authorRobert Göhler <github@ghlr.de>2023-10-12 21:07:31 +0200
committerGitHub <noreply@github.com>2023-10-12 21:07:31 +0200
commitc2c8d3628661dadf42f86d884e6c7c3205f6b1d9 (patch)
treef1c7d83b38f16e195fba921fe6d59ae5a8863f2d /docs/configuration/nat/nat44.rst
parente0fa88b183d5851f2b1466cf032be23a9a25b50a (diff)
parent54525f31cee8bf9546d4a564cf12459a8c381cea (diff)
Merge pull request #1112 from vyos/revert-1111-nat_interfaces_group
Revert "NAT: add interface-group documentation. "
Diffstat (limited to 'docs/configuration/nat/nat44.rst')
-rw-r--r--docs/configuration/nat/nat44.rst108
1 files changed, 43 insertions, 65 deletions
diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst
index 9c1d1423..c660f8f4 100644
--- a/docs/configuration/nat/nat44.rst
+++ b/docs/configuration/nat/nat44.rst
@@ -148,35 +148,23 @@ rule.
* **outbound-interface** - applicable only to :ref:`source-nat`. It
configures the interface which is used for the outside traffic that
- this translation rule applies to. Interface groups, inverted
- selection and wildcard, are also supported.
+ this translation rule applies to.
- Examples:
+ Example:
.. code-block:: none
- set nat source rule 20 outbound-interface interface-name eth0
- set nat source rule 30 outbound-interface interface-name bond1*
- set nat source rule 20 outbound-interface interface-name !vtun2
- set nat source rule 20 outbound-interface interface-group GROUP1
- set nat source rule 20 outbound-interface interface-group !GROUP2
-
+ set nat source rule 20 outbound-interface eth0
* **inbound-interface** - applicable only to :ref:`destination-nat`. It
configures the interface which is used for the inside traffic the
- translation rule applies to. Interface groups, inverted
- selection and wildcard, are also supported.
+ translation rule applies to.
Example:
.. code-block:: none
- set nat destination rule 20 inbound-interface interface-name eth0
- set nat destination rule 30 inbound-interface interface-name bond1*
- set nat destination rule 20 inbound-interface interface-name !vtun2
- set nat destination rule 20 inbound-interface interface-group GROUP1
- set nat destination rule 20 inbound-interface interface-group !GROUP2
-
+ set nat destination rule 20 inbound-interface eth1
* **protocol** - specify which types of protocols this translation rule
applies to. Only packets matching the specified protocol are NATed.
@@ -335,7 +323,7 @@ demonstrate the following configuration:
.. code-block:: none
- set nat source rule 100 outbound-interface interface-name 'eth0'
+ set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address 'masquerade'
@@ -344,9 +332,7 @@ Which generates the following configuration:
.. code-block:: none
rule 100 {
- outbound-interface {
- interface-name eth0
- }
+ outbound-interface eth0
source {
address 192.168.0.0/24
}
@@ -438,19 +424,19 @@ Example:
set nat destination rule 100 description 'Regular destination NAT from external'
set nat destination rule 100 destination port '3389'
- set nat destination rule 100 inbound-interface interface-name 'pppoe0'
+ set nat destination rule 100 inbound-interface 'pppoe0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '192.0.2.40'
set nat destination rule 110 description 'NAT Reflection: INSIDE'
set nat destination rule 110 destination port '3389'
- set nat destination rule 110 inbound-interface interface-name 'eth0.10'
+ set nat destination rule 110 inbound-interface 'eth0.10'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address '192.0.2.40'
set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address '192.0.2.0/24'
- set nat source rule 110 outbound-interface interface-name 'eth0.10'
+ set nat source rule 110 outbound-interface 'eth0.10'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/24'
set nat source rule 110 translation address 'masquerade'
@@ -466,9 +452,7 @@ Which results in a configuration of:
destination {
port 3389
}
- inbound-interface {
- interface-name pppoe0
- }
+ inbound-interface pppoe0
protocol tcp
translation {
address 192.0.2.40
@@ -479,9 +463,7 @@ Which results in a configuration of:
destination {
port 3389
}
- inbound-interface {
- interface-name eth0.10
- }
+ inbound-interface eth0.10
protocol tcp
translation {
address 192.0.2.40
@@ -494,9 +476,7 @@ Which results in a configuration of:
destination {
address 192.0.2.0/24
}
- outbound-interface {
- interface-name eth0.10
- }
+ outbound-interface eth0.10
protocol tcp
source {
address 192.0.2.0/24
@@ -535,7 +515,7 @@ Our configuration commands would be:
set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'
set nat destination rule 10 destination port '80'
- set nat destination rule 10 inbound-interface interface-name 'eth0'
+ set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.0.100'
@@ -550,9 +530,7 @@ Which would generate the following NAT destination configuration:
destination {
port 80
}
- inbound-interface {
- interface-name eth0
- }
+ inbound-interface eth0
protocol tcp
translation {
address 192.168.0.100
@@ -568,45 +546,43 @@ Which would generate the following NAT destination configuration:
This establishes our Port Forward rule, but if we created a firewall
policy it will likely block the traffic.
-Firewall rules for Destination NAT
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-It is important to note that when creating firewall rules, the DNAT
+It is important to note that when creating firewall rules that the DNAT
translation occurs **before** traffic traverses the firewall. In other
words, the destination address has already been translated to
192.168.0.100.
-So in our firewall ruleset, we want to allow traffic which previously matched
-a destination nat rule. In order to avoid creating many rules, one for each
-destination nat rule, we can accept all **'dnat'** connections with one simple
-rule, using ``connection-status`` matcher:
+So in our firewall policy, we want to allow traffic coming in on the
+outside interface, destined for TCP port 80 and the IP address of
+192.168.0.100.
.. code-block:: none
- set firewall ipv4 forward filter rule 10 action accept
- set firewall ipv4 forward filter rule 10 connection-status nat destination
- set firewall ipv4 forward filter rule 10 state new enable
+ set firewall name OUTSIDE-IN rule 20 action 'accept'
+ set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100'
+ set firewall name OUTSIDE-IN rule 20 destination port '80'
+ set firewall name OUTSIDE-IN rule 20 protocol 'tcp'
+ set firewall name OUTSIDE-IN rule 20 state new 'enable'
This would generate the following configuration:
.. code-block:: none
- ipv4 {
- forward {
- filter {
- rule 10 {
- action accept
- connection-status {
- nat destination
- }
- state {
- new enable
- }
- }
- }
+ rule 20 {
+ action accept
+ destination {
+ address 192.168.0.100
+ port 80
+ }
+ protocol tcp
+ state {
+ new enable
}
}
+.. note::
+
+ If you have configured the `INSIDE-OUT` policy, you will need to add
+ additional rules to permit inbound NAT traffic.
1-to-1 NAT
----------
@@ -634,10 +610,10 @@ and one external interface:
set interfaces ethernet eth1 description 'Outside interface'
set nat destination rule 2000 description '1-to-1 NAT example'
set nat destination rule 2000 destination address '192.0.2.30'
- set nat destination rule 2000 inbound-interface interface-name 'eth1'
+ set nat destination rule 2000 inbound-interface 'eth1'
set nat destination rule 2000 translation address '192.168.1.10'
set nat source rule 2000 description '1-to-1 NAT example'
- set nat source rule 2000 outbound-interface interface-name 'eth1'
+ set nat source rule 2000 outbound-interface 'eth1'
set nat source rule 2000 source address '192.168.1.10'
set nat source rule 2000 translation address '192.0.2.30'
@@ -663,7 +639,7 @@ We will use source and destination address for hash generation.
.. code-block:: none
- set nat destination rule 10 inbound-interface inbound-interface eth0
+ set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 destination port 80
set nat destination rule 10 load-balance hash source-address
@@ -679,7 +655,7 @@ We will generate the hash randomly.
.. code-block:: none
- set nat source rule 10 outbound-interface interface-name eth0
+ set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.0.0.0/8
set nat source rule 10 load-balance hash random
set nat source rule 10 load-balance backend 192.0.2.251 weight 33
@@ -733,10 +709,12 @@ NAT Configuration
set nat source rule 110 description 'Internal to ASP'
set nat source rule 110 destination address '172.27.1.0/24'
+ set nat source rule 110 outbound-interface 'any'
set nat source rule 110 source address '192.168.43.0/24'
set nat source rule 110 translation address '172.29.41.89'
set nat source rule 120 description 'Internal to ASP'
set nat source rule 120 destination address '10.125.0.0/16'
+ set nat source rule 120 outbound-interface 'any'
set nat source rule 120 source address '192.168.43.0/24'
set nat source rule 120 translation address '172.29.41.89'