT on VyOS can be found here.

Using ‘tab’ you can see all nat options in vyos cli:

vyos@vyos# set nat source rule 10 
Possible completions:
   description  Rule description
 > destination  NAT destination parameters
   disable      Disable NAT rule
   exclude      Exclude packets matching this rule from NAT
   log          NAT rule logging
   outbound-interface
                Outbound interface for NAT traffic
   protocol     Protocol to NAT
 > source       NAT source parameters
 > translation  Outside NAT IP (used by source NAT only)

You may need to create several rules to achieve what you are looking for. Be aware that rules are processed in order.

Thank you. I didn’t find the information for the exclude option.

This configuration does the trick (I have to add rules for other networks):

nat {
    source {
        rule 100 {
            description "Avoid SNAT to 192.168.1.0/24"
            destination {
                address 192.168.1.0/24
            }
            exclude
            log
            outbound-interface eth0
            source {
                address 192.168.238.0/24
            }
        }
        rule 500 {
            description "SNAT for other traffic"
            log
            outbound-interface eth0
            source {
                address 192.168.238.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}

Regards,

Antonio
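As an added illustration (not part of the thread), a small Python model of how the posted rules are evaluated: rules are walked in ascending rule-number order, the first match ends evaluation, and an `exclude` match leaves the packet untranslated. It assumes all traffic leaves via eth0, uses constructed packets, and also runs the same two rules with the numbers swapped to show why the exclude rule must carry the lower number.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class SnatRule:
    """One 'nat source rule' as posted above (outbound-interface assumed eth0 for all)."""
    number: int
    source: str                        # source address/prefix
    destination: str = "0.0.0.0/0"     # destination address/prefix, any if omitted
    exclude: bool = False              # 'exclude': match but do not translate
    translation: Optional[str] = None  # 'masquerade' or a fixed outside address

def apply_snat(rules: List[SnatRule], src: str, dst: str,
               egress_ip: str) -> Tuple[str, Optional[int]]:
    """Return (post-NAT source address, matching rule number) for one packet.
    Rules are walked in ascending rule-number order and the first match ends
    evaluation; an 'exclude' match leaves the packet untranslated."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if s not in ipaddress.ip_network(rule.source):
            continue
        if d not in ipaddress.ip_network(rule.destination):
            continue
        if rule.exclude:
            return src, rule.number
        if rule.translation == "masquerade":
            return egress_ip, rule.number   # masquerade uses the egress interface address
        return rule.translation, rule.number
    return src, None                        # no rule matched: no SNAT

# Constructed sample data: the two rules from the posted config, and the
# VirtualBox VyOS eth0 address (192.168.1.31) mentioned in the question.
EGRESS_IP = "192.168.1.31"
POSTED_RULES = [
    SnatRule(100, "192.168.238.0/24", "192.168.1.0/24", exclude=True),
    SnatRule(500, "192.168.238.0/24", translation="masquerade"),
]
# Same two rules with the exclude rule numbered AFTER the masquerade rule.
MISORDERED_RULES = [
    SnatRule(500, "192.168.238.0/24", translation="masquerade"),
    SnatRule(600, "192.168.238.0/24", "192.168.1.0/24", exclude=True),
]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("misordered", MISORDERED_RULES)):
        for dst in ("192.168.1.20", "203.0.113.5"):
            print(label, dst, apply_snat(rules, "192.168.238.10", dst, EGRESS_IP))
```

With the posted ordering, traffic to the home LAN keeps its real source while Internet-bound traffic is masqueraded; with the exclude rule numbered above the masquerade rule it never gets a chance to match.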
