I use Vyatta for a NAT between two different networks. Here is an excerpt of my configuration:
    interfaces {
        ethernet eth0 {
            address 192.168.11.11/24
            address 192.168.11.9/24
            address 192.168.11.10/24
            address 192.168.11.12/24
            address 192.168.11.13/24
            address 192.168.11.14/24
            description "vlan verso asa"
            duplex auto
            hw-id 00:50:56:9a:7d:ce
            smp_affinity auto
            speed auto
        }
        ethernet eth1 {
            address 192.168.3.1/24
            duplex auto
            hw-id 00:50:56:9a:2e:6a
            smp_affinity auto
            speed auto
        }
        ...
    }
    nat {
        source {
            rule 10 {
                outbound-interface eth0
                source {
                    address 192.168.3.0/24
                }
                translation {
                    address 192.168.11.11
                }
            }
            ...
        }
    }
    protocols {
        static {
            route 0.0.0.0/0 {
                next-hop 192.168.11.1 {
                }
            }
            ...
        }
    }
    service {
        dhcp-server {
            disabled false
            shared-network-name ospitito {
                authoritative disable
                subnet 192.168.3.0/24 {
                    default-router 192.168.3.1
                    dns-server 194.153.187.20
                    dns-server 8.8.8.8
                    domain-name jacobacci.com
                    lease 86400
                    start 192.168.3.16 {
                        stop 192.168.3.254
                    }
                }
            }
        }
        ...
    }
eth0 is connected to a firewall (192.168.11.1), and no other device is connected to that VLAN, while a bunch of PCs reside on eth1, with IP addresses assigned via DHCP.
Normally, connections from 192.168.3.x undergo NAT, but sometimes a packet is forwarded to 192.168.11.1 WITHOUT being NATted.
Running simultaneously
    tcpdump -v -i eth0 src net 192.168.3.0/24
    tcpdump -v -i eth1 src net 192.168.3.0/24
shows that only a small percentage of packets leak un-NATted (and they are refused by the firewall, so the client retries the connection after a little while, and this time they are NATted regularly). The packets belong to many clients (not a particular one), and I noticed packets for TCP ports 80 and 443 (while in the mix arriving on eth1 there are often packets for UDP port 53).
cat /proc/net/ip_conntrack shows that I'm well below any reasonable limit of connections.
A tcpdump -e shows that this is not an L2 issue, since the packets leaking from eth0 carry the MAC address of the VyOS box...
A reboot and even a VyOS upgrade did not help.
I did not notice the problem in the past, but I cannot be sure; I discovered it by chance while reviewing the log files of the external firewall.
I'm going crazy...
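As an added diagnostic example (not part of the original post, and not the poster's data): the two captures above give the leak ratio, but the more telling question is whether each un-NATted packet seen on eth0 is the first packet of a flow (a TCP SYN, or a DNS query) or a mid-stream packet. Netfilter consults the NAT rules only for the first packet of a connection and then applies the stored mapping from the conntrack entry to every later packet of that flow, so a SYN leaving un-NATted means the source rule did not match at that moment, while a mid-stream segment leaving un-NATted means conntrack no longer had an entry for that flow. The script below parses `tcpdump -v` output, splits the leaked packets along that line, counts client retransmissions of the same segment, and flags packets sourced from the router's own eth1 address (192.168.3.1), which the `src net 192.168.3.0/24` filter also matches but which are locally generated rather than forwarded. The embedded capture is a constructed sample in simplified `tcpdump -v` format; with real output, pipe it in on stdin.

```python
import re
import sys
from collections import Counter

ROUTER_LAN_ADDR = "192.168.3.1"  # eth1 address from the posted config

# Constructed sample of `tcpdump -v -i eth0 src net 192.168.3.0/24` output,
# reduced to the fields this script uses. Not a real capture.
SAMPLE_ETH0 = """\
10:00:01.000001 IP (tos 0x0, ttl 63, id 1001, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.3.27.51512 > 93.184.216.34.443: Flags [S], seq 100, win 64240, length 0
10:00:01.250000 IP (tos 0x0, ttl 63, id 1002, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.3.42.40000 > 93.184.216.34.80: Flags [.], ack 1, win 501, length 0
10:00:02.000000 IP (tos 0x0, ttl 63, id 1003, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.3.27.51512 > 93.184.216.34.443: Flags [S], seq 100, win 64240, length 0
10:00:03.000000 IP (tos 0x0, ttl 64, id 1004, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.3.1.53211 > 8.8.8.8.53: 12345+ A? example.com. (32)
"""

# tcpdump -v prints one header line per packet, then an indented flow line.
HEADER_RE = re.compile(r"^(?P<ts>\S+) IP \(.*?ttl (?P<ttl>\d+),.*?proto (?P<proto>\w+)")
FLOW_RE = re.compile(
    r"^\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):(?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")
SEQ_RE = re.compile(r"\bseq (\d+)")


def parse_packets(text):
    """Pair each header line with the flow line that follows it."""
    lines = text.splitlines()
    packets = []
    i = 0
    while i + 1 < len(lines):
        header = HEADER_RE.match(lines[i])
        flow = FLOW_RE.match(lines[i + 1])
        if header and flow:
            flags = FLAGS_RE.search(flow["rest"])
            seq = SEQ_RE.search(flow["rest"])
            packets.append({
                "ts": header["ts"],
                "ttl": int(header["ttl"]),
                "proto": header["proto"],
                "src": flow["src"], "sport": int(flow["sport"]),
                "dst": flow["dst"], "dport": int(flow["dport"]),
                "flags": flags.group(1) if flags else "",
                "seq": int(seq.group(1)) if seq else None,
            })
            i += 2
        else:
            i += 1
    return packets


def summarize_leaks(packets):
    """Classify un-NATted packets captured on the outside interface."""
    summary = {
        "total": len(packets),
        "tcp_syn": 0,       # first packet of a flow: the NAT rule did not match
        "tcp_other": 0,     # mid-stream: conntrack had no entry for the flow
        "udp": 0,
        "local_origin": 0,  # sourced by the router itself, not forwarded
        "hosts": len({p["src"] for p in packets}),
        "by_dport": Counter(p["dport"] for p in packets),
    }
    seen = Counter()
    for p in packets:
        if p["src"] == ROUTER_LAN_ADDR:
            summary["local_origin"] += 1
        if p["proto"] == "TCP":
            if "S" in p["flags"]:
                summary["tcp_syn"] += 1
            else:
                summary["tcp_other"] += 1
            if p["seq"] is not None:
                seen[(p["src"], p["sport"], p["dst"], p["dport"], p["seq"])] += 1
        elif p["proto"] == "UDP":
            summary["udp"] += 1
    # The same (5-tuple, seq) seen again is the client retrying that segment.
    summary["retransmits"] = sum(n - 1 for n in seen.values())
    return summary


if __name__ == "__main__":
    # Usage: tcpdump -v -i eth0 src net 192.168.3.0/24 | python3 leaks.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ETH0
    for key, value in summarize_leaks(parse_packets(text)).items():
        print(f"{key}: {value}")
```

Run the same script over the eth1 capture as well: a flow that appears on eth1 with a conntrack entry but leaves eth0 un-NATted points at the conntrack table, while a SYN that is already missing its mapping points at rule matching, and `conntrack -L` (or the `/proc/net/ip_conntrack` dump already used) taken at the moment of a leak shows which it is.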