Hi Rajith, If you are not using output feature you have to configure both inside and outside nat interfaces separately.
So got with input + output or output feature. Output feature is not an nat interface. it is a feature that handles configuration of both outside and inside nat interfaces and together with pool address creates complete configuratoin of basic NAT box == home router gateway. To nat specific local interface traffic only you have to configure inside interface for the lan interface and outside interface for the wan interface. If you have any further questions please ask. Best regards, Filip Varga From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Rajith PR via lists.fd.io Sent: Saturday, January 15, 2022 8:02 AM To: alekc...@googlemail.com Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Unable to configure mixed NAT and non-NAT traffic Importance: High Hi all, Just to add to the query, I have observed that in interface configuration is optional for NAT to work. All traffic get NATed if out interface is set with output-feature. Thanks, Rajith On Thu, 13 Jan 2022 at 7:06 AM, alekcejk via lists.fd.io<http://lists.fd.io> <alekcejk=googlemail....@lists.fd.io<mailto:googlemail....@lists.fd.io>> wrote: Hi all, I am trying to get setup for mixed NAT and non-NAT traffic. In GNS3 I created VPP VM with three interfaces (1 external, 2 internal). External interface GigabitEthernet0/5/0 with public IP address 203.0.113.1/30<http://203.0.113.1/30> connected to host with IP 203.0.113.2/30<http://203.0.113.2/30> and route to 198.51.100.0/24<http://198.51.100.0/24> via 203.0.113.1 Internal interface GigabitEthernet0/6/0 with private IP address 172.16.0.1/24<http://172.16.0.1/24> connected to host with IP 172.16.0.2/24<http://172.16.0.2/24> Internal interface GigabitEthernet0/7/0 with public IP address 198.51.100.1/25<http://198.51.100.1/25> connected to host with IP 198.51.100.2/25<http://198.51.100.2/25> Internal traffic from/to 198.51.100.0/25<http://198.51.100.0/25> should be forwarded without NAT. NAT address 198.51.100.128 should be applied on external interface only for internal traffic from 172.16.0.0/24<http://172.16.0.0/24>. Here my setup for VPP 21.01.1 (running on CentOS 8) /etc/vpp/startup.conf: unix { nodaemon startup-config /etc/vpp/startup-config log /var/log/vpp/vpp.log full-coredump cli-listen /run/vpp/cli.sock cli-history-limit 100 cli-no-banner poll-sleep-usec 10 gid vpp } api-trace { on } api-segment { gid vpp } dpdk { dev 0000:00:05.0 dev 0000:00:06.0 dev 0000:00:07.0 } plugins { plugin default { disable } plugin dpdk_plugin.so { enable } plugin nat_plugin.so { enable } plugin arping_plugin.so { enable } plugin ping_plugin.so { enable } } logging { default-log-level debug default-syslog-log-level debug } ethernet { default-mtu 1500 } /etc/vpp/startup-config: set interface state GigabitEthernet0/5/0 up set interface state GigabitEthernet0/6/0 up set interface state GigabitEthernet0/7/0 up set interface ip address GigabitEthernet0/5/0 203.0.113.1/30<http://203.0.113.1/30> set interface ip address GigabitEthernet0/6/0 172.16.0.1/24<http://172.16.0.1/24> set interface ip address GigabitEthernet0/7/0 198.51.100.1/25<http://198.51.100.1/25> nat44 enable sessions 50000 endpoint-dependent nat44 forwarding enable nat44 add address 198.51.100.128 set interface nat44 in GigabitEthernet0/6/0 output-feature set interface nat44 out GigabitEthernet0/5/0 output-feature If I run ping from internal host 172.16.0.2 to external host 203.0.113.2 then translation works correctly 02:44:23.420497 IP 198.51.100.128 > 203.0.113.2<http://203.0.113.2>: ICMP echo request, id 64233, seq 4, length 64 02:44:23.420516 IP 203.0.113.2 > 198.51.100.128<http://198.51.100.128>: ICMP echo reply, id 64233, seq 4, length 64 But if I run ping 203.0.113.2 from internal host 198.51.100.2 then NAT also applied even though I didn't set nat in on the GigabitEthernet0/7/0 02:47:15.242598 IP 198.51.100.128 > 203.0.113.2<http://203.0.113.2>: ICMP echo request, id 22324, seq 127, length 64 02:47:15.242620 IP 203.0.113.2 > 198.51.100.128<http://198.51.100.128>: ICMP echo reply, id 22324, seq 127, length 64 vpp# show nat44 interfaces NAT44 interfaces: GigabitEthernet0/6/0 output-feature in GigabitEthernet0/5/0 output-feature out If I remove "output-feature" then translation not applied at all with enabled "nat44 forwarding enable". In setup for VPP 21.10 I removed "endpoint-dependent" but if "output-feature" will stay on internal interface GigabitEthernet0/6/0 I see new problem. Only one correct response received on internal host 172.16.0.2 when running ping 203.0.113.2, second response comes with source IP 198.51.100.128 instead of 203.0.113.2. 03:06:18.420787 IP 172.16.0.2 > 203.0.113.2<http://203.0.113.2>: ICMP echo request, id 405, seq 1, length 64 03:06:18.427246 IP 203.0.113.2 > 172.16.0.2<http://172.16.0.2>: ICMP echo reply, id 405, seq 1, length 64 03:06:19.424157 IP 172.16.0.2 > 203.0.113.2<http://203.0.113.2>: ICMP echo request, id 405, seq 2, length 64 03:06:19.424441 IP 198.51.100.128 > 172.16.0.2<http://172.16.0.2>: ICMP echo reply, id 59651, seq 2, length 64 So I removed "output-feature" from internal interface GigabitEthernet0/6/0 /etc/vpp/startup-config: set interface state GigabitEthernet0/5/0 up set interface state GigabitEthernet0/6/0 up set interface state GigabitEthernet0/7/0 up set interface ip address GigabitEthernet0/5/0 203.0.113.1/30<http://203.0.113.1/30> set interface ip address GigabitEthernet0/6/0 172.16.0.1/24<http://172.16.0.1/24> set interface ip address GigabitEthernet0/7/0 198.51.100.1/25<http://198.51.100.1/25> nat44 enable sessions 50000 nat44 forwarding enable nat44 add address 198.51.100.128 set interface nat44 in GigabitEthernet0/6/0 set interface nat44 out GigabitEthernet0/5/0 output-feature vpp# show nat44 interfaces NAT44 interfaces: GigabitEthernet0/6/0 in GigabitEthernet0/5/0 output-feature in out With this setup NAT also applied to both 172.16.0.0/24<http://172.16.0.0/24> and 198.51.100.0/25<http://198.51.100.0/25>. Can someone point me to what is wrong with my settings and what needs to be changed in order for the NAT to work as required in my case? Thanks, Alexey NOTICE TO RECIPIENT This e-mail message and any attachments are confidential and may be privileged. If you received this e-mail in error, any review, use, dissemination, distribution, or copying of this e-mail is strictly prohibited. Please notify us immediately of the error by return e-mail and please delete this message from your system. For more information about Rtbrick, please visit us at www.rtbrick.com<http://www.rtbrick.com>
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#20780): https://lists.fd.io/g/vpp-dev/message/20780 Mute This Topic: https://lists.fd.io/mt/88388590/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
