From a8409f1eb630b85f18722dfc101605590516aed8 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 21 Dec 2019 18:25:46 +0100 Subject: quick-start: rewrite entire chapter --- docs/nat.rst | 2 ++ 1 file changed, 2 insertions(+) (limited to 'docs/nat.rst') diff --git a/docs/nat.rst b/docs/nat.rst index 714697d3..f2c89a71 100644 --- a/docs/nat.rst +++ b/docs/nat.rst @@ -3,6 +3,8 @@ NAT === +.. _source-nat: + Source NAT ---------- -- cgit v1.2.3 From 373de424d9c3599dc674130393fe7cbaa7713cf7 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 2 Jan 2020 22:16:45 +0100 Subject: nat: use documented section style guide --- docs/nat.rst | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) (limited to 'docs/nat.rst') diff --git a/docs/nat.rst b/docs/nat.rst index f2c89a71..916f6aba 100644 --- a/docs/nat.rst +++ b/docs/nat.rst @@ -1,12 +1,13 @@ .. _nat: +### NAT -=== +### .. _source-nat: Source NAT ----------- +========== Source NAT is typically referred to simply as NAT. To be more correct, what most people refer to as NAT is actually the process of **Port Address @@ -90,7 +91,7 @@ traffic, instead allowing the operator to make the determination on how the traffic is handled. NAT Reflection/Hairpin NAT -^^^^^^^^^^^^^^^^^^^^^^^^^^ +-------------------------- .. note:: Avoiding NAT breakage in the absence of split-DNS @@ -137,7 +138,7 @@ Which results in a configuration of: } Destination NAT ---------------- +=============== DNAT is typically referred to as a **Port Forward**. When using VyOS as a NAT router and firewall, a common configuration task is to redirect incoming @@ -230,7 +231,7 @@ This would generate the following configuration: additional rules to permit inbound NAT traffic. 1-to-1 NAT ----------- +========== Another term often used for DNAT is **1-to-1 NAT**. For a 1-to-1 NAT configuration, both DNAT and SNAT are used to NAT all traffic from an external 
@@ -269,13 +270,12 @@ Firewall rules are written as normal, using the internal IP address as the source of outbound rules and the destination of inbound rules. NPTv6 ------ +===== NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6. It's described in :rfc:`6296`. NPTv6 is supported in linux kernel since version 3.13. -Usage -^^^^^ +**Usage** NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the external IPv6 prefix is dynamic, as it prevents the need for renumbering of internal hosts when the extern prefix changes. @@ -302,7 +302,7 @@ their address to the right subnet when going through your router. * eth2 addr : 2001:db8:e2::1/48 VyOS Support -^^^^^^^^^^^^ +------------ NPTv6 support has been added in VyOS 1.2 (Crux) and is available through `nat nptv6` configuration nodes. @@ -333,13 +333,13 @@ Resulting in the following ip6tables rules: NAT before VPN --------------- +============== Some application service providers (ASPs) operate a VPN gateway to provide access to their internal resources, and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP. Example Network -^^^^^^^^^^^^^^^ +--------------- Here's one example of a network environment for an ASP. The ASP requests that all connections from this company should come from 172.29.41.89 - an address that is assigned by the ASP and not in use at the customer site. @@ -352,7 +352,7 @@ The ASP requests that all connections from this company should come from 172.29. Configuration -^^^^^^^^^^^^^ +------------- The required configuration can be broken down into 4 major pieces: 
@@ -363,7 +363,7 @@ The required configuration can be broken down into 4 major pieces: Dummy interface -*************** +^^^^^^^^^^^^^^^ The dummy interface allows us to have an equivalent of the Cisco IOS Loopback interface - a router-internal interface we can use for IP addresses the router must know about, but which are not actually assigned to a real network. @@ -375,7 +375,7 @@ We only need a single step for this interface: set interfaces dummy dum0 address '172.29.41.89/32' NAT Configuration -***************** +^^^^^^^^^^^^^^^^^ .. code-block:: none @@ -391,7 +391,7 @@ NAT Configuration set nat source rule 120 translation address '172.29.41.89' IPSec IKE and ESP -***************** +^^^^^^^^^^^^^^^^^ The ASP has documented their IPSec requirements: @@ -429,7 +429,7 @@ Additionally, we want to use VPNs only on our eth1 interface (the external inter set vpn ipsec ipsec-interfaces interface 'eth1' IPSec VPN Tunnels -***************** +^^^^^^^^^^^^^^^^^ We'll use the IKE and ESP groups created above for this VPN. Because we need access to 2 different subnets on the far side, we will need two different tunnels. @@ -450,7 +450,7 @@ If you changed the names of the ESP group and IKE group in the previous step, ma set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 remote prefix '10.125.0.0/16' Testing and Validation -^^^^^^^^^^^^^^^^^^^^^^ +"""""""""""""""""""""" If you've completed all the above steps you no doubt want to see if it's all working. -- cgit v1.2.3 From 3dee0da1e82224e81d90dc64f43e8fa2556d715c Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 2 Jan 2020 22:29:01 +0100 Subject: nat: add overview description about Network Address Translation --- docs/nat.rst | 324 ++++++++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 287 insertions(+), 37 deletions(-) (limited to 'docs/nat.rst') diff --git a/docs/nat.rst b/docs/nat.rst index 916f6aba..8aafe300 100644 --- a/docs/nat.rst +++ b/docs/nat.rst 
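Review bot: in the hunk at @@ -269,13 +270,12 @@ (NPTv6), replacing the `Usage` heading (underlined with `^^^^^`) by the bold paragraph `**Usage**` drops that section from the document tree while its sibling `VyOS Support` in the following hunk stays a real heading (now underlined with `------------`); keep `Usage` as a heading with the same `------------` underline so both NPTv6 subsections sit at one level and both show up in the table of contents.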
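Review bot: in the hunk at @@ -450,7 +450,7 @@, changing the `Testing and Validation` underline from `^^^` to `"""` moves that section one level below the `^^^` this commit assigns to `Dummy interface`, `NAT Configuration`, `IPSec IKE and ESP` and `IPSec VPN Tunnels` in the hunks just above, so it becomes a subsection of `IPSec VPN Tunnels` instead of staying a sibling of `Example Network` and `Configuration` as it was before the commit; use the `---` underline those two receive in this commit.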
@@ -4,22 +4,267 @@ NAT ### +:abbr:`NAT (Network Address Translation)` is a common method of remapping one +IP address space into another by modifying network address information in the +IP header of packets while they are in transit across a traffic routing device. +The technique was originally used as a shortcut to avoid the need to readdress +every host when a network was moved. It has become a popular and essential tool +in conserving global address space in the face of IPv4 address exhaustion. One +Internet-routable IP address of a NAT gateway can be used for an entire private +network. + +IP masquerading is a technique that hides an entire IP address space, usually +consisting of private IP addresses, behind a single IP address in another, +usually public address space. The hidden addresses are changed into a single +(public) IP address as the source address of the outgoing IP packets so they +appear as originating not from the hidden host but from the routing device +itself. Because of the popularity of this technique to conserve IPv4 address +space, the term NAT has become virtually synonymous with IP masquerading. + +As network address translation modifies the IP address information in packets, +NAT implementations may vary in their specific behavior in various addressing +cases and their effect on network traffic. The specifics of NAT behavior are +not commonly documented by vendors of equipment containing NAT implementations. + +The computers on an internal network can use any of the addresses set aside by +the :abbr:`IANA (Internet Assigned Numbers Authority)` for private addressing +(see :rfc:`1918`). These reserved IP addresses are not in use on the Internet, +so an external machine will not directly route to them. 
The following addresses +are reserved for private use: + +* 10.0.0.0 to 10.255.255.255 (CIDR: 10.0.0.0/8) +* 172.16.0.0 to 172.31.255.255 (CIDR: 172.16.0.0/12) +* 192.168.0.0 to 192.168.255.255 (CIDR: 192.268.0.0/16) + + +If an ISP deploys a :abbr:`CGN (Carrier-grade NAT)`, and uses :rfc:`1918` +address space to number customer gateways, the risk of address collision, and +therefore routing failures, arises when the customer network already uses an +:rfc:`1918` address space. + +This prompted some ISPs to develop a policy within the :abbr:`ARIN (American +Registry for Internet Numbers)` to allocate new private address space for CGNs, +but ARIN deferred to the IETF before implementing the policy indicating that +the matter was not a typical allocation issue but a reservation of addresses +for technical purposes (per :rfc:`2860`). + +IETF published :rfc:`6598`, detailing a shared address space for use in ISP +CGN deployments that can handle the same network prefixes occurring both on +inbound and outbound interfaces. ARIN returned address space to the :abbr:`IANA +(Internet Assigned Numbers Authority)` for this allocation. + +The allocated address block is 100.64.0.0/10. + +Devices evaluating whether an IPv4 address is public must be updated to +recognize the new address space. Allocating more private IPv4 address space for +NAT devices might prolong the transition to IPv6. + +Overview +======== + +Different NAT Types +------------------- + .. _source-nat: -Source NAT -========== +Source NAT (SNAT) +^^^^^^^^^^^^^^^^^ + +Source NAT is the most common form of NAT and is typically referred to simply +as NAT. To be more correct, what most people refer to as NAT is actually the +process of :abbr:`PAT (Port Address Translation)`, or NAT Overload. SNAT is +typically used by internal users/private hosts to access the Internet - the +source address is translated and thus kept private. + +.. 
_destination-nat: + +Destination NAT (DNAT) +^^^^^^^^^^^^^^^^^^^^^^ + +While :ref:`source-nat` changes the source address of packets, DNAT changes +the destination address of packets passing through the router. DNAT is +typically used when an external (public) host needs to initiate a session with +an internal (private) host. A customer needs to access a private service +behind the routers public IP. A connection is established with the routers +public IP address on a well known port and thus all traffic for this port is +rewritten to address the internal (private) host. + +.. _bidirectional-nat: + +Bidirectional NAT +^^^^^^^^^^^^^^^^^ + +This is a common szenario where both :ref:`source-nat` and +:ref:`destination-nat` are configured at the same time. It's commonly used then +internal (private) hosts need to establish a connection with external resources +and external systems need to acces sinternal (private) resources. + +NAT, Routing, Firewall Interaction +---------------------------------- + +There is a very nice picture/explanation in the Vyatta documentation which +should be rewritten here. + +NAT Ruleset +----------- + +:abbr:`NAT (Network Address Translation)` is configured entirely on a series +of so called `rules`. Rules are numbered and evaluated by the underlaying OS +in numerical order! The rule numbers can be changes by utilizing the +:cfgcmd:`rename` and :cfgcmd`copy` commands. + +.. note:: Changes to the NAT system only affect newly established connections. + Already establiushed ocnnections are not affected. + +.. hint:: When designing your NAT ruleset leave some space between consecutive + rules for later extension. Your ruleset could start with numbers 10, 20, 30. + You thus can later extend the ruleset and place new rules between existing + ones. + +Rules will be created for both :ref:`source-nat` and :ref:`destination-nat`. + +For :ref:`bidirectional-nat` a rule for both :ref:`source-nat` and +:ref:`destination-nat` needs to be created. + +.. 
_traffic-filters: + +Traffic Filters +--------------- + +Traffic Filters are used to control which packets will have the defined NAT +rules applied. Five different filters can be applied within a NAT rule + +* **outbound-interface** - applicable only to :ref:`source-nat`. It configures + the interface which is used for the outside traffic that this translation rule + applies to. + + Example: + + .. code-block:: none + + set nat source rule 20 outbound-interface eth0 + +* **inbound-interface** - applicable only to :ref:`destination-nat`. It + configures the interface which is used for the inside traffic the the + translation rule applies to. + + Example: + + .. code-block:: none + + set nat destination rule 20 inbound-interface eth1 + +* **protocol** - specify which types of protocols this translation rule applies + to. Only packets matching the specified protocol are NATed. By default this + applies to `all` protocols. + + Example: + + * Set SNAT rule 20 to only NAT TCP and UDP packets + * Set DNAT rule 20 to only NAT UDP packets + + .. code-block:: none + + set nat source rule 20 protocol tcp_udp + set nat destination rule 20 protocol udp + +* **source** - specifies which packets the NAT translation rule applies to + based on the packets source IP address and/or source port. Only matching + packets are considered for NAT. + + Example: + + * Set SNAT rule 20 to only NAT packets arriving from the 192.0.2.0/24 network + * Set SNAT rule 30 to only NAT packets arriving from the 192.0.3.0/24 network + with a source port of 80 and 443 + + .. code-block:: none + + set nat source rule 20 source address 192.0.2.0/24 + set nat source rule 30 source address 192.0.3.0/24 + set nat source rule 30 source port 80,443 -Source NAT is typically referred to simply as NAT. To be more correct, what -most people refer to as NAT is actually the process of **Port Address -Translation (PAT)**, or **NAT Overload**. 
The process of having many internal -host systems communicate to the Internet using a single or subset of IP -addresses. + +* **destination** - specify which packets the translation will be applied to, + only based on the destination address and/or port number configured. + + .. note:: If no destination is specified the rule will match on any + destination address and port. + + Example: + + * Configure SNAT rule (40) to only NAT packets with a destination address of + 192.0.2.1. + + .. code-block:: none + + set nat source rule 40 destination address 192.0.2.1 + + +Address Conversion +------------------ + +Every NAT rule has a translation command defined. The address defined for the +translation is the addrass used when the address information in a packet is +replaced. + +Source Address +^^^^^^^^^^^^^^ + +For :ref:`source-nat` rules the packets source address will be replaced with +the address specified in the translation command. A port translation can also +be specified and is part of the translation address. + +.. note:: The translation address must be set to one of the available addresses + on the configured `outbound-interface` or it must be set to `masquerade` + which will use the primary IP address of the `outbound-interface` as its + translation address. + +.. note:: When using NAT for a large number of host systems it recommended that + a minimum of 1 IP address is used to NAT every 256 private host systems. + This is due to the limit of 65,000 port numbers available for unique + translations and a reserving an average of 200-300 sessions per host system. + +Example: + +* Define a discrete source IP address of 100.64.0.1 for SNAT rule 20 +* Use address `masquerade` (the interfaces primary address) on rule 30 +* For a large amount of private machines behind the NAT your address pool might + to be bigger. Use any address in the range 100.64.0.10 - 100.64.0.20 on SNAT + rule 40 when doing the translation + + +.. 
code-block:: none + + set nat source rule 20 translation address 100.64.0.1 + set nat source rule 30 translation address 'masquerade' + set nat source rule 40 translation address 100.64.0.10-100.64.0.20 + + +Destination Address +^^^^^^^^^^^^^^^^^^^ + +For :ref:`destination-nat` rules the packets destination address will be +replaced by the specified address in the `translation address` command. + +Example: + +* DNAT rule 10 replaces the destination address of an inbound packet with + 192.0.2.10 + +.. code-block:: none + + set nat destination rule 10 translation address 192.0.2.10 + + +Configuration Examples +====================== To setup SNAT, we need to know: -* The internal IP addresses we want to translate; -* The outgoing interface to perform the translation on; -* The external IP address to translate to. +* The internal IP addresses we want to translate +* The outgoing interface to perform the translation on +* The external IP address to translate to In the example used for the Quick Start configuration above, we demonstrate the following configuration: @@ -138,7 +383,7 @@ Which results in a configuration of: } Destination NAT -=============== +--------------- DNAT is typically referred to as a **Port Forward**. When using VyOS as a NAT router and firewall, a common configuration task is to redirect incoming @@ -231,7 +476,7 @@ This would generate the following configuration: additional rules to permit inbound NAT traffic. 1-to-1 NAT -========== +---------- Another term often used for DNAT is **1-to-1 NAT**. For a 1-to-1 NAT configuration, both DNAT and SNAT are used to NAT all traffic from an external @@ -245,9 +490,6 @@ internal IP to a reserved external IP. This dedicates an external IP address to an internal IP address and is useful for protocols which don't have the notion of ports, such as GRE. -1-to-1 NAT example ------------------- - Here's an extract of a simple 1-to-1 NAT configuration with one internal and one external interface: 
@@ -270,15 +512,16 @@ Firewall rules are written as normal, using the internal IP address as the source of outbound rules and the destination of inbound rules. NPTv6 -===== +----- NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6. It's described in :rfc:`6296`. NPTv6 is supported in linux kernel since version 3.13. **Usage** -NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the external IPv6 prefix is dynamic, -as it prevents the need for renumbering of internal hosts when the extern prefix changes. +NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the +external IPv6 prefix is dynamic, as it prevents the need for renumbering of +internal hosts when the extern prefix changes. Let's assume the following network configuration: @@ -302,7 +545,7 @@ their address to the right subnet when going through your router. * eth2 addr : 2001:db8:e2::1/48 VyOS Support ------------- +^^^^^^^^^^^^ NPTv6 support has been added in VyOS 1.2 (Crux) and is available through `nat nptv6` configuration nodes. 
@@ -333,16 +576,20 @@ Resulting in the following ip6tables rules: NAT before VPN -============== +-------------- -Some application service providers (ASPs) operate a VPN gateway to provide access to their internal resources, -and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP. +Some application service providers (ASPs) operate a VPN gateway to provide +access to their internal resources, and require that a connecting organisation +translate all traffic to the service provider network to a source address +provided by the ASP. Example Network ---------------- +^^^^^^^^^^^^^^^ Here's one example of a network environment for an ASP. -The ASP requests that all connections from this company should come from 172.29.41.89 - an address that is assigned by the ASP and not in use at the customer site. +The ASP requests that all connections from this company should come from +172.29.41.89 - an address that is assigned by the ASP and not in use at the +customer site. .. figure:: _static/images/nat_before_vpn_topology.png :scale: 100 % @@ -352,7 +599,7 @@ The ASP requests that all connections from this company should come from 172.29. Configuration -------------- +^^^^^^^^^^^^^ The required configuration can be broken down into 4 major pieces: @@ -363,10 +610,11 @@ The required configuration can be broken down into 4 major pieces: Dummy interface -^^^^^^^^^^^^^^^ +""""""""""""""" -The dummy interface allows us to have an equivalent of the Cisco IOS Loopback interface - a router-internal interface we can use for IP addresses the router must know about, -but which are not actually assigned to a real network. +The dummy interface allows us to have an equivalent of the Cisco IOS Loopback +interface - a router-internal interface we can use for IP addresses the router +must know about, but which are not actually assigned to a real network. We only need a single step for this interface: 
@@ -375,7 +623,7 @@ We only need a single step for this interface: set interfaces dummy dum0 address '172.29.41.89/32' NAT Configuration -^^^^^^^^^^^^^^^^^ +""""""""""""""""" .. code-block:: none @@ -391,8 +639,7 @@ NAT Configuration set nat source rule 120 translation address '172.29.41.89' IPSec IKE and ESP -^^^^^^^^^^^^^^^^^ - +""""""""""""""""" The ASP has documented their IPSec requirements: @@ -408,7 +655,8 @@ The ASP has documented their IPSec requirements: * DH Group 14 -Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above) +Additionally, we want to use VPNs only on our eth1 interface (the external +interface in the image above) .. code-block:: none @@ -429,11 +677,12 @@ Additionally, we want to use VPNs only on our eth1 interface (the external inter set vpn ipsec ipsec-interfaces interface 'eth1' IPSec VPN Tunnels -^^^^^^^^^^^^^^^^^ +""""""""""""""""" -We'll use the IKE and ESP groups created above for this VPN. -Because we need access to 2 different subnets on the far side, we will need two different tunnels. -If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too. +We'll use the IKE and ESP groups created above for this VPN. Because we need +access to 2 different subnets on the far side, we will need two different +tunnels. If you changed the names of the ESP group and IKE group in the previous +step, make sure you use the correct names here too. .. code-block:: none @@ -452,7 +701,8 @@ If you changed the names of the ESP group and IKE group in the previous step, ma Testing and Validation """""""""""""""""""""" -If you've completed all the above steps you no doubt want to see if it's all working. +If you've completed all the above steps you no doubt want to see if it's all +working. Start by checking for IPSec SAs (Security Associations) with: -- cgit v1.2.3 From 334675c997dba7c021adebc98334d25d14abe5df Mon Sep 17 00:00:00 2001 
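Review bot: in the hunk at @@ -4,22 +4,267 @@, the third private range is written as `192.168.0.0 to 192.168.255.255 (CIDR: 192.268.0.0/16)`; 268 is not a valid octet and the CIDR must be `192.168.0.0/16` to match the range it annotates. The new `NAT, Routing, Firewall Interaction` section consists only of the placeholder `There is a very nice picture/explanation in the Vyatta documentation which should be rewritten here.`, which should not ship as published text; either drop the section or write it. The translation-address example (`100.64.0.1` and the pool `100.64.0.10-100.64.0.20`) draws from the `100.64.0.0/10` block that the overview paragraphs above introduce as shared address space for ISP CGN deployments, so a sentence saying these stand in for addresses actually held on the outbound interface (as the note directly above the example requires) would avoid a contradiction within the same section. The `Destination NAT (DNAT)` overview describes exposing an internal host on a well known port without mentioning the firewall, while the existing Destination NAT example further down still says additional rules are needed to permit inbound NAT traffic; a cross-reference from the overview to that remark would keep the two consistent. Spelling and grammar in the added text: `szenario`, `used then internal` (when), `acces sinternal` (access internal), `underlaying` (underlying), `can be changes` (changed), `:cfgcmd`copy`` (missing colon, which breaks the role), `establiushed ocnnections`, `addrass`, `the inside traffic the the translation rule`, `it recommended` (it is recommended), `and a reserving an average` (and reserving), and the possessives `routers public IP`, `packets source address` and `interfaces primary address`.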
From: Christian Poessinger Date: Fri, 3 Jan 2020 16:33:03 +0100 Subject: nat: fix wrong call to cfgcmd --- docs/nat.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/nat.rst') diff --git a/docs/nat.rst b/docs/nat.rst index 8aafe300..0b09710b 100644 --- a/docs/nat.rst +++ b/docs/nat.rst @@ -111,7 +111,7 @@ NAT Ruleset :abbr:`NAT (Network Address Translation)` is configured entirely on a series of so called `rules`. Rules are numbered and evaluated by the underlaying OS in numerical order! The rule numbers can be changes by utilizing the -:cfgcmd:`rename` and :cfgcmd`copy` commands. +:cfgcmd:`rename` and :cfgcmd:`copy` commands. .. note:: Changes to the NAT system only affect newly established connections. Already establiushed ocnnections are not affected. -- cgit v1.2.3 From 92c9eccd72793623490777bae9d71a498621ef0e Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 3 Jan 2020 16:44:21 +0100 Subject: nat: update hairpin/reflection example --- docs/nat.rst | 98 ++++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 72 insertions(+), 26 deletions(-) (limited to 'docs/nat.rst') diff --git a/docs/nat.rst b/docs/nat.rst index 0b09710b..9607be3d 100644 --- a/docs/nat.rst +++ b/docs/nat.rst @@ -335,10 +335,10 @@ protocol behavior. For this reason, VyOS does not globally drop invalid state traffic, instead allowing the operator to make the determination on how the traffic is handled. -NAT Reflection/Hairpin NAT --------------------------- +.. _hairpin_nat_reflection: -.. note:: Avoiding NAT breakage in the absence of split-DNS +Hairpin NAT/NAT Reflection +-------------------------- A typical problem with using NAT and hosting public servers is the ability for internal systems to reach an internal server using it's external IP address. 
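Review bot: the `:cfgcmd:`copy`` fix in the hunk at @@ -111,7 +111,7 @@ is correct, but the context lines of the same hunk still carry `underlaying OS`, `can be changes by utilizing` and `Already establiushed ocnnections are not affected`; since the commit already touches this paragraph, folding those corrections (underlying, changed, established connections) into it would save a follow-up commit.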
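Review bot: in the hunk at @@ -335,10 +335,10 @@, the context line `internal systems to reach an internal server using it's external IP address` needs `its`; the commit is already rewriting the heading and the text around this paragraph, so the fix belongs here. The new label `.. _hairpin_nat_reflection:` uses underscores while every other label in this file uses hyphens (`source-nat`, `destination-nat`, `bidirectional-nat`, `traffic-filters`); `hairpin-nat-reflection` would keep the naming consistent.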
@@ -346,41 +346,87 @@ The solution to this is usually the use of split-DNS to correctly point host systems to the internal address when requests are made internally. Because many smaller networks lack DNS infrastructure, a work-around is commonly deployed to facilitate the traffic by NATing the request from internal hosts -to the source address of the internal interface on the firewall. This technique -is commonly referred to as **NAT Reflection**, or **Hairpin NAT**. +to the source address of the internal interface on the firewall. -In this example, we will be using the example Quick Start configuration above -as a starting point. +This technique is commonly referred to as NAT Reflection or Hairpin NAT. + +Example: + +* Redirect Microsoft RDP traffic from the outside (WAN, external) world via + :ref:`destination-nat` in rule 100 to the internal, private host 192.0.2.40. -To setup a NAT reflection rule, we need to create a rule to NAT connections -from the internal network to the same internal network to use the source -address of the internal interface. +* Redirect Microsoft RDP traffic from the internal (LAN, private) network via + :ref:`destination-nat` in rule 110 to the internal, private host 192.0.2.40. + We also need a :ref:`source-nat` rule 110 for the reverse path of the traffic. + The internal network 192.0.2.0/24 is reachable via interfache `eth0.10`. .. 
code-block:: none + set nat destination rule 100 description 'Regular destination NAT from external' + set nat destination rule 100 destination port '3389' + set nat destination rule 100 inbound-interface 'pppoe0' + set nat destination rule 100 protocol 'tcp' + set nat destination rule 100 translation address '192.0.2.40' + + set nat destination rule 110 description 'NAT Reflection: INSIDE' + set nat destination rule 110 destination port '3389' + set nat destination rule 110 inbound-interface 'eth0.10' + set nat destination rule 110 protocol 'tcp' + set nat destination rule 110 translation address '192.0.2.40' + set nat source rule 110 description 'NAT Reflection: INSIDE' - set nat source rule 110 destination address '192.168.0.0/24' - set nat source rule 110 outbound-interface 'eth1' - set nat source rule 110 source address '192.168.0.0/24' + set nat source rule 110 destination address '192.0.2.0/24' + set nat source rule 110 outbound-interface 'eth0.10' + set nat source rule 110 protocol 'tcp' + set nat source rule 110 source address '192.0.2.0/24' set nat source rule 110 translation address 'masquerade' Which results in a configuration of: .. 
code-block:: none - rule 110 { - description "NAT Reflection: INSIDE" - destination { - address 192.168.0.0/24 - } - outbound-interface eth1 - source { - address 192.168.0.0/24 - } - translation { - address masquerade - } - } + vyos@vyos# show nat + destination { + rule 100 { + description "Regular destination NAT from external" + destination { + port 3389 + } + inbound-interface pppoe0 + protocol tcp + translation { + address 192.0.2.40 + } + } + rule 110 { + description "NAT Reflection: INSIDE" + destination { + port 3389 + } + inbound-interface eth0.10 + protocol tcp + translation { + address 192.0.2.40 + } + } + } + source { + rule 110 { + description "NAT Reflection: INSIDE" + destination { + address 192.0.2.0/24 + } + outbound-interface eth0.10 + protocol tcp + source { + address 192.0.2.0/24 + } + translation { + address masquerade + } + } + } + Destination NAT --------------- -- cgit v1.2.3
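Review bot: in the hunk at @@ -346,41 +346,87 @@, source rule 110 (`source address 192.0.2.0/24`, `destination address 192.0.2.0/24`, `outbound-interface eth0.10`, `protocol tcp`, `translation address masquerade`) matches every TCP flow the router forwards from the LAN back into the LAN, not only the reflected RDP session, and masquerading replaces the client's address with the router's, so the server no longer sees which internal host connected. Adding `set nat source rule 110 destination address '192.0.2.40'` and `set nat source rule 110 destination port '3389'` confines that loss of the original source address to the hairpinned flows that destination rule 110 creates. Rule 100 forwards TCP/3389 from `pppoe0` to 192.0.2.40; the existing Destination NAT section reminds the reader that additional firewall rules are needed to permit inbound NAT traffic, and that reminder is worth repeating next to this example, with the permitted sources kept as narrow as the deployment allows. Also `interfache` in the second bullet should read `interface`.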