Stateless NAT HowTo

Introduction

This document details some common use-cases for stateless NAT and how to configure them using WeOS.

For more information, see the Stateless NAT Configuration Guide.

Single Private Network

The figure below shows a sample network where the NAT GW translates the private network (192.168.1.0/24) to the 10.0.2.0/24 network on the public side and vice versa.

             .--.-.
            ( (    )__
           (_,  \ ) ,_)  Internet/Intranet
             '-'--`--'
              |
            .-+-.
            | R |
            '-+-'
              |.1
              |
  ^           |.33       10.0.0.0/24
  |       .---+--.
Public    |      | vlan2
------    |  GW  |
Private   |      | vlan1
  |       '---+--'
  V           |.1        (10.0.2.0/24)
              |          192.168.1.0/24
    ---+------+---+----------+---------
       |          |          |
       |.11       |.5        |.139
     .-+--.     .-+--.     .-+--.
     | H1 |     | H2 |     | H3 |
     '----'     '----'     '----'

Figure 1: Basic stateless NAT setup

Assumptions:

  • The NAT gateway is already set up with two VLAN interfaces, with relevant addresses and IP forwarding enabled
  • The upper router (R) has a route to the 10.0.2.0/24 network via 10.0.0.33, the IP address of the NAT GW

The additional configuration for setting up stateless NAT is as follows:

example:/#> configure
example:/config/#> ip
example:/config/ip/#> stateless-nat
example:/config/ip/stateless-nat/#> dnat in vlan2 dst 10.0.2.0/24 to-dst 192.168.1.0
Would you like routes to be added for NAT rules (y/N)? n

You will have to manually add routes for your NAT rules!
example:/config/ip/stateless-nat/#> leave
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
example:/#> copy run start
example:/#>

Multiple Private Networks

The network below illustrates a case where a private network (192.168.1.0/24) is used in one setup and then replicated. When connecting these networks together, stateless NAT can be used to achieve connectivity across all private networks.

                  .--.-.
                 ( (    )__
                (_,  \ ) ,_)                            Internet
                  '-'--`--'
                    |
                  .-+-.
                  | R |                                 (optional)
                  '---'
                    |.100
                    |                                   10.0.0.0/24
           ---+-----+------------+-----------------+---------------
  ^           |.1                |.2               |.3
  |        .--+--. vlan2      .--+--. vlan2     .--+--. vlan2
Public     |     |            |     |           |     |
-------    | GW1 |            | GW2 |           | GW3 |
Private    |     |            |     |           |     |
  |        '--+--' vlan1      '--+--' vlan1     '--+--' vlan1
  V           |.1                |.1               |.1
       -------+---------  -------+---------  ------+---------
       192.168.1.0/24     192.168.1.0/24     192.168.1.0/24
       => 10.0.1.0/24     => 10.0.2.0/24     => 10.0.3.0/24
       Private Net #1     Private Net #2     Private Net #3

Figure 2: Multiple similar private networks

All private networks use subnet 192.168.1.0/24 internally. From the outside, above their respective NAT GW, they are:

  • Private Net #1 is known as 10.0.1.0/24
  • Private Net #2 is known as 10.0.2.0/24
  • Private Net #3 is known as 10.0.3.0/24

For full reachability, NAT GW1 must have routes to 10.0.2.0/24 via 10.0.0.2, to 10.0.3.0/24 via 10.0.0.3, etc. In this example there is also an additional router towards the Internet (R), so NAT GW1 has its default route pointing to 10.0.0.100. Similar routes must be set up for NAT GW2, NAT GW3, and the (optional) upper router (R).

nat-gw1:/config/ip/#> route 10.0.2.0/24 10.0.0.2
nat-gw1:/config/ip/#> route 10.0.3.0/24 10.0.0.3
nat-gw1:/config/ip/#> route default 10.0.0.100

The stateless NAT configuration at NAT GW1 is as follows:

nat-gw1:/config/ip/#> stateless-nat
nat-gw1:/config/ip/stateless-nat/#> dnat in vlan2 dst 10.0.1.0/24 to-dst 192.168.1.0
Would you like routes to be added for NAT rules (y/N)? n

You will have to manually add routes for your NAT rules!
nat-gw1:/config/ip/stateless-nat/#>

After configuring all NAT GWs, and optionally Upper Router (R), a host on private network #1 can ping a remote host (192.168.1.33) on private network #3, using its public address (10.0.3.33).

host-on-net1:~$ ping -c 3 10.0.3.33
PING 10.0.3.33 (10.0.3.33) 56(84) bytes of data.
64 bytes from 10.0.3.33: icmp_seq=1 ttl=62 time=1.25 ms
64 bytes from 10.0.3.33: icmp_seq=2 ttl=62 time=1.11 ms
64 bytes from 10.0.3.33: icmp_seq=3 ttl=62 time=1.12 ms

--- 10.0.3.33 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 1.115/1.164/1.250/0.072 ms
host-on-net1:~$
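To make the address rewriting concrete, here is an added Python model of the page's rule (not WeOS code): it rewrites addresses the way "dnat in vlan2 dst 10.0.3.0/24 to-dst 192.168.1.0" does and traces the ping above through GW1 and GW3. It assumes the rule's reverse (source rewrite for traffic arriving on vlan1), which the echo reply on the page implies, and uses a constructed host 192.168.1.11 on private network #1.

```python
import ipaddress

def netmap(addr, from_net, to_base):
    """1:1 prefix translation behind 'dnat ... dst FROM_NET to-dst TO_BASE':
    keep the host bits of addr, swap the network bits; None if no match."""
    net = ipaddress.ip_network(from_net)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return None
    host_bits = int(ip) & int(net.hostmask)
    base = int(ipaddress.ip_address(to_base)) & int(net.netmask)
    return str(ipaddress.ip_address(base | host_bits))

class StatelessGateway:
    """One NAT GW from Figure 2 with the page's rule
    'dnat in vlan2 dst PUBLIC_NET to-dst PRIVATE_BASE'. Assumption (implied by
    the page's ping exchange): the same rule rewrites the source on vlan1."""
    def __init__(self, public_net, private_base):
        pub = ipaddress.ip_network(public_net)
        self.public_net = public_net                          # 10.0.1.0/24
        self.public_base = str(pub.network_address)           # 10.0.1.0
        self.private_base = private_base                      # 192.168.1.0
        self.private_net = f"{private_base}/{pub.prefixlen}"  # 192.168.1.0/24

    def forward(self, pkt, ingress):
        src, dst = pkt                     # pkt is a (src, dst) address pair
        if ingress == "vlan2":             # public -> private: rewrite dst
            new = netmap(dst, self.public_net, self.private_base)
            return (src, new) if new else pkt   # no match: routed unchanged
        if ingress == "vlan1":             # private -> public: rewrite src
            new = netmap(src, self.private_net, self.public_base)
            return (new, dst) if new else pkt
        raise ValueError(f"unknown interface {ingress}")

def trace_ping(src_host, gw_src, gw_dst, dst_public):
    """Echo request from src_host (behind gw_src) to dst_public (behind
    gw_dst) and the reply; returns the (src, dst) pair seen at each hop."""
    on_wire = gw_src.forward((src_host, dst_public), "vlan1")
    delivered = gw_dst.forward(on_wire, "vlan2")
    reply = (delivered[1], delivered[0])        # remote host answers
    reply_wire = gw_dst.forward(reply, "vlan1")
    reply_home = gw_src.forward(reply_wire, "vlan2")
    return on_wire, delivered, reply_wire, reply_home

# Constructed topology from Figure 2 (GW1, GW3); 192.168.1.11 is a made-up host.
gw1 = StatelessGateway("10.0.1.0/24", "192.168.1.0")
gw3 = StatelessGateway("10.0.3.0/24", "192.168.1.0")
if __name__ == "__main__":
    for hop in trace_ping("192.168.1.11", gw1, gw3, "10.0.3.33"):
        print(hop)
```

A packet for 10.0.2.5 arriving at GW1 on vlan2 passes through unchanged, which is why the /24 layout above needs the explicit routes to the other gateways.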

Multiple Private Networks using Proxy ARP

The network below illustrates almost the exact same case, except that all NAT gateways and the upper router (R) reside on a /16 subnet rather than a /24 subnet. Note that the 10.0.0.0/16 subnet covers all of the /24 networks (10.0.1.0/24, etc.) used for translation of the private networks.

                  .--.-.
                 ( (    )__
                (_,  \ ) ,_)                            Internet
                  '-'--`--'
                    |
                  .-+-.
                  | R |                                 (optional)
                  '---'
                    |.100
                    |                                   10.0.0.0/16
           ---+-----+------------+-----------------+---------------
  ^           |.1                |.2               |.3
  |        .--+--. vlan2      .--+--. vlan2     .--+--. vlan2
Public     |     |            |     |           |     |
-------    | GW1 |            | GW2 |           | GW3 |
Private    |     |            |     |           |     |
  |        '--+--' vlan1      '--+--' vlan1     '--+--' vlan1
  V           |.1                |.1               |.1
       -------+---------  -------+---------  ------+---------
       192.168.1.0/24     192.168.1.0/24     192.168.1.0/24
       => 10.0.1.0/24     => 10.0.2.0/24     => 10.0.3.0/24
       Private Net #1     Private Net #2     Private Net #3

Figure 3: Multiple similar private networks with simplified routing

As before, all private networks use subnet 192.168.1.0/24 internally. From the outside it looks as if each private network represents a slice of the larger 10.0.0.0/16 subnet:

  • Private Net #1 is known as 10.0.1.0/24
  • Private Net #2 is known as 10.0.2.0/24
  • Private Net #3 is known as 10.0.3.0/24

The purpose here is to avoid configuring individual routes to every Private Network at the NAT Gateways. With many private networks this can otherwise be a real hassle. Instead, the NAT gateways need to use Proxy ARP on their upper interface to ensure the traffic to their private network will reach them. In order for NAT GW1 to proxy-ARP for traffic toward 10.0.1.0/24, it needs a route to that subnet. Such a route can be added automatically, to the loopback interface, by answering Yes when adding the DNAT rule (see below).

The following example shows the route, stateless NAT and proxy ARP configuration at NAT GW1.

nat-gw1:/config/ip/#> route default 10.0.0.100
nat-gw1:/config/ip/#> stateless-nat
nat-gw1:/config/ip/stateless-nat/#> dnat in vlan2 dst 10.0.1.0/24 to-dst 192.168.1.0
Would you like routes to be added for NAT rules (y/N)? y
Added routes for NAT rules!
nat-gw1:/config/ip/stateless-nat/#> end
nat-gw1:/config/ip/#> show route
Network          Netmask          Gateway          Interface        Distance
==============================================================================
10.0.1.0         255.255.255.0    *                lo               254
0.0.0.0          0.0.0.0          10.0.0.100       *                0
nat-gw1:/config/ip/#> end
nat-gw1:/config/#> iface vlan2
nat-gw1:/config/iface-vlan2/#> proxy-arp
nat-gw1:/config/iface-vlan2/#>

Having configured all NAT GWs, and optionally Upper Router (R), a host on private network #1 can ping a remote host (192.168.1.33) on network #3, using its public address (10.0.3.33).

host-on-net1:~$ ping -c 3 10.0.3.33
PING 10.0.3.33 (10.0.3.33) 56(84) bytes of data.
64 bytes from 10.0.3.33: icmp_seq=1 ttl=62 time=1.29 ms
64 bytes from 10.0.3.33: icmp_seq=2 ttl=62 time=1.09 ms
64 bytes from 10.0.3.33: icmp_seq=3 ttl=62 time=1.09 ms

--- 10.0.3.33 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 1.097/1.164/1.296/0.093 ms
host-on-net1:~$