summaryrefslogtreecommitdiff
path: root/docs/nat.rst
diff options
context:
space:
mode:
authorRobert Göhler <github@ghlr.de>2020-01-04 14:12:53 +0100
committerRobert Göhler <github@ghlr.de>2020-01-04 14:12:53 +0100
commit52595595f76d85b20477b61a886a9ff09f17e604 (patch)
treeb33d14410f79ee8c716f22bd765cf9722cd196cf /docs/nat.rst
parent156eef177980052027db572e4b60d984626e0081 (diff)
parenta4fbdcf4b01c8a1806576bcd62a6f166b5645dc6 (diff)
downloadvyos-documentation-52595595f76d85b20477b61a886a9ff09f17e604.tar.gz
vyos-documentation-52595595f76d85b20477b61a886a9ff09f17e604.zip
Merge branch 'master' into newdirectives
Diffstat (limited to 'docs/nat.rst')
-rw-r--r--docs/nat.rst418
1 files changed, 358 insertions, 60 deletions
diff --git a/docs/nat.rst b/docs/nat.rst
index 714697d3..9607be3d 100644
--- a/docs/nat.rst
+++ b/docs/nat.rst
@@ -1,22 +1,270 @@
.. _nat:
+###
NAT
-===
+###
+
+:abbr:`NAT (Network Address Translation)` is a common method of remapping one
+IP address space into another by modifying network address information in the
+IP header of packets while they are in transit across a traffic routing device.
+The technique was originally used as a shortcut to avoid the need to readdress
+every host when a network was moved. It has become a popular and essential tool
+in conserving global address space in the face of IPv4 address exhaustion. One
+Internet-routable IP address of a NAT gateway can be used for an entire private
+network.
+
+IP masquerading is a technique that hides an entire IP address space, usually
+consisting of private IP addresses, behind a single IP address in another,
+usually public address space. The hidden addresses are changed into a single
+(public) IP address as the source address of the outgoing IP packets so they
+appear as originating not from the hidden host but from the routing device
+itself. Because of the popularity of this technique to conserve IPv4 address
+space, the term NAT has become virtually synonymous with IP masquerading.
+
+As network address translation modifies the IP address information in packets,
+NAT implementations may vary in their specific behavior in various addressing
+cases and their effect on network traffic. The specifics of NAT behavior are
+not commonly documented by vendors of equipment containing NAT implementations.
+
+The computers on an internal network can use any of the addresses set aside by
+the :abbr:`IANA (Internet Assigned Numbers Authority)` for private addressing
+(see :rfc:`1918`). These reserved IP addresses are not in use on the Internet,
+so an external machine will not directly route to them. The following addresses
+are reserved for private use:
+
+* 10.0.0.0 to 10.255.255.255 (CIDR: 10.0.0.0/8)
+* 172.16.0.0 to 172.31.255.255 (CIDR: 172.16.0.0/12)
+* 192.168.0.0 to 192.168.255.255 (CIDR: 192.268.0.0/16)
+
+
+If an ISP deploys a :abbr:`CGN (Carrier-grade NAT)`, and uses :rfc:`1918`
+address space to number customer gateways, the risk of address collision, and
+therefore routing failures, arises when the customer network already uses an
+:rfc:`1918` address space.
+
+This prompted some ISPs to develop a policy within the :abbr:`ARIN (American
+Registry for Internet Numbers)` to allocate new private address space for CGNs,
+but ARIN deferred to the IETF before implementing the policy indicating that
+the matter was not a typical allocation issue but a reservation of addresses
+for technical purposes (per :rfc:`2860`).
+
+IETF published :rfc:`6598`, detailing a shared address space for use in ISP
+CGN deployments that can handle the same network prefixes occurring both on
+inbound and outbound interfaces. ARIN returned address space to the :abbr:`IANA
+(Internet Assigned Numbers Authority)` for this allocation.
+
+The allocated address block is 100.64.0.0/10.
+
+Devices evaluating whether an IPv4 address is public must be updated to
+recognize the new address space. Allocating more private IPv4 address space for
+NAT devices might prolong the transition to IPv6.
+
+Overview
+========
+
+Different NAT Types
+-------------------
+
+.. _source-nat:
+
+Source NAT (SNAT)
+^^^^^^^^^^^^^^^^^
+
+Source NAT is the most common form of NAT and is typically referred to simply
+as NAT. To be more correct, what most people refer to as NAT is actually the
+process of :abbr:`PAT (Port Address Translation)`, or NAT Overload. SNAT is
+typically used by internal users/private hosts to access the Internet - the
+source address is translated and thus kept private.
+
+.. _destination-nat:
+
+Destination NAT (DNAT)
+^^^^^^^^^^^^^^^^^^^^^^
+
+While :ref:`source-nat` changes the source address of packets, DNAT changes
+the destination address of packets passing through the router. DNAT is
+typically used when an external (public) host needs to initiate a session with
+an internal (private) host. A customer needs to access a private service
+behind the routers public IP. A connection is established with the routers
+public IP address on a well known port and thus all traffic for this port is
+rewritten to address the internal (private) host.
+
+.. _bidirectional-nat:
+
+Bidirectional NAT
+^^^^^^^^^^^^^^^^^
+
+This is a common szenario where both :ref:`source-nat` and
+:ref:`destination-nat` are configured at the same time. It's commonly used then
+internal (private) hosts need to establish a connection with external resources
+and external systems need to acces sinternal (private) resources.
+
+NAT, Routing, Firewall Interaction
+----------------------------------
+
+There is a very nice picture/explanation in the Vyatta documentation which
+should be rewritten here.
+
+NAT Ruleset
+-----------
+
+:abbr:`NAT (Network Address Translation)` is configured entirely on a series
+of so called `rules`. Rules are numbered and evaluated by the underlaying OS
+in numerical order! The rule numbers can be changes by utilizing the
+:cfgcmd:`rename` and :cfgcmd:`copy` commands.
+
+.. note:: Changes to the NAT system only affect newly established connections.
+ Already establiushed ocnnections are not affected.
+
+.. hint:: When designing your NAT ruleset leave some space between consecutive
+ rules for later extension. Your ruleset could start with numbers 10, 20, 30.
+ You thus can later extend the ruleset and place new rules between existing
+ ones.
+
+Rules will be created for both :ref:`source-nat` and :ref:`destination-nat`.
+
+For :ref:`bidirectional-nat` a rule for both :ref:`source-nat` and
+:ref:`destination-nat` needs to be created.
+
+.. _traffic-filters:
+
+Traffic Filters
+---------------
+
+Traffic Filters are used to control which packets will have the defined NAT
+rules applied. Five different filters can be applied within a NAT rule
+
+* **outbound-interface** - applicable only to :ref:`source-nat`. It configures
+ the interface which is used for the outside traffic that this translation rule
+ applies to.
+
+ Example:
+
+ .. code-block:: none
+
+ set nat source rule 20 outbound-interface eth0
+
+* **inbound-interface** - applicable only to :ref:`destination-nat`. It
+ configures the interface which is used for the inside traffic the the
+ translation rule applies to.
+
+ Example:
+
+ .. code-block:: none
+
+ set nat destination rule 20 inbound-interface eth1
+
+* **protocol** - specify which types of protocols this translation rule applies
+ to. Only packets matching the specified protocol are NATed. By default this
+ applies to `all` protocols.
+
+ Example:
+
+ * Set SNAT rule 20 to only NAT TCP and UDP packets
+ * Set DNAT rule 20 to only NAT UDP packets
+
+ .. code-block:: none
+
+ set nat source rule 20 protocol tcp_udp
+ set nat destination rule 20 protocol udp
+
+* **source** - specifies which packets the NAT translation rule applies to
+ based on the packets source IP address and/or source port. Only matching
+ packets are considered for NAT.
+
+ Example:
+
+ * Set SNAT rule 20 to only NAT packets arriving from the 192.0.2.0/24 network
+ * Set SNAT rule 30 to only NAT packets arriving from the 192.0.3.0/24 network
+ with a source port of 80 and 443
+
+ .. code-block:: none
+
+ set nat source rule 20 source address 192.0.2.0/24
+ set nat source rule 30 source address 192.0.3.0/24
+ set nat source rule 30 source port 80,443
+
+
+* **destination** - specify which packets the translation will be applied to,
+ only based on the destination address and/or port number configured.
+
+ .. note:: If no destination is specified the rule will match on any
+ destination address and port.
+
+ Example:
+
+ * Configure SNAT rule (40) to only NAT packets with a destination address of
+ 192.0.2.1.
+
+ .. code-block:: none
+
+ set nat source rule 40 destination address 192.0.2.1
-Source NAT
-----------
-Source NAT is typically referred to simply as NAT. To be more correct, what
-most people refer to as NAT is actually the process of **Port Address
-Translation (PAT)**, or **NAT Overload**. The process of having many internal
-host systems communicate to the Internet using a single or subset of IP
-addresses.
+Address Conversion
+------------------
+
+Every NAT rule has a translation command defined. The address defined for the
+translation is the addrass used when the address information in a packet is
+replaced.
+
+Source Address
+^^^^^^^^^^^^^^
+
+For :ref:`source-nat` rules the packets source address will be replaced with
+the address specified in the translation command. A port translation can also
+be specified and is part of the translation address.
+
+.. note:: The translation address must be set to one of the available addresses
+ on the configured `outbound-interface` or it must be set to `masquerade`
+ which will use the primary IP address of the `outbound-interface` as its
+ translation address.
+
+.. note:: When using NAT for a large number of host systems it recommended that
+ a minimum of 1 IP address is used to NAT every 256 private host systems.
+ This is due to the limit of 65,000 port numbers available for unique
+ translations and a reserving an average of 200-300 sessions per host system.
+
+Example:
+
+* Define a discrete source IP address of 100.64.0.1 for SNAT rule 20
+* Use address `masquerade` (the interfaces primary address) on rule 30
+* For a large amount of private machines behind the NAT your address pool might
+ to be bigger. Use any address in the range 100.64.0.10 - 100.64.0.20 on SNAT
+ rule 40 when doing the translation
+
+
+.. code-block:: none
+
+ set nat source rule 20 translation address 100.64.0.1
+ set nat source rule 30 translation address 'masquerade'
+ set nat source rule 40 translation address 100.64.0.10-100.64.0.20
+
+
+Destination Address
+^^^^^^^^^^^^^^^^^^^
+
+For :ref:`destination-nat` rules the packets destination address will be
+replaced by the specified address in the `translation address` command.
+
+Example:
+
+* DNAT rule 10 replaces the destination address of an inbound packet with
+ 192.0.2.10
+
+.. code-block:: none
+
+ set nat destination rule 10 translation address 192.0.2.10
+
+
+Configuration Examples
+======================
To setup SNAT, we need to know:
-* The internal IP addresses we want to translate;
-* The outgoing interface to perform the translation on;
-* The external IP address to translate to.
+* The internal IP addresses we want to translate
+* The outgoing interface to perform the translation on
+* The external IP address to translate to
In the example used for the Quick Start configuration above, we demonstrate
the following configuration:
@@ -87,10 +335,10 @@ protocol behavior. For this reason, VyOS does not globally drop invalid state
traffic, instead allowing the operator to make the determination on how the
traffic is handled.
-NAT Reflection/Hairpin NAT
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+.. _hairpin_nat_reflection:
-.. note:: Avoiding NAT breakage in the absence of split-DNS
+Hairpin NAT/NAT Reflection
+--------------------------
A typical problem with using NAT and hosting public servers is the ability for
internal systems to reach an internal server using it's external IP address.
@@ -98,41 +346,87 @@ The solution to this is usually the use of split-DNS to correctly point host
systems to the internal address when requests are made internally. Because
many smaller networks lack DNS infrastructure, a work-around is commonly
deployed to facilitate the traffic by NATing the request from internal hosts
-to the source address of the internal interface on the firewall. This technique
-is commonly referred to as **NAT Reflection**, or **Hairpin NAT**.
+to the source address of the internal interface on the firewall.
-In this example, we will be using the example Quick Start configuration above
-as a starting point.
+This technique is commonly referred to as NAT Reflection or Hairpin NAT.
+
+Example:
-To setup a NAT reflection rule, we need to create a rule to NAT connections
-from the internal network to the same internal network to use the source
-address of the internal interface.
+* Redirect Microsoft RDP traffic from the outside (WAN, external) world via
+ :ref:`destination-nat` in rule 100 to the internal, private host 192.0.2.40.
+
+* Redirect Microsoft RDP traffic from the internal (LAN, private) network via
+ :ref:`destination-nat` in rule 110 to the internal, private host 192.0.2.40.
+ We also need a :ref:`source-nat` rule 110 for the reverse path of the traffic.
+ The internal network 192.0.2.0/24 is reachable via interfache `eth0.10`.
.. code-block:: none
+ set nat destination rule 100 description 'Regular destination NAT from external'
+ set nat destination rule 100 destination port '3389'
+ set nat destination rule 100 inbound-interface 'pppoe0'
+ set nat destination rule 100 protocol 'tcp'
+ set nat destination rule 100 translation address '192.0.2.40'
+
+ set nat destination rule 110 description 'NAT Reflection: INSIDE'
+ set nat destination rule 110 destination port '3389'
+ set nat destination rule 110 inbound-interface 'eth0.10'
+ set nat destination rule 110 protocol 'tcp'
+ set nat destination rule 110 translation address '192.0.2.40'
+
set nat source rule 110 description 'NAT Reflection: INSIDE'
- set nat source rule 110 destination address '192.168.0.0/24'
- set nat source rule 110 outbound-interface 'eth1'
- set nat source rule 110 source address '192.168.0.0/24'
+ set nat source rule 110 destination address '192.0.2.0/24'
+ set nat source rule 110 outbound-interface 'eth0.10'
+ set nat source rule 110 protocol 'tcp'
+ set nat source rule 110 source address '192.0.2.0/24'
set nat source rule 110 translation address 'masquerade'
Which results in a configuration of:
.. code-block:: none
- rule 110 {
- description "NAT Reflection: INSIDE"
- destination {
- address 192.168.0.0/24
- }
- outbound-interface eth1
- source {
- address 192.168.0.0/24
- }
- translation {
- address masquerade
- }
- }
+ vyos@vyos# show nat
+ destination {
+ rule 100 {
+ description "Regular destination NAT from external"
+ destination {
+ port 3389
+ }
+ inbound-interface pppoe0
+ protocol tcp
+ translation {
+ address 192.0.2.40
+ }
+ }
+ rule 110 {
+ description "NAT Reflection: INSIDE"
+ destination {
+ port 3389
+ }
+ inbound-interface eth0.10
+ protocol tcp
+ translation {
+ address 192.0.2.40
+ }
+ }
+ }
+ source {
+ rule 110 {
+ description "NAT Reflection: INSIDE"
+ destination {
+ address 192.0.2.0/24
+ }
+ outbound-interface eth0.10
+ protocol tcp
+ source {
+ address 192.0.2.0/24
+ }
+ translation {
+ address masquerade
+ }
+ }
+ }
+
Destination NAT
---------------
@@ -242,9 +536,6 @@ internal IP to a reserved external IP. This dedicates an external IP address
to an internal IP address and is useful for protocols which don't have the
notion of ports, such as GRE.
-1-to-1 NAT example
-------------------
-
Here's an extract of a simple 1-to-1 NAT configuration with one internal and
one external interface:
@@ -272,11 +563,11 @@ NPTv6
NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6. It's
described in :rfc:`6296`. NPTv6 is supported in linux kernel since version 3.13.
-Usage
-^^^^^
+**Usage**
-NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the external IPv6 prefix is dynamic,
-as it prevents the need for renumbering of internal hosts when the extern prefix changes.
+NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the
+external IPv6 prefix is dynamic, as it prevents the need for renumbering of
+internal hosts when the extern prefix changes.
Let's assume the following network configuration:
@@ -333,14 +624,18 @@ Resulting in the following ip6tables rules:
NAT before VPN
--------------
-Some application service providers (ASPs) operate a VPN gateway to provide access to their internal resources,
-and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP.
+Some application service providers (ASPs) operate a VPN gateway to provide
+access to their internal resources, and require that a connecting organisation
+translate all traffic to the service provider network to a source address
+provided by the ASP.
Example Network
^^^^^^^^^^^^^^^
Here's one example of a network environment for an ASP.
-The ASP requests that all connections from this company should come from 172.29.41.89 - an address that is assigned by the ASP and not in use at the customer site.
+The ASP requests that all connections from this company should come from
+172.29.41.89 - an address that is assigned by the ASP and not in use at the
+customer site.
.. figure:: _static/images/nat_before_vpn_topology.png
:scale: 100 %
@@ -361,10 +656,11 @@ The required configuration can be broken down into 4 major pieces:
Dummy interface
-***************
+"""""""""""""""
-The dummy interface allows us to have an equivalent of the Cisco IOS Loopback interface - a router-internal interface we can use for IP addresses the router must know about,
-but which are not actually assigned to a real network.
+The dummy interface allows us to have an equivalent of the Cisco IOS Loopback
+interface - a router-internal interface we can use for IP addresses the router
+must know about, but which are not actually assigned to a real network.
We only need a single step for this interface:
@@ -373,7 +669,7 @@ We only need a single step for this interface:
set interfaces dummy dum0 address '172.29.41.89/32'
NAT Configuration
-*****************
+"""""""""""""""""
.. code-block:: none
@@ -389,8 +685,7 @@ NAT Configuration
set nat source rule 120 translation address '172.29.41.89'
IPSec IKE and ESP
-*****************
-
+"""""""""""""""""
The ASP has documented their IPSec requirements:
@@ -406,7 +701,8 @@ The ASP has documented their IPSec requirements:
* DH Group 14
-Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above)
+Additionally, we want to use VPNs only on our eth1 interface (the external
+interface in the image above)
.. code-block:: none
@@ -427,11 +723,12 @@ Additionally, we want to use VPNs only on our eth1 interface (the external inter
set vpn ipsec ipsec-interfaces interface 'eth1'
IPSec VPN Tunnels
-*****************
+"""""""""""""""""
-We'll use the IKE and ESP groups created above for this VPN.
-Because we need access to 2 different subnets on the far side, we will need two different tunnels.
-If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too.
+We'll use the IKE and ESP groups created above for this VPN. Because we need
+access to 2 different subnets on the far side, we will need two different
+tunnels. If you changed the names of the ESP group and IKE group in the previous
+step, make sure you use the correct names here too.
.. code-block:: none
@@ -448,9 +745,10 @@ If you changed the names of the ESP group and IKE group in the previous step, ma
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 remote prefix '10.125.0.0/16'
Testing and Validation
-^^^^^^^^^^^^^^^^^^^^^^
+""""""""""""""""""""""
-If you've completed all the above steps you no doubt want to see if it's all working.
+If you've completed all the above steps you no doubt want to see if it's all
+working.
Start by checking for IPSec SAs (Security Associations) with: