Vector

VyOS PLATFORM BLOG

Building an open source network OS for the people, together.

 

NAT with a thousand faces

The familiar use cases for NAT are source NAT/masquerade for allowing private subnets access to the Internet, and port forwarding from the Internet to a host in a private network. However, there are more use cases that are less obvious, in part because they are defined by the relative size of the source/destination and translation address options.

One to one NAT

Very common among cloud providers, but equally useful if your ISP is ready to give you an additional address, but not a routable subnet.

Suppose your ISP gave you two addresses, 203.0.113.114 and 203.0.113.115. You use the .114 address for the router itself and want to map the .115 to a server inside your network that has 192.168.136.100 address.

Here's how to do it:

 interfaces {
ethernet eth0 {
address 203.0.113.114/24
address 203.0.113.115/24
...
}
nat {
destination {
rule 10 {
inbound-interface eth0
destination {
address 203.0.113.115
}
translation {
address 192.168.136.100
}
}
}
source {
rule 10 {
outbound-interface eth0
source {
address 192.168.136.100
}
translation {
address 203.0.113.115
}
}
}
}

One to many NAT

If the network or range specified in translation address is larger than the network in source/destination address, connections from the same host will be translated to more than one address. In source NAT, this is only useful for a bizzare kind of conspicious consumptions like buying a /24 subnet for yourself and using it all for just your desktop.

In destination NAT, however, it can be used as a simple form of L3, non-application aware load balancing.

Suppose you got 10 web servers all in the range of 192.168.136.100 to 192.168.136.110. You want traffic sent to 203.0.113.115 balanced across them. Here's an example:

nat {
destination {
rule 10 {
destination {
address 203.0.113.115
port 80,443
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.136.100-192.168.136.110
}
}
}
source {
rule 10 {
outbound-interface eth0
source {
address 192.168.136.100-192.168.136.110
}
translation {
address 203.0.113.115
}
}
}
}

Many to many NAT

What happens if the source/destination and translation networks are the same size though? In that case, only the network part is translated, while the host part should stay untouched.

This is useful for getting around subnet conflicts.

nat {
destination {
rule 10 {
destination {
address 192.168.136.0/24
}
inbound-interface eth0
translation {
address 10.20.30.0/24
}
}
}
source {
rule 10 {
outbound-interface eth0
source {
address 10.20.30.0/24
}
translation {
address 192.168.136.0/24
}
}
}
}

If you know more variations, please let me know.

comments
0