VPF Network Address Translation

Network Address Translation (NAT) can change the addresses and ports on packets as they enter or exit TNSR. This is beneficial for a variety of use cases, especially with IPv4. For example, when the LAN is using a local private network of unroutable addresses, such as 10.30.0.0/24, in most cases local hosts in that subnet require NAT to reach the Internet through an interface on TNSR.

Behavior Notes

Before proceeding, there are a few important things to note about the behavior of NAT in VPF:

  • VPF processes filtering operations before NAT operations in any direction.

    This means filter rules match on the pre-NAT addresses in packets, not the translated addresses. For example, for packets on an external WAN-style interface: with outbound NAT the source addresses seen by filter rules are the local network addresses, and with inbound NAT the destination addresses are the external network addresses.

  • VPF performs NAT on the source address for egress traffic (out direction), and performs NAT on the destination address for ingress traffic (in direction).

  • For IPv6 source NAT, VPF only supports prefix translation (npt66); it does not support NAPT/overload-style NAT for IPv6 addresses.

  • Unlike dataplane NAT, VPF only requires NAT to be configured on egress interfaces. In most cases it does not need to be configured on internal interfaces.

  • TNSR will not automatically respond to ARP and ICMP echo requests (ping) for addresses used in VPF NAT rules. Addresses used in NAT rules must be either routed to TNSR or configured on TNSR interfaces before they can function properly.

    Note

    This is different from dataplane NAT, which automatically responds for NAT pool addresses. This is a key item to factor into any conversion from dataplane NAT to VPF NAT.
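The ordering and direction rules above are easy to get wrong when writing filter rules. The following is an added example, not TNSR or VPF code: a small Python model of a pipeline that filters before translating, rewrites the source on egress (IPv4 NAPT, and an RFC 6296-style checksum-neutral prefix translation standing in for npt66) and rewrites the destination on ingress. It shows that an outbound rule written against the translated WAN address never matches, while a rule naming the LAN (pre-NAT) source does. All addresses, ports, prefixes and rule names are constructed sample values, and the prefix-translation routine is a simplified model limited to equal-length prefixes of /48 or shorter.

```python
"""Toy model of the VPF ordering rules above. Constructed example, not TNSR or
VPF code: filtering runs before NAT in both directions, egress rewrites the
source (IPv4 NAPT, or RFC 6296-style prefix translation for IPv6) and ingress
rewrites the destination. Every address, port and rule is a constructed value."""
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class FilterRule:
    direction: str  # "in" or "out"
    src_net: str    # the pre-NAT source must fall in this network
    dst_net: str    # the pre-NAT destination must fall in this network
    action: str     # "pass" or "block"

def filter_packet(rules, pkt, direction, default="block"):
    """First-match filter over the addresses as they arrive, i.e. before NAT."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.direction == direction and s in ipaddress.ip_network(r.src_net) \
                and d in ipaddress.ip_network(r.dst_net):
            return r.action
    return default

def _words(n):
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]  # 128-bit int -> 16-bit words

def _ones_complement_sum(words):
    total = 0
    for w in words:
        total = ((total + w) & 0xFFFF) + ((total + w) >> 16)
    return total % 0xFFFF  # 0x0000 and 0xFFFF are the same checksum value

def npt66(addr, internal_prefix, external_prefix):
    """Checksum-neutral prefix translation (model, /48 or shorter): swap the prefix,
    then adjust word 3 so the one's complement sum of the address is unchanged."""
    inner, outer = ipaddress.IPv6Network(internal_prefix), ipaddress.IPv6Network(external_prefix)
    if inner.prefixlen != outer.prefixlen or inner.prefixlen > 48:
        raise ValueError("model supports equal-length prefixes up to /48")
    old = int(ipaddress.IPv6Address(addr))
    words = _words((old & int(inner.hostmask)) | int(outer.network_address))
    adjust = (_ones_complement_sum(_words(old)) - _ones_complement_sum(words)) % 0xFFFF
    words[3] = (words[3] + adjust) % 0xFFFF
    return str(ipaddress.IPv6Address(sum(w << (112 - 16 * i) for i, w in enumerate(words))))

class Policy:
    def __init__(self, filter_rules):
        self.filter_rules = filter_rules
        self.lan4 = ipaddress.ip_network("10.30.0.0/24")
        self.wan4 = "203.0.113.2"  # sample address configured on the WAN interface
        self.lan6, self.wan6 = "fd01:203:405::/48", "2001:db8:1::/48"
        self.forwards = {("203.0.113.2", 443): ("10.30.0.10", 443)}
        self.sessions = {}  # (src, sport) -> WAN port allocated for NAPT

    def source_nat(self, pkt):
        """Egress (out): rewrite the source. IPv4 gets NAPT; IPv6 gets npt66 only."""
        src = ipaddress.ip_address(pkt.src)
        if src.version == 4 and src in self.lan4:
            port = self.sessions.setdefault((pkt.src, pkt.sport), 1024 + len(self.sessions))
            return replace(pkt, src=self.wan4, sport=port)
        if src.version == 6 and src in ipaddress.ip_network(self.lan6):
            return replace(pkt, src=npt66(pkt.src, self.lan6, self.wan6))
        return pkt

    def dest_nat(self, pkt):
        """Ingress (in): rewrite the destination for configured forwards."""
        target = self.forwards.get((pkt.dst, pkt.dport))
        return replace(pkt, dst=target[0], dport=target[1]) if target else pkt

    def process(self, pkt, direction):
        """Filter first, on pre-NAT addresses; only passed packets reach NAT."""
        verdict = filter_packet(self.filter_rules, pkt, direction)
        if verdict != "pass":
            return verdict, pkt
        return verdict, self.source_nat(pkt) if direction == "out" else self.dest_nat(pkt)

def demo():
    """Outcomes for the cases in the behaviour notes, keyed by scenario."""
    rules = [
        FilterRule("out", "10.30.0.0/24", "0.0.0.0/0", "pass"),   # LAN (pre-NAT) source
        FilterRule("out", "fd01:203:405::/48", "::/0", "pass"),
        FilterRule("in", "0.0.0.0/0", "203.0.113.2/32", "pass"),  # external (pre-NAT) destination
    ]
    policy = Policy(rules)
    results = {
        "out4": policy.process(Packet("10.30.0.10", "198.51.100.5", 40000, 443), "out"),
        "out6": policy.process(Packet("fd01:203:405:6::1", "2001:db8:ffff::9", 40000, 443), "out"),
        "in": policy.process(Packet("198.51.100.5", "203.0.113.2", 50000, 443), "in"),
    }
    # A rule naming the translated WAN address never matches on egress: the filter ran first.
    wrong = Policy([FilterRule("out", "203.0.113.2/32", "0.0.0.0/0", "pass")])
    results["wrong_rule"] = wrong.process(Packet("10.30.0.10", "198.51.100.5", 40000, 443), "out")
    return results

if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

Running the module prints one line per scenario: the IPv4 egress packet leaves with the WAN source and an allocated port, the IPv6 egress packet keeps its host part but has word 3 adjusted so transport checksums stay valid, the inbound packet is forwarded to the internal host only because the rule named the external destination, and the misconfigured policy blocks the LAN packet outright.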