summaryrefslogtreecommitdiff
path: root/docs/nat.rst
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-01-02 22:29:01 +0100
committerChristian Poessinger <christian@poessinger.com>2020-01-02 22:29:01 +0100
commit3dee0da1e82224e81d90dc64f43e8fa2556d715c (patch)
tree6d62c82026866f14cd8af74a2df3516446f245cb /docs/nat.rst
parent373de424d9c3599dc674130393fe7cbaa7713cf7 (diff)
downloadvyos-documentation-3dee0da1e82224e81d90dc64f43e8fa2556d715c.tar.gz
vyos-documentation-3dee0da1e82224e81d90dc64f43e8fa2556d715c.zip
nat: add overview description about Network Address Translation
Diffstat (limited to 'docs/nat.rst')
-rw-r--r--docs/nat.rst324
1 files changed, 287 insertions, 37 deletions
diff --git a/docs/nat.rst b/docs/nat.rst
index 916f6aba..8aafe300 100644
--- a/docs/nat.rst
+++ b/docs/nat.rst
@@ -4,22 +4,267 @@
NAT
###
+:abbr:`NAT (Network Address Translation)` is a common method of remapping one
+IP address space into another by modifying network address information in the
+IP header of packets while they are in transit across a traffic routing device.
+The technique was originally used as a shortcut to avoid the need to readdress
+every host when a network was moved. It has become a popular and essential tool
+in conserving global address space in the face of IPv4 address exhaustion. One
+Internet-routable IP address of a NAT gateway can be used for an entire private
+network.
+
+IP masquerading is a technique that hides an entire IP address space, usually
+consisting of private IP addresses, behind a single IP address in another,
+usually public address space. The hidden addresses are changed into a single
+(public) IP address as the source address of the outgoing IP packets so they
+appear as originating not from the hidden host but from the routing device
+itself. Because of the popularity of this technique to conserve IPv4 address
+space, the term NAT has become virtually synonymous with IP masquerading.
+
+As network address translation modifies the IP address information in packets,
+NAT implementations may vary in their specific behavior in various addressing
+cases and their effect on network traffic. The specifics of NAT behavior are
+not commonly documented by vendors of equipment containing NAT implementations.
+
+The computers on an internal network can use any of the addresses set aside by
+the :abbr:`IANA (Internet Assigned Numbers Authority)` for private addressing
+(see :rfc:`1918`). These reserved IP addresses are not in use on the Internet,
+so an external machine will not directly route to them. The following addresses
+are reserved for private use:
+
+* 10.0.0.0 to 10.255.255.255 (CIDR: 10.0.0.0/8)
+* 172.16.0.0 to 172.31.255.255 (CIDR: 172.16.0.0/12)
+* 192.168.0.0 to 192.168.255.255 (CIDR: 192.268.0.0/16)
+
+
+If an ISP deploys a :abbr:`CGN (Carrier-grade NAT)`, and uses :rfc:`1918`
+address space to number customer gateways, the risk of address collision, and
+therefore routing failures, arises when the customer network already uses an
+:rfc:`1918` address space.
+
+This prompted some ISPs to develop a policy within the :abbr:`ARIN (American
+Registry for Internet Numbers)` to allocate new private address space for CGNs,
+but ARIN deferred to the IETF before implementing the policy indicating that
+the matter was not a typical allocation issue but a reservation of addresses
+for technical purposes (per :rfc:`2860`).
+
+IETF published :rfc:`6598`, detailing a shared address space for use in ISP
+CGN deployments that can handle the same network prefixes occurring both on
+inbound and outbound interfaces. ARIN returned address space to the :abbr:`IANA
+(Internet Assigned Numbers Authority)` for this allocation.
+
+The allocated address block is 100.64.0.0/10.
+
+Devices evaluating whether an IPv4 address is public must be updated to
+recognize the new address space. Allocating more private IPv4 address space for
+NAT devices might prolong the transition to IPv6.
+
+Overview
+========
+
+Different NAT Types
+-------------------
+
.. _source-nat:
-Source NAT
-==========
+Source NAT (SNAT)
+^^^^^^^^^^^^^^^^^
+
+Source NAT is the most common form of NAT and is typically referred to simply
+as NAT. To be more correct, what most people refer to as NAT is actually the
+process of :abbr:`PAT (Port Address Translation)`, or NAT Overload. SNAT is
+typically used by internal users/private hosts to access the Internet - the
+source address is translated and thus kept private.
+
+.. _destination-nat:
+
+Destination NAT (DNAT)
+^^^^^^^^^^^^^^^^^^^^^^
+
+While :ref:`source-nat` changes the source address of packets, DNAT changes
+the destination address of packets passing through the router. DNAT is
+typically used when an external (public) host needs to initiate a session with
+an internal (private) host. A customer needs to access a private service
+behind the routers public IP. A connection is established with the routers
+public IP address on a well known port and thus all traffic for this port is
+rewritten to address the internal (private) host.
+
+.. _bidirectional-nat:
+
+Bidirectional NAT
+^^^^^^^^^^^^^^^^^
+
+This is a common szenario where both :ref:`source-nat` and
+:ref:`destination-nat` are configured at the same time. It's commonly used then
+internal (private) hosts need to establish a connection with external resources
+and external systems need to acces sinternal (private) resources.
+
+NAT, Routing, Firewall Interaction
+----------------------------------
+
+There is a very nice picture/explanation in the Vyatta documentation which
+should be rewritten here.
+
+NAT Ruleset
+-----------
+
+:abbr:`NAT (Network Address Translation)` is configured entirely on a series
+of so called `rules`. Rules are numbered and evaluated by the underlaying OS
+in numerical order! The rule numbers can be changes by utilizing the
+:cfgcmd:`rename` and :cfgcmd`copy` commands.
+
+.. note:: Changes to the NAT system only affect newly established connections.
+ Already establiushed ocnnections are not affected.
+
+.. hint:: When designing your NAT ruleset leave some space between consecutive
+ rules for later extension. Your ruleset could start with numbers 10, 20, 30.
+ You thus can later extend the ruleset and place new rules between existing
+ ones.
+
+Rules will be created for both :ref:`source-nat` and :ref:`destination-nat`.
+
+For :ref:`bidirectional-nat` a rule for both :ref:`source-nat` and
+:ref:`destination-nat` needs to be created.
+
+.. _traffic-filters:
+
+Traffic Filters
+---------------
+
+Traffic Filters are used to control which packets will have the defined NAT
+rules applied. Five different filters can be applied within a NAT rule
+
+* **outbound-interface** - applicable only to :ref:`source-nat`. It configures
+ the interface which is used for the outside traffic that this translation rule
+ applies to.
+
+ Example:
+
+ .. code-block:: none
+
+ set nat source rule 20 outbound-interface eth0
+
+* **inbound-interface** - applicable only to :ref:`destination-nat`. It
+ configures the interface which is used for the inside traffic the the
+ translation rule applies to.
+
+ Example:
+
+ .. code-block:: none
+
+ set nat destination rule 20 inbound-interface eth1
+
+* **protocol** - specify which types of protocols this translation rule applies
+ to. Only packets matching the specified protocol are NATed. By default this
+ applies to `all` protocols.
+
+ Example:
+
+ * Set SNAT rule 20 to only NAT TCP and UDP packets
+ * Set DNAT rule 20 to only NAT UDP packets
+
+ .. code-block:: none
+
+ set nat source rule 20 protocol tcp_udp
+ set nat destination rule 20 protocol udp
+
+* **source** - specifies which packets the NAT translation rule applies to
+ based on the packets source IP address and/or source port. Only matching
+ packets are considered for NAT.
+
+ Example:
+
+ * Set SNAT rule 20 to only NAT packets arriving from the 192.0.2.0/24 network
+ * Set SNAT rule 30 to only NAT packets arriving from the 192.0.3.0/24 network
+ with a source port of 80 and 443
+
+ .. code-block:: none
+
+ set nat source rule 20 source address 192.0.2.0/24
+ set nat source rule 30 source address 192.0.3.0/24
+ set nat source rule 30 source port 80,443
-Source NAT is typically referred to simply as NAT. To be more correct, what
-most people refer to as NAT is actually the process of **Port Address
-Translation (PAT)**, or **NAT Overload**. The process of having many internal
-host systems communicate to the Internet using a single or subset of IP
-addresses.
+
+* **destination** - specify which packets the translation will be applied to,
+ only based on the destination address and/or port number configured.
+
+ .. note:: If no destination is specified the rule will match on any
+ destination address and port.
+
+ Example:
+
+ * Configure SNAT rule (40) to only NAT packets with a destination address of
+ 192.0.2.1.
+
+ .. code-block:: none
+
+ set nat source rule 40 destination address 192.0.2.1
+
+
+Address Conversion
+------------------
+
+Every NAT rule has a translation command defined. The address defined for the
+translation is the addrass used when the address information in a packet is
+replaced.
+
+Source Address
+^^^^^^^^^^^^^^
+
+For :ref:`source-nat` rules the packets source address will be replaced with
+the address specified in the translation command. A port translation can also
+be specified and is part of the translation address.
+
+.. note:: The translation address must be set to one of the available addresses
+ on the configured `outbound-interface` or it must be set to `masquerade`
+ which will use the primary IP address of the `outbound-interface` as its
+ translation address.
+
+.. note:: When using NAT for a large number of host systems it recommended that
+ a minimum of 1 IP address is used to NAT every 256 private host systems.
+ This is due to the limit of 65,000 port numbers available for unique
+ translations and a reserving an average of 200-300 sessions per host system.
+
+Example:
+
+* Define a discrete source IP address of 100.64.0.1 for SNAT rule 20
+* Use address `masquerade` (the interfaces primary address) on rule 30
+* For a large amount of private machines behind the NAT your address pool might
+ to be bigger. Use any address in the range 100.64.0.10 - 100.64.0.20 on SNAT
+ rule 40 when doing the translation
+
+
+.. code-block:: none
+
+ set nat source rule 20 translation address 100.64.0.1
+ set nat source rule 30 translation address 'masquerade'
+ set nat source rule 40 translation address 100.64.0.10-100.64.0.20
+
+
+Destination Address
+^^^^^^^^^^^^^^^^^^^
+
+For :ref:`destination-nat` rules the packets destination address will be
+replaced by the specified address in the `translation address` command.
+
+Example:
+
+* DNAT rule 10 replaces the destination address of an inbound packet with
+ 192.0.2.10
+
+.. code-block:: none
+
+ set nat destination rule 10 translation address 192.0.2.10
+
+
+Configuration Examples
+======================
To setup SNAT, we need to know:
-* The internal IP addresses we want to translate;
-* The outgoing interface to perform the translation on;
-* The external IP address to translate to.
+* The internal IP addresses we want to translate
+* The outgoing interface to perform the translation on
+* The external IP address to translate to
In the example used for the Quick Start configuration above, we demonstrate
the following configuration:
@@ -138,7 +383,7 @@ Which results in a configuration of:
}
Destination NAT
-===============
+---------------
DNAT is typically referred to as a **Port Forward**. When using VyOS as a NAT
router and firewall, a common configuration task is to redirect incoming
@@ -231,7 +476,7 @@ This would generate the following configuration:
additional rules to permit inbound NAT traffic.
1-to-1 NAT
-==========
+----------
Another term often used for DNAT is **1-to-1 NAT**. For a 1-to-1 NAT
configuration, both DNAT and SNAT are used to NAT all traffic from an external
@@ -245,9 +490,6 @@ internal IP to a reserved external IP. This dedicates an external IP address
to an internal IP address and is useful for protocols which don't have the
notion of ports, such as GRE.
-1-to-1 NAT example
-------------------
-
Here's an extract of a simple 1-to-1 NAT configuration with one internal and
one external interface:
@@ -270,15 +512,16 @@ Firewall rules are written as normal, using the internal IP address as the
source of outbound rules and the destination of inbound rules.
NPTv6
-=====
+-----
NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6. It's
described in :rfc:`6296`. NPTv6 is supported in linux kernel since version 3.13.
**Usage**
-NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the external IPv6 prefix is dynamic,
-as it prevents the need for renumbering of internal hosts when the extern prefix changes.
+NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the
+external IPv6 prefix is dynamic, as it prevents the need for renumbering of
+internal hosts when the extern prefix changes.
Let's assume the following network configuration:
@@ -302,7 +545,7 @@ their address to the right subnet when going through your router.
* eth2 addr : 2001:db8:e2::1/48
VyOS Support
-------------
+^^^^^^^^^^^^
NPTv6 support has been added in VyOS 1.2 (Crux) and is available through
`nat nptv6` configuration nodes.
@@ -333,16 +576,20 @@ Resulting in the following ip6tables rules:
NAT before VPN
-==============
+--------------
-Some application service providers (ASPs) operate a VPN gateway to provide access to their internal resources,
-and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP.
+Some application service providers (ASPs) operate a VPN gateway to provide
+access to their internal resources, and require that a connecting organisation
+translate all traffic to the service provider network to a source address
+provided by the ASP.
Example Network
----------------
+^^^^^^^^^^^^^^^
Here's one example of a network environment for an ASP.
-The ASP requests that all connections from this company should come from 172.29.41.89 - an address that is assigned by the ASP and not in use at the customer site.
+The ASP requests that all connections from this company should come from
+172.29.41.89 - an address that is assigned by the ASP and not in use at the
+customer site.
.. figure:: _static/images/nat_before_vpn_topology.png
:scale: 100 %
@@ -352,7 +599,7 @@ The ASP requests that all connections from this company should come from 172.29.
Configuration
--------------
+^^^^^^^^^^^^^
The required configuration can be broken down into 4 major pieces:
@@ -363,10 +610,11 @@ The required configuration can be broken down into 4 major pieces:
Dummy interface
-^^^^^^^^^^^^^^^
+"""""""""""""""
-The dummy interface allows us to have an equivalent of the Cisco IOS Loopback interface - a router-internal interface we can use for IP addresses the router must know about,
-but which are not actually assigned to a real network.
+The dummy interface allows us to have an equivalent of the Cisco IOS Loopback
+interface - a router-internal interface we can use for IP addresses the router
+must know about, but which are not actually assigned to a real network.
We only need a single step for this interface:
@@ -375,7 +623,7 @@ We only need a single step for this interface:
set interfaces dummy dum0 address '172.29.41.89/32'
NAT Configuration
-^^^^^^^^^^^^^^^^^
+"""""""""""""""""
.. code-block:: none
@@ -391,8 +639,7 @@ NAT Configuration
set nat source rule 120 translation address '172.29.41.89'
IPSec IKE and ESP
-^^^^^^^^^^^^^^^^^
-
+"""""""""""""""""
The ASP has documented their IPSec requirements:
@@ -408,7 +655,8 @@ The ASP has documented their IPSec requirements:
* DH Group 14
-Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above)
+Additionally, we want to use VPNs only on our eth1 interface (the external
+interface in the image above)
.. code-block:: none
@@ -429,11 +677,12 @@ Additionally, we want to use VPNs only on our eth1 interface (the external inter
set vpn ipsec ipsec-interfaces interface 'eth1'
IPSec VPN Tunnels
-^^^^^^^^^^^^^^^^^
+"""""""""""""""""
-We'll use the IKE and ESP groups created above for this VPN.
-Because we need access to 2 different subnets on the far side, we will need two different tunnels.
-If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too.
+We'll use the IKE and ESP groups created above for this VPN. Because we need
+access to 2 different subnets on the far side, we will need two different
+tunnels. If you changed the names of the ESP group and IKE group in the previous
+step, make sure you use the correct names here too.
.. code-block:: none
@@ -452,7 +701,8 @@ If you changed the names of the ESP group and IKE group in the previous step, ma
Testing and Validation
""""""""""""""""""""""
-If you've completed all the above steps you no doubt want to see if it's all working.
+If you've completed all the above steps you no doubt want to see if it's all
+working.
Start by checking for IPSec SAs (Security Associations) with: