We have set up a Vyatta Core 6.1 gateway on our network with three interfaces:
eth0 – 1.1.1.1 – public gateway/router IP (to public upstream router)
eth1 – 2.2.2.1/24 – public subnet (connected to a second firewall, 2.2.2.2)
eth2 – 10.10.0.1/24 – private subnet
Our ISP provided the 1.1.1.1 address for us to use as our gateway. The 2.2.2.1 address is so the other firewall (2.2.2.2) can communicate to this gateway, which then routes the traffic out through the eth0 interface.
Here is our current configuration:
interfaces {
    bridge br100 {
        address 2.2.2.1/24
    }
    ethernet eth0 {
        address 1.1.1.1/30
        vif 100 {
            bridge-group {
                bridge br100
            }
        }
    }
    ethernet eth1 {
        bridge-group {
            bridge br100
        }
    }
    ethernet eth2 {
        address 10.10.0.1/24
    }
    loopback lo {
    }
}
service {
    nat {
        rule 100 {
            outbound-interface eth0
            source {
                address 10.10.0.1/24
            }
            type masquerade
        }
    }
}
With this configuration, it routes everything, but the source address after masquerading is 1.1.1.1, which is correct, because that's the interface it's bound to. But because of some of our requirements here, we need it to source from the 2.2.2.1 address instead (what's the point of paying for a class C public subnet if the only address we can send from is our gateway!?).
I've tried binding to br100 instead of eth0, but it doesn't seem to route anything if I do that.
I imagine I'm just missing something simple. Any thoughts?
Best Answer
The behavior makes sense the way it's configured. What are you doing with the "other" firewall? This may be as easy as routing your traffic through the second firewall, but it begs the question, "Why are there 2 firewalls?" As configured, any traffic originating from 10.10.0.1/24 will be translated to 1.1.1.1 on the other side (using Port Address Translation). If you need systems behind your firewall to "claim" one of your public IPs for itself, you need to also set up Static NAT.
It would look something like this:
(Taken from here for more detailed reference.)
set service nat rule 1
edit service nat rule 1
set type destination
set translation-type static
set inbound-interface eth0
set protocols all
set source network 0.0.0.0/0
set destination address PUBLIC_IP
set inside-address address INSIDE_IP
set service nat rule 2
edit service nat rule 2
set type source
set translation-type static
set outbound-interface eth0
set protocols all
set source address INSIDE_IP
set destination network 0.0.0.0/0
set outside-address address PUBLIC_IP
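As an added illustration (not part of the question or the answer above), here is the same Vyatta Core 6.1 `set` syntax applied to the addresses from the question: the original masquerade rule beside a source-NAT rule that picks 2.2.2.1 as the translated address, followed by a 1:1 static pair for one inside host. `translation-type dynamic` for many-to-one source NAT and the host addresses 10.10.0.50 / 2.2.2.50 are assumptions, not taken from the post.

```vyatta
# Added example, not from the post. Vyatta Core 6.1 syntax as in the answer above;
# "translation-type dynamic" for many-to-one source NAT is assumed from that release.

# Before: masquerade always translates to the primary address of the
# outbound interface, which is why traffic leaves as 1.1.1.1.
set service nat rule 100 type masquerade
set service nat rule 100 outbound-interface eth0
set service nat rule 100 source address 10.10.0.0/24

# After: an explicit source-NAT rule names the translated address (2.2.2.1,
# which is configured on br100). Replies to 2.2.2.1 still have to reach this
# box, so the upstream must route 2.2.2.0/24 here; check that before relying on it.
delete service nat rule 100
set service nat rule 100 type source
set service nat rule 100 translation-type dynamic
set service nat rule 100 outbound-interface eth0
set service nat rule 100 protocols all
set service nat rule 100 source address 10.10.0.0/24
set service nat rule 100 destination network 0.0.0.0/0
set service nat rule 100 outside-address address 2.2.2.1

# Optional 1:1 static NAT for one inside host (10.10.0.50 and 2.2.2.50 are
# constructed example addresses). Inbound traffic for 2.2.2.0/24 may arrive
# on br100 (eth0 vif 100) rather than untagged eth0 in this topology; set
# inbound-interface to wherever those packets actually show up.
set service nat rule 10 type source
set service nat rule 10 translation-type static
set service nat rule 10 outbound-interface eth0
set service nat rule 10 protocols all
set service nat rule 10 source address 10.10.0.50
set service nat rule 10 destination network 0.0.0.0/0
set service nat rule 10 outside-address address 2.2.2.50

set service nat rule 20 type destination
set service nat rule 20 translation-type static
set service nat rule 20 inbound-interface eth0
set service nat rule 20 protocols all
set service nat rule 20 source network 0.0.0.0/0
set service nat rule 20 destination address 2.2.2.50
set service nat rule 20 inside-address address 10.10.0.50

commit
save
```

Lower-numbered rules match first, so the 1:1 pair (10/20) takes precedence over the subnet-wide rule 100 for that host.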