Hi Keun,

The network setup and the source NAT rule look fine. I can think of a few 
things that you might want to try.

1. After committing the source NAT rule, go to the Linux shell and do an 
'iptables -t nat -L -vn' to list the NAT rules in the iptables. If the 
corresponding source NAT rule is not in iptables, then it may be a problem with 
the CLI.

2. While lan_host is sending packets to wan_host ('ping' should be sufficient 
since the source NAT rule has protocol "all"), try to capture packets on each 
interface on vyatta2. If the packets from lan_host to wan_host are not going 
into vyatta2's eth0 and coming out of vyatta2's eth1, then it may be a network 
issue.

3. While lan_host is sending packets to wan_host, look at the output of 
'iptables -t nat -L -vn'. If NAT is working correctly, then the source NAT 
rule's counter should go up as packets from lan_host to wan_host pass through 
the router.

4. Depending on the version of the code you downloaded/built, there may be 
NOTRACK rules in the "raw" table. Do an 'iptables -t raw -L -vn' and you should 
see either no rules at all, or the rules should result in all packets being 
"ACCEPT"ed (since you enabled NAT). If packets are actually going to the 
NOTRACK target, then that's probably why NAT is not functioning. (You can look 
at the counters while lan_host is sending packets to determine where the 
packets are going.)

Hope this helps.

An-Cheng

Keun Lee wrote:
> The network setup is as follows. The WAN side has a single
> host 'wan_host' for testing purposes. wan_host will be
> replaced by a T1 or DSL modem.
> 
> 
> 
>                         eth1      eth0
>    +-----------+         +---------+          +----------+
>    |  wan_host |---------| vyatta2 |----------| lan_host |
>    +-----------+         +---------+          +----------+
>                          ^         ^          ^
>                          |         |        192.168.254.22
>               216.135.138.219/29   |
>                                 192.168.254.200/24
> 
> 
> I want the packets from lan_host to wan_host masqueraded by vyatta2.
> The nat rules are:
> 
>         nat {
>             rule 1 {
>                 type: "source"
>                 outbound-interface: "eth1"
>                 protocols: "all"
>                 source {
>                     network: 192.168.254.0/24
>                 }
>                 outside-address {
>                     address: 216.135.138.219
>                 }
>             }
>             rule 5 {
>                 type: "destination"
>                 inbound-interface: "eth1"
>                 protocols: "tcp"
>                 source {
>                     network: 0.0.0.0/0
>                 }
>                 destination {
>                     address: 216.135.138.219
>                     port-name https
>                 }
>                 inside-address {
>                     address: 192.168.254.209
>                 }
>             }
>             .... more port forwarding rules follow ...
> 
> To test the NAT:
> 
> @lan_host (192.168.254.22):  telnet wan_host http
> 
> @wan_host: tcpdump -i eth0
> ...IP 192.168.254.22.42767 > 216.135.138.217.www: ......
> 
> I expected that the source address 192.168.254.22 would be
> translated to 216.135.138.219, but there was no translation.
> 
> Hope this helps.   --Keun
> 
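As an added example (not part of An-Cheng's reply and not Vyatta code), the POSIX shell helper below turns steps 1, 3 and 4 above into checks over two snapshots of 'iptables -t nat -L -vn' taken before and after the test traffic, plus one snapshot of 'iptables -t raw -L -vn'. The iptables output embedded here is constructed to match Keun's rule 1 (SNAT of 192.168.254.0/24 out of eth1); the function names and the verdict strings are my own.

```shell
#!/bin/sh
# Added diagnostic helper for the three counter checks in the thread.
# Column layout of 'iptables -L -vn': pkts bytes target prot opt in out source destination

# Packet counter of the SNAT/MASQUERADE rule in POSTROUTING that matches the
# given source network and outbound interface; "missing" if no such rule exists
# (step 1: the CLI never installed the rule).
snat_pkts() {
    # $1 = nat table listing, $2 = source network, $3 = outbound interface
    printf '%s\n' "$1" | awk -v net="$2" -v oif="$3" '
        /^Chain / { chain = $2; next }
        chain == "POSTROUTING" && ($3 == "SNAT" || $3 == "MASQUERADE") \
            && $7 == oif && $8 == net { print $1; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Packets that hit the rule between two snapshots (step 3), or "missing".
snat_delta() {
    # $1 = nat listing before test, $2 = after test, $3 = network, $4 = interface
    b=$(snat_pkts "$1" "$3" "$4")
    a=$(snat_pkts "$2" "$3" "$4")
    if [ "$b" = missing ] || [ "$a" = missing ]; then
        echo missing
    else
        echo $((a - b))
    fi
}

# Sum of packet counters on NOTRACK rules in the raw table (step 4): anything
# above zero means packets bypass conntrack and can never be NATed.
notrack_pkts() {
    printf '%s\n' "$1" | awk '$3 == "NOTRACK" { s += $1 } END { print s + 0 }'
}

# One-line verdict combining the three checks.
nat_verdict() {
    # $1 = nat before, $2 = nat after, $3 = raw listing, $4 = network, $5 = interface
    d=$(snat_delta "$1" "$2" "$4" "$5")
    if [ "$d" = missing ]; then
        echo rule-missing
    elif [ "$(notrack_pkts "$3")" -gt 0 ]; then
        echo notrack-bypass
    elif [ "$d" -eq 0 ]; then
        echo no-hits
    else
        echo "ok ($d packets translated)"
    fi
}

# Constructed sample listings (shaped like real iptables output, values invented).
NAT_BEFORE=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 12 packets, 800 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            216.135.138.219      tcp dpt:443 to:192.168.254.209

Chain POSTROUTING (policy ACCEPT 3 packets, 200 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth1    192.168.254.0/24     0.0.0.0/0            to:216.135.138.219
EOF
)
# Constructed "after" snapshot: the SNAT rule has counted 8 packets / 640 bytes.
NAT_AFTER=$(printf '%s\n' "$NAT_BEFORE" | sed 's/^    0     0 SNAT/    8   640 SNAT/')

RAW_BAD=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   420 NOTRACK    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)
# Constructed healthy raw table: same rule, but its target is ACCEPT.
RAW_OK=$(printf '%s\n' "$RAW_BAD" | sed 's/NOTRACK/ACCEPT /')

# Stand-alone demo: healthy case, then the NOTRACK case An-Cheng describes.
echo "healthy: $(nat_verdict "$NAT_BEFORE" "$NAT_AFTER" "$RAW_OK" 192.168.254.0/24 eth1)"
echo "notrack: $(nat_verdict "$NAT_BEFORE" "$NAT_BEFORE" "$RAW_BAD" 192.168.254.0/24 eth1)"
```

On a real router you would replace the constructed variables with `$(iptables -t nat -L -vn)` captured before and after a ping from lan_host, and `$(iptables -t raw -L -vn)`; the verdict then tells you which of the three failure modes (rule not installed, rule installed but never hit, packets diverted to NOTRACK) you are looking at.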
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
