Dnat

These scenarios show how to configure DNAT (Destination Network Address Translation) on OSDx.

[Figure: DNAT scenario topology (dnat.svg)]

Test DNAT

Description

In this scenario, DUT0 modifies the destination address of incoming packets generated at the WAN side. The address is translated to a custom one: 192.168.100.2.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth1 address 10.0.0.2/24
set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.100.2
set interfaces ethernet eth1 traffic nat destination rule 1 selector SEL
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic selector SEL rule 1 protocol tcp,udp

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth1 address 10.0.0.22/24
set protocols static route 0.0.0.0/0 next-hop 10.0.0.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping the IP address 192.168.100.2 from DUT0:

admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.403 ms

--- 192.168.100.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.403/0.403/0.403/0.000 ms

Step 5: Ping the IP address 10.0.0.22 from DUT0:

admin@DUT0$ ping 10.0.0.22 count 1 size 56 timeout 1
PING 10.0.0.22 (10.0.0.22) 56(84) bytes of data.
64 bytes from 10.0.0.22: icmp_seq=1 ttl=64 time=0.566 ms

--- 10.0.0.22 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.566/0.566/0.566/0.000 ms

Step 6: Initiate a TCP connection from DUT1 to DUT2 and exchange messages between both endpoints:

admin@DUT2$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 10.0.0.2 8080 tcp

Step 7: Initiate a UDP connection from DUT1 to DUT2 and exchange messages between both endpoints:

admin@DUT2$ monitor test connection server 5050 udp
admin@DUT1$ monitor test connection client 10.0.0.2 5050 udp

Step 8: Run the command system conntrack show nat on DUT0 and check whether the output contains the following tokens:

src=10.0.0.22 dst=10.0.0.2
src=192.168.100.2 dst=10.0.0.2
tcp      6 src=10.0.0.22 dst=10.0.0.2 sport=44260 dport=8080 packets=10 bytes=628 src=192.168.100.2 dst=10.0.0.22 sport=8080 dport=44260 packets=9 bytes=576 [ASSURED] [OFFLOAD, packets=6 bytes=412 packets=6 bytes=412] mark=0 use=2
icmp     1 24 src=192.168.100.1 dst=192.168.100.2 type=8 code=0 id=227 packets=1 bytes=84 src=192.168.100.2 dst=192.168.100.1 type=0 code=0 id=227 packets=1 bytes=84 mark=0 use=1
udp      17 src=10.0.0.22 dst=10.0.0.2 sport=59700 dport=5050 packets=5 bytes=240 src=192.168.100.2 dst=10.0.0.22 sport=5050 dport=59700 packets=5 bytes=240 [OFFLOAD, packets=3 bytes=144 packets=4 bytes=192] mark=0 use=2
icmp     1 24 src=10.0.0.2 dst=10.0.0.22 type=8 code=0 id=228 packets=1 bytes=84 src=10.0.0.22 dst=10.0.0.2 type=0 code=0 id=228 packets=1 bytes=84 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.

Test DNAT Redirect

Description

This scenario is similar to the previous one, but when redirect is specified, the destination address is translated to the IP address of the interface where the NAT rule is applied.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth1 address 10.0.0.2/24
set interfaces ethernet eth1 traffic nat destination rule 1 address redirect
set interfaces ethernet eth1 traffic nat destination rule 1 selector SEL
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic selector SEL rule 1 protocol tcp,udp

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth1 address 10.0.0.22/24
set protocols static route 0.0.0.0/0 next-hop 10.0.0.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping the IP address 10.0.0.22 from DUT0:

admin@DUT0$ ping 10.0.0.22 count 1 size 56 timeout 1
PING 10.0.0.22 (10.0.0.22) 56(84) bytes of data.
64 bytes from 10.0.0.22: icmp_seq=1 ttl=64 time=0.410 ms

--- 10.0.0.22 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.410/0.410/0.410/0.000 ms

Step 4: Initiate a TCP connection from DUT1 to DUT0 and exchange messages between both endpoints:

admin@DUT0$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 192.168.100.3 8080 tcp

Step 5: Initiate a UDP connection from DUT1 to DUT0 and exchange messages between both endpoints:

admin@DUT0$ monitor test connection server 5050 udp
admin@DUT1$ monitor test connection client 192.168.100.3 5050 udp

Step 6: Run the command system conntrack show nat on DUT0 and check whether the output contains the following tokens:

src=10.0.0.22 dst=192.168.100.3
src=10.0.0.2 dst=10.0.0.22
icmp     1 24 src=10.0.0.2 dst=10.0.0.22 type=8 code=0 id=229 packets=1 bytes=84 src=10.0.0.22 dst=10.0.0.2 type=0 code=0 id=229 packets=1 bytes=84 mark=0 use=1
tcp      6 17 TIME_WAIT src=10.0.0.22 dst=192.168.100.3 sport=43100 dport=8080 packets=10 bytes=628 src=10.0.0.2 dst=10.0.0.22 sport=8080 dport=43100 packets=9 bytes=576 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.22 dst=192.168.100.3 sport=51440 dport=5050 packets=5 bytes=240 src=10.0.0.2 dst=10.0.0.22 sport=5050 dport=51440 packets=5 bytes=240 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
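The conntrack checks in Step 8 of the first scenario and Step 6 of the redirect scenario look for substrings in the output of system conntrack show nat. As an added example (not part of the OSDx documentation or of OSDx itself), the following Python script parses each conntrack entry into its original and reply tuples and reports which flows were actually destination-translated, using the two listings shown on this page as embedded sample input. The class and function names (Flow, parse_conntrack, verify_dnat, contains_tokens, reply_tuples) are this example's own.

```python
"""Check DNAT results in `system conntrack show nat` output.

Added example, not OSDx code. The sample inputs below are the two conntrack
listings shown on this page (plain DNAT scenario and redirect scenario).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Conntrack output from the first scenario (copied from the page).
SCENARIO1_OUTPUT = """\
tcp      6 src=10.0.0.22 dst=10.0.0.2 sport=44260 dport=8080 packets=10 bytes=628 src=192.168.100.2 dst=10.0.0.22 sport=8080 dport=44260 packets=9 bytes=576 [ASSURED] [OFFLOAD, packets=6 bytes=412 packets=6 bytes=412] mark=0 use=2
icmp     1 24 src=192.168.100.1 dst=192.168.100.2 type=8 code=0 id=227 packets=1 bytes=84 src=192.168.100.2 dst=192.168.100.1 type=0 code=0 id=227 packets=1 bytes=84 mark=0 use=1
udp      17 src=10.0.0.22 dst=10.0.0.2 sport=59700 dport=5050 packets=5 bytes=240 src=192.168.100.2 dst=10.0.0.22 sport=5050 dport=59700 packets=5 bytes=240 [OFFLOAD, packets=3 bytes=144 packets=4 bytes=192] mark=0 use=2
icmp     1 24 src=10.0.0.2 dst=10.0.0.22 type=8 code=0 id=228 packets=1 bytes=84 src=10.0.0.22 dst=10.0.0.2 type=0 code=0 id=228 packets=1 bytes=84 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
"""

# Conntrack output from the redirect scenario (copied from the page).
SCENARIO2_OUTPUT = """\
icmp     1 24 src=10.0.0.2 dst=10.0.0.22 type=8 code=0 id=229 packets=1 bytes=84 src=10.0.0.22 dst=10.0.0.2 type=0 code=0 id=229 packets=1 bytes=84 mark=0 use=1
tcp      6 17 TIME_WAIT src=10.0.0.22 dst=192.168.100.3 sport=43100 dport=8080 packets=10 bytes=628 src=10.0.0.2 dst=10.0.0.22 sport=8080 dport=43100 packets=9 bytes=576 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.22 dst=192.168.100.3 sport=51440 dport=5050 packets=5 bytes=240 src=10.0.0.2 dst=10.0.0.22 sport=5050 dport=51440 packets=5 bytes=240 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
"""

# Every entry carries two address tuples: the original direction first, the
# reply direction second.  ICMP entries have no sport/dport, hence optional.
_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+)(?: sport=(\d+) dport=(\d+))?")


@dataclass
class Flow:
    proto: str
    orig_src: str
    orig_dst: str
    reply_src: str
    reply_dst: str
    dport: Optional[int]  # original-direction destination port, None for ICMP

    @property
    def dnat(self) -> bool:
        # The destination was rewritten when replies come from a different
        # address than the one the client originally targeted.
        return self.reply_src != self.orig_dst

    @property
    def snat(self) -> bool:
        return self.reply_dst != self.orig_src


def parse_conntrack(text: str) -> List[Flow]:
    """Turn conntrack listing lines into Flow objects, skipping the summary line."""
    flows: List[Flow] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "udp", "icmp"):
            continue  # blank line or "conntrack v1.4.7 ... entries have been shown."
        tuples = _TUPLE_RE.findall(line)
        if len(tuples) != 2:
            raise ValueError(f"unexpected conntrack line: {line!r}")
        (osrc, odst, _, dport), (rsrc, rdst, _, _) = tuples
        flows.append(Flow(fields[0], osrc, odst, rsrc, rdst,
                          int(dport) if dport else None))
    return flows


def verify_dnat(text: str, target: str,
                protocols: Iterable[str] = ("tcp", "udp")) -> bool:
    """True when every flow of a selector-matched protocol was translated to
    `target` and every other flow (here ICMP) was left untouched."""
    flows = parse_conntrack(text)
    matched = [f for f in flows if f.proto in protocols]
    others = [f for f in flows if f.proto not in protocols]
    return (bool(matched)
            and all(f.dnat and f.reply_src == target for f in matched)
            and all(not f.dnat for f in others))


def contains_tokens(text: str, tokens: Iterable[str]) -> bool:
    """The substring check the page's Step 8 / Step 6 describe."""
    return all(tok in text for tok in tokens)


def reply_tuples(text: str) -> Set[Tuple[str, str]]:
    """Exact (src, dst) pairs seen in the reply direction."""
    return {(f.reply_src, f.reply_dst) for f in parse_conntrack(text)}


if __name__ == "__main__":
    for name, out, target in (("dnat", SCENARIO1_OUTPUT, "192.168.100.2"),
                              ("redirect", SCENARIO2_OUTPUT, "10.0.0.2")):
        for f in parse_conntrack(out):
            print(f"{name}: {f.proto:4} {f.orig_src}->{f.orig_dst} "
                  f"reply {f.reply_src}->{f.reply_dst} dnat={f.dnat}")
        print(f"{name}: all tcp/udp flows translated to {target}: "
              f"{verify_dnat(out, target)}")
```

Two things the parsed view makes visible that the substring check does not: the ICMP entries in both listings are untranslated, which is the expected consequence of selector SEL matching only tcp,udp; and the token src=192.168.100.2 dst=10.0.0.2 from Step 8 is satisfied by the reply tuple src=192.168.100.2 dst=10.0.0.22 as a substring, so a tuple-aware comparison is the stricter way to confirm which translation actually took place.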