Setting up a NAT

Source NAT

Source NAT refers to the translation of traffic travelling from the internal to the external network.

Continuing on from the initial scenario, let's now assume that we wish to apply IP masquerading.

Apply IP masquerading on eth1 (the external interface)

set nat source rule 100 outbound-interface eth1
set nat source rule 100 source address 10.0.0.0/24
set nat source rule 100 translation address masquerade

If we instead wish to translate to a single fixed IP address, 203.0.113.32, replace the translation address.

set nat source rule 100 translation address 203.0.113.32

And if we wanted a range of IP addresses, 203.0.113.32-203.0.113.63, specify the range instead.

set nat source rule 100 translation address 203.0.113.32-203.0.113.63

Don't forget to commit and save.

commit
save

Destination NAT

Destination NAT refers to the translation of traffic travelling from the external to the internal network.

In this example we use it to forward traffic to different locations.

Continuing on from our scenario (IP masquerading in use), let's now assume a web server is attached to the VyOS machine and has a private IP of 10.0.0.2/24. We wish to be able to access it through the VyOS machine's external IP. We can create a NAT rule that forwards traffic arriving on port 80 of the VyOS machine to port 80 of the web server.

The destination port is the incoming port on the VyOS machine, and the translation address and port are what it gets translated to.

edit nat destination rule 10
set description 'Web server'
set destination port 80
set inbound-interface eth1
set protocol tcp
set translation address 10.0.0.2
set translation port 80

top

A firewall rule is also required to let traffic in on port 80.

edit firewall name eth1-local rule 40
set action accept
set description 'Allow http'
set destination port 80
set protocol tcp

top

Finally, we commit and save.

commit
save

However, for this to work completely, the web server must have its default gateway set to the VyOS machine (10.0.0.1 in this example). This is done on the web server, assuming it is running Linux.

sudo route add default gw 10.0.0.1

1-to-1 NAT

Say we now wish to directly apply a 1-to-1 NAT between the VyOS machine (23.90.55.23) and the web server (10.0.0.2).

set nat destination rule 20 description '1-to-1 NAT'
set nat destination rule 20 destination address 23.90.55.23
set nat destination rule 20 inbound-interface eth1
set nat destination rule 20 translation address 10.0.0.2
set nat source rule 20 description '1-to-1 NAT'
set nat source rule 20 outbound-interface eth1
set nat source rule 20 source address 10.0.0.2
set nat source rule 20 translation address 23.90.55.23

commit
save
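As an added illustration (not part of the original page or of VyOS itself), the following Python models how the source and destination rules from the Source NAT, Destination NAT and 1-to-1 NAT sections above are evaluated: in ascending rule-number order, first match wins, which is why the 1-to-1 rule 20 must carry a lower number than the masquerade rule 100 to take effect for 10.0.0.2. It assumes eth1 carries the address 23.90.55.23 and uses the rule numbers and addresses exactly as configured above.

```python
import ipaddress

# Assumption: the external interface eth1 carries the address used for the 1-to-1 NAT.
EXTERNAL_IP = {"eth1": "23.90.55.23"}

# Source NAT rules as configured on the page (constructed model, not VyOS output).
SOURCE_RULES = {
    20:  {"outbound-interface": "eth1", "source": "10.0.0.2/32",
          "translation": "23.90.55.23"},                  # 1-to-1 NAT for the web server
    100: {"outbound-interface": "eth1", "source": "10.0.0.0/24",
          "translation": "masquerade"},                   # everyone else in 10.0.0.0/24
}

# Destination NAT rules as configured on the page.
DEST_RULES = {
    10: {"inbound-interface": "eth1", "protocol": "tcp", "port": 80,
         "translation": "10.0.0.2"},                      # port-80 forward to the web server
    20: {"inbound-interface": "eth1", "destination": "23.90.55.23",
         "translation": "10.0.0.2"},                      # 1-to-1 NAT (all protocols/ports)
}

def _in(addr, prefix):
    # A bare address such as "23.90.55.23" is treated as a /32 by ip_network.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def source_nat(src, out_iface, rules=SOURCE_RULES):
    """Return (rule_number, translated_source) for the first matching rule, else None."""
    for num in sorted(rules):                             # VyOS order: lowest number first
        r = rules[num]
        if r["outbound-interface"] != out_iface or not _in(src, r["source"]):
            continue
        t = r["translation"]
        # "masquerade" means the outbound interface's own address.
        return num, EXTERNAL_IP[out_iface] if t == "masquerade" else t
    return None

def destination_nat(dst, dport, proto, in_iface, rules=DEST_RULES):
    """Return (rule_number, translated_destination) for the first matching rule, else None."""
    for num in sorted(rules):
        r = rules[num]
        if r["inbound-interface"] != in_iface:
            continue
        if "protocol" in r and r["protocol"] != proto:      # rule 10 is tcp-only
            continue
        if "port" in r and r["port"] != dport:              # rule 10 is port 80 only
            continue
        if "destination" in r and not _in(dst, r["destination"]):
            continue
        return num, r["translation"]
    return None
```

Renumbering the 1-to-1 source rule above 100 (for example to 200) makes the masquerade rule match 10.0.0.2 first, which the model reproduces.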