authorNicolas Vollmar <nvollmar@gmail.com>2024-05-10 14:23:31 +0200
committerGitHub <noreply@github.com>2024-05-10 14:23:31 +0200
commitfd4b7ff7fcddf8da651d767cb150c5f7d9091ae8 (patch)
treea424f6b6244914a7df050a0da5631baba8a39430
parent6a604b7beb7b53bd89140c13bd7bcfe1a583d9f0 (diff)
firewall: add missing interface name node
-rw-r--r--docs/configuration/nat/nat44.rst62
1 files changed, 41 insertions, 21 deletions
diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst
index c660f8f4..2ec0c9b8 100644
--- a/docs/configuration/nat/nat44.rst
+++ b/docs/configuration/nat/nat44.rst
@@ -148,23 +148,35 @@ rule.
* **outbound-interface** - applicable only to :ref:`source-nat`. It
configures the interface which is used for the outside traffic that
- this translation rule applies to.
+ this translation rule applies to. Interface groups, inverted
+ selection and wildcard, are also supported.
- Example:
+ Examples:
.. code-block:: none
- set nat source rule 20 outbound-interface eth0
+ set nat source rule 20 outbound-interface name eth0
+ set nat source rule 30 outbound-interface name bond1*
+ set nat source rule 20 outbound-interface name !vtun2
+ set nat source rule 20 outbound-interface group GROUP1
+ set nat source rule 20 outbound-interface group !GROUP2
+
* **inbound-interface** - applicable only to :ref:`destination-nat`. It
configures the interface which is used for the inside traffic the
- translation rule applies to.
+ translation rule applies to. Interface groups, inverted
+ selection and wildcard, are also supported.
Example:
.. code-block:: none
- set nat destination rule 20 inbound-interface eth1
+ set nat destination rule 20 inbound-interface name eth0
+ set nat destination rule 30 inbound-interface name bond1*
+ set nat destination rule 20 inbound-interface name !vtun2
+ set nat destination rule 20 inbound-interface group GROUP1
+ set nat destination rule 20 inbound-interface group !GROUP2
+
* **protocol** - specify which types of protocols this translation rule
applies to. Only packets matching the specified protocol are NATed.
@@ -323,7 +335,7 @@ demonstrate the following configuration:
.. code-block:: none
- set nat source rule 100 outbound-interface 'eth0'
+ set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address 'masquerade'
@@ -332,7 +344,9 @@ Which generates the following configuration:
.. code-block:: none
rule 100 {
- outbound-interface eth0
+ outbound-interface {
+ name eth0
+ }
source {
address 192.168.0.0/24
}
@@ -424,19 +438,19 @@ Example:
set nat destination rule 100 description 'Regular destination NAT from external'
set nat destination rule 100 destination port '3389'
- set nat destination rule 100 inbound-interface 'pppoe0'
+ set nat destination rule 100 inbound-interface name 'pppoe0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '192.0.2.40'
set nat destination rule 110 description 'NAT Reflection: INSIDE'
set nat destination rule 110 destination port '3389'
- set nat destination rule 110 inbound-interface 'eth0.10'
+ set nat destination rule 110 inbound-interface name 'eth0.10'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address '192.0.2.40'
set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address '192.0.2.0/24'
- set nat source rule 110 outbound-interface 'eth0.10'
+ set nat source rule 110 outbound-interface name 'eth0.10'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/24'
set nat source rule 110 translation address 'masquerade'
@@ -452,7 +466,9 @@ Which results in a configuration of:
destination {
port 3389
}
- inbound-interface pppoe0
+ inbound-interface {
+ name pppoe0
+ }
protocol tcp
translation {
address 192.0.2.40
@@ -463,7 +479,9 @@ Which results in a configuration of:
destination {
port 3389
}
- inbound-interface eth0.10
+ inbound-interface {
+ name eth0.10
+ }
protocol tcp
translation {
address 192.0.2.40
@@ -476,7 +494,9 @@ Which results in a configuration of:
destination {
address 192.0.2.0/24
}
- outbound-interface eth0.10
+ outbound-interface {
+ name eth0.10
+ }
protocol tcp
source {
address 192.0.2.0/24
@@ -515,7 +535,7 @@ Our configuration commands would be:
set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'
set nat destination rule 10 destination port '80'
- set nat destination rule 10 inbound-interface 'eth0'
+ set nat destination rule 10 inbound-interface name 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.0.100'
@@ -530,7 +550,9 @@ Which would generate the following NAT destination configuration:
destination {
port 80
}
- inbound-interface eth0
+ inbound-interface {
+ name eth0
+ }
protocol tcp
translation {
address 192.168.0.100
@@ -610,10 +632,10 @@ and one external interface:
set interfaces ethernet eth1 description 'Outside interface'
set nat destination rule 2000 description '1-to-1 NAT example'
set nat destination rule 2000 destination address '192.0.2.30'
- set nat destination rule 2000 inbound-interface 'eth1'
+ set nat destination rule 2000 inbound-interface name 'eth1'
set nat destination rule 2000 translation address '192.168.1.10'
set nat source rule 2000 description '1-to-1 NAT example'
- set nat source rule 2000 outbound-interface 'eth1'
+ set nat source rule 2000 outbound-interface name 'eth1'
set nat source rule 2000 source address '192.168.1.10'
set nat source rule 2000 translation address '192.0.2.30'
@@ -639,7 +661,7 @@ We will use source and destination address for hash generation.
.. code-block:: none
- set nat destination rule 10 inbound-interface eth0
+ set nat destination rule 10 inbound-interface name eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 destination port 80
set nat destination rule 10 load-balance hash source-address
@@ -655,7 +677,7 @@ We will generate the hash randomly.
.. code-block:: none
- set nat source rule 10 outbound-interface eth0
+ set nat source rule 10 outbound-interface name eth0
set nat source rule 10 source address 10.0.0.0/8
set nat source rule 10 load-balance hash random
set nat source rule 10 load-balance backend 192.0.2.251 weight 33
@@ -709,12 +731,10 @@ NAT Configuration
set nat source rule 110 description 'Internal to ASP'
set nat source rule 110 destination address '172.27.1.0/24'
- set nat source rule 110 outbound-interface 'any'
set nat source rule 110 source address '192.168.43.0/24'
set nat source rule 110 translation address '172.29.41.89'
set nat source rule 120 description 'Internal to ASP'
set nat source rule 120 destination address '10.125.0.0/16'
- set nat source rule 120 outbound-interface 'any'
set nat source rule 120 source address '192.168.43.0/24'
set nat source rule 120 translation address '172.29.41.89'