Setting up a NAT
Source NAT refers to the translation of traffic travelling from the internal to the external network.
Continuing on from the initial scenario, let's now assume that we wish to apply IP masquerading.
Apply IP masquerading on eth1 (the external interface):
set nat source rule 100 outbound-interface eth1
set nat source rule 100 source address 10.0.0.0/24
set nat source rule 100 translation address masquerade
If we wish instead to translate to a fixed IP address of 203.0.113.32:
set nat source rule 100 translation address 203.0.113.32
And if we wanted a range of IP addresses, 203.0.113.32-203.0.113.63:
set nat source rule 100 translation address 203.0.113.32-203.0.113.63
Don't forget to commit and save.
Destination NAT refers to the translation of traffic travelling from the external to the internal network.
In this example we use it to forward traffic to different locations.
Continuing on from our scenario (IP masquerading in use), let's now assume a web server is attached to the VyOS machine and has a private IP of 10.0.0.2/24. We wish to be able to access this through the VyOS machine's external IP. We could create a NAT rule which would forward traffic from port 80 of the VyOS machine to port 80 of the web server.
The destination port is the incoming port on the VyOS machine, and the translation address and port are what it gets translated to.
edit nat destination rule 10
set description 'Web server'
set destination port 80
set inbound-interface eth1
set protocol tcp
set translation address 10.0.0.2
set translation port 80
top
A firewall rule is also required to let traffic in through port 80.
edit firewall name eth1-local rule 40
set action accept
set description 'Allow http'
set destination port 80
set protocol tcp
top
Finally, we commit and save.
However, for this to completely work, the web server must have its default gateway set to the VyOS machine. This is done on the web server itself (assuming it is running Linux), pointing the default route at the VyOS machine's internal address, 10.0.0.1 in this example.
sudo route add default gw 10.0.0.1
Say we now wish to directly apply a 1-to-1 NAT between the VyOS machine (22.214.171.124) and the web server (10.0.0.2).
set nat destination rule 20 description '1-to-1 NAT'
set nat destination rule 20 destination address 126.96.36.199
set nat destination rule 20 inbound-interface eth1
set nat destination rule 20 translation address 10.0.0.2
set nat source rule 20 description '1-to-1 NAT'
set nat source rule 20 outbound-interface eth1
set nat source rule 20 source address 10.0.0.2
set nat source rule 20 translation address 188.8.131.52
commit
save
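The three rule sets above (masquerade rule 100, port-forward rule 10 and the 1-to-1 NAT rule 20) interact through VyOS's rule ordering: each table is walked in ascending rule number and only the first match is applied, so the web server's source rule 20 takes precedence over the masquerade rule 100. The following Python model, added here and not part of the original page or of VyOS, walks the same tables over a few constructed packets; the router's eth1 address (203.0.113.1) and the 1-to-1 public address (203.0.113.32) are assumed values, the 10.0.0.0/24 network and 10.0.0.2 web server are the page's own.

```python
import ipaddress

# Added model of the NAT tables from this page. Constructed addresses: the router's
# eth1 address (ETH1_ADDR) and the public address used for the 1-to-1 NAT
# (ONE_TO_ONE_PUBLIC); the page's own 10.0.0.0/24 and 10.0.0.2 are kept.
ETH1_ADDR = "203.0.113.1"
ONE_TO_ONE_PUBLIC = "203.0.113.32"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
WEB_SERVER = "10.0.0.2"

# (rule number, match predicate, translation). VyOS walks a table in ascending rule
# order and applies only the first rule that matches.
SOURCE_RULES = [
    # rule 20: 1-to-1 NAT, the web server leaves eth1 with its dedicated public address
    (20, lambda p: p["out_if"] == "eth1" and p["src"] == WEB_SERVER,
         lambda p: {**p, "src": ONE_TO_ONE_PUBLIC}),
    # rule 100: masquerade, everything else in 10.0.0.0/24 uses eth1's own address
    (100, lambda p: p["out_if"] == "eth1" and ipaddress.ip_address(p["src"]) in INTERNAL_NET,
          lambda p: {**p, "src": ETH1_ADDR}),
]
DESTINATION_RULES = [
    # rule 10: port forward, tcp/80 arriving on eth1 goes to the web server's port 80
    (10, lambda p: p["in_if"] == "eth1" and p["proto"] == "tcp" and p["dport"] == 80,
         lambda p: {**p, "dst": WEB_SERVER, "dport": 80}),
    # rule 20: 1-to-1 NAT, anything for the dedicated public address goes to the web server
    (20, lambda p: p["in_if"] == "eth1" and p["dst"] == ONE_TO_ONE_PUBLIC,
         lambda p: {**p, "dst": WEB_SERVER}),
]

def apply_nat(rules, packet):
    """Return (rule number, translated packet); (None, packet) when nothing matches."""
    for number, matches, translate in sorted(rules, key=lambda r: r[0]):
        if matches(packet):
            return number, translate(packet)
    return None, packet

def outbound(src, dst, dport, proto="tcp"):
    """Packet from the internal network leaving via eth1: source NAT table."""
    return apply_nat(SOURCE_RULES, {"out_if": "eth1", "proto": proto,
                                    "src": src, "dst": dst, "dport": dport})

def inbound(src, dst, dport, proto="tcp"):
    """Packet arriving on eth1 from the outside: destination NAT table."""
    return apply_nat(DESTINATION_RULES, {"in_if": "eth1", "proto": proto,
                                         "src": src, "dst": dst, "dport": dport})

if __name__ == "__main__":
    print(outbound("10.0.0.2", "198.51.100.7", 443))   # rule 20, not masquerade
    print(outbound("10.0.0.9", "198.51.100.7", 443))   # rule 100, masquerade
    print(inbound("198.51.100.7", ETH1_ADDR, 80))       # rule 10, port forward
    print(inbound("198.51.100.7", ONE_TO_ONE_PUBLIC, 443))  # rule 20, 1-to-1
    print(inbound("198.51.100.7", ETH1_ADDR, 443))      # no DNAT match
```

A packet to eth1's own address on a port other than 80 matches no destination rule and is left untranslated, which is exactly the traffic the eth1-local firewall rule set decides on.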