Vyatta masquerade out bridge interface


We have set up a Vyatta Core 6.1 gateway on our network with three interfaces:

  • eth0 1.1.1.1 – public gateway/router IP (to public upstream router)
  • eth1 2.2.2.1/24 – public subnet (connected to a second firewall 2.2.2.2)
  • eth2 10.10.0.1/24 – private subnet

Our ISP provided the 1.1.1.1 address for us to use as our gateway. The 2.2.2.1 address is so the other firewall (2.2.2.2) can communicate to this gateway which then routes the traffic out through the eth0 interface.

Here is our current configuration:

interfaces {
    bridge br100 {
        address 2.2.2.1/24
    }
    ethernet eth0 {
        address 1.1.1.1/30
        vif 100 {
            bridge-group {
                bridge br100
            }
        }
    }
    ethernet eth1 {
        bridge-group {
            bridge br100
        }
    }
    ethernet eth2 {
        address 10.10.0.1/24
    }
    loopback lo {
    }
}
service {
    nat {
        rule 100 {
            outbound-interface eth0
            source {
                address 10.10.0.1/24
            }
            type masquerade
        }
    }
}

With this configuration, it routes everything, but the source address after masquerading is 1.1.1.1, which is correct, because that's the interface it's bound to. But because of some of our requirements here, we need it to source from the 2.2.2.1 address instead (what's the point of paying for a class C public subnet if the only address we can send from is our gateway!?).

I've tried binding to br100 instead of eth0, but it doesn't seem to route anything if I do that.

I imagine I'm just missing something simple. Any thoughts?

Best Answer

The behavior makes sense the way it's configured. What are you doing with the "other" firewall? This may be as easy as routing your traffic through the second firewall, but it begs the question, "Why are there 2 firewalls?" As configured, any traffic originating from 10.10.0.1/24 will be translated to 1.1.1.1 on the other side (using Port Address Translation). If you need systems behind your firewall to "claim" one of your public IPs for themselves, you need to also set up Static NAT.

It would look something like this:

(Taken from here for more detailed reference.)

set service nat rule 1
edit service nat rule 1
set type destination
set translation-type static
set inbound-interface eth0
set protocols all
set source network 0.0.0.0/0
set destination address PUBLIC_IP
set inside-address address INSIDE_IP

set service nat rule 2
edit service nat rule 2
set type source
set translation-type static
set outbound-interface eth0
set protocols all
set source address INSIDE_IP
set destination network 0.0.0.0/0
set outside-address address PUBLIC_IP
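To make the difference between the two NAT flavours in this thread concrete, here is an added illustration (not part of the question, the answer, or Vyatta itself): a small Python model of how a masquerade rule and a static source/destination pair rewrite packets, using the interface addresses from the question's configuration. The 10.10.0.50 <-> 2.2.2.50 mapping and the remote addresses are constructed example values, and the model covers rule matching and ordering only; it does not model the bridge, ARP, or whether the upstream router will actually deliver 2.2.2.0/24 to eth0.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Interface addresses taken from the question's configuration.
IFACE_ADDR = {"eth0": "1.1.1.1", "br100": "2.2.2.1", "eth2": "10.10.0.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet leaves on ("out") or arrives on ("in")


@dataclass(frozen=True)
class NatRule:
    number: int            # Vyatta evaluates rules in ascending number order
    kind: str              # "masquerade", "static-source" or "static-destination"
    interface: str         # outbound-interface / inbound-interface
    match: str             # source network, or destination address for static-destination
    translate_to: str = ""  # outside-address / inside-address; unused for masquerade


def _in(addr, net):
    """True if addr falls inside net (a bare address is treated as a /32)."""
    return ip_address(addr) in ip_network(net, strict=False)


def translate(pkt, rules, direction):
    """Apply the first matching rule (lowest number wins) and return the rewritten packet."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.interface != pkt.iface:
            continue
        if direction == "out" and rule.kind == "masquerade" and _in(pkt.src, rule.match):
            # Masquerade always borrows the outbound interface's own address,
            # which is why the question's traffic leaves as 1.1.1.1.
            return replace(pkt, src=IFACE_ADDR[rule.interface])
        if direction == "out" and rule.kind == "static-source" and _in(pkt.src, rule.match):
            return replace(pkt, src=rule.translate_to)
        if direction == "in" and rule.kind == "static-destination" and _in(pkt.dst, rule.match):
            return replace(pkt, dst=rule.translate_to)
    return pkt  # no rule matched: forwarded untranslated


# The question's masquerade rule (100) plus a static 1:1 pair shaped like the answer.
# Constructed example mapping: inside 10.10.0.50 <-> public 2.2.2.50.
RULES = [
    NatRule(1, "static-destination", "eth0", "2.2.2.50", "10.10.0.50"),
    NatRule(2, "static-source", "eth0", "10.10.0.50", "2.2.2.50"),
    NatRule(100, "masquerade", "eth0", "10.10.0.0/24"),
]


def outbound_source(inside_src):
    """Public source address seen upstream for a host on 10.10.0.0/24 (constructed peer)."""
    return translate(Packet(inside_src, "198.51.100.10", "eth0"), RULES, "out").src


def inbound_destination(public_dst):
    """Inside destination after a packet to a public address arrives on eth0 (constructed peer)."""
    return translate(Packet("203.0.113.7", public_dst, "eth0"), RULES, "in").dst


if __name__ == "__main__":
    print(outbound_source("10.10.0.50"))    # 2.2.2.50   (static rule 2 beats rule 100)
    print(outbound_source("10.10.0.77"))    # 1.1.1.1    (falls through to masquerade)
    print(inbound_destination("2.2.2.50"))  # 10.10.0.50
    print(inbound_destination("1.1.1.1"))   # 1.1.1.1    (no static rule, unchanged)
```

The point the model makes is that ordering matters: because Vyatta walks rules by number, the static rules must carry lower numbers than the masquerade rule, otherwise the mapped host is masqueraded to 1.1.1.1 before its static rule is ever reached. Hosts without a static mapping still fall through to the masquerade rule, so the two coexist.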