Network Address Translation

Skills to be Learned

  1. Abusing network namespaces for fun and profit

  2. Configuring nat address

  3. Configuring nat inside and outside interfaces

FD.io VPP command learned in this exercise

  1. nat44 add interface address

  2. set interface nat44

Topology

NAT Topology (figure)

Initial state

Unlike previous exercises, for this one you want to start tabula rasa.

Note: You will lose all your existing config in your FD.io VPP instances!

To clear existing config from previous exercises run:

$ ps -ef | grep vpp | awk '{print $2}'| xargs sudo kill
$ sudo ip link del dev vpp1host
$ sudo ip link del dev vpp1vpp2

Install vpp-plugins

NAT is supported by a plugin, so the respective package needs to be installed.

$ sudo apt-get install vpp-plugin-core

Create FD.io VPP instance

Create one FD.io VPP instance named vpp1.

Confirm the nat44 plugin is present:

# vppctl -s /run/vpp/cli-vpp1.sock show plugins | egrep nat44
57. nat44_ei_plugin.so                       24.02-rc0~124-g2ab902f28         IPv4 Endpoint-Independent NAT (NAT44 EI)

Please note that earlier versions of VPP, and earlier versions of this document, referred to the snat plugin, which has since been renamed.

Create veth interfaces

  1. Create a veth interface with one end named vpp1outside and the other named vpp1outsidehost

  2. Assign IP address 10.10.1.1/24 to vpp1outsidehost

  3. Create a veth interface with one end named vpp1inside and the other named vpp1insidehost

  4. Assign IP address 10.10.2.1/24 to vpp1insidehost

Because we'd like to be able to route *via* our vpp instance to an interface on the same host, we are going to put vpp1insidehost into a network namespace; otherwise the kernel would deliver packets for 10.10.1.1 locally without ever sending them through vpp1.

Create a new network namespace 'inside':

$ sudo ip netns add inside

Move interface vpp1insidehost into the 'inside' namespace:

$ sudo ip link set dev vpp1insidehost up netns inside

Assign an ip address to vpp1insidehost:

$ sudo ip netns exec inside ip addr add 10.10.2.1/24 dev vpp1insidehost

Create a route inside the netns:

$ sudo ip netns exec inside ip route add 10.10.1.0/24 via 10.10.2.2

Configure vpp outside and inside interfaces

  1. Create a vpp host interface connected to vpp1outside

  2. Assign ip address 10.10.1.2/24

  3. Create a vpp host interface connected to vpp1inside

  4. Assign ip address 10.10.2.2/24

Configure nat44

Enable the nat44 plugin

vpp# nat44 plugin enable

Configure nat44 to use the address of host-vpp1outside

vpp# nat44 add interface address host-vpp1outside

Configure nat44 inside and outside interfaces

vpp# set interface nat44 in host-vpp1inside out host-vpp1outside

Prepare to Observe NAT

Observing NAT in this configuration is interesting. To do so, vagrant ssh a second time into your VM and run:

$ sudo tcpdump -s 0 -i vpp1outsidehost

Also enable packet tracing on vpp1.

Ping via NAT

$ sudo ip netns exec inside ping -c 3 10.10.1.1

Confirm NAT

Examine the tcpdump output and vpp1 trace to confirm NAT occurred.
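The whole lab as one POSIX shell script, added here as an example that is not part of the original page: it performs the veth, namespace and VPP interface steps above, configures nat44, then runs the ping with a packet trace on vpp1. It assumes vpp1 is already running with its CLI socket at /run/vpp/cli-vpp1.sock (the path used in the plugin check above); with DRY_RUN=1, the default, it only prints the commands, and DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example, not the page's own code: the veth, namespace and VPP steps of
# the lab as one script. Assumes vpp1 is already running with its CLI socket at
# /run/vpp/cli-vpp1.sock. DRY_RUN=1 (default) prints commands; DRY_RUN=0 runs them.
DRY_RUN="${DRY_RUN:-1}"
SOCK="${SOCK:-/run/vpp/cli-vpp1.sock}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }
vppcli() { run sudo vppctl -s "$SOCK" "$@"; }

# Host side: two veth pairs; the inside end is isolated in the 'inside' netns so
# its traffic to 10.10.1.0/24 must go through vpp1 (10.10.2.2) and be NATed.
host_setup() {
    run sudo ip link add vpp1outside type veth peer name vpp1outsidehost
    run sudo ip link set dev vpp1outside up
    run sudo ip link set dev vpp1outsidehost up
    run sudo ip addr add 10.10.1.1/24 dev vpp1outsidehost
    run sudo ip link add vpp1inside type veth peer name vpp1insidehost
    run sudo ip link set dev vpp1inside up
    run sudo ip netns add inside
    # moving an interface into a netns drops its addresses, so assign it there
    run sudo ip link set dev vpp1insidehost up netns inside
    run sudo ip netns exec inside ip addr add 10.10.2.1/24 dev vpp1insidehost
    run sudo ip netns exec inside ip route add 10.10.1.0/24 via 10.10.2.2
}

# VPP side: a host-interface on each veth end, then NAT44 using the outside
# interface address as the translation address.
vpp_setup() {
    vppcli create host-interface name vpp1outside
    vppcli set interface state host-vpp1outside up
    vppcli set interface ip address host-vpp1outside 10.10.1.2/24
    vppcli create host-interface name vpp1inside
    vppcli set interface state host-vpp1inside up
    vppcli set interface ip address host-vpp1inside 10.10.2.2/24
    vppcli nat44 plugin enable
    vppcli nat44 add interface address host-vpp1outside
    vppcli set interface nat44 in host-vpp1inside out host-vpp1outside
}

# Trace packets on vpp1 around the ping; in the trace (and in tcpdump on
# vpp1outsidehost) the echo requests should carry source 10.10.1.2, not 10.10.2.1.
nat_check() {
    vppcli clear trace
    vppcli trace add af-packet-input 10
    run sudo ip netns exec inside ping -c 3 10.10.1.1
    vppcli show trace
}

host_setup; vpp_setup; nat_check
```

Run it once as a dry run to review the command sequence, then with DRY_RUN=0 on the lab VM.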