In IOS, the choice of NAT global address pool (or the choice of none at all to disable NAT) can be based on evaluation of an access list or a route map:

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html

TNSR does not have named NAT pools, just one nameless global pool per VRF (and, I guess, a "twice-nat" pool per VRF). Unfortunately the capability to choose "no pool at all" was lost along with the capability to choose among pools!

That said I hope you will not emulate Cisco's NAT configuration because it's an incomprehensible disaster, especially when VRF are involved.

Some of these configurations could possibly be achieved more simply than Cisco by a feature to recirculate the packet:

interface looppair natswitch instance 10 interface loopnexthop10 enable interface looprecirculated10 enable nat inside interface outside0 ip address 123.0.1.1/24 enable nat outside nat pool interface outside0 route ipv4 table ipv4-VRF:0 route 123.0.10.0/24 next-hop 0 via 123.0.1.2 # no NAT route 0.0.0.0/0 next-hop 0 via 9.9.9.9 loopnexthop10 resolve-via-attached # yes NAT

Combined with a hypothetical policy-routing feature that could consider source IP in routing decisions this could handle having a mix of rfc1918 and globally-routable hosts behind a single "inside" interface. For example, route source IP 10.0.0.0/8 via loopnexthop10, and route source IP 123.0.20.0/24 via outside0 directly.

It creates a problem that 123.0.1.2 is directly attached to outside0 so, if NAT is wanted for that destination address, it's difficult to ignore outside0's automatically-added direct route. The hypothetical policy-routing(*) feature could fix that, too, by considering ingress interface in routing decisions. Ingress interface looprecirculated10 will use the VRF's ordinary table, while inside0 ingress interface will policy override and send 123.0.1.0/24 via loopnexthop10 at higher priority than the directly-attached route.

Recirculation solves most VRF problems with three simple rules:

outside and inside interfaces don't need to be in the same VRF. to create or freshen a dynamic translation, the packet must enter a 'nat inside' interface and leave a 'nat outside' interface to match an existing static or dynamic translation, the packet must enter a 'nat outside' interface. It doesn't matter where it exits because that's not known at the time of translation. However the translation may move the packet to a different VRF before routing table lookup if the VRFs differed when the dynamic translation was created.

The only things missing are:

policy routing nat static mapping ... route-table outside-vrf local-route-table inside-vrf
(yes, one could add a "via .. next-hop-table" route to <local address> pointing to the other VRF, but this is not general enough. There's no reason <local address> shouldn't still be reachable directly in outside-vrf. The nat static rule should not have to cast a shadow over it. Also there may be 10 inside-vrfs all having local 192.168.1.1 port 22 listening, and we want to use <external ip> port 2220, 2221, ... 2229 to reach each of them.) ability to bind 'nat pool' to 'nat outside' interface.

--
(*) Unfortunately if 'via classify <table>' was the syntax planned for policy routing, that syntax may not work intuitively because the directly-attached outside0 subnet route needs to be overriden, not passed through a layer of indirection.

@derelict Our company is moving from a 16bit mask to smaller segments. This is to be done as smoothly as possible But the problem is the old address’s must stay the same but with new subnets ie 10.23.3.1/16 could now be 10.23.3.1/24. This obviously means there will be temporary overlapping subnets
The idea is to use VRFs to help get this done. I’m trying to get VRF leaking to work but somehow the interfaces aren’t communicating.Therefore I thought it would be good for troubleshooting purposes to be able to ping from one VRF to the other using the cli. I know the cli is using the default VRF so it’s probably not possible to ping from another VRF but maybe there’s some kind of cool command.

@hashbang It is possible that a combination of endpoint-dependent NAT plus IPfix logging would solve the issue of matching inside addresses with outside NAT translations for compliance purposes, etc.

@derelict yes, it worked.
I changed gw to 192.168.96.5
Many thanks

@alan-jones That means nothing unless you are passing them through directly. Tnsr only sees virtio or vmxnet3. The underlying hardware is obfuscated.

@dbeyzade Can't promise, but I will certainly pass this along to our product manager.

@dbeyzade I assume you're capturing in the host shell on the capture interface presented there.

Your screenshot does not show any ping attempts.

Is it possible to capture your entire test and post the pcap file instead of a screen shot?

The same on the connected switch port would be nice as well.

Thank you.

@kiokoman This did the trick, thank you very much :)

@jamescr We have opened a ticket for you and assigned one of our engineers to see if we can work through these concerns. Thanks!

@derelict if I'm going to try, the problem I see is exactly the one you describe, even in mikrotik the neighbor is recognized and the changes that ospf announces.
ospf.PNG

@helmlein It is not intended to be this way and there is an open bug on the RA. DHCP6 features are simply not implemented yet.

@derelict Thanks.

@vesalius no they do not. RHEL can always be rebuilt from the source code that rhel MUST provide per the GPL. When centos was borged by RHEL the writing was on the wall for Centos. The other rebuilds will continue because the rhel sources will always be available. https://etc-md.com/2020/12/09/the-end-of-centos-and-my-moving-to-bsd/

@robing They need to be a type of NIC that dpdk supports. It should basically work with vmxnet3. Not sure what the capabilities of vmware player are.

@schnitzel_itdept Can do you do a packet capture on server B to double check all advertisements are received correctly?

@capitanblack

Thanks for your interest.

TNSR provides a RESTCONF API. I'm not aware of anyone that has attempted to integrate or test the API against Openstack/Ansible, but if those tools can make RESTCONFI requests it should be possible for them to configure TNSR.

The TNSR API docs can be found here: https://docs.netgate.com/tnsr/en/latest/api/

Feel free to send more questions or update us on your progress!

Time to put a CAPTCHA on logins? I dislike those things but sometimes you do what you gotta do...