
Network Address Translation (NAT)

The Configuration reference section below gives the full configuration reference; the Use cases section that follows it explains possible use cases on the Anapaya appliance.

Configuration reference

Anapaya appliance configuration (nat only)

nat object

Top-level configuration and state for NAT.

dnats object[]

Top-level configuration and state for the destination NAT. Each array element is an object with the following fields:

    address string<ip-address>

        The IPv4 address to match for destination NAT. Incoming packets with this destination address have it translated to nat.dnats.dnat.destination_address. The translation can be restricted to specific ports using nat.dnats.dnat.port_mappings.

    description string

        An optional textual description of the destination NAT configuration.

    destination_address string<ip-address>

        The IPv4 address to which nat.dnats.dnat.address is translated. Outgoing packets with this source address have it replaced by nat.dnats.dnat.address.

    port_mappings object[]

        The list of port mappings for the destination NAT. Mandatory when ingress source NAT is enabled as well. Each array element is an object with the following fields:

        description string

            An optional textual description of the port mapping configuration.

        destination_port integer<uint16>

            The port to which the destination port is translated. Must be an integer between 0 and 65535.

        port integer<uint16>

            The destination port to match for the port mapping. Must be an integer between 0 and 65535. If the destination port matches and the destination address matches nat.dnats.dnat.address, the destination port is replaced by nat.dnats.dnat.port_mappings.destination_port.

        protocol string

            Transport layer protocol. Supported protocols: tcp, udp.
snat object

Top-level configuration and state for the source NAT.

    address_pool string<ip-prefix>[]

        A list of IPv4 prefixes specifying which addresses may be used for the source NAT. A packet's source address is replaced by one of these addresses; the response packet has its destination address replaced by the original source address.

    exclude string<ip-prefix>[]

        A list of IPv4 prefixes to exclude from the source NAT. A packet whose source IP address is covered by one of these prefixes is passed as is, without rewriting its source address. The number of excluded addresses is limited to 1000000.

    interfaces string[]

        A list of network interfaces on which source NAT should be applied. Outgoing (transmitted) packets on these interfaces have their source IP address rewritten to one of the addresses in the address pool; incoming (received) packets have their destination address rewritten to the original source address. The list can contain any interface on the host that uses the VPP_DPDK driver. In addition, the special scion-gateway interface can be used to configure source NAT for outgoing IP-in-SCION tunneling traffic. When SNAT is configured in combination with DNAT (see Use Case: Ingress SNAT and DNAT), the list of network interfaces must be empty: the SNAT and DNAT combination only works with the scion-gateway interface, which is then set automatically.
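As an added example that is not part of the Anapaya documentation, the following Python lints a NAT configuration against the constraints listed in this reference: IPv4 host addresses for DNAT, uint16 port ranges, the tcp/udp protocol set, the 1000000-address limit on snat.exclude, and the two rules that apply when SNAT is combined with DNAT (port_mappings mandatory, snat.interfaces empty). It assumes the configuration is available as a Python dict whose keys mirror the documented paths; the appliance's actual serialization format is not shown on this page, and the sample configuration (including the interface name eth1) is constructed.

```python
import ipaddress
MAX_EXCLUDE_ADDRESSES = 1_000_000  # documented limit for nat.snat.exclude


def _ipv4_prefix(value, path, errors):
    """Parse an IPv4 prefix (a bare address counts as a /32); None if invalid."""
    try:
        net = ipaddress.ip_network(value, strict=False)
        if net.version == 4:
            return net
        errors.append(f"{path}: {value!r} is not IPv4")
    except (ValueError, TypeError):
        errors.append(f"{path}: {value!r} is not a valid IP prefix")


def validate_nat(nat):
    """Return the list of documented constraints the config violates (empty = OK)."""
    errors, dnats, snat = [], nat.get("dnats", []), nat.get("snat")
    for i, dnat in enumerate(dnats):
        p = f"nat.dnats[{i}]"
        for field in ("address", "destination_address"):  # single hosts, not prefixes
            net = _ipv4_prefix(dnat.get(field), f"{p}.{field}", errors)
            if net is not None and net.num_addresses != 1:
                errors.append(f"{p}.{field}: must be a single host address")
        mappings = dnat.get("port_mappings", [])
        if snat is not None and not mappings:  # mandatory together with ingress SNAT
            errors.append(f"{p}.port_mappings: mandatory when snat is configured")
        for j, m in enumerate(mappings):
            mp = f"{p}.port_mappings[{j}]"
            for f in ("port", "destination_port"):  # uint16 range
                if not isinstance(m.get(f), int) or not 0 <= m[f] <= 65535:
                    errors.append(f"{mp}.{f}: must be an integer between 0 and 65535")
            if m.get("protocol") not in ("tcp", "udp"):
                errors.append(f"{mp}.protocol: supported protocols are tcp, udp")
    if snat is not None:
        for k, v in enumerate(snat.get("address_pool", [])):
            _ipv4_prefix(v, f"nat.snat.address_pool[{k}]", errors)
        excluded = [_ipv4_prefix(v, f"nat.snat.exclude[{k}]", errors)
                    for k, v in enumerate(snat.get("exclude", []))]
        if sum(n.num_addresses for n in excluded if n) > MAX_EXCLUDE_ADDRESSES:
            errors.append("nat.snat.exclude: more than 1000000 addresses excluded")
        if dnats and snat.get("interfaces"):  # scion-gateway is then set automatically
            errors.append("nat.snat.interfaces: must be empty when dnats are configured")
    return errors


EXAMPLE = {  # constructed sample: DNAT for one service plus ingress SNAT, two deliberate mistakes
    "dnats": [{"address": "203.0.113.10", "destination_address": "10.0.0.5", "port_mappings": [
        {"port": 443, "destination_port": 8443, "protocol": "tcp"},
        {"port": 70000, "destination_port": 53, "protocol": "udp"}]}],  # 70000 exceeds uint16
    "snat": {"address_pool": ["198.51.100.0/24"], "exclude": [], "interfaces": ["eth1"]},
}
```

Running `validate_nat(EXAMPLE)` reports the out-of-range port and the non-empty snat.interfaces; a clean configuration returns an empty list.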

Use cases

Egress source NAT

Egress source NAT is useful for deployments that have only a single public IP address that can be tunneled through an IP-in-SCION tunnel. The egress source NAT setup works the same way as a regular source NAT setup, e.g., for a home network: the appliance rewrites the source IP address of packets leaving the local network to the public IP address.

• nat.snat.address_pool: A list of IPv4 prefixes that can be used as public IP addresses for the NAT. These addresses should also be announced to remote IP-in-SCION tunneling endpoints.

• nat.snat.exclude: A list of IPv4 prefixes to exclude from the NAT. Useful for excluding addresses of services that use their own public IP address.

• nat.snat.interfaces: For egress NAT, this must include the scion-gateway interface, and optionally any interface connected to the external network (e.g., the public Internet). Specifying interfaces connected to the local network (i.e., the LAN) together with the scion-gateway is a misconfiguration and leads to undefined behavior.

Refer to IP-in-SCION tunneling for more information.

Ingress source NAT

Ingress source NAT is useful when replies to packets coming out of a SCION tunnel are supposed to be routed back into the tunnel, while other packets can still be routed in an arbitrary, user-defined way. The motivation is that return traffic can be sent via the EDGE even when an Internet router is also available for it.

Using ingress NAT assumes that the routing of packets to the appliance is done using static routes. Combining ingress NAT with BGP is not supported.

• nat.snat.address_pool: A list of IPv4 prefixes that are used to route the reply packets back to the appliance. The appliance rewrites the source IP address of packets entering the local network to one of these addresses. It is up to the user to configure the routing of these addresses in the local network accordingly.

• nat.snat.exclude: A list of IPv4 prefixes to exclude from the NAT.

• nat.snat.interfaces: The list of interfaces connected to the local network.

Refer to IP-in-SCION tunneling for more information.

Destination NAT

Destination NAT is useful to allow external clients to access services running on private IPs. For example, in a cloud deployment the service uses a private IP address and the appliance exposes the public IP to make the service reachable.

Ingress SNAT and DNAT

Combining ingress SNAT and DNAT is useful when the appliance is used as a gateway to provide access to services running on private IPs while those services are also reachable from other networks. The DNAT guarantees that the private IP can be reached, and the SNAT ensures that return traffic can easily be routed back to the appliance.