Dynamic NAT

Greetings!

Maybe this has been asked before, but my search turned up nothing recent. I’m trying to investigate if dynamic NAT works (and if so, how it works) in VyOS. I found this very old article for Vyatta, but the syntax doesn’t seem to be the same: http://openmaniak.com/vyatta_case6.php

Basically, it says something like this:

set service nat rule 1 edit service nat rule 1 set type source set translation-type dynamic set outbound-interface eth0 set protocols all set source network 10.0.0.0/24 set destination network 0.0.0.0/0 set outside-address address 60.0.0.0/28

However, I fail to see where I could specify the “dynamic” translation type in VyOS 1.1.6.

What I’m trying to achieve is to have internal RFC 1918 addresses for all my clients (e.g. 10.1.1.0/24), possibly over several internal subnets, and dynamically 1:1 NAT from a (or multiple possibly smaller) pool(s) of public addresses (currently a single /22, but that could change). Our ISP requires that all users are assigned public addresses in case of abuse reports, so I cannot masquerade them but I need to segment them internally to allow/deny access to certain internal “zones”. Perhaps I’m using the wrong approach for this? I imagine that a bit more complex version of this is what I’m looking for, with multiple pools on both sides: http://www.firewall.cx/networking-topics/network-address-translation-nat/231-nat-dynamic-part-1.html

I understand that I could possibly run out of public addresses using this approach, but in that case I’m fine with the clients being denied access.

Thanks in advance!

I think you can just give the source NAT rule a range of IP addresses to choose from for a “many-to-many” NAT scenario

set nat source rule 11 translation address 60.0.0.128-60.0.0.254

Possible completions:
<x.x.x.x>-<x.x.x.x> NAT to the specified IP range

if you have the same size internal and external blocks you can do “one-to-one” “mapping” and give a network address

set nat source rule 11 translation address 60.0.0.0/24

Possible completions:
<x.x.x.x/x> NAT to the specified network address. Host part of the address will remain unchanged

10.0.0.243 would translate to 60.0.0.243
10.0.0.244 would translate to 60.0.0.244
etc.