Deterministic NAT not work
-
I have a topo as below, I use Deterministic NAT but it doesn't work. Can you help me?
This is my config:

NAT Configuration Parameters
----------------------------
endpoint-dependent true
translation hash buckets 16384
translation hash memory 12189696
deterministic true
user hash buckets 1024
user hash memory 761856
max translations per user 10240
max translations per thread 10240
max users per thread 1024
outside Route Table ipv4-VRF:0
inside Route Table ipv4-VRF:0
dynamic mapping enabled
forwarding is enabled
out2in-dpo is disabled
UDP timeout 300s
TCP established connections timeout 7440s
TCP transitory connections timeout 240s
ICMP timeout 60s

Deterministic Mappings
----------------------
Inside          Outside          Ratio     Ports     Sessions
--------------- ---------------- --------- --------- ---------
10.10.10.0/25   202.60.109.16/30 32        2016      0
10.10.10.128/25 202.60.109.20/30 32        2016      0

Pool Addresses Route Table Twice NAT
-------------- ----------- ---------
192.168.96.6

Pool Interfaces Twice NAT
--------- ---------
gi1188

Interfaces Side
--------- -------
gi100     inside
gi1188    outside
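The Ratio and Ports columns in the mapping table above follow from the prefix sizes, and the same arithmetic lets an operator trace an outside address and port back to an inside host without per-session logs. This is an added example, not part of the original post or TNSR's own code; it assumes the address and port arithmetic of VPP's deterministic NAT (first usable port 1024), and the class and method names are hypothetical.

```python
import ipaddress

FIRST_PORT = 1024  # assumption: ports below 1024 are never handed out


class DetMapping:
    """One row of the 'Deterministic Mappings' table (hypothetical helper)."""

    def __init__(self, inside, outside):
        self.inside = ipaddress.ip_network(inside)
        self.outside = ipaddress.ip_network(outside)
        # Number of inside hosts that share one outside address.
        self.ratio = self.inside.num_addresses // self.outside.num_addresses
        if self.ratio < 1:
            raise ValueError("outside prefix is larger than inside prefix")
        # Size of the fixed port block each inside host receives.
        self.ports = (65536 - FIRST_PORT) // self.ratio

    def forward(self, inside_ip):
        """Inside host -> (outside address, first port, last port)."""
        ip = ipaddress.ip_address(inside_ip)
        if ip not in self.inside:
            raise ValueError(f"{ip} is not in {self.inside}")
        off = int(ip) - int(self.inside.network_address)
        out = self.outside.network_address + off // self.ratio
        lo = FIRST_PORT + self.ports * (off % self.ratio)
        return str(out), lo, lo + self.ports - 1

    def reverse(self, outside_ip, port):
        """Outside address and source port seen in a remote log -> inside host."""
        ip = ipaddress.ip_address(outside_ip)
        if ip not in self.outside:
            raise ValueError(f"{ip} is not in {self.outside}")
        slot = (port - FIRST_PORT) // self.ports
        if port < FIRST_PORT or slot >= self.ratio:
            raise ValueError(f"port {port} is outside every host's block")
        off = (int(ip) - int(self.outside.network_address)) * self.ratio + slot
        return str(self.inside.network_address + off)


# The two mappings shown in the post's output.
MAPPINGS = [
    DetMapping("10.10.10.0/25", "202.60.109.16/30"),
    DetMapping("10.10.10.128/25", "202.60.109.20/30"),
]
```

Because the translation is pure arithmetic, `reverse()` needs only the outside address and source port from a complaint or remote log, which is the property the replacement setup has to recover through session logging.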
-
@vah1280 Deterministic NAT is being deprecated in the next version.
See first warning here:
https://docs.netgate.com/tnsr/en/latest/nat/deterministic.html#deterministic-nat
-
Hi @vah1280,
Yes, what @Derelict states is true with regard to Deterministic NAT (it just wasn't performing the way we wanted without causing other issues). We did add NAT Logging in our 20.10 release to address intercept/compliance requirements (if that is your use-case/need). You can read about that here: https://docs.netgate.com/tnsr/en/latest/monitoring/ipfix.html
BTW - thanks for your interest in TNSR, please keep sharing your questions and feedback!
Audian
-
@derelict said in Deterministic NAT not work:
https://docs.netgate.com/tnsr/en/latest/nat/deterministic.html#deterministic-nat
Hi,
Sad to read this. That was the purpose of downloading the homelab version and testing the performance of CGNAT. Anything usable in TNSR for CGNAT? Thanks
-
@audian
ty,
Need is logging to syslog (remote). Looking for an IPFIX collector to txt file,
same translated public IP address to private IP holder,
high throughput of NATting.
Thanks
-
@hashbang It is possible that a combination of endpoint-dependent NAT plus IPFIX logging would solve the issue of matching inside addresses with outside NAT translations for compliance purposes, etc.