Introduction:
In this example, both source and destination NAT are used to NAT all traffic from an external IP address to an internal IP address and vice-versa. If there is a condition where no specific routing needs to take place between the external and internal network, and to allow the hosts to transparently communicate with each other, we need to use proxy-arp in the router. It gives its own MAC address in response to ARP requests to reach the destination. All that is necessary is that the networks be reachable from the gateway.
Configuration:
Gateway Router:
set interfaces ethernet eth0 address '2.2.2.1/24' set interfaces ethernet eth1 vif 902 address '10.7.255.1/24' |
Vyos Firewall Router:
set interfaces ethernet eth0 vif 102 address '172.16.2.24/24' set interfaces ethernet eth1 vif 902 address '10.7.255.253/24' set interfaces ethernet eth1 vif 902 ip proxy-arp-pvlan set nat destination rule 100 destination address '10.7.255.129' set nat destination rule 100 inbound-interface 'eth1.902' set nat destination rule 100 translation address '172.16.2.8' set nat source rule 110 outbound-interface 'eth1.902' set nat source rule 110 source address '172.16.2.8' set nat source rule 110 translation address '10.7.255.129' set protocols static route 0.0.0.0/0 next-hop 10.7.255.1 |
Output:
Ping from the server:
server:~$ ping 2.2.2.2 PING 2.2.2.2 (2.2.2.2) 56(84) bytes of data. 64 bytes from 2.2.2.2: icmp_seq=1 ttl=62 time=3.11 ms 64 bytes from 2.2.2.2: icmp_seq=2 ttl=62 time=5.72 ms 64 bytes from 2.2.2.2: icmp_seq=3 ttl=62 time=6.65 ms 64 bytes from 2.2.2.2: icmp_seq=4 ttl=62 time=6.04 ms |
tcpdump from the gateway router:
13:13:15.149367 IP 2.2.2.2 > 10.7.255.129: ICMP echo reply, id 1669, seq 1, length 64 13:13:16.149086 IP 10.7.255.129 > 2.2.2.2: ICMP echo request, id 1669, seq 2, length 64 13:13:16.153248 IP 2.2.2.2 > 10.7.255.129: ICMP echo reply, id 1669, seq 2, length 64 13:13:17.150988 IP 10.7.255.129 > 2.2.2.2: ICMP echo request, id 1669, seq 3, length 64 |