Re: [vpp-dev] SNAT, nat44 with static mapping of whole subnet

2022-01-23 Thread Adrian Imboden

Hi Filip

Thanks for your response. Your input pointed me in the right direction.

For future reference, this is how I got it working (Version 21.10):

```
comment { === external wan: TenGigabitEtherneta/0/0, "public" ips: 10.10.100.50, 10.10.100.51 }

comment { === testnet1 lan: TenGigabitEthernetc/0/3, 192.168.10.0/23 }
comment { === testnet2 lan: TenGigabitEthernetc/0/2, 192.168.12.0/23 }


comment { === testnet1 }
ip table add 1
create tap id 1 host-if-name testnet1 host-ip4-addr 192.168.10.1/23
create loopback interface instance 1

set interface ip table loop1 1
set interface ip address loop1 192.168.10.255/23

set int l2 bridge tap1 1
set int l2 bridge loop1 1 bvi
set int l2 bridge TenGigabitEthernetc/0/3 1

comment { === testnet2 }
ip table add 2
create tap id 2 host-if-name testnet2 host-ip4-addr 192.168.12.1/23
create loopback interface instance 2

set interface ip table loop2 2
set interface ip address loop2 192.168.12.255/23

set int l2 bridge tap2 2
set int l2 bridge loop2 2 bvi
set int l2 bridge TenGigabitEthernetc/0/2 2


comment { === nat }
nat44 enable
set interface ip address TenGigabitEtherneta/0/0 10.10.100.50/23
set interface ip address TenGigabitEtherneta/0/0 10.10.100.51/23
set interface nat44 out TenGigabitEtherneta/0/0
nat44 add address 10.10.100.50 tenant-vrf 1
set interface nat44 in loop1
nat44 add address 10.10.100.51 tenant-vrf 2
set interface nat44 in loop2


comment { === enable interfaces }
set int state TenGigabitEtherneta/0/0 up
set int state loop1 up
set int state tap1 up
set int state TenGigabitEthernetc/0/3 up
set int state loop2 up
set int state tap2 up
set int state TenGigabitEthernetc/0/2 up
```


Thanks and Greetings
Adrian
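The per-VRF layout above (and Filip's advice below) only isolates each subnet's egress address when every inside VRF has its own `nat44 add address ... tenant-vrf N` and no address is left untied, which is exactly what the first config in this thread got wrong. The following linter is an added example, not code from VPP or from the original posts; it recognises only the CLI forms used in this thread, and the sample config it checks is constructed with one deliberate slip.

```python
import re

# Constructed sample modelled on the thread's final config, with one deliberate
# slip: the address meant for VRF 2 is added without "tenant-vrf 2".
SAMPLE_CONFIG = """\
comment { === nat }
set interface ip table loop1 1
set interface ip table loop2 2
set interface nat44 out TenGigabitEtherneta/0/0
nat44 add address 10.10.100.50 tenant-vrf 1
set interface nat44 in loop1
nat44 add address 10.10.100.51
set interface nat44 in loop2
"""

# Only the CLI forms that appear in this thread are recognised (assumption).
RE_IP_TABLE = re.compile(r"^set (?:int|interface) ip table (\S+) (\d+)$")
RE_NAT_IF = re.compile(r"^set (?:int|interface) nat44 (in|out) (\S+)$")
RE_NAT_ADDR = re.compile(r"^nat44 add address (\S+)(?: tenant-vrf (\d+))?$")

def lint_nat44(config):
    """Return a list of findings; an empty list means the per-VRF layout is consistent."""
    if_vrf, inside, outside, addr_vrf, findings = {}, [], [], {}, []
    det44_seen = False
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse whitespace of wrapped lines
        if not line or line.startswith("comment"):
            continue
        if line.startswith("det44 "):
            det44_seen = True
        elif m := RE_IP_TABLE.match(line):
            if_vrf[m[1]] = int(m[2])
        elif m := RE_NAT_IF.match(line):
            (inside if m[1] == "in" else outside).append(m[2])
        elif m := RE_NAT_ADDR.match(line):
            addr_vrf[m[1]] = int(m[2]) if m[2] else None  # None: not tied to one VRF
    if not outside:
        findings.append("no outside interface (set interface nat44 out ...)")
    if det44_seen:
        findings.append("det44 and nat44 commands mixed; the reply says this is not fully supported")
    inside_vrfs = {if_vrf.get(i, 0) for i in inside}  # interfaces default to VRF 0
    for addr, vrf in addr_vrf.items():
        if vrf is None and len(inside_vrfs) > 1:
            findings.append(f"address {addr} has no tenant-vrf; any inside VRF may use it")
    for vrf in sorted(inside_vrfs):
        if vrf not in addr_vrf.values():
            findings.append(f"inside VRF {vrf} has no address bound with tenant-vrf {vrf}")
    return findings
```

Run against the working config in this message the linter returns no findings; against the sample it reports the untied 10.10.100.51 and the address-less VRF 2.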

On 22.01.22 06:10, Filip Varga via lists.fd.io wrote:

Hi,

From the first look I can see you are not enabling the deterministic plugin like you are the nat44 plugin. Secondly, mixing both plugins isn't fully supported; there could probably be some issues. I am not completely sure about your use cases, but using static mappings in this kind of scenario isn't a viable solution.

If you just want each subnet to have a different outside address, you should definitely use PAT (aka dynamic mapping): put all of those inside subnets in different VRFs, and after that add a NAT address for each VRF.

VRF1 192.168.0.0/24 -> 10.0.0.1
VRF2 192.168.1.0/24 -> 10.0.0.2
etc.

Be sure to set the inside-VRF interfaces as inside and the outside interface as outside.

Use the nat44-ed plugin.

Best regards,
Filip

-----Original Message-----
From: vpp-dev@lists.fd.io On Behalf Of Adrian Imboden
Sent: Thursday, January 20, 2022 1:55 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] SNAT, nat44 with static mapping of whole subnet
Importance: High


[vpp-dev] SNAT, nat44 with static mapping of whole subnet

2022-01-19 Thread Adrian Imboden

Hi all

I have only recently started using vpp, and I am very happy with the way it works.

I am currently trying to replace my Linux-based router with a Linux-based vpp router.


- I use version release 21.10
- I have a small ipv4 /24 network and an additional static ip
- I have multiple subnets (test1, test2 in the example)

What I want to do is:
- Do SNAT
- Map each subnet to a single ipv4 address
- For my test: assume 10.10.100.50-10.10.100.52 are my public ips

What I have now is the following:
```
comment { == setting up testnet1 }
create tap id 1 host-if-name testnet1 host-ip4-addr 192.168.10.1/23
create loopback interface instance 1
set interface ip address loop1 192.168.10.255/23

set int l2 bridge tap1 1
set int l2 bridge loop1 1 bvi
set int l2 bridge TenGigabitEthernet8/0/0 1

comment { == setting up testnet2 }
create tap id 2 host-if-name testnet2 host-ip4-addr 192.168.12.1/23
create loopback interface instance 2
set interface ip address loop2 192.168.12.255/23

set int l2 bridge tap2 2
set int l2 bridge loop2 2 bvi


set interface ip address TenGigabitEtherneta/0/3 10.10.100.50/23
set interface ip address TenGigabitEtherneta/0/3 10.10.100.51/23
set interface ip address TenGigabitEtherneta/0/3 10.10.100.52/23

nat44 enable

nat44 add address 10.10.100.50
nat44 add address 10.10.100.51
nat44 add address 10.10.100.52
set interface nat44 out TenGigabitEtherneta/0/3
set interface nat44 in loop1
set interface nat44 in loop2

ip route add 10.10.100.0/23 via TenGigabitEtherneta/0/3

comment { = port forwarding }
det44 add static mapping udp local 192.168.10.33 1234 external 10.10.100.51 1234



comment { enable all interfaces }
set int state tap1 up
set int state loop1 up
set int state TenGigabitEthernet8/0/0 up
set int state tap2 up
set int state loop2 up
set int state TenGigabitEtherneta/0/3 up
```



Now I have the problem that only 10.10.100.50 gets used (or until the ports are used up, I assume).

det44 would support my use case with:
```
det44 add in 192.168.10.0/23 out 10.10.100.51/32
det44 add in 192.168.20.0/23 out 10.10.100.52/32
```

But det44 does not support port forwarding.

And nat44 only supports mapping each host one by one.
In my case I could add all IPs (512 IPs per net). Not pretty, but doable.


My questions:
Do I have an error in my thoughts?

Is there something like this planned?:
```
nat44 add static mapping local 192.168.10.0/23 external 10.10.100.51
```

If not, would this addition be ok? If yes, I may invest some coding time :)


Thanks very much and greetings
Adrian

View/Reply Online (#20764): https://lists.fd.io/g/vpp-dev/message/20764