Hi all,

I am trying to get set up for mixed NAT and non-NAT traffic.

In GNS3 I created a VPP VM with three interfaces (1 external, 2 internal).

External interface GigabitEthernet0/5/0 with public IP address
203.0.113.1/30 connected to host with IP 203.0.113.2/30 and route to
198.51.100.0/24 via 203.0.113.1
Internal interface GigabitEthernet0/6/0 with private IP address
172.16.0.1/24 connected to host with IP 172.16.0.2/24
Internal interface GigabitEthernet0/7/0 with public IP address
198.51.100.1/25 connected to host with IP 198.51.100.2/25

Internal traffic from/to 198.51.100.0/25 should be forwarded without NAT.
NAT address 198.51.100.128 should be applied on external interface
only for internal traffic from 172.16.0.0/24.

Here is my setup for VPP 21.01.1 (running on CentOS 8).

/etc/vpp/startup.conf:
unix {
  nodaemon
  startup-config /etc/vpp/startup-config
  log /var/log/vpp/vpp.log
  full-coredump
  cli-listen /run/vpp/cli.sock
  cli-history-limit 100
  cli-no-banner
  poll-sleep-usec 10
  gid vpp
}

api-trace {
  on
}

api-segment {
  gid vpp
}

dpdk {
  dev 0000:00:05.0
  dev 0000:00:06.0
  dev 0000:00:07.0
}

plugins {
  plugin default { disable }
  plugin dpdk_plugin.so { enable }
  plugin nat_plugin.so { enable }
  plugin arping_plugin.so { enable }
  plugin ping_plugin.so { enable }
}

logging {
   default-log-level debug
   default-syslog-log-level debug
}

ethernet {
  default-mtu 1500
}

/etc/vpp/startup-config:
set interface state GigabitEthernet0/5/0 up
set interface state GigabitEthernet0/6/0 up
set interface state GigabitEthernet0/7/0 up
set interface ip address GigabitEthernet0/5/0 203.0.113.1/30
set interface ip address GigabitEthernet0/6/0 172.16.0.1/24
set interface ip address GigabitEthernet0/7/0 198.51.100.1/25
nat44 enable sessions 50000 endpoint-dependent
nat44 forwarding enable
nat44 add address 198.51.100.128
set interface nat44 in GigabitEthernet0/6/0 output-feature
set interface nat44 out GigabitEthernet0/5/0 output-feature

If I run ping from internal host 172.16.0.2 to external host
203.0.113.2 then translation works correctly:
02:44:23.420497 IP 198.51.100.128 > 203.0.113.2: ICMP echo request, id 64233, seq 4, length 64
02:44:23.420516 IP 203.0.113.2 > 198.51.100.128: ICMP echo reply, id 64233, seq 4, length 64

But if I run ping 203.0.113.2 from internal host 198.51.100.2 then NAT
is also applied, even though I didn't set nat in on
GigabitEthernet0/7/0:
02:47:15.242598 IP 198.51.100.128 > 203.0.113.2: ICMP echo request, id 22324, seq 127, length 64
02:47:15.242620 IP 203.0.113.2 > 198.51.100.128: ICMP echo reply, id 22324, seq 127, length 64

vpp# show nat44 interfaces
NAT44 interfaces:
 GigabitEthernet0/6/0 output-feature in
 GigabitEthernet0/5/0 output-feature out

If I remove "output-feature", then translation is not applied at all,
even with "nat44 forwarding enable" set.

In the setup for VPP 21.10 I removed "endpoint-dependent", but if
"output-feature" stays on the internal interface GigabitEthernet0/6/0
I see a new problem.

Only one correct response is received on internal host 172.16.0.2 when
running ping 203.0.113.2; the second response comes with source IP
198.51.100.128 instead of 203.0.113.2:
03:06:18.420787 IP 172.16.0.2 > 203.0.113.2: ICMP echo request, id 405, seq 1, length 64
03:06:18.427246 IP 203.0.113.2 > 172.16.0.2: ICMP echo reply, id 405, seq 1, length 64
03:06:19.424157 IP 172.16.0.2 > 203.0.113.2: ICMP echo request, id 405, seq 2, length 64
03:06:19.424441 IP 198.51.100.128 > 172.16.0.2: ICMP echo reply, id 59651, seq 2, length 64

So I removed "output-feature" from the internal interface GigabitEthernet0/6/0:

/etc/vpp/startup-config:
set interface state GigabitEthernet0/5/0 up
set interface state GigabitEthernet0/6/0 up
set interface state GigabitEthernet0/7/0 up
set interface ip address GigabitEthernet0/5/0 203.0.113.1/30
set interface ip address GigabitEthernet0/6/0 172.16.0.1/24
set interface ip address GigabitEthernet0/7/0 198.51.100.1/25
nat44 enable sessions 50000
nat44 forwarding enable
nat44 add address 198.51.100.128
set interface nat44 in GigabitEthernet0/6/0
set interface nat44 out GigabitEthernet0/5/0 output-feature

vpp# show nat44 interfaces
NAT44 interfaces:
 GigabitEthernet0/6/0 in
 GigabitEthernet0/5/0 output-feature in out

With this setup NAT is also applied to both 172.16.0.0/24 and 198.51.100.0/25.

Can someone point me to what is wrong with my settings and what needs
to be changed in order for the NAT to work as required in my case?

Thanks,
Alexey
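As an added example (not part of Alexey's post and not VPP code), the following Python check tests captures like the ones quoted above against the intended policy: requests from 172.16.0.0/24 should appear on the outside as 198.51.100.128, requests from 198.51.100.0/25 should keep their own address, and on the inside every reply must come from the address the matching request was sent to. It assumes tcpdump's default ICMP echo output format and that the operator knows which inside host ran the ping.

```python
import ipaddress
import re

# Policy stated in the post: 172.16.0.0/24 is translated to the pool address,
# while 198.51.100.0/25 must reach the outside untranslated.
NAT_POOL = ipaddress.ip_address("198.51.100.128")
TRANSLATED = ipaddress.ip_network("172.16.0.0/24")

# One ICMP echo line of tcpdump's default output; \s+ tolerates the line
# wrapping that mail clients introduce.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply),"
    r"\s+id\s+(?P<id>\d+),\s+seq\s+(?P<seq>\d+)"
)

# Capture quoted in the post, taken on inside host 172.16.0.2 (VPP 21.10 setup).
SAMPLE_INSIDE = """\
03:06:18.420787 IP 172.16.0.2 > 203.0.113.2: ICMP echo request, id 405, seq 1, length 64
03:06:18.427246 IP 203.0.113.2 > 172.16.0.2: ICMP echo reply, id 405, seq 1, length 64
03:06:19.424157 IP 172.16.0.2 > 203.0.113.2: ICMP echo request, id 405, seq 2, length 64
03:06:19.424441 IP 198.51.100.128 > 172.16.0.2: ICMP echo reply, id 59651, seq 2, length 64
"""

def parse(capture):
    """Extract echo requests/replies from tcpdump text as a list of dicts."""
    return [{"src": ipaddress.ip_address(m["src"]),
             "dst": ipaddress.ip_address(m["dst"]),
             "kind": m["kind"], "id": int(m["id"]), "seq": int(m["seq"])}
            for m in LINE_RE.finditer(capture)]

def expected_outside_source(origin):
    """Source address the external host should see for a given inside origin."""
    origin = ipaddress.ip_address(origin)
    return NAT_POOL if origin in TRANSLATED else origin

def check_outside_capture(capture, origin):
    """External-side capture; origin is the inside host that ran ping. Returns
    seq numbers of echo requests whose source address violates the policy."""
    want = expected_outside_source(origin)
    return [p["seq"] for p in parse(capture)
            if p["kind"] == "request" and p["src"] != want]

def check_inside_capture(capture):
    """Inside-side capture: each reply must come from the address the request
    with the same seq was sent to; returns seq numbers where it does not."""
    pkts = parse(capture)
    sent_to = {p["seq"]: p["dst"] for p in pkts if p["kind"] == "request"}
    return [p["seq"] for p in pkts
            if p["kind"] == "reply" and sent_to.get(p["seq"]) != p["src"]]
```

Running `check_inside_capture(SAMPLE_INSIDE)` flags seq 2, the reply sourced from the pool address; `check_outside_capture` with origin 198.51.100.2 flags the requests from the second capture, since that host must not be translated.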