NAT

See also NAT/Theory for the fundamentals of network address translation, and NAT/Protocols for the configuration of specific protocols.

= Overview =

Vyatta supports various options for network address translation.

A translation can be of one of the following types:
 * Destination (DNAT). A connection coming to the router is forwarded to a host inside the network.
 * Source (SNAT). A connection originating from the local network is forwarded outside with its source address substituted by a specified address.
 * Masquerade. A connection from the local network is forwarded outside with its source address substituted by the address of the specified interface. It is very similar to source NAT, but works even if the WAN interface address is not static.

A translation can also be:
 * One to one. The original source or destination address is substituted by a single specified address.
 * One to many. For connections with one specified address, the address after translation is picked from a subnet or range.
 * Many to many. For connections with an address from a specified range or subnet, the address after translation is picked from another subnet or range.

The decision to translate a connection can be made according to the following connection parameters:
 * Network interface.
 * Source or destination address.
 * Source or destination port.
 * Protocol.

= Configuration =

NAT is configured under the configuration node "service nat". It takes effect as soon as a rule is created; there is no need to enable it explicitly. To access it you may type "edit service nat" in the CLI or use the prefix "set service nat" for your commands.

Every translation is described by a rule. Rules are numbered with integers from 1 to 1024. It is a good idea to leave gaps between numbers (e.g. create rules 10, 20, 30 etc. instead of 1, 2, 3) to make it easier to group logically related rules.

For the following examples we will take this simple network:

= Source NAT =

Source NAT is typically used to provide Internet access for a local network that has only one public (routed) address. The following example demonstrates a rule that gives access only to the host 172.16.2.100. This is one to one SNAT.

<pre>
edit service nat
set rule 10 description "LAN host to WAN"
set rule 10 type source
set rule 10 source address 172.16.2.100
set rule 10 outbound-interface eth0
set rule 10 outside-address address 1.2.3.4
commit
</pre>

The resulting configuration node will be:

<pre>
rule 10 {
    description "LAN host to WAN"
    outbound-interface eth0
    outside-address {
        address 1.2.3.4
    }
    source {
        address 172.16.2.100
    }
    type source
}
</pre>

Literally it means "All connections from the source address 172.16.2.100 that leave through the interface eth0 must have their source address translated to 1.2.3.4".

For the "source address" option you may specify an address range or a subnet. To give access to the whole local network use "source address 172.16.2.0/24"; to give it only to the hosts with addresses from 172.16.2.5 to 172.16.2.10 use "source address 172.16.2.5-172.16.2.10".

If you have a small public subnet that is not large enough to give every host its own public address, you may use many to many SNAT. To do so, specify "outside-address address 1.2.3.4-14" for an address range, or the whole subnet with its prefix length (e.g. 1.2.3.4/29).

== Conditional SNAT ==

Translation can be restricted to specific connections. For example, you may create the following rule so that all SMTP connections from your LAN originate from a single external address.

<pre>
edit service nat
set rule 10 description "SMTP"
set rule 10 type source
set rule 10 source address 172.16.2.0/24
set rule 10 outbound-interface eth0
set rule 10 outside-address address 1.2.3.8
set rule 10 protocol tcp
set rule 10 destination port smtp
commit
</pre>

Note that if you want to match on a port you must also specify the protocol: tcp, udp, or tcp_udp for both. This is because any IP protocol can be specified (e.g. gre, ospf, icmp), and most of them have no notion of a "port". The protocol can be specified by its name or its number.

TCP or UDP ports can be specified by either number or name.

You may also specify the "source port" option to translate only connections coming from a specific source port.
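To make the matching described in the Source NAT and Conditional SNAT sections concrete, here is an added example (not code from the Vyatta page or the Vyatta project) that models how the rules above decide whether a connection is translated and which outside address it receives. Ports are numeric in the model, rule numbers and port/protocol requirements are checked as the page states, and how an address is picked from an outside-address range (by the position of the source address, modulo the range size) is an assumption, not Vyatta's documented behaviour.

```python
# Added example, not Vyatta's code: models how the SNAT rules on this page
# match a connection and which source address they substitute. Ports are
# numeric; picking within an outside-address range by position of the
# source address (modulo range size) is an assumption, not Vyatta's policy.
import ipaddress

def parse_addr_spec(spec):
    """Address, CIDR subnet or range (full or short, e.g. 1.2.3.4-14) -> (first, last) ints."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return int(net[0]), int(net[-1])
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        if "." not in hi:  # short form: only the last octet was given
            hi = lo.rsplit(".", 1)[0] + "." + hi
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    return (int(ipaddress.ip_address(spec)),) * 2

def validate(rule):
    """Return the configuration errors the page warns about (empty list if none)."""
    errors = []
    if not 1 <= rule["number"] <= 1024:
        errors.append("rule number must be 1..1024")
    if ("destination-port" in rule or "source-port" in rule) \
            and rule.get("protocol") not in ("tcp", "udp", "tcp_udp"):
        errors.append("a port match requires protocol tcp, udp or tcp_udp")
    return errors

def matches(rule, conn):
    """conn: dict with src, iface, proto, dport; absent rule keys mean 'any'."""
    lo, hi = parse_addr_spec(rule.get("source-address", "0.0.0.0/0"))
    if not lo <= int(ipaddress.ip_address(conn["src"])) <= hi:
        return False
    if rule.get("outbound-interface", conn["iface"]) != conn["iface"]:
        return False
    proto = rule.get("protocol", conn["proto"])
    if proto != conn["proto"] and not (proto == "tcp_udp" and conn["proto"] in ("tcp", "udp")):
        return False
    return rule.get("destination-port", conn["dport"]) == conn["dport"]

def translate(rule, conn):
    """New source address for a valid, matching source rule, else None."""
    if rule.get("type") != "source" or validate(rule) or not matches(rule, conn):
        return None
    out_lo, out_hi = parse_addr_spec(rule["outside-address"])
    src_lo = parse_addr_spec(rule.get("source-address", conn["src"]))[0]
    offset = (int(ipaddress.ip_address(conn["src"])) - src_lo) % (out_hi - out_lo + 1)
    return str(ipaddress.ip_address(out_lo + offset))
```

Feeding the page's one to one rule, the SMTP rule and a many to many rule through translate() shows which connections each catches and, for the range case, that a host's outside address stays stable across its connections.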