Hi all,

I'm using VPP to develop my program.
Here is my scenario.
I want to use VPP to build a NAT gateway with only one public IPv4 address, and all 
traffic needs to use this public IP to reach the internet (for example: 1.1.1.1).
I can only allow one port through the external firewall,
so I can only use 1.1.1.1:443, for example.

<Server> is on the LAN side.
<Client> is on the internet side.

If I set up a DNAT rule to map <Server1>:1234 to 1.1.1.1:443, and <Client1> 
connects to <Server1>:1234 via 1.1.1.1:443,
I will need to re-use 1.1.1.1:443 for <Client2> to connect to <Server2>:4321.
In Linux kernel Netfilter, we can use "Conntrack" to save the session and keep the TCP 
connection.
So I can remove the DNAT rule and create a new rule to map <Client2> to <Server2> 
without losing the <Client1> to <Server1> connection.

I am trying to use VPP to speed up performance.
I found that VPP deletes the related sessions when I remove the DNAT rule.
So I cannot keep the session in VPP.

Here is my startup.conf:

nat { endpoint-dependent }

Here is my config in vppctl:

set interface mac address TenGigabitEthernet6/0/0 00:00:00:00:00:01
set interface mac address TenGigabitEthernet6/0/1 00:00:00:00:00:02
create bond mode round-robin
bond add BondEthernet0 TenGigabitEthernet6/0/0
bond add BondEthernet0 TenGigabitEthernet6/0/1
create sub-interfaces BondEthernet0 10
create sub-interfaces BondEthernet0 11
set interface ip address BondEthernet0.10 192.168.1.1/16
set interface ip address BondEthernet0.11 1.1.1.1/24
ip route add 0.0.0.0/0 via 1.1.1.254 BondEthernet0.11
set ip neighbor BondEthernet0.11 1.1.1.254 00:00:00:00:00:03
set interface state BondEthernet0 up
set interface state BondEthernet0.10 up
set interface state BondEthernet0.11 up
set interface state TenGigabitEthernet6/0/0 up
set interface state TenGigabitEthernet6/0/1 up
nat44 add interface address BondEthernet0.11
set interface nat44 in BondEthernet0.10
set interface nat44 out BondEthernet0.11

nat44 add static mapping tcp local 10.0.0.2 1234 external 1.1.1.1 443

Do you guys have some advice for me?

Thanks a lot
Regards,
Date Huang
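
The behaviour described in the message above, as an added toy model that is not part of the original post and is neither VPP nor netfilter code: a session table is consulted before the rule table, so an established flow survives a rule swap only if deleting the rule does not also flush its sessions. The `Gateway` class, `swap_mapping`, the client addresses and the second server address are assumptions constructed for the illustration.

```python
# Added illustration: toy model of a DNAT gateway, not VPP or netfilter code.
from dataclasses import dataclass, field

@dataclass
class Gateway:
    flush_on_rule_delete: bool   # True models the behaviour the post reports for VPP
    rules: dict = field(default_factory=dict)     # (ext_ip, ext_port) -> (local_ip, local_port)
    sessions: dict = field(default_factory=dict)  # (cli_ip, cli_port, ext_ip, ext_port) -> local

    def add_rule(self, ext, local):
        self.rules[ext] = local

    def del_rule(self, ext):
        local = self.rules.pop(ext)
        if self.flush_on_rule_delete:
            # Drop every session that was created through this mapping.
            self.sessions = {k: v for k, v in self.sessions.items()
                             if not (k[2:] == ext and v == local)}

    def inbound(self, client, ext, syn=False):
        """Return the LAN endpoint the packet is forwarded to, or None if dropped."""
        key = client + ext
        if key in self.sessions:        # established flow: rules are not consulted
            return self.sessions[key]
        if syn and ext in self.rules:   # only a new connection consults the rule table
            self.sessions[key] = self.rules[ext]
            return self.sessions[key]
        return None

def swap_mapping(flush_on_rule_delete):
    """Replay the scenario from the post with constructed addresses."""
    ext = ("1.1.1.1", 443)
    server1 = ("10.0.0.2", 1234)
    server2 = ("10.0.0.3", 4321)        # assumed address for <Server2>
    client1 = ("198.51.100.10", 40000)  # constructed <Client1>
    client2 = ("203.0.113.20", 50000)   # constructed <Client2>
    gw = Gateway(flush_on_rule_delete)
    gw.add_rule(ext, server1)
    gw.inbound(client1, ext, syn=True)  # <Client1> opens its TCP connection
    gw.del_rule(ext)                    # re-point 1.1.1.1:443
    gw.add_rule(ext, server2)
    new_flow = gw.inbound(client2, ext, syn=True)
    return {"client1": gw.inbound(client1, ext), "client2": new_flow}

if __name__ == "__main__":
    print("sessions kept:   ", swap_mapping(False))
    print("sessions flushed:", swap_mapping(True))
```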