SNAT to everything but routed subnet

I have two routers setup to pass traffic between them. The issue is, I don’t want source NAT to occur when traffic goes to the other router. Is that possible?

Here is my config

vyos@vyos# run show configuration
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        hw-id 00:50:56:92:d2:0f
    }
    ethernet eth1 {
        address 172.16.1.254/24
        description LAN
        hw-id 00:50:56:92:a4:2c
    }
    loopback lo {
    }
}
nat {
    source {
        rule 100 {
            outbound-interface {
                name eth0
            }
            source {
                address 172.16.1.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 172.16.2.0/24 {
            next-hop 10.10.10.165 {
            }
        }
    }
}
service {
    ssh {
        listen-address 172.16.1.254
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
}
[edit]

  1. Run `show configuration commands | no-more | strip-private`; that output is easier to review.
  2. A diagram showing the topology would help.
  3. You can use static or dynamic routing to achieve what you want.

This is essentially my config, but my IPs are different. I want the traffic between 192.168.1.1 and 192.168.2.2 to keep its source IPs, but if the traffic is going out to a 192.168.12.x address or the Internet then it needs to be translated, since those hosts aren't going to know how to get back to me. I have no control over that network.

Router 1

set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:0f'
set interfaces ethernet eth1 address 'xxx.xxx.1.254/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:2c'
set interfaces loopback lo
set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 source address 'xxx.xxx.1.0/24'
set nat source rule 100 translation address 'masquerade'
set protocols static route xxx.xxx.2.0/24 next-hop xxx.xxx.10.165
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/0'
set service ntp allow-client xxxxxx '::/0'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ssh listen-address 'xxx.xxx.1.254'
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'

Router 2

vyos@vyos2:~$ show configuration commands | no-more | strip-private
set interfaces ethernet eth2 address 'dhcp'
set interfaces ethernet eth2 description 'WAN'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:ee'
set interfaces ethernet eth3 address 'xxx.xxx.2.254/24'
set interfaces ethernet eth3 description 'LAN'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:21'
set interfaces loopback lo
set nat source rule 100 outbound-interface name 'eth2'
set nat source rule 100 source address 'xxx.xxx.2.0/24'
set nat source rule 100 translation address 'masquerade'
set protocols static route xxx.xxx.1.0/24 next-hop xxx.xxx.10.161
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.2.0/24 default-router 'xxx.xxx.2.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.2.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.2.0/24 name-server 'xxx.xxx.1.40'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.2.0/24 range 0 start 'xxx.xxx.2.101'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.2.0/24 range 0 stop 'xxx.xxx.2.150'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/0'
set service ntp allow-client xxxxxx '::/0'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ssh listen-address 'xxx.xxx.2.254'
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'

Where is the default static route?

For masquerading all Internet connections while not applying NAT to a specific source/destination pair, what is usually done is:

  1. Define exclude NAT rules.
  2. Masquerade everything else.

For example:

## First exclude what you don't want to SNAT.
## Rules are evaluated in ascending number and the first match wins,
## so the exclude rule must have a lower number than the masquerade rule.
set nat source rule 100 outbound-interface name 'eth2'
set nat source rule 100 source address 'x.x.x.x/x'
set nat source rule 100 destination address 'y.y.y.y/y'
set nat source rule 100 exclude

## Then apply SNAT to everything else, under a higher rule number
## (reusing 100 here would merge both sets of commands into one rule):
set nat source rule 110 outbound-interface name 'eth2'
set nat source rule 110 source address 'xxx.xxx.2.0/24'
set nat source rule 110 translation address 'masquerade'
2 Likes

The exclude rule is best for a bigger setup. If it is only one network you want to exclude, you can use the destination in the SNAT rule and negate the network, so it reads "destination not network".

If it grows to more networks, I would then switch to exclude rules placed before the SNAT rule.
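The two approaches in the replies above (an exclude rule numbered below the masquerade rule, or a single masquerade rule with a negated destination) both depend on first-match ordering of the NAT rules. The following is an added example, not code from this thread or from VyOS: a small Python model of Router 1's forwarding and source-NAT decision, using the addresses from the original post (LAN 172.16.1.0/24 on eth1, 172.16.2.0/24 reached via 10.10.10.165). It assumes eth0's DHCP lease is 203.0.113.10 and that the next-hop and the default route are both out of eth0, which is exactly why inter-site traffic was being masqueraded. The `!` prefix on a destination mirrors how the VyOS CLI negates an address match, to the best of my understanding of that syntax.

```python
"""Model VyOS source-NAT rule evaluation for the two-router setup in the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_ADDR = "203.0.113.10"  # assumed DHCP lease on eth0; not stated in the thread

# Router 1's forwarding table, reconstructed from its config: the connected LAN,
# the static route to the other site, and a default route. The next-hop
# 10.10.10.165 is assumed to sit behind eth0 (the WAN side).
ROUTES = {
    "172.16.1.0/24": "eth1",
    "172.16.2.0/24": "eth0",   # via next-hop 10.10.10.165
    "0.0.0.0/0": "eth0",       # default route, assumed to come from DHCP on eth0
}


def egress_interface(dst: str) -> str:
    """Longest-prefix match over ROUTES."""
    candidates = [ip_network(p) for p in ROUTES if ip_address(dst) in ip_network(p)]
    best = max(candidates, key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


@dataclass(order=True)
class SnatRule:
    number: int
    outbound_interface: str
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"  # a leading "!" negates the match, as on the CLI
    exclude: bool = False
    masquerade: bool = False


def _addr_match(spec: str, addr: str) -> bool:
    negate = spec.startswith("!")
    inside = ip_address(addr) in ip_network(spec.lstrip("!"))
    return inside != negate


def translate_source(rules, src: str, dst: str) -> str:
    """Source address seen on the wire after Router 1 forwards the packet.

    Rules are walked in ascending number and the first match decides, so an
    exclude rule only protects traffic when its number is lower than the
    masquerade rule's number.
    """
    out_if = egress_interface(dst)
    for rule in sorted(rules):
        if (rule.outbound_interface == out_if
                and _addr_match(rule.source, src)
                and _addr_match(rule.destination, dst)):
            if rule.exclude:
                return src
            if rule.masquerade:
                return WAN_ADDR
    return src  # no rule matched: no translation


# Variant A: exclude the other site first, then masquerade the rest.
EXCLUDE_THEN_MASQUERADE = [
    SnatRule(100, "eth0", "172.16.1.0/24", "172.16.2.0/24", exclude=True),
    SnatRule(110, "eth0", "172.16.1.0/24", masquerade=True),
]

# Variant B: one rule whose destination is "not the other site".
NEGATED_DESTINATION = [
    SnatRule(100, "eth0", "172.16.1.0/24", "!172.16.2.0/24", masquerade=True),
]

# Variant C: the exclude rule numbered above the masquerade rule (wrong order).
MASQUERADE_FIRST = [
    SnatRule(90, "eth0", "172.16.1.0/24", masquerade=True),
    SnatRule(100, "eth0", "172.16.1.0/24", "172.16.2.0/24", exclude=True),
]

# Constructed sample flows from one LAN host behind Router 1.
LAN_HOST = "172.16.1.10"
DESTINATIONS = {
    "other site": "172.16.2.20",
    "internet": "192.0.2.1",
    "same LAN": "172.16.1.40",
}


def simulate(rules) -> dict:
    """Map each sample destination to the source address it will see."""
    return {name: translate_source(rules, LAN_HOST, dst)
            for name, dst in DESTINATIONS.items()}


if __name__ == "__main__":
    for label, rules in [("exclude then masquerade", EXCLUDE_THEN_MASQUERADE),
                         ("negated destination", NEGATED_DESTINATION),
                         ("masquerade first (broken)", MASQUERADE_FIRST)]:
        print(f"{label}: {simulate(rules)}")
```

Running it shows variants A and B behaving identically (inter-site and same-LAN traffic keep 172.16.1.10, Internet traffic appears as the WAN address), while variant C masquerades the inter-site traffic because the masquerade rule matches before the exclude rule is ever reached.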

The apply-SNAT rule should have a higher rule number, shouldn't it?