syntethic task ;-)
STUN can be used only with "full cone NAT, restricted cone NAT, and port restricted cone NAT"… but not with symmetric NAT. STUN is the protocol for clients, but clients, as usually, in real world are using symmetric NAT(unique port for any connection, dynamic translation)! In the real world servers are using full-cone NAT(static translation), and servers, as usually, gets connections from clients, which are already know ip:port…
However, formal answer: most "frequent" using of STUN it is sip client to server keepalive(udp), but there are also other usages:
https://www.rfc-editor.org/rfc/rfc5389#section-14:
14. STUN Usages
At the time of writing, three STUN usages are defined: Interactive
Connectivity Establishment (ICE) [MMUSIC-ICE], Client-initiated
connections for SIP [SIP-OUTBOUND], and NAT Behavior Discovery
[BEHAVE-NAT]. Other STUN usages may be defined in the future.
It's possible using Policy Based Routing (PBR).
But the fact you have 2 interfaces in the same network makes it difficult because you cannot choose witch interface the router will use to reach the next-hop and you can only specify it by IP (and not interface) in Vyatta PBR.
Why do you have both interface in the same LAN? It will cause many issues.
At least you could have one interface with IP in the 99.99.99.0/24 network and the other interface with IP in the 1.1.1.0/24.
Even if both are actually in the same network segment that would dramatically simplify the configuration...
Edit :
OK misunderstood where the 1.1.1.0/24 was placed.
The question remains... why?
This is not a good setup. Whatever the reason behind having 2 interfaces in the same IP network is, there should be a better solution.
In this configuration I don't see how to achieve what you want.
If you set another network between Vyatta eth1 and your gateway (a /30 for example) , then you can do it.
Edit 2 following last comment :
If you want to have your email server NATed to a different IP, to avoid blacklisting, then it's easy to do without bothering with 2 interfaces.
You don't even have to set the IP on the interface, it works with nat rules only.
1 - remove the configuration on eth1
2 - set your nat source rule like:
rule 10 {
description "Mail server"
outbound-interface eth0
source
address 1.1.1.10/32
translation {
address 99.99.99.2
}
rule 20 {
description "all other machines"
outbound-interface eth0
source
address 1.1.1.0/24
translation {
address 99.99.99.1
}
You can even specify only TCP port 25 in rule 10 (add "protocol tcp" and "source port 25")
Of course, the key point here is to have the NAT rule for the mail server having a lower number than the more generic network NAT.
3 - Set a nat destination rule like:
rule 10 {
description "Mail server"
inboud-interface eth0
destination
address 99.99.99.2
port 25 #add 80/443/110/143 if needed
protocol tcp
translation {
address 1.1.1.10
Best Answer
A needs to contact B, A is not behind NAT, B is.
We have to assume that B is behind a hide NAT (overload, NAPT per RFC 2663) and doesn’t have the option of creating a static NAT, otherwise A could open a connection to B using the static NAT and in that case there would be no need for C.
The issue is that B cannot accept inbound connections due to the NAT type. With NAPT there are no open inbound ports. Connections are initiated from B through the NAT and B's IP is translated to the IP configured for the NAT. B's port number may also be translated if it is not free on the NAT.
B could of course initiate the connection to A, but if B is the server it would not know that A was trying to contact it, or what address to use to reach A.
It would help if you understood the methods of NAT traversal that are used to allow A to connect to B and then you can see at no point does anything connect inbound to B, in fitting with the restriction NAT places on inbound connections to B:
One simple method to achieve the connection is Relaying:
Another method is Connection Reversal:
With relaying there is a big overhead on C as it is in the data path for all traffic between A and B. With connection reversal, C is only used to learn A's IP address. Once the connection is set up, traffic between A and B is routed direct, bypassing C.
I think the main point of your confusion is due to the first step in each of these methods. Yes, in your specific example, B could contact A directly if it knew which IP:port to connect to, but it doesn't, so either needs to broker the whole connection through a relay server or use an intermediary server to learn the IP:port and then make that connection outbound itself.
There is a lot more detail in RFC 5128 - State of Peer-to-Peer(P2P) Communication Across Network Address Translators(NATs)
https://www.rfc-editor.org/rfc/rfc5128#page-8
There are many methods explained, this could be a variation on 3.1 Relaying
You could also use 3.2 - Connection Reversal which applies more specifically to your case: