VRRP with Outside NAT
This example is a two-node VRRP cluster with internal and external VR addresses and NAT handled by VPF.
See also
For an example without NAT, see VRRP Example.
In this example, the WAN-side VR address (203.0.113.254) is used for outbound NAT from the internal private subnet 10.2.0.0/24. Clients will use the LAN-side VR address (10.2.0.1) as their gateway.
Interface tracking is included in the example to protect against a single failure of either WAN or LAN.
See also
See VRRP Configuration for more information on how the commands in the example function.
Warning
Dynamic NAT state data is not shared between TNSR hosts participating in VRRP. This means that dynamic NAT failover is not seamless. When a failover occurs, clients relying on dynamic NAT will most likely need to reconnect any open and ongoing connections. They can reconnect immediately, but existing sessions are invalid.
For many clients, such as web browsers, this may go unnoticed. However, for long-lived sessions such as remote desktops or terminals, clients may have to be manually reconnected.
Static NAT is not affected as it does not require NAT state data.
Required Information
These tables contain all required information to configure the cluster.
The information in this first table is related to the setup in general, not a specific cluster node.
Item | Value |
---|---|
Upstream Gateway | 203.0.113.1 |
Shared WAN VR Address | 203.0.113.254 |
NAT Address | 203.0.113.254 |
Shared LAN VR Address | 10.2.0.1 |
LAN Client Gateway | 10.2.0.1 |
This information is for the primary node, which in this example is called R1.
Item | Value |
---|---|
R1 WAN Interface | 0000:06:00.0 |
R1 WAN IP Address | 203.0.113.2/24 |
R1 WAN VR ID | 220 |
R1 WAN VR Priority | 254 |
R1 LAN Interface | 0000:06:00.1 |
R1 LAN IP Address | 10.2.0.2/24 |
R1 LAN VR ID | 210 |
R1 LAN VR Priority | 254 |
R1 Priority Decrease | 240 (14) |
This information is for the secondary node, which in this example is called R2. Note that the interface addresses are different than R1, but the same VR address is used.
Item | Value |
---|---|
R2 WAN Interface | 0000:06:00.0 |
R2 WAN IP Address | 203.0.113.3/24 |
R2 WAN VR ID | 220 |
R2 WAN VR Priority | 100 |
R2 LAN Interface | 0000:06:00.1 |
R2 LAN IP Address | 10.2.0.3/24 |
R2 LAN VR ID | 210 |
R2 LAN VR Priority | 100 |
R2 Priority Decrease | 90 (10) |
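The following added example (not part of the TNSR documentation) models how the priorities and tracking decrements in the tables above decide which node holds each VR address after a single link failure, and flags values that would leave the WAN and LAN VR addresses on different nodes. It assumes preempt is enabled as in this example, that a node cannot advertise on a link that is down, and that a priority tie goes to the higher interface address; the function and class names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class Node:
    name: str
    priority: int   # VR priority (same on the WAN and LAN VRs in this example)
    decrement: int  # track-interface priority-decrement
    ips: dict       # interface name -> interface address

# Values taken from the tables on this page.
R1 = Node("R1", 254, 240, {"WAN": "203.0.113.2", "LAN": "10.2.0.2"})
R2 = Node("R2", 100, 90, {"WAN": "203.0.113.3", "LAN": "10.2.0.3"})

def effective_priority(node, side, down):
    """Priority the node advertises for the VR on `side`; None if that link is down."""
    if (node.name, side) in down:
        return None  # assumption: no advertisements are sent on a dead link
    tracked = "LAN" if side == "WAN" else "WAN"
    return node.priority - (node.decrement if (node.name, tracked) in down else 0)

def master(side, down, nodes):
    """Highest priority wins; a tie goes to the higher interface address."""
    live = [(p, int(ip_address(n.ips[side])), n.name)
            for n in nodes if (p := effective_priority(n, side, down)) is not None]
    return max(live)[2] if live else None

def single_failures(nodes):
    """Map each single link failure to the resulting (WAN master, LAN master)."""
    return {(n.name, side): (master("WAN", {(n.name, side)}, nodes),
                             master("LAN", {(n.name, side)}, nodes))
            for n in nodes for side in ("WAN", "LAN")}

def split_masters(nodes):
    """Failures that leave the WAN and LAN VR addresses on different nodes."""
    return sorted(f for f, (w, l) in single_failures(nodes).items() if w != l)

if __name__ == "__main__":
    for failure, masters in single_failures([R1, R2]).items():
        print(failure, "->", masters)
    # Constructed misconfiguration: a decrement of 100 leaves R1 at 154,
    # still above R2's 100, so R1 keeps the VR on its surviving interface.
    weak_r1 = Node("R1", 254, 100, R1.ips)
    print("split with decrement 100:", split_masters([weak_r1, R2]))
```

With the values from the tables, every single link failure moves both VR addresses to the same node; the constructed decrement of 100 does not.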
Example Configuration
The configuration commands in this section show how the settings from the tables above are applied to each node. The commands also include some VRRP settings that are not in the tables; these are set to their default values and are shown for emphasis.
First, set the R1 interface names:
r1 tnsr(config)# dataplane dpdk dev 0000:06:00.0 network name WAN
r1 tnsr(config)# dataplane dpdk dev 0000:06:00.1 network name LAN
r1 tnsr(config)# service dataplane restart
Now configure the R1 WAN interface:
r1 tnsr(config)# int WAN
r1 tnsr(config-interface)# ip address 203.0.113.2/24
r1 tnsr(config-interface)# ip vrrp-virtual-router 220
r1 tnsr(config-vrrp4)# preempt true
r1 tnsr(config-vrrp4)# accept-mode true
r1 tnsr(config-vrrp4)# v3-advertisement-interval 100
r1 tnsr(config-vrrp4)# priority 254
r1 tnsr(config-vrrp4)# track-interface LAN priority-decrement 240
r1 tnsr(config-vrrp4)# virtual-address 203.0.113.254
r1 tnsr(config-vrrp4)# exit
r1 tnsr(config-interface)# exit
r1 tnsr(config)#
Next, configure the R1 LAN interface:
r1 tnsr(config)# int LAN
r1 tnsr(config-interface)# ip address 10.2.0.2/24
r1 tnsr(config-interface)# ip vrrp-virtual-router 210
r1 tnsr(config-vrrp4)# preempt true
r1 tnsr(config-vrrp4)# accept-mode true
r1 tnsr(config-vrrp4)# v3-advertisement-interval 100
r1 tnsr(config-vrrp4)# priority 254
r1 tnsr(config-vrrp4)# track-interface WAN priority-decrement 240
r1 tnsr(config-vrrp4)# virtual-address 10.2.0.1
r1 tnsr(config-vrrp4)# exit
r1 tnsr(config-interface)# exit
r1 tnsr(config)#
Configure NAT on R1:
r1 tnsr(config)# vpf nat ruleset WAN-nat
r1 tnsr(config-vpf-nat-ruleset)# description NAT for WAN
r1 tnsr(config-vpf-nat-ruleset)# rule 1000
r1 tnsr(config-vpf-nat-rule)# description NAT from LAN prefix
r1 tnsr(config-vpf-nat-rule)# direction out
r1 tnsr(config-vpf-nat-rule)# dynamic
r1 tnsr(config-vpf-nat-rule)# algorithm ip-hash
r1 tnsr(config-vpf-nat-rule)# from ipv4-prefix 10.2.0.0/24
r1 tnsr(config-vpf-nat-rule)# nat-prefix 203.0.113.254/32
r1 tnsr(config-vpf-nat-rule)# exit
r1 tnsr(config-vpf-nat-ruleset)# exit
r1 tnsr(config)# vpf options
r1 tnsr(config-vpf-option)# interface WAN nat-ruleset WAN-nat
r1 tnsr(config-vpf-option)# exit
r1 tnsr(config)#
R1 is now complete.
Set the R2 interface names:
r2 tnsr(config)# dataplane dpdk dev 0000:06:00.0 network name WAN
r2 tnsr(config)# dataplane dpdk dev 0000:06:00.1 network name LAN
r2 tnsr(config)# service dataplane restart
Configure the R2 WAN interface:
r2 tnsr(config)# int WAN
r2 tnsr(config-interface)# ip address 203.0.113.3/24
r2 tnsr(config-interface)# ip vrrp-virtual-router 220
r2 tnsr(config-vrrp4)# preempt true
r2 tnsr(config-vrrp4)# accept-mode true
r2 tnsr(config-vrrp4)# v3-advertisement-interval 100
r2 tnsr(config-vrrp4)# priority 100
r2 tnsr(config-vrrp4)# track-interface LAN priority-decrement 90
r2 tnsr(config-vrrp4)# virtual-address 203.0.113.254
r2 tnsr(config-vrrp4)# exit
r2 tnsr(config-interface)# exit
r2 tnsr(config)#
Next, configure the R2 LAN interface:
r2 tnsr(config)# int LAN
r2 tnsr(config-interface)# ip address 10.2.0.3/24
r2 tnsr(config-interface)# ip vrrp-virtual-router 210
r2 tnsr(config-vrrp4)# preempt true
r2 tnsr(config-vrrp4)# accept-mode true
r2 tnsr(config-vrrp4)# v3-advertisement-interval 100
r2 tnsr(config-vrrp4)# priority 100
r2 tnsr(config-vrrp4)# track-interface WAN priority-decrement 90
r2 tnsr(config-vrrp4)# virtual-address 10.2.0.1
r2 tnsr(config-vrrp4)# exit
r2 tnsr(config-interface)# exit
r2 tnsr(config)#
Finally, configure NAT on R2:
r2 tnsr(config)# vpf nat ruleset WAN-nat
r2 tnsr(config-vpf-nat-ruleset)# description NAT for WAN
r2 tnsr(config-vpf-nat-ruleset)# rule 1000
r2 tnsr(config-vpf-nat-rule)# description NAT from LAN prefix
r2 tnsr(config-vpf-nat-rule)# direction out
r2 tnsr(config-vpf-nat-rule)# dynamic
r2 tnsr(config-vpf-nat-rule)# algorithm ip-hash
r2 tnsr(config-vpf-nat-rule)# from ipv4-prefix 10.2.0.0/24
r2 tnsr(config-vpf-nat-rule)# nat-prefix 203.0.113.254/32
r2 tnsr(config-vpf-nat-rule)# exit
r2 tnsr(config-vpf-nat-ruleset)# exit
r2 tnsr(config)# vpf options
r2 tnsr(config-vpf-option)# interface WAN nat-ruleset WAN-nat
r2 tnsr(config-vpf-option)# exit
r2 tnsr(config)#
At this point, the interface and VRRP configuration is complete for both nodes.
LAN clients in 10.2.0.0/24 can use the LAN VR address of 10.2.0.1 as their default gateway. When traffic exits WAN, NAT will translate the source address to 203.0.113.254.
Tip
If using TNSR for DNS with Unbound, ensure the VRRP address 10.2.0.1 is listed as an interface in its configuration in addition to the interface address.
If using TNSR as a DHCP server, set 10.2.0.1 as the router in the LAN subnet options. If also using TNSR for DNS, set the address as the DNS server as well.