Dynamic NAT


#1

Greetings!

Maybe this has been asked before, but my search turned up nothing recent. I’m trying to investigate if dynamic NAT works (and if so, how it works) in VyOS. I found this very old article for Vyatta, but the syntax doesn’t seem to be the same: http://openmaniak.com/vyatta_case6.php

Basically, it says something like this:

set service nat rule 1
edit service nat rule 1
set type source
set translation-type dynamic
set outbound-interface eth0
set protocols all
set source network 10.0.0.0/24
set destination network 0.0.0.0/0
set outside-address address 60.0.0.0/28

However, I fail to see where I could specify the “dynamic” translation type in VyOS 1.1.6.

What I’m trying to achieve is to have internal RFC 1918 addresses for all my clients (e.g. 10.1.1.0/24), possibly over several internal subnets, and dynamically 1:1 NAT from a (or multiple possibly smaller) pool(s) of public addresses (currently a single /22, but that could change). Our ISP requires that all users are assigned public addresses in case of abuse reports, so I cannot masquerade them but I need to segment them internally to allow/deny access to certain internal “zones”. Perhaps I’m using the wrong approach for this? I imagine that a bit more complex version of this is what I’m looking for, with multiple pools on both sides: http://www.firewall.cx/networking-topics/network-address-translation-nat/231-nat-dynamic-part-1.html

I understand that I could possibly run out of public addresses using this approach, but in that case I’m fine with the clients being denied access.

Thanks in advance!


#2

I think you can just give the source NAT rule a range of IP addresses to choose from for a “many-to-many” NAT scenario:

set nat source rule 11 translation address 60.0.0.128-60.0.0.254

Possible completions:
<x.x.x.x>-<x.x.x.x> NAT to the specified IP range

If you have the same-size internal and external blocks, you can do “one-to-one” “mapping” and give a network address:

set nat source rule 11 translation address 60.0.0.0/24

Possible completions:
<x.x.x.x/x> NAT to the specified network address. Host part of the address will remain unchanged

10.0.0.243 would translate to 60.0.0.243
10.0.0.244 would translate to 60.0.0.244
etc.
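The two translation modes described in the reply above, modelled in Python as an added example (this is not code from the thread or from VyOS itself). netmap_translate() reproduces the one-to-one network form, where the host part of the inside address is kept and only the network part is replaced, and it generalizes to prefix lengths other than /24 (for instance the /22 mentioned in the question). DynamicPool models the range form, which is the behaviour the original poster wants: each inside host gets its own public address while the pool lasts, and a host is refused when the pool is exhausted. The allocation policy in DynamicPool (first free address, deny on exhaustion) and the inside_for() reverse lookup are assumptions for illustration; the page does not say how VyOS selects addresses from a range, so do not read that part as a description of the real NAT engine.

```python
import ipaddress


def netmap_translate(inside_ip: str, outside_network: str) -> str:
    """Model of 'translation address 60.0.0.0/24' (one-to-one).

    The host part of the inside address, sized by the outside prefix
    length, is kept unchanged and only the network part is swapped.
    """
    ip = ipaddress.IPv4Address(inside_ip)
    net = ipaddress.IPv4Network(outside_network, strict=False)
    host_mask = (1 << (32 - net.prefixlen)) - 1
    # network_address already has its host bits cleared, so OR is enough.
    return str(ipaddress.IPv4Address(int(net.network_address) | (int(ip) & host_mask)))


class DynamicPool:
    """Model of 'translation address 60.0.0.128-60.0.0.254' (many-to-many).

    Assumed policy (not taken from the page): hand out the first free
    address, keep the binding stable per inside host, and deny a host
    when no public address is left.
    """

    def __init__(self, first: str, last: str):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        if hi < lo:
            raise ValueError("range end precedes range start")
        self.free = [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]
        self.bindings = {}  # inside address -> public address

    @classmethod
    def from_range(cls, spec: str) -> "DynamicPool":
        """Accept the same '<a.b.c.d>-<a.b.c.d>' form the CLI completion shows."""
        first, last = spec.split("-", 1)
        return cls(first.strip(), last.strip())

    def translate(self, inside_ip: str):
        """Return the public address for inside_ip, or None if the pool is exhausted."""
        if inside_ip in self.bindings:
            return self.bindings[inside_ip]
        if not self.free:
            return None  # pool exhausted: this client gets no public address
        public = self.free.pop(0)
        self.bindings[inside_ip] = public
        return public

    def release(self, inside_ip: str) -> None:
        """Return a host's public address to the pool (e.g. when its flows expire)."""
        public = self.bindings.pop(inside_ip, None)
        if public is not None:
            self.free.append(public)

    def inside_for(self, public_ip: str):
        """Reverse lookup: which inside host currently owns a public address.

        This is the question an abuse report against a public address asks.
        """
        for inside, public in self.bindings.items():
            if public == public_ip:
                return inside
        return None


if __name__ == "__main__":
    # Constructed sample values, matching the reply's example.
    for host in ("10.0.0.243", "10.0.0.244"):
        print(host, "->", netmap_translate(host, "60.0.0.0/24"))
    pool = DynamicPool.from_range("60.0.0.128-60.0.0.130")
    for host in ("10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"):
        print(host, "->", pool.translate(host))
```

With the one-to-one form, the mapping is fixed and computable in both directions from the configuration alone, which is the simplest way to satisfy an ISP's requirement to tie every public address to one internal host. With a range, the binding exists only in NAT state, so you need connection-tracking logs (or a lookup like inside_for() above) to answer an abuse report.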