VPF NAT Rules

VPF NAT rules are contained within rulesets. To create a ruleset, start in config mode and then use the vpf nat ruleset <name> command to create a NAT ruleset with the name <name> and enter config-vpf-nat-ruleset mode.

See also

VPF rulesets must be associated with an interface before they are active, see Interface Options for details.

The following commands are available within config-vpf-nat-ruleset mode:

description <text>:

Adds an optional description to the ruleset describing its purpose.

rule <seq>:

Creates a new rule with the given sequence number and enters config-vpf-nat-rule mode.

VPF processes rules in an order determined by the sequence number of each rule.

When forming a NAT ruleset, in most cases the best practice is to use a very high sequence number (e.g. 1000) for a typical outbound NAT catchall to perform NAT for internal subnets when exiting a WAN. This is to allow room to configure exceptions to this rule that get processed before the default catchall rule. For example, if there are multiple external IP addresses, this leaves room for additional rules to map internal hosts or subnets to alternate external addresses.

A common practice is to leave a gap between rule numbers when starting in case rules must be rearranged at a later date. Increasing the sequence number by 10 or 100 for each rule is a common tactic (10, 20, 30, 40, etc.).

NAT Rule Configuration

VPF rules contain a variety of options to control how it matches packets and how it translates packets that match the rule.

These are all configured from within config-vpf-nat-rule mode.

Description

Each rule can have its own description so the ruleset can be self-documenting.

description <text>:

Adds an optional text description to this rule to explain its purpose.

Direction

Controls the direction in which this rule matches packets.

direction in:

Matches packets entering an interface (ingress) and performs translation on the destination address. On external interfaces, such as WANs or VPNs, these are packets arriving at TNSR from hosts on the Internet or VPN going to local destinations. On internal interfaces, such as LANs, these are packets arriving at TNSR from local hosts going to other remote or local destinations.

direction out:

Matches packets exiting an interface (egress) and performs translation on the source address. On external interfaces, such as WANs or VPNs, these are packets leaving TNSR from local hosts going to remote destinations on the Internet or VPNs. On internal interfaces, such as LANs, these are packets leaving TNSR coming from remote hosts.

dest-route-table <route-table>:

Configures an alternate routing table (VRF) for an inbound rule if the destination VRF is different than the VRF of the interface where this rule is configured.

VPF will use this VRF when determining how to route packets for an inbound connection and associated responses.

For example, this is useful when a WAN is on VRF1 and its NAT ruleset contains a port forward redirecting an inbound connection to a destination host on an interface in VRF2.

Protocol Options

Rules can match one or more protocol values. ICMP and TCP matches can be restricted further by protocol attributes.

protocol <values>:

Specifies protocols to match, separated by spaces. Protocol values can be given by name (in lowercase) or by protocol number. Packets can match any protocol in this list.

When unset, packets of any protocol will match the rule.

Note

If the protocol is unset and the rule also contains a from or to value to match a port, VPF assumes the protocol to be either TCP or UDP.

icmp (code|type) <value>:

Matches only a specific ICMP type or code by numeric value.

tcp flags value <flag-name> [<flag-name> […]]:

Operates the same as filter rule TCP flag values. See Protocol Options.

tcp flags mask <flag-name> [<flag-name> […]]:

Operates the same as filter rule TCP flag masks. See Protocol Options.

Source and Destination Address Matching

VPF supports a variety of ways to match the source and destination addresses on packets.

The from commands match the source address on packets, while the to commands match destination addresses. Both sets of commands support the same types of address matching mechanisms.

These matching commands work identically to the commands in VPF filter rules. See Source and Destination Address Matching for details.

Network Address Translation Operations

These options control how VPF translates addresses and ports on packets matching the NAT rule.

nat-interface <name>:

Translates the address on the packet to an IP address configured on the given TNSR interface.

Note

If the given interface has multiple addresses, VPF will utilize all of them with NAT when configured in this way. To limit NAT to only a single address, use nat-prefix with a /32 prefix. To perform NAT using a specific list of external addresses, use nat-table.

nat-prefix <ip-prefix>:

Translates the address on the packet to the specific given prefix.

This can be a single IP address (using a /32 CIDR for IPv4, for example), or an entire subnet, depending on the type of NAT being configured. Prefixes with multiple addresses can be used with the netmap and npt66 algorithms. Other algorithms only support single addresses with this statement, but can utilize multiple addresses or subnets via nat-table instead.

nat-port <port-number>:

Translates the port on the packet to the given port. For example, when port forwarding, this is the port on the internal host to which VPF forwards packets. This can be the same as the external port or it can be a different port entirely.

Note

When translating a range of ports, this port number is only the starting port number on the target host as the range size must match exactly.

nat-table <table-name>:

Translates the address on the packet to an IP address from one of the prefixes in the given VPF table. This works with the ip-hash and round-robin algorithms to NAT connections using a pool of external addresses.

Tables for this purpose can contain single addresses, subnets, or both.

dynamic:

Controls whether the NAT translation is stateful (dynamic is set) or stateless/static (dynamic is unset).

Dynamic mapping implies that the network address and port are being translated in some way, such as for typical outbound NAT or port forwarding scenarios.

no-port-translation:

When present, disables port translation so that the original source port is preserved. This is needed for protocols that break when their source port changes (e.g. VoIP, IPsec).
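The following ruleset ties the pieces above together: the high-numbered outbound catchall recommended in the sequence-number guidance, two lower-numbered exceptions that are matched before it (an alternate public address for one subnet, and a host that must keep its source ports), and an inbound port forward whose target lives in another VRF via dest-route-table. This is an added example, not configuration from the original page or from the TNSR project; it assumes an interface named WAN, a route table named VRF2, documentation-range addresses (10.0.0.0/8 inside, 203.0.113.0/24 public), and that the from/to address and port commands take the `from address <prefix>` / `to address <prefix>` / `to port <port>` form described on the VPF filter rule page.

```text
tnsr(config)# vpf nat ruleset OUTBOUND_NAT
tnsr(config-vpf-nat-ruleset)# description LAN-outbound-NAT-with-exceptions
tnsr(config-vpf-nat-ruleset)# rule 10
tnsr(config-vpf-nat-rule)# description servers-subnet-alternate-public-IP
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# from address 10.2.0.0/24
tnsr(config-vpf-nat-rule)# nat-prefix 203.0.113.11/32
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# rule 20
tnsr(config-vpf-nat-rule)# description ipsec-host-keeps-source-ports
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# from address 10.1.0.50/32
tnsr(config-vpf-nat-rule)# nat-interface WAN
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# no-port-translation
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# rule 100
tnsr(config-vpf-nat-rule)# description forward-WAN-443-to-web-server-8443-in-VRF2
tnsr(config-vpf-nat-rule)# direction in
tnsr(config-vpf-nat-rule)# protocol tcp
tnsr(config-vpf-nat-rule)# to address 203.0.113.10/32
tnsr(config-vpf-nat-rule)# to port 443
tnsr(config-vpf-nat-rule)# nat-prefix 10.3.0.80/32
tnsr(config-vpf-nat-rule)# nat-port 8443
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# dest-route-table VRF2
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# rule 1000
tnsr(config-vpf-nat-rule)# description catchall-LAN-to-WAN-address
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# from address 10.0.0.0/8
tnsr(config-vpf-nat-rule)# nat-interface WAN
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit
```

Rules 10 and 20 both fall inside the 10.0.0.0/8 catchall, which is why they carry lower sequence numbers: VPF evaluates them first, so 10.2.0.0/24 leaves from 203.0.113.11 and 10.1.0.50 keeps its source ports, while everything else is handled by rule 1000. The gaps (10, 20, 100, 1000) leave room to insert further exceptions without renumbering. Rule 100 only matches inbound packets, so its position relative to the outbound rules does not matter; the dest-route-table line is what lets the forwarded connection, and its replies, be routed in VRF2 rather than in the WAN's VRF. The ruleset still has to be bound to the WAN interface before any of it is active (see Interface Options).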

algorithm (ip-hash|netmap|npt66|one-to-one|round-robin):

Further controls how VPF selects and applies the translation address when the translation target (nat-prefix or nat-table) contains multiple addresses.

ip-hash:

Used when dynamic is set. VPF selects the translation address for a new connection based on a hash of the original source and destination addresses. This algorithm attempts to keep all connections from a particular client associated with the same translation address when connecting to the same remote server. This is the default algorithm.

round-robin:

Used when dynamic is set. VPF selects the translation address for each new connection on a round-robin basis.

netmap:

Can work with static or dynamic NAT. VPF performs network address mapping from one prefix to another, leaving the host part as-is.

The new address is computed as follows: addr = net-addr | (orig-addr & ~mask).

one-to-one:

Works only with static NAT. VPF attempts to use a specific external address for every internal address. When used with static NAT, VPF does not translate ports.

npt66:

Works only with static NAT. VPF performs IPv6-to-IPv6 network prefix translation (NPTv6) as defined in RFC 6296. This requires a prefix of equal size for the internal and external address (e.g. both using /64).

Note

NPT66 does not translate the prefixes 1:1. The translation is made according to specific mathematical rules (a checksum-neutral mapping) chosen so that transport-layer checksums such as those of TCP and UDP, which cover the IPv6 addresses, remain valid without being recalculated. The IPv6 header itself carries no checksum. See RFC 6296 for details.
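The two static algorithms above are easiest to understand side by side. The following ruleset is an added example, not configuration from the original page or from the TNSR project: rule 10 maps an IPv4 subnet to a public subnet of the same size with netmap, and rule 20 applies NPTv6 between an internal ULA /48 and a global /48 (the prefixes used in the RFC 6296 example). Neither rule sets dynamic, so both are stateless/static. It assumes the `from address <prefix>` command form from the VPF filter rule page and documentation-range addresses; it shows the outbound (source-translating) rules only.

```text
tnsr(config)# vpf nat ruleset STATIC_MAPS
tnsr(config-vpf-nat-ruleset)# description static-netmap-and-NPTv6
tnsr(config-vpf-nat-ruleset)# rule 10
tnsr(config-vpf-nat-rule)# description netmap-10.10.0.0/24-to-198.51.100.0/24
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# from address 10.10.0.0/24
tnsr(config-vpf-nat-rule)# nat-prefix 198.51.100.0/24
tnsr(config-vpf-nat-rule)# algorithm netmap
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# rule 20
tnsr(config-vpf-nat-rule)# description npt66-fd01:203:405::/48-to-2001:db8:1::/48
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# from address fd01:203:405::/48
tnsr(config-vpf-nat-rule)# nat-prefix 2001:db8:1::/48
tnsr(config-vpf-nat-rule)# algorithm npt66
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit
```

With rule 10, the host part is carried over unchanged per the formula given for netmap: 10.10.0.7 becomes 198.51.100.7. With rule 20 the result is not a plain prefix swap: applying the RFC 6296 checksum-neutral mapping to fd01:203:405:1::1234 yields 2001:db8:1:d550::1234, because the subnet word (0001) is adjusted by the one's-complement difference of the two prefixes so the transport checksum is unchanged. Both rules require the internal and external prefixes to be the same length (/24 and /24, /48 and /48). Whether the return direction needs a matching direction in rule in this configuration is not covered on this page; confirm it on the interface before relying on the mapping.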