Hi Keun,

The network setup and the source NAT rule look fine. I can think of a few things that you might want to try.

1. After committing the source NAT rule, go to the Linux shell and do an 'iptables -t nat -L -vn' to list the NAT rules in the iptables. If the corresponding source NAT rule is not in iptables, then it may be a problem with the CLI.

2. While lan_host is sending packets to wan_host ('ping' should be sufficient since the source NAT rule has protocol "all"), try to capture packets on each interface on vyatta2. If the packets from lan_host to wan_host are not going into vyatta2's eth0 and coming out of vyatta2's eth1, then it may be a network issue.

3. While lan_host is sending packets to wan_host, look at the output of 'iptables -t nat -L -vn'. If NAT is working correctly, then the source NAT rule's counter should go up as packets from lan_host to wan_host pass through the router.

4. Depending on the version of the code you downloaded/built, there may be NOTRACK rules in the "raw" table. Do an 'iptables -t raw -L -vn' and you should see either no rules at all, or the rules should result in all packets being "ACCEPT"ed (since you enabled NAT). If packets are actually going to the NOTRACK target, then that's probably why NAT is not functioning. (You can look at the counters while lan_host is sending packets to determine where the packets are going.)

Hope this helps.

An-Cheng

Keun Lee wrote:
> The network setup is as follows. The WAN side has a single
> host 'wan_host' for testing purposes. wan_host will be
> replaced by a T1 or DSL modem.
>
>
>
>                    eth1                 eth0
>   +-----------+          +---------+          +----------+
>   | wan_host  |----------| vyatta2 |----------| lan_host |
>   +-----------+          +---------+          +----------+
>                     ^                    ^          ^
>                     |                    |     192.168.254.22
>            216.135.138.219/29            |
>                                  192.168.254.200/24
>
>
> I want the packets from lan_host to wan_host masqueraded by vyatta2.
> The nat rules are:
>
> nat {
>     rule 1 {
>         type: "source"
>         outbound-interface: "eth1"
>         protocols: "all"
>         source {
>             network: 192.168.254.0/24
>         }
>         outside-address {
>             address: 216.135.138.219
>         }
>     }
>     rule 5 {
>         type: "destination"
>         inbound-interface: "eth1"
>         protocols: "tcp"
>         source {
>             network: 0.0.0.0/0
>         }
>         destination {
>             address: 216.135.138.219
>             port-name https
>         }
>         inside-address {
>             address: 192.168.254.209
>         }
>     }
>     .... more port forwarding rules follow ...
>
> To test the NAT:
>
> @lan_host (192.168.254.22): telnet wan_host http
>
> @wan_host: tcpdump -i eth0
> ...IP 192.168.254.22.42767 > 216.135.138.217.www: ......
>
> I expected that the source address 192.168.254.22 would be
> translated to 216.135.138.219, but there was no translation.
>
> Hope this helps.
> --Keun
>
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
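Added helper script, not from this thread or from Vyatta: it automates steps 1, 3 and 4 of the reply above by parsing 'iptables -t nat -L -vn' and 'iptables -t raw -L -vn' listings, with constructed sample listings so the parsing part runs without a router. The live_nat_check function, its arguments and the sample counter values are assumptions.

```shell
#!/bin/sh
# Added helper, not from the original thread: automates the checks in steps 1, 3 and 4
# by parsing 'iptables -t nat -L -vn' / 'iptables -t raw -L -vn' listings (columns:
# pkts bytes target prot opt in out source destination ...).

# Print the packet counter of the SNAT/MASQUERADE rule for the given outbound
# interface and source network, or -1 if no such rule is installed (step 1).
snat_counter() {
  printf '%s\n' "$1" | awk -v out="$2" -v src="$3" '
    $3 ~ /^(SNAT|MASQUERADE)$/ && $7 == out && $8 == src { print $1; found = 1; exit }
    END { if (!found) print -1 }'
}

# Sum the packets that hit NOTRACK targets in a raw-table listing (step 4);
# anything above zero means those packets bypass conntrack and cannot be NATed.
notrack_hits() {
  printf '%s\n' "$1" | awk '$3 == "NOTRACK" { n += $1 } END { print n + 0 }'
}

# Difference between two counter readings taken while lan_host sends traffic (step 3).
counter_delta() { echo $(( $2 - $1 )); }

# Live version of the procedure (hypothetical): read the counters, wait while traffic
# is sent from lan_host, read again. Needs root and iptables on the router.
live_nat_check() {   # args: out-interface source-network seconds-to-wait
  command -v iptables >/dev/null 2>&1 || { echo "iptables not found"; return 2; }
  before=$(snat_counter "$(iptables -t nat -L -vn)" "$1" "$2")
  [ "$before" -ge 0 ] || { echo "no SNAT rule for $2 out $1: rule not committed?"; return 1; }
  echo "send traffic from lan_host now; sampling again in $3s"; sleep "$3"
  after=$(snat_counter "$(iptables -t nat -L -vn)" "$1" "$2")
  echo "SNAT rule matched $(counter_delta "$before" "$after") new packets"
  echo "packets hitting NOTRACK: $(notrack_hits "$(iptables -t raw -L -vn)")"
}

# Constructed sample listings (POSTROUTING chain only) before and after a ping.
NAT_BEFORE='Chain POSTROUTING (policy ACCEPT 50 packets, 4000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   840 SNAT       all  --  *      eth1    192.168.254.0/24     0.0.0.0/0            to:216.135.138.219'
NAT_AFTER='Chain POSTROUTING (policy ACCEPT 50 packets, 4000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14  1176 SNAT       all  --  *      eth1    192.168.254.0/24     0.0.0.0/0            to:216.135.138.219'
RAW_BAD='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   588 NOTRACK    all  --  *      *       0.0.0.0/0            0.0.0.0/0'
```

On the router itself, `live_nat_check eth1 192.168.254.0/24 10` reports how many new packets the source NAT rule matched during the wait and whether any packets are being diverted to NOTRACK.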