diff options
Diffstat (limited to 'docs/nat.rst')
-rw-r--r-- | docs/nat.rst | 34 |
1 files changed, 17 insertions, 17 deletions
diff --git a/docs/nat.rst b/docs/nat.rst index 4e21ad3a..a8475978 100644 --- a/docs/nat.rst +++ b/docs/nat.rst @@ -21,7 +21,7 @@ To setup SNAT, we need to know: In the example used for the Quick Start configuration above, we demonstrate the following configuration: -.. code-block:: console +.. code-block:: none set nat source rule 100 outbound-interface 'eth0' set nat source rule 100 source address '192.168.0.0/24' @@ -29,7 +29,7 @@ the following configuration: Which generates the following configuration: -.. code-block:: console +.. code-block:: none rule 100 { outbound-interface eth0 @@ -58,7 +58,7 @@ recommended. A pool of addresses can be defined by using a **-** in the `set nat source rule [n] translation address` statement. -.. code-block:: console +.. code-block:: none set nat source rule 100 translation address '203.0.113.32-203.0.113.63' @@ -108,7 +108,7 @@ To setup a NAT reflection rule, we need to create a rule to NAT connections from the internal network to the same internal network to use the source address of the internal interface. -.. code-block:: console +.. code-block:: none set nat source rule 110 description 'NAT Reflection: INSIDE' set nat source rule 110 destination address '192.168.0.0/24' @@ -118,7 +118,7 @@ address of the internal interface. Which results in a configuration of: -.. code-block:: console +.. code-block:: none rule 110 { description "NAT Reflection: INSIDE" @@ -156,7 +156,7 @@ For other common port numbers, see: http://en.wikipedia.org/wiki/List_of_TCP_and Our configuration commands would be: -.. code-block:: console +.. code-block:: none set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100' set nat destination rule 10 destination port '80' @@ -166,7 +166,7 @@ Our configuration commands would be: Which would generate the following NAT destination configuration: -.. code-block:: console +.. code-block:: none nat { destination { @@ -198,7 +198,7 @@ the destination address has already been translated to 192.168.0.100. So in our firewall policy, we want to allow traffic coming in on the outside interface, destined for TCP port 80 and the IP address of 192.168.0.100. -.. code-block:: console +.. code-block:: none set firewall name OUTSIDE-IN rule 20 action 'accept' set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100' @@ -208,7 +208,7 @@ interface, destined for TCP port 80 and the IP address of 192.168.0.100. This would generate the following configuration: -.. code-block:: console +.. code-block:: none rule 20 { action accept @@ -248,7 +248,7 @@ notion of ports, such as GRE. Here's an extract of a simple 1-to-1 NAT configuration with one internal and one external interface: -.. code-block:: console +.. code-block:: none set interfaces ethernet eth0 address '192.168.1.1/24' set interfaces ethernet eth0 description 'Inside interface' @@ -305,7 +305,7 @@ VyOS Support NPTv6 support has been added in VyOS 1.2 (Crux) and is available through `nat nptv6` configuration nodes. -.. code-block:: console +.. code-block:: none set rule 10 inside-prefix 'fc00:dead:beef::/48' set rule 10 outside-interface 'eth1' @@ -316,7 +316,7 @@ NPTv6 support has been added in VyOS 1.2 (Crux) and is available through Resulting in the following ip6tables rules: -.. code-block:: console +.. code-block:: none Chain VYOS_DNPT_HOOK (1 references) pkts bytes target prot opt in out source destination @@ -368,14 +368,14 @@ but which are not actually assigned to a real network. We only need a single step for this interface: -.. code-block:: console +.. code-block:: none set interfaces dummy dum0 address '172.29.41.89/32' NAT Configuration ***************** -.. code-block:: console +.. code-block:: none set nat source rule 110 description 'Internal to ASP' set nat source rule 110 destination address '172.27.1.0/24' @@ -408,7 +408,7 @@ The ASP has documented their IPSec requirements: Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above) -.. code-block:: console +.. code-block:: none set vpn ipsec ike-group my-ike ikev2-reauth 'no' set vpn ipsec ike-group my-ike key-exchange 'ikev1' @@ -433,7 +433,7 @@ We'll use the IKE and ESP groups created above for this VPN. Because we need access to 2 different subnets on the far side, we will need two different tunnels. If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too. -.. code-block:: console +.. code-block:: none set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret 'PASSWORD IS HERE' @@ -454,7 +454,7 @@ If you've completed all the above steps you no doubt want to see if it's all wor Start by checking for IPSec SAs (Security Associations) with: -.. code-block:: console +.. code-block:: none $ show vpn ipsec sa |