Vyatta NAT – Mail Server Behind NAT with Two WAN Connections

nat;routingvyatta

I have a Vyatta router with eth0 and eth1 on the same network segment ex. 99.99.99.0/24 where eth0 is .1 and eth1 is .2 and this is the wan network segment.

The traffic to the default gateway is through eth0.

Also there is an internal network ex. 1.1.1.0/24 with an email server on it .10.

What I want to achieve is all the internal traffic to be NAT-ed through eth0 except the mail traffic wHich I want to be through eth1.

Best Answer

It's possible using Policy Based Routing (PBR).

But the fact you have 2 interfaces in the same network makes it difficult because you cannot choose witch interface the router will use to reach the next-hop and you can only specify it by IP (and not interface) in Vyatta PBR.

Why do you have both interface in the same LAN? It will cause many issues.

At least you could have one interface with IP in the 99.99.99.0/24 network and the other interface with IP in the 1.1.1.0/24.

Even if both are actually in the same network segment that would dramatically simplify the configuration...

Edit :

OK misunderstood where the 1.1.1.0/24 was placed. The question remains... why?

This is not a good setup. Whatever the reason behind having 2 interfaces in the same IP network is, there should be a better solution.

In this configuration I don't see how to achieve what you want.

If you set another network between Vyatta eth1 and your gateway (a /30 for example) , then you can do it.

Edit 2 following last comment :

If you want to have your email server NATed to a different IP, to avoid blacklisting, then it's easy to do without bothering with 2 interfaces. You don't even have to set the IP on the interface, it works with nat rules only.

1 - remove the configuration on eth1

2 - set your nat source rule like:

rule 10 {

 description "Mail server"
 outbound-interface eth0
 source
     address 1.1.1.10/32
 translation {
     address 99.99.99.2
 }

rule 20 {

 description "all other machines"
 outbound-interface eth0
 source
     address 1.1.1.0/24
 translation {
     address 99.99.99.1
 }

You can even specify only TCP port 25 in rule 10 (add "protocol tcp" and "source port 25")

Of course, the key point here is to have the NAT rule for the mail server having a lower number than the more generic network NAT.

3 - Set a nat destination rule like:

rule 10 {

 description "Mail server"
 inboud-interface eth0
 destination
     address 99.99.99.2
     port 25  #add 80/443/110/143 if needed
 protocol tcp
 translation {
     address 1.1.1.10

Summary

is this on the right track?

Yes... very similar to the link in the comment... As you mentioned, you only need to do two things...

Configure NAT overload on the global interface
Put a static route in the VRF for the speed test server...

Details

Assume your speed test server is at 172.16.10.5... and you're trying to ping it from a CE switch in VRF01.

  To Speed Test Server
  (172.16.10.5, NH 172.16.1.1)
   <-------

Fa0/0 (global table) +-----+ Fa1/0 (VRF01)             Fa0/17 +-----+
        172.16.1.200 |     | 192.0.2.1/24      192.0.2.100/24 |     |
---------------------| PE1 |----------------------------------| CE1 |
                     |     |                                  |     |
                     +-----+                                  +-----+

PE1's Config

!!! PE1 Config
!
hostname PE1
!
ip vrf VRF01
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
interface FastEthernet0/0
 description global table interface
 ip address 172.16.1.200 255.255.255.0
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
!
!
interface FastEthernet1/0
 ip vrf forwarding VRF01
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip route vrf VRF01 172.16.10.5 255.255.255.255 172.16.1.1 global
!
!! Insert other PE1 global routing configs

CE1's config

!!! CE1 Config
!
hostname CE1
!
interface FastEthernet0/17
 switchport access vlan 11
 switchport mode access
 switchport nonegotiate
!
!
interface Vlan11
 ip address 192.0.2.100 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1

Ping proof...

CE1#ping 172.16.10.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
CE1#

NAT entry...

PE1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.16.1.200:3    192.0.2.100:3      172.16.10.5:3      172.16.10.5:3
PE1#

NAT translation of a packet on interface with IPv4 address to interface with IPv6 address and vice versa

Doing NAT from IPv6 to IPv4 is possible because you can embed the IPv4 address inside the IPv6 address. This is usually done with DNS64.

Doing NAT from IPv4 to IPv6 is much harder because you can't embed an IPv6 address inside an IPv4 address. That doesn't fit. Matt is still possible, but you'd have to statically configure mappings between IPv4 and IPv6 address.

I don't know if the Linux kernel can do that, but it's a bad idea anyway. Because of the different header lengths you'll run into issues with fragmentation and MTU sizes. Using a proxy would be a much better idea.

Best Answer

Related Solutions

Nat – IOS – Nat from a VRF to WAN interface in global routing table

Summary

Details

NAT translation of a packet on interface with IPv4 address to interface with IPv6 address and vice versa

Related Topic