DNAT
These scenarios show how to configure DNAT (Destination Network Address Translation) on OSDx.
Test DNAT
Description
In this scenario, DUT0 modifies the destination address of incoming packets generated at the WAN side. The address is translated to a custom one: 192.168.100.2.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth1 address 10.0.0.2/24
set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.100.2
set interfaces ethernet eth1 traffic nat destination rule 1 selector SEL
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic selector SEL rule 1 protocol tcp,udp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.22/24
set protocols static route 0.0.0.0/0 next-hop 10.0.0.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.344 ms
--- 192.168.100.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.344/0.344/0.344/0.000 ms
Step 5: Ping IP address 10.0.0.22 from DUT0:
admin@DUT0$ ping 10.0.0.22 count 1 size 56 timeout 1
PING 10.0.0.22 (10.0.0.22) 56(84) bytes of data.
64 bytes from 10.0.0.22: icmp_seq=1 ttl=64 time=0.486 ms
--- 10.0.0.22 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.486/0.486/0.486/0.000 ms
Step 6: Initiate a TCP connection from DUT1 to DUT2 (DUT1 connects to DUT0's WAN address 10.0.0.2, which the DNAT rule translates to 192.168.100.2) and try to send some messages between both endpoints:
admin@DUT2$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 10.0.0.2 8080 tcp
Step 7: Initiate a UDP connection from DUT1 to DUT2 in the same way and try to send some messages between both endpoints:
admin@DUT2$ monitor test connection server 5050 udp
admin@DUT1$ monitor test connection client 10.0.0.2 5050 udp
Step 8: Run command system conntrack show nat at DUT0 and check if output contains the following tokens:
src=10.0.0.22 dst=10.0.0.2
src=192.168.100.2 dst=10.0.0.2
icmp 1 24 src=192.168.100.1 dst=192.168.100.2 type=8 code=0 id=328 packets=1 bytes=84 src=192.168.100.2 dst=192.168.100.1 type=0 code=0 id=328 packets=1 bytes=84 mark=0 use=1
tcp 6 src=10.0.0.22 dst=10.0.0.2 sport=44008 dport=8080 packets=14 bytes=836 src=192.168.100.2 dst=10.0.0.22 sport=8080 dport=44008 packets=13 bytes=784 [ASSURED] [OFFLOAD, packets=10 bytes=620 packets=10 bytes=620] mark=0 use=2
udp 17 src=10.0.0.22 dst=10.0.0.2 sport=37690 dport=5050 packets=5 bytes=240 src=192.168.100.2 dst=10.0.0.22 sport=5050 dport=37690 packets=5 bytes=240 [OFFLOAD, packets=3 bytes=144 packets=4 bytes=192] mark=0 use=2
icmp 1 24 src=10.0.0.2 dst=10.0.0.22 type=8 code=0 id=329 packets=1 bytes=84 src=10.0.0.22 dst=10.0.0.2 type=0 code=0 id=329 packets=1 bytes=84 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
Test DNAT Redirect
Description
This scenario is similar to the previous one, but when redirect is specified as the rule address, the destination address is translated to the IP address of the interface on which the rule is applied (here 10.0.0.2 on eth1 of DUT0).
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth1 address 10.0.0.2/24
set interfaces ethernet eth1 traffic nat destination rule 1 address redirect
set interfaces ethernet eth1 traffic nat destination rule 1 selector SEL
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic selector SEL rule 1 protocol tcp,udp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.22/24
set protocols static route 0.0.0.0/0 next-hop 10.0.0.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.22 from DUT0:
admin@DUT0$ ping 10.0.0.22 count 1 size 56 timeout 1
PING 10.0.0.22 (10.0.0.22) 56(84) bytes of data.
64 bytes from 10.0.0.22: icmp_seq=1 ttl=64 time=0.585 ms
--- 10.0.0.22 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.585/0.585/0.585/0.000 ms
Step 4: Initiate a TCP connection from DUT1 to DUT0 (DUT1 connects to 192.168.100.3, an address that is routed through DUT0 via the default route and redirected to DUT0's own interface address) and try to send some messages between both endpoints:
admin@DUT0$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 192.168.100.3 8080 tcp
Step 5: Initiate a UDP connection from DUT1 to DUT0 in the same way and try to send some messages between both endpoints:
admin@DUT0$ monitor test connection server 5050 udp
admin@DUT1$ monitor test connection client 192.168.100.3 5050 udp
Step 6: Run command system conntrack show nat at DUT0 and check if output contains the following tokens:
src=10.0.0.22 dst=192.168.100.3
src=10.0.0.2 dst=10.0.0.22
udp 17 29 src=10.0.0.22 dst=192.168.100.3 sport=54030 dport=5050 packets=5 bytes=240 src=10.0.0.2 dst=10.0.0.22 sport=5050 dport=54030 packets=5 bytes=240 mark=0 use=1
icmp 1 24 src=10.0.0.2 dst=10.0.0.22 type=8 code=0 id=330 packets=1 bytes=84 src=10.0.0.22 dst=10.0.0.2 type=0 code=0 id=330 packets=1 bytes=84 mark=0 use=1
tcp 6 17 TIME_WAIT src=10.0.0.22 dst=192.168.100.3 sport=59896 dport=8080 packets=14 bytes=836 src=10.0.0.2 dst=10.0.0.22 sport=8080 dport=59896 packets=13 bytes=784 [ASSURED] mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
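The conntrack checks in both scenarios (Step 8 of the first, Step 6 of this one) rely on spotting the translated address by eye. As an added example that is not part of the OSDx documentation, the following Python script parses `system conntrack show nat` output, pairs each flow's original and reply tuples, and flags flows where DNAT actually rewrote the destination (the reply's source differs from the original destination), while `check_tokens` reproduces the substring check the steps describe. The sample lines are copied from this page's outputs.

```python
"""Verify DNAT from OSDx `system conntrack show nat` output (added example)."""
import re

# Sample flows copied from the two scenarios above; the ICMP entry is a ping
# from DUT0 itself and is not translated, so it acts as a control.
SAMPLE_DNAT = """\
tcp 6 src=10.0.0.22 dst=10.0.0.2 sport=44008 dport=8080 packets=14 bytes=836 src=192.168.100.2 dst=10.0.0.22 sport=8080 dport=44008 packets=13 bytes=784 [ASSURED] [OFFLOAD, packets=10 bytes=620 packets=10 bytes=620] mark=0 use=2
icmp 1 24 src=10.0.0.2 dst=10.0.0.22 type=8 code=0 id=329 packets=1 bytes=84 src=10.0.0.22 dst=10.0.0.2 type=0 code=0 id=329 packets=1 bytes=84 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
"""
SAMPLE_REDIRECT = """\
udp 17 29 src=10.0.0.22 dst=192.168.100.3 sport=54030 dport=5050 packets=5 bytes=240 src=10.0.0.2 dst=10.0.0.22 sport=5050 dport=54030 packets=5 bytes=240 mark=0 use=1
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def parse_flows(text):
    """Return one dict per flow with its protocol, original and reply tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("tcp", "udp", "icmp"):
            continue  # skips the trailing "conntrack v... entries" summary
        # conntrack prints the original direction first, then the reply
        # direction; the second "src=" marks the boundary between them.
        first = line.index("src=")
        second = line.index("src=", first + 1)
        flows.append({
            "proto": parts[0],
            "orig": dict(FIELD.findall(line[first:second])),
            "reply": dict(FIELD.findall(line[second:])),
        })
    return flows


def dnat_applied(flow):
    """DNAT rewrote the packet if the reply comes from a different address
    (or port, for port forwarding) than the one the client originally sent to."""
    o, r = flow["orig"], flow["reply"]
    return o["dst"] != r["src"] or o.get("dport") != r.get("sport")


def check_tokens(text, tokens):
    """Substring check as in the steps above; returns the tokens not found."""
    return [t for t in tokens if t not in text]


if __name__ == "__main__":
    for f in parse_flows(SAMPLE_DNAT) + parse_flows(SAMPLE_REDIRECT):
        print(f["proto"], f["orig"]["dst"], "->", f["reply"]["src"], dnat_applied(f))
```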