Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Outbound NAT not doing as expected, not sure what I'm doing wrong

    Scheduled Pinned Locked Moved
    NAT
    2
    3
    2.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      stilez
      last edited by

      As far as I understand, Outbound NAT (combined with a VIP) modifies the source address of a packet as it traverses inward across an interface. I'm trying to use this feature but I'm not able to get this to happen, and can't understand why.

      I have 2 interfaces, OPT1 (192.168.1.1/24) and OPT2 (192.168.2.1/24). I have PC1 on OPT1 at 192.168.1.2 which pings PC2 on OPT2 at 192.168.2.2. What I'm trying to do is that with NAT in place, 192.168.2.2 will see the ping source as being an IP in the 192.168.2.0/24 subnet, with the original IP rewritten by the router before sending it out on OPT2)

      I made the following settings:

      1. Created a virtual IP 192.168.2.10 on OPT1 - I've tried this as both IP alias and proxy ARP.
        2. Enabled hybrid outbound NAT
        3. Set an outbound NAT rule with interface=OPT1, protocol=source=any, dest=192.168.2.0/24, translation address 192.168.2.10, other fields left at default.

      My understanding is that this should catch packets traversing into the router on OPT1 from any source and dest=192.168.2.0/24, and modify the header so that the packet appears to have source=192.168.2.10, and then process and forward this in the usual way.

      But if I do this and ping from 192.168.1.2 to 192.168.2.2 with packet capture on OPT2, I can see the packet outgoing at OPT2 but the source still shows unmodified as 192.168.1.2, not 192.168.2.10. The packet is traversing but Outbound Nat isn't doing anything as it passes through OPT1.

      What have I misunderstood, and what do I have to do to get the effect I'm after?

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        As far as I understand, Outbound NAT (combined with a VIP) modifies the source address of a packet as it traverses inward across an interface. I'm trying to use this feature but I'm not able to get this to happen, and can't understand why.

        Actually it's called outbound NAT because it translates source addresses as packets traverse outbound.

        I made the following settings:

        1. Created a virtual IP 192.168.2.10 on OPT1 - I've tried this as both IP alias and proxy ARP.
          2. Enabled hybrid outbound NAT
          3. Set an outbound NAT rule with interface=OPT1, protocol=source=any, dest=192.168.2.0/24, translation address 192.168.2.10, other fields left at default.

        My understanding is that this should catch packets traversing into the router on OPT1 from any source and dest=192.168.2.0/24, and modify the header so that the packet appears to have source=192.168.2.10, and then process and forward this in the usual way.

        Yeah that's not at all how it works. Put your VIP and outbound NAT rule on the outbound interface. OPT2 in this case if I am understanding correctly.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • S
          stilez
          last edited by

          @Derelict:

          Yeah that's not at all how it works. Put your VIP and outbound NAT rule on the outbound interface. OPT2 in this case if I am understanding correctly.

          Thank you! That worked perfectly first time - after all this time of banging my head. In case anyone else is looking, this is what I did:

          1. Set up a virtual IP of type "IP alias" (but perhaps some other types would have worked just as well) with the IP that I want the packet to look like it came from (192.168.2.10 in this example). The IP alias is set on the interface it will leave the router on, not the one it arrives into the router at (OPT2 in this example).

          2. Set hybrid NAT (or if you prefer Manual/AON) and then add an Outbound NAT rule again on the same interface the packet will leave on (OPT2) with source = any (or whatever IP range the packet actually came from) and dest = the destination IP or its subnet or whatever (I used 192.168.2.0/24). Then set the translation address by choosing the virtual IP from step 1, in the drop-down box.

          As far as I understand it in lay-terms, the misunderstanding is that outbound NAT seems to mean "outbound from the router", not "outbound from a given network into the router". Ambiguity of language, but what a headache. The packet, sent to its destination IP, travels in from OPT1 and is picked up by NAT when it's outgoing at OPT2 (the interface in the NAT rule). As the packet's src matches "any" and its dest matches the value entered in the NAT rule (192.168.2.0/24), its source is translated to be 192.168.2.10 as required.

          Packet capture confirms it - when I ping as described in the 1st post, packet capture on the OPT1 interface shows a ping and reply from 192.168.1.2 -> 192.168.2.2, but packet capture on the OPT2 interface shows a ping and reply from 192.168.2.10 -> 192.168.2.2 as desired.

          Thank you very much indeed. (Maybe this could be made clearer in the documentation as well?)

          1 Reply Last reply Reply Quote 0
          • First post
            Last post