Hi all,
Just to add to the query, I have observed that in interface configuration
is optional for NAT to work. All traffic get NATed if out interface is set
with output-feature.
Thanks,
Rajith
On Thu, 13 Jan 2022 at 7:06 AM, alekcejk via lists.fd.io <alekcejk=
googlemail....@lists.fd.io> wrote:
> Hi all,
>
> I am trying to get setup for mixed NAT and non-NAT traffic.
>
> In GNS3 I created VPP VM with three interfaces (1 external, 2 internal).
>
> External interface GigabitEthernet0/5/0 with public IP address
> 203.0.113.1/30 connected to host with IP 203.0.113.2/30 and route to
> 198.51.100.0/24 via 203.0.113.1
> Internal interface GigabitEthernet0/6/0 with private IP address
> 172.16.0.1/24 connected to host with IP 172.16.0.2/24
> Internal interface GigabitEthernet0/7/0 with public IP address
> 198.51.100.1/25 connected to host with IP 198.51.100.2/25
>
> Internal traffic from/to 198.51.100.0/25 should be forwarded without NAT.
> NAT address 198.51.100.128 should be applied on external interface
> only for internal traffic from 172.16.0.0/24.
>
> Here my setup for VPP 21.01.1 (running on CentOS 8)
>
> /etc/vpp/startup.conf:
> unix {
> nodaemon
> startup-config /etc/vpp/startup-config
> log /var/log/vpp/vpp.log
> full-coredump
> cli-listen /run/vpp/cli.sock
> cli-history-limit 100
> cli-no-banner
> poll-sleep-usec 10
> gid vpp
> }
>
> api-trace {
> on
> }
>
> api-segment {
> gid vpp
> }
>
> dpdk {
> dev 0000:00:05.0
> dev 0000:00:06.0
> dev 0000:00:07.0
> }
>
> plugins {
> plugin default { disable }
> plugin dpdk_plugin.so { enable }
> plugin nat_plugin.so { enable }
> plugin arping_plugin.so { enable }
> plugin ping_plugin.so { enable }
> }
>
> logging {
> default-log-level debug
> default-syslog-log-level debug
> }
>
> ethernet {
> default-mtu 1500
> }
>
> /etc/vpp/startup-config:
> set interface state GigabitEthernet0/5/0 up
> set interface state GigabitEthernet0/6/0 up
> set interface state GigabitEthernet0/7/0 up
> set interface ip address GigabitEthernet0/5/0 203.0.113.1/30
> set interface ip address GigabitEthernet0/6/0 172.16.0.1/24
> set interface ip address GigabitEthernet0/7/0 198.51.100.1/25
> nat44 enable sessions 50000 endpoint-dependent
> nat44 forwarding enable
> nat44 add address 198.51.100.128
> set interface nat44 in GigabitEthernet0/6/0 output-feature
> set interface nat44 out GigabitEthernet0/5/0 output-feature
>
> If I run ping from internal host 172.16.0.2 to external host
> 203.0.113.2 then translation works correctly
> 02:44:23.420497 IP 198.51.100.128 > 203.0.113.2: ICMP echo request, id
> 64233, seq 4, length 64
> 02:44:23.420516 IP 203.0.113.2 > 198.51.100.128: ICMP echo reply, id
> 64233, seq 4, length 64
>
> But if I run ping 203.0.113.2 from internal host 198.51.100.2 then NAT
> also applied even though I didn't set nat in on the
> GigabitEthernet0/7/0
> 02:47:15.242598 IP 198.51.100.128 > 203.0.113.2: ICMP echo request, id
> 22324, seq 127, length 64
> 02:47:15.242620 IP 203.0.113.2 > 198.51.100.128: ICMP echo reply, id
> 22324, seq 127, length 64
>
> vpp# show nat44 interfaces
> NAT44 interfaces:
> GigabitEthernet0/6/0 output-feature in
> GigabitEthernet0/5/0 output-feature out
>
> If I remove "output-feature" then translation not applied at all with
> enabled "nat44 forwarding enable".
>
>
>
> In setup for VPP 21.10 I removed "endpoint-dependent" but if
> "output-feature" will stay on internal interface GigabitEthernet0/6/0
> I see new problem.
>
> Only one correct response received on internal host 172.16.0.2 when
> running ping 203.0.113.2, second response comes with source IP
> 198.51.100.128 instead of 203.0.113.2.
> 03:06:18.420787 IP 172.16.0.2 > 203.0.113.2: ICMP echo request, id
> 405, seq 1, length 64
> 03:06:18.427246 IP 203.0.113.2 > 172.16.0.2: ICMP echo reply, id 405,
> seq 1, length 64
> 03:06:19.424157 IP 172.16.0.2 > 203.0.113.2: ICMP echo request, id
> 405, seq 2, length 64
> 03:06:19.424441 IP 198.51.100.128 > 172.16.0.2: ICMP echo reply, id
> 59651, seq 2, length 64
>
> So I removed "output-feature" from internal interface GigabitEthernet0/6/0
>
> /etc/vpp/startup-config:
> set interface state GigabitEthernet0/5/0 up
> set interface state GigabitEthernet0/6/0 up
> set interface state GigabitEthernet0/7/0 up
> set interface ip address GigabitEthernet0/5/0 203.0.113.1/30
> set interface ip address GigabitEthernet0/6/0 172.16.0.1/24
> set interface ip address GigabitEthernet0/7/0 198.51.100.1/25
> nat44 enable sessions 50000
> nat44 forwarding enable
> nat44 add address 198.51.100.128
> set interface nat44 in GigabitEthernet0/6/0
> set interface nat44 out GigabitEthernet0/5/0 output-feature
>
> vpp# show nat44 interfaces
> NAT44 interfaces:
> GigabitEthernet0/6/0 in
> GigabitEthernet0/5/0 output-feature in out
>
> With this setup NAT also applied to both 172.16.0.0/24 and 198.51.100.0/25
> .
>
> Can someone point me to what is wrong with my settings and what needs
> to be changed in order for the NAT to work as required in my case?
>
> Thanks,
> Alexey
>
>
>
>
--
NOTICE TO
RECIPIENT This e-mail message and any attachments are
confidential and may be
privileged. If you received this e-mail in error,
any review, use,
dissemination, distribution, or copying of this e-mail is
strictly
prohibited. Please notify us immediately of the error by return
e-mail and
please delete this message from your system. For more
information about Rtbrick, please visit us at www.rtbrick.com
<http://www.rtbrick.com>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#20722): https://lists.fd.io/g/vpp-dev/message/20722
Mute This Topic: https://lists.fd.io/mt/88388590/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
