Page MenuHomeVyOS Platform
Create Task
Maniphest T538

Support for network mapping in NAT
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Static NAT can currently be done on VyOS, but they're a pain if you have a lot of them.

For example -

Headquarters                    Local Vyos             Remote Office Vyos        Remote Offices
                      >--- tun0 169.254.254.1/30 <--> tun0 169.254.254.2/30 --- 192.168.1.0/24
Corp 172.16.0.0/12    >--- tun1 169.254.254.5/30 <--> tun0 169.254.254.6/30 --- 192.168.1.0/24
                      >--- tun2 169.254.254.9/30 <--> tun0 169.254.254.10/30 --- 192.168.1.0/24

In this particular situation the remote offices always have to have the same ip scheme.

To make each office reachable by headquarters, we need a static nat in place.
Traffic is received for the nat address at the remote office tun and translated to the internal address.
Traffic from the internal address destined to the corp network is translated to the nat address.

Remote Office 1
10.0.1.0/24

Corp >> 10.0.1.10 <--> tunnel0 <--> 192.168.1.10
192.168.1.10 <--> tunnel0 <--> 10.0.1.10 >> Corp

Remote Office 2
10.0.2.0/24

Corp >> 10.0.2.10 <--> tunnel1 <--> 192.168.1.10
192.168.1.10 <--> tunnel0 <--> 10.0.2.10 >> Corp

Remote Office 3
10.0.3.0/24

Corp >> 10.0.3.10 <--> tunnel2 <--> 192.168.1.10
192.168.1.10 <--> tunnel0 <--> 10.0.3.10 >> Corp

Now you can easily connect to all your offices, even though they have the same IP scheme at each location.

Currently you can do this with a combination of both a source nat and destination nat, as such -

vyos@vyos# show nat 
 destination {
     rule 10 {
         destination {
             address 10.0.1.10
         }
         inbound-interface tun0
         translation {
             address 192.168.1.10
         }
     }
 }
 source {
     rule 10 {
         outbound-interface tun0
         source {
             address 192.168.1.10
         }
         translation {
             address 10.0.1.10
         }
     }
 }

This gets to be pretty intense after 100 static nats, or 200 nat rules overall.

It be nice if we could take a more Juniper approach and do something like this -

static {
    rule 10 {
        destination {
            address 10.0.1.10
        }
        inbound-interface tun0
        translation {
            address 192.168.1.10
        }
    }
}

At which point it would create both the source and destination nat.

And of course, i can't bring this up without also saying we should incorporate zone based nats.

static {
    rule 10 {
        destination {
            address 10.0.1.10
        }
        inbound-zone VPN
        translation {
            address 192.168.1.10
        }
    }
}

That way if you had redundant tunnels (e.g. vtun0 <-> Corp Vyos 1 & vtun1 <-> Corp Vyos 2) you wouldn't have to double up on the number of nat rules.
Of course, that would only apply if the firewall config was zone based traffic.

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Related Objects

Event Timeline

xrpixer created this task.Feb 6 2018, 4:17 AM
syncer triaged this task as Wishlist priority.Feb 27 2018, 2:20 PM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 2.0.x.
kevinrausch subscribed.Jan 29 2019, 5:46 AM
pasik subscribed.Mar 12 2019, 6:15 PM
syncer assigned this task to zsdc.Mar 2 2020, 2:46 AM
c-po subscribed.EditedMar 2 2020, 5:07 AM

Should be pretty straight forward once we have migrated vyatta-nat to XML/Python. On first glance the rewrite looks easy as it just operates on the NAT table.

jjakob mentioned this in T2198: Rewrite NAT in new XML/Python style.May 1 2020, 11:06 AM
dmbaturin edited projects, added VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus.Dec 10 2020, 12:02 PM
dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
dmbaturin edited a custom field.Jan 27 2021, 7:00 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
eronlloyd subscribed.Aug 1 2021, 9:06 PM
eronlloyd added a comment.Feb 21 2022, 11:31 AM

+1

mpueschel subscribed.Aug 5 2022, 1:56 PM
Viacheslav subscribed.EditedAug 13 2022, 12:21 AM

PR https://github.com/vyos/vyos-1x/pull/1466
Let me know if there is what you are expecting,
requires more tests

set nat static rule 10 destination address '10.0.1.1'
set nat static rule 10 inbound-interface 'eth0'
set nat static rule 10 translation address '192.168.1.1'

set nat static rule 20 destination address '203.0.113.0/24'
set nat static rule 20 inbound-interface 'eth0'
set nat static rule 20 translation address '192.0.2.0/24'

Nftables:

vyos@r14# sudo nft list table vyos_static_nat
table ip vyos_static_nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		counter packets 3 bytes 252 jump VYOS_PRE_DNAT_HOOK
		iifname "eth0" ip daddr 10.0.1.1 counter packets 0 bytes 0 dnat to 192.168.1.1 comment "STATIC-NAT-10"
		iifname "eth0" counter packets 3 bytes 252 dnat ip prefix to ip daddr map { 203.0.113.0/24 : 192.0.2.0/24 } comment "STATIC-NAT-20"
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 5 bytes 404 jump VYOS_PRE_SNAT_HOOK
		oifname "eth0" ip saddr 192.168.1.1 counter packets 0 bytes 0 snat to 10.0.1.1 comment "STATIC-NAT-10"
		oifname "eth0" counter packets 2 bytes 152 snat ip prefix to ip saddr map { 192.0.2.0/24 : 203.0.113.0/24 } comment "STATIC-NAT-20"
	}

	chain VYOS_PRE_DNAT_HOOK {
		return
	}

	chain VYOS_PRE_SNAT_HOOK {
		return
	}
}
[edit]
vyos@r14#
Restricted Repository Identity mentioned this in rVYOSONEX735767f09f89: Merge pull request #1466 from sever-sever/T538.Sep 1 2022, 5:35 PM
Viacheslav mentioned this in rVYOSONEX3489089000a4: nat: T538: Move nat configs to /run directory.Sep 1 2022, 5:35 PM
Viacheslav mentioned this in rVYOSONEX69bcdb9a680b: nat: T538: Add static NAT one-to-one.
dmbaturin renamed this task from Possible to implement Static NAT? to Support for network mapping in NAT.Oct 7 2022, 2:14 PM
dmbaturin set Issue type to Unspecified (please specify).
dmbaturin changed Issue type from Unspecified (please specify) to improvement.
Viacheslav closed this task as Resolved.Oct 10 2022, 5:54 PM
Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.
dmbaturin set Issue type to Feature (new functionality).Fri, Nov 8, 10:50 AM