diff options
author | Christian Poessinger <christian@poessinger.com> | 2020-01-03 16:44:21 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-01-03 16:44:21 +0100 |
commit | 92c9eccd72793623490777bae9d71a498621ef0e (patch) | |
tree | cc8e82bb89d662d13c989c548daec3042534757e | |
parent | 334675c997dba7c021adebc98334d25d14abe5df (diff) | |
download | vyos-documentation-92c9eccd72793623490777bae9d71a498621ef0e.tar.gz vyos-documentation-92c9eccd72793623490777bae9d71a498621ef0e.zip |
nat: update hairpin/reflection example
-rw-r--r-- | docs/nat.rst | 98 |
1 files changed, 72 insertions, 26 deletions
diff --git a/docs/nat.rst b/docs/nat.rst index 0b09710b..9607be3d 100644 --- a/docs/nat.rst +++ b/docs/nat.rst @@ -335,10 +335,10 @@ protocol behavior. For this reason, VyOS does not globally drop invalid state traffic, instead allowing the operator to make the determination on how the traffic is handled. -NAT Reflection/Hairpin NAT --------------------------- +.. _hairpin_nat_reflection: -.. note:: Avoiding NAT breakage in the absence of split-DNS +Hairpin NAT/NAT Reflection +-------------------------- A typical problem with using NAT and hosting public servers is the ability for internal systems to reach an internal server using it's external IP address. @@ -346,41 +346,87 @@ The solution to this is usually the use of split-DNS to correctly point host systems to the internal address when requests are made internally. Because many smaller networks lack DNS infrastructure, a work-around is commonly deployed to facilitate the traffic by NATing the request from internal hosts -to the source address of the internal interface on the firewall. This technique -is commonly referred to as **NAT Reflection**, or **Hairpin NAT**. +to the source address of the internal interface on the firewall. -In this example, we will be using the example Quick Start configuration above -as a starting point. +This technique is commonly referred to as NAT Reflection or Hairpin NAT. + +Example: + +* Redirect Microsoft RDP traffic from the outside (WAN, external) world via + :ref:`destination-nat` in rule 100 to the internal, private host 192.0.2.40. -To setup a NAT reflection rule, we need to create a rule to NAT connections -from the internal network to the same internal network to use the source -address of the internal interface. +* Redirect Microsoft RDP traffic from the internal (LAN, private) network via + :ref:`destination-nat` in rule 110 to the internal, private host 192.0.2.40. + We also need a :ref:`source-nat` rule 110 for the reverse path of the traffic. + The internal network 192.0.2.0/24 is reachable via interfache `eth0.10`. .. code-block:: none + set nat destination rule 100 description 'Regular destination NAT from external' + set nat destination rule 100 destination port '3389' + set nat destination rule 100 inbound-interface 'pppoe0' + set nat destination rule 100 protocol 'tcp' + set nat destination rule 100 translation address '192.0.2.40' + + set nat destination rule 110 description 'NAT Reflection: INSIDE' + set nat destination rule 110 destination port '3389' + set nat destination rule 110 inbound-interface 'eth0.10' + set nat destination rule 110 protocol 'tcp' + set nat destination rule 110 translation address '192.0.2.40' + set nat source rule 110 description 'NAT Reflection: INSIDE' - set nat source rule 110 destination address '192.168.0.0/24' - set nat source rule 110 outbound-interface 'eth1' - set nat source rule 110 source address '192.168.0.0/24' + set nat source rule 110 destination address '192.0.2.0/24' + set nat source rule 110 outbound-interface 'eth0.10' + set nat source rule 110 protocol 'tcp' + set nat source rule 110 source address '192.0.2.0/24' set nat source rule 110 translation address 'masquerade' Which results in a configuration of: .. code-block:: none - rule 110 { - description "NAT Reflection: INSIDE" - destination { - address 192.168.0.0/24 - } - outbound-interface eth1 - source { - address 192.168.0.0/24 - } - translation { - address masquerade - } - } + vyos@vyos# show nat + destination { + rule 100 { + description "Regular destination NAT from external" + destination { + port 3389 + } + inbound-interface pppoe0 + protocol tcp + translation { + address 192.0.2.40 + } + } + rule 110 { + description "NAT Reflection: INSIDE" + destination { + port 3389 + } + inbound-interface eth0.10 + protocol tcp + translation { + address 192.0.2.40 + } + } + } + source { + rule 110 { + description "NAT Reflection: INSIDE" + destination { + address 192.0.2.0/24 + } + outbound-interface eth0.10 + protocol tcp + source { + address 192.0.2.0/24 + } + translation { + address masquerade + } + } + } + Destination NAT --------------- |