G'day, I would like some advice on how to use VyOS for a specific type of NAT.
I have a situation where I would like to NAT a connection matched on destination address and destination port. But I'd like to translate not only the destination port, but the source address also. So I need a DNAT and a corresponding SNAT.
There will be multiple connections, and the idea is, they will get different source addresses based on the original destination, and be re-routed to a common destination.
The problem is that the DNAT goes first, and since it translates the destination, I don't know what to match on in the SNAT. If I was able to make the SNAT happen first, that would solve the problem. Or if I was somehow able to 'mark' the connection with the DNAT and then match on that in the SNAT, that would work too.
Here's an example of two connections, where I've invented some non-existent connection marking feature to illustrate what I want to do:
set nat destination rule 89 destination address 192.168.222.222
set nat destination rule 89 destination port 10089
set nat destination rule 89 translation port 10000
set nat destination rule 89 modify mark '89'
set nat source rule 89 connection mark '89'
set nat source rule 89 translation address 10.1.1.89
set nat destination rule 96 destination address 192.168.222.222
set nat destination rule 96 destination port 10096
set nat destination rule 96 translation port 10000
set nat destination rule 96 modify mark '96'
set nat source rule 96 connection mark '96'
set nat source rule 96 translation address 10.1.1.96
Notice both connections are translated to the same destination, so I can't use that in the SNAT rule.
Is there any way to do SNAT before DNAT, or achieve what I want in any other way in VyOS?
Other things to note:
- All connections come from the same host, so I can't match on that
- The original source port is ephemeral, so I can't match on that
- The purpose of such a setup is to simulate connections from multiple clients to a common destination, when in reality they're coming from a single host using a different destination port to differentiate each simulated client.
EDIT: I think it's possible if I were using iptables instead of VyOS, like this:
iptables -t mangle -A PREROUTING -d 192.168.222.222 -p tcp --dport 10089 -j CONNMARK --set-mark 89
iptables -t nat -A PREROUTING -d 192.168.222.222 -p tcp --dport 10089 -j DNAT --to-destination 192.168.222.222:10000
iptables -t nat -A POSTROUTING -m connmark --mark 89 -j SNAT --to-source 10.1.1.89
iptables -t mangle -A PREROUTING -d 192.168.222.222 -p tcp --dport 10096 -j CONNMARK --set-mark 96
iptables -t nat -A PREROUTING -d 192.168.222.222 -p tcp --dport 10096 -j DNAT --to-destination 192.168.222.222:10000
iptables -t nat -A POSTROUTING -m connmark --mark 96 -j SNAT --to-source 10.1.1.96
If iptables can do it, I would have guessed VyOS could... but maybe not?
I asked this question over at the VyOS forums and got an answer: https://forum.vyos.io/t/matching-in-snat-after-dnat/
Summary is, as of now there is no way to achieve exactly what I want using VyOS. BUT, part of the solution is there. There is a way to mark connections, so the only feature that's missing is to be able to match on a connection mark for the SNAT.
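As an added example (not from the post or the VyOS forum answer), the iptables approach above turned into a small script: one function emits the mark/DNAT/SNAT triple for a simulated client with the mark derived from the port, so the three rules cannot drift apart, and a second function reads `conntrack -L` output and verifies that each connection got the mark, the common DNAT port and the 10.1.1.<mark> source the post expects. The mark-from-port scheme, the 10.1.1.<mark> convention and the conntrack sample lines are assumptions constructed for the example.

```shell
VIP=192.168.222.222   # address the simulated clients connect to
REAL_PORT=10000       # common destination port after DNAT
MARK_BASE=10000       # assumption: mark = dport - MARK_BASE, so 10089 -> 89

# Emit the three rules for one client: mark in mangle/PREROUTING, DNAT in
# nat/PREROUTING, SNAT in nat/POSTROUTING keyed on the connection mark.
emit_client_rules() {
  port=$1; src=$2
  mark=$((port - MARK_BASE))
  printf '%s\n' \
    "iptables -t mangle -A PREROUTING -d $VIP -p tcp --dport $port -j CONNMARK --set-mark $mark" \
    "iptables -t nat -A PREROUTING -d $VIP -p tcp --dport $port -j DNAT --to-destination $VIP:$REAL_PORT" \
    "iptables -t nat -A POSTROUTING -m connmark --mark $mark -j SNAT --to-source $src"
}

# Read `conntrack -L` lines on stdin. For each TCP entry the original dport
# must yield the mark, the reply tuple must show sport=REAL_PORT (DNAT applied)
# and dst=10.1.1.<mark> (SNAT applied, assumed convention). Exit 1 on any mismatch.
check_conntrack() {
  awk -v rp="$REAL_PORT" -v base="$MARK_BASE" '
  /^tcp/ {
    split("", seen)
    for (i = 1; i <= NF; i++) {
      if (split($i, kv, "=") != 2) continue
      k = kv[1]; seen[k]++
      if (k == "dport" && seen[k] == 1) odport = kv[2]   # original dport
      if (k == "dst"   && seen[k] == 2) rdst   = kv[2]   # reply dst = SNAT source
      if (k == "sport" && seen[k] == 2) rsport = kv[2]   # reply sport = DNAT port
      if (k == "mark") mark = kv[2]
    }
    want = odport - base
    ok = (mark == want && rsport == rp && rdst == "10.1.1." want)
    printf "%s dport=%s mark=%s snat_src=%s\n", (ok ? "OK " : "BAD"), odport, mark, rdst
    if (!ok) bad++
  }
  END { exit bad ? 1 : 0 }'
}

# Constructed sample in conntrack -L format: two simulated clients, both
# DNATed to :10000 but SNATed to different sources.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.168.222.222 sport=40001 dport=10089 src=192.168.222.222 dst=10.1.1.89 sport=10000 dport=40001 [ASSURED] mark=89 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.168.222.222 sport=40002 dport=10096 src=192.168.222.222 dst=10.1.1.96 sport=10000 dport=40002 [ASSURED] mark=96 use=1'

emit_client_rules 10089 10.1.1.89
emit_client_rules 10096 10.1.1.96
printf '%s\n' "$SAMPLE_CONNTRACK" | check_conntrack
```

On a real box the generated lines are run as root and the check is fed from `conntrack -L` rather than the constructed sample.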