I have some problems with NAT , especially the many-to-many function.
Does anybody knows how to dynamically NAT multiple addresses from IN interface to a large pool on the OUT interface without define all those translated addresses on the OUT interface ?
I have read the Vyatta manual (and test the system) and it seems to be the only solution to achieve this goal, but in my case there is to much addresses to define on the interface and it’s not very practical. I choose to test VyOS, but the problem remain the same…
Thanks in advance.
(sorry for my English, i’m french.)
If you need to translate pools of different size (say, /24 network to /28 network) then try to comment lines 306-310 in /opt/vyatta/share/perl5/Vyatta/SrcNatRule.pm to remove subnets match check:
# if (!($outside_addr_mask == $src_addr_mask)) {
# return ("\nsource address should be a subnet with the same network prefix as translation address" .
# "\nwhen translation address is defined with a prefix for static network mapping "
# , undef);
# }
Iptables rule looks ok without this check, but I haven’t tried it in work, so keep a backup of original file
And AFAIR iptables NAT will make unique src<->dst IP address pair for every connections, even if there were previous entries with same source address.
UP: it seems that it should work without sources modification for different pools if you specify translation address as a range:
I’ve already tried this NAT rule, and the translation works.
In fact, addresses pool from the IN interface are translated to addresses pool on the OUT interface but connections cannot be established because of a ARP non response on the OUT interface. It seems that I have to manually define all translated addresses on the OUT interface but maybe someone knows how to bypass it. I’ve also tried the “set interfaces ethernet ethx ip enable-proxy-arp” command with the same result (no ARP response).
Looking to Cisco’s IOS, they’re adding aliases to NAT interface to solve this problem by default (user can disable this behaviour by specifying no-alias option to NAT rule, but I’ve never seen this keyword in use).
It’s not a problem to add such behavior to VyOS, but I’m in doubt that NAT submodule shall add or remove any address aliases, because it will make implicit relationships between different parts of OS and it’ll become a little bit tricky to make things consistent especially for PPP-like interfaces.
I think the clever algorithm will be:
User defines address ranges with a commands like this:
# Address range assignment
# Here mask is specified only once to make sure that range belongs to subnet
set interface eth0 address 192.168.2.10-192.168.2.45/24
# Next range
set interface eth0 address 192.168.3.80-192.168.3.94/25
# And so on
When he commits the changes, VyOS will parse interfaces block first and create necessary aliases. Next, it will add NAT rule.
This will work ok, but this solution has one “underwater stone”: all open services (ssh, dns, etc) at VyOS router will become implicitly open at ALL interface aliases by default, so user needs to setup listen-addresses correctly.
Thnx a lot! Has tortured about 3 hours to understand why snat local network subnet to address range doesnt work! After set address range on pseudo interface - all ok!!! Thank you!
Another question about snat many to many, I have set pseudo interface peth4 and link it to eth4, config below:
ethernet eth4 {
address 10.192.168.61/26
description “_”
mtu 1500
}
management false
pseudo-ethernet peth4 {
address 10.192.168.1/26
address 10.192.168.2/26
address 10.192.168.3/26
address 10.192.168.4/26
address 10.192.168.5/26
address 10.192.168.6/26
address 10.192.168.7/26
link eth4
mac 00:21:9b:39:3b:f0
}
[edit]
show service nat rule 10
outbound-interface eth4
outside-address {
address 10.192.168.1-10.192.168.60
}
source {
address 10.33.0.0/16
}
type source
[edit]
During nat 10.192.168.6 was assigned on my connection. First 5 or 6 pings passes and after that appearing problem with ARP and MAC and ping packets dont pass to 10.192.168.62.
11.411384 10.192.168.6 -> 10.192.168.62 ICMP Echo (ping) request
11.411478 10.192.168.62 -> 10.192.168.6 ICMP Echo (ping) reply
12.412440 10.192.168.6 -> 10.192.168.62 ICMP Echo (ping) request
12.412569 00:21:9b:38:3b:f7 -> ff:ff:ff:ff:ff:ff ARP Who has 10.192.168.6? Tell 10.192.168.62
13.243170 00:21:9b:38:3b:f7 -> ff:ff:ff:ff:ff:ff ARP Who has 10.192.168.6? Tell 10.192.168.62
14.241587 00:21:9b:38:3b:f7 -> ff:ff:ff:ff:ff:ff ARP Who has 10.192.168.6? Tell 10.192.168.62
I’m trying to configure LS-NAT with vyos.
The WAN interface requires 1024 IPaddresses, so I added alias by referring to the following post.
# Address range assignment
# Here mask is specified only once to make sure that range belongs to subnet
set interface eth0 address 192.168.2.10-192.168.2.45/24
However, it seems that the IPaddress defined in the range as shown below is regarded as an invalid value.
vyos@CGN01# set interfaces ethernet eth2 address 200.0.0.101-200.0.0.254/24
Invalid value
Value validation failed
Set failed
The dump of show version is as follows. Does anyone know a cool solution?
Version: VyOS 1.3-rolling-202011270217
Release Train: equuleus
Built by: autobuild@vyos.net
Built on: Fri 27 Nov 2020 02:17 UTC
Build UUID: c357c08c-8972-49f8-a13b-a661a1eb51ec
Build Commit ID: 2228df50afbc71
Architecture: x86_64
Boot via: installed image
System type: KVM guest
Hardware vendor: Red Hat
Hardware model: KVM
Hardware S/N: Unknown
Hardware UUID: Unknown
