I have a scenario which I am testing and would like to use VyOS and not plain Debian or another Linux Distro.
To illustrate and help understand this visually, we can refer to the following article: What Is NAT? What Are the NAT Types? - Huawei
The available types of NAT are:
Full CONE
Restricted CONE NAT
Symmetric NAT
Port Restricted NAT
I have a scenario in which I have a router that uses NAT for IPv4, and I have defined a DMZ host on it.
I have two sites, and both of them have the same device with the exact same setup.
I have a RouterOS device as the DMZ host in each location, and I have a WireGuard connection between the sites.
For some reason the NAT is causing one side of the WireGuard tunnel to stop receiving traffic.
This is not a VyOS issue, but it’s related, since in my tests VyOS has the same issue if I replace the RouterOS with a VyOS device.
The first thing I would like to do is simulate this in lab so it can be learned by others.
If there would be a solution eventually from this lab, then everyone will benefit.
Which of the four NAT types above can I implement on top of VyOS, and how?
vyos@vyos# set nat
Possible completions:
> destination Destination NAT settings
> source Source NAT settings
> static Static NAT (one-to-one)
vyos@vyos# set nat destination rule 1 translation options
Possible completions:
address-mapping Address mapping options (default: random)
port-mapping Port mapping options (default: none)
vyos@vyos# set nat destination rule 1 translation options address-mapping
Possible completions:
persistent Gives a client the same source or destination-address for each connection
random Random source or destination address allocation for each connection (default)
vyos@vyos# set nat destination rule 1 translation options port-mapping
Possible completions:
random Randomize source port mapping
fully-random Full port randomization
none Do not apply port randomization (default)
vyos@vyos# set nat source rule 1 translation options
Possible completions:
address-mapping Address mapping options (default: random)
port-mapping Port mapping options (default: none)
vyos@vyos# set nat source rule 1 translation options address-mapping
Possible completions:
persistent Gives a client the same source or destination-address for each connection
random Random source or destination address allocation for each connection (default)
vyos@vyos# set nat source rule 1 translation options port-mapping
Possible completions:
random Randomize source port mapping
fully-random Full port randomization
none Do not apply port randomization (default)
More practical:
Make sure your NAT rules hit the correct traffic.
So traffic originating from the DMZ host shouldn’t hit the masquerade rule.
Either by a source IP mask on the masquerade rule, a NAT exclusion, or a more specific DMZ-only rule before the masquerade.
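As an added example (not from anyone in this thread), here is one way to put the completion output above and the "DMZ-only rule before the masquerade" advice together on VyOS. It assumes VyOS 1.4 syntax (`outbound-interface name ...`; on 1.3 drop the `name` keyword), eth0 as the WAN interface with the placeholder public address 203.0.113.1, eth1/192.168.1.0/24 as the LAN, and the RouterOS DMZ host at 192.168.1.10; all of these values are assumptions to replace with your own.

```vyos
# Added example, not from the thread. Assumed: VyOS 1.4, eth0 = WAN with
# placeholder address 203.0.113.1, LAN = 192.168.1.0/24, DMZ host = 192.168.1.10.
configure

# 1. DMZ-only source NAT rule, numbered lower so it is evaluated before the
#    masquerade. A fixed translation address plus port-mapping 'none' keeps
#    the DMZ host's internal source port on the outside whenever it is free,
#    so every remote peer sees the same external address:port for a given
#    internal socket (cone-style mapping), which is what WireGuard's fixed
#    listen port relies on.
set nat source rule 10 description 'DMZ host: dedicated SNAT, no port randomization'
set nat source rule 10 outbound-interface name eth0
set nat source rule 10 source address 192.168.1.10
set nat source rule 10 translation address 203.0.113.1
set nat source rule 10 translation options address-mapping persistent
set nat source rule 10 translation options port-mapping none

# 2. Masquerade for the rest of the LAN. Because rule 10 already matched the
#    DMZ host, its traffic never reaches this rule. With 'random' or
#    'fully-random' port mapping each new connection gets a different external
#    port, so remote peers see a different mapping per destination, which is
#    the behaviour the thread's list calls symmetric NAT.
set nat source rule 100 description 'LAN masquerade'
set nat source rule 100 outbound-interface name eth0
set nat source rule 100 source address 192.168.1.0/24
set nat source rule 100 translation address masquerade
set nat source rule 100 translation options port-mapping random

# 3. DMZ host: forward all unsolicited inbound traffic arriving on the WAN
#    address to the RouterOS box, so the far site's WireGuard packets reach it.
set nat destination rule 10 description 'DMZ host'
set nat destination rule 10 inbound-interface name eth0
set nat destination rule 10 destination address 203.0.113.1
set nat destination rule 10 translation address 192.168.1.10

commit
save
exit

# Checks from operational mode: confirm rule order, then watch the conntrack
# entry for the DMZ host's WireGuard flow and verify the external port does
# not change when the far side is the destination.
show nat source rules
show nat destination rules
show conntrack table ipv4
```

Two caveats when reading the conntrack output: `port-mapping none` only preserves the internal port while no other flow already occupies that external tuple, so a DMZ host sharing a single masquerade rule with the whole LAN can still end up with a changed port under load, which is exactly why it gets its own rule here; and Linux conntrack still drops unsolicited inbound packets on its own, so the open, cone-like behaviour towards the DMZ host comes from the destination NAT rule, not from the source NAT options alone.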