diff --git a/docs/vpp/configuration/nat/nat44.rst b/docs/vpp/configuration/nat/nat44.rst index 6a52b30f..1f868f99 100644 --- a/docs/vpp/configuration/nat/nat44.rst +++ b/docs/vpp/configuration/nat/nat44.rst @@ -234,7 +234,13 @@ For more granular control, you can create port-specific static rules. This is us Where: * ```` and ```` are the port numbers used by the connection -* ```` specifies the protocol (tcp, udp, icmp) - if not specified, the rule applies to all protocols +* ```` specifies the protocol (tcp, udp, icmp) + +.. important:: + + If you do not specify ports and protocol, the rule will apply to all traffic between the specified internal and external addresses. + + Rules must contain either both ports and protocol or neither. Advanced Static Rule Options ---------------------------- @@ -298,8 +304,8 @@ To document your rules, you can add a description: set vpp nat44 static rule description -Configuration Examples -^^^^^^^^^^^^^^^^^^^^^^ +Static Rules Configuration Examples +----------------------------------- **Full one-to-one NAT mapping:** 
@@ -338,6 +344,163 @@ Configuration Examples ``set vpp nat44 address-pool twice-nat address `` +Exclude Rules Configuration +=========================== + +Exclude rules allow you to prevent specific traffic from undergoing NAT translation. This is particularly useful for: + +* **Router management**: Allowing SSH access to the router itself from external networks +* **Service bypass**: Excluding specific services from NAT processing +* **Traffic forwarding**: Allowing forwarded traffic to bypass NAT with 1-to-1 mapping + +Exclude rules take precedence over both dynamic and static NAT rules, ensuring that matching traffic bypasses NAT processing. For forwarded traffic, exclude rules create invisible 1-to-1 mappings that allow packets to pass through without NAT modifications. + +Basic Exclude Rule Configuration +-------------------------------- + +To create an exclude rule, you need to specify the traffic characteristics that should bypass NAT. You can configure exclude rules in two ways: + +**Option 1: Using local address** + +.. cfgcmd:: + + set vpp nat44 exclude rule local-address + +**Option 2: Using external interface** + +.. cfgcmd:: + + set vpp nat44 exclude rule external-interface + +Where: + +* ```` is a unique identifier for the exclude rule +* ```` is the local IP address that should be excluded from NAT +* ```` is the external interface where the traffic originates + +.. important:: + + You must use either ``local-address`` OR ``external-interface`` in an exclude rule, but not both simultaneously. These options are mutually exclusive. + +Port-specific Exclude Rules +--------------------------- + +For more granular control, you can exclude only specific ports and protocols. You can combine port and protocol specifications with either local-address or external-interface: + +**With local address:** + +.. cfgcmd:: + + set vpp nat44 exclude rule local-address + +.. cfgcmd:: + + set vpp nat44 exclude rule local-port + +.. 
cfgcmd:: + + set vpp nat44 exclude rule protocol + +**With external interface:** + +.. cfgcmd:: + + set vpp nat44 exclude rule external-interface + +.. cfgcmd:: + + set vpp nat44 exclude rule local-port + +.. cfgcmd:: + + set vpp nat44 exclude rule protocol + +Where: + +* ```` is the specific port to exclude (1-65535) +* ```` can be ``tcp``, ``udp``, ``icmp``, or ``all`` (default) + +Rule Documentation +------------------ + +Add descriptions to your exclude rules for better management: + +.. cfgcmd:: + + set vpp nat44 exclude rule description + +Exclude Rules Configuration Examples +------------------------------------ + +**Exclude SSH access to router:** + +.. code-block:: none + + # Allow external SSH access to router without NAT + set vpp nat44 exclude rule 10 local-address 192.168.1.1 + set vpp nat44 exclude rule 10 local-port 22 + set vpp nat44 exclude rule 10 protocol tcp + set vpp nat44 exclude rule 10 description "SSH access to router" + +**Exclude SNMP monitoring:** + +.. code-block:: none + + # Allow SNMP monitoring without NAT translation + set vpp nat44 exclude rule 20 local-port 161 + set vpp nat44 exclude rule 20 protocol udp + set vpp nat44 exclude rule 20 external-interface eth1 + set vpp nat44 exclude rule 20 description "SNMP monitoring" + +**Exclude all traffic to router management interface:** + +.. code-block:: none + + # Exclude all traffic to router's management IP + set vpp nat44 exclude rule 30 local-address 192.168.100.1 + set vpp nat44 exclude rule 30 description "Management interface bypass" + +**Exclude all traffic from external interface:** + +.. code-block:: none + + # Exclude all traffic from external interface (alternative approach) + set vpp nat44 exclude rule 31 external-interface eth1 + set vpp nat44 exclude rule 31 description "External interface bypass" + +**Exclude forwarded traffic for specific service:** + +.. 
code-block:: none + + # Allow external access to internal server without NAT translation + set vpp nat44 exclude rule 40 local-address 192.168.1.50 + set vpp nat44 exclude rule 40 local-port 8080 + set vpp nat44 exclude rule 40 protocol tcp + set vpp nat44 exclude rule 40 description "Direct access to internal service" + +Common Use Cases +---------------- + +**Router Administration:** + +Exclude rules are essential when you need to manage the router from external networks. Without exclude rules, NAT would attempt to translate the router's own traffic, potentially breaking management connections. + +**Service Monitoring:** + +Network monitoring systems often need direct access to router services. Exclude rules ensure that monitoring traffic bypasses NAT translation. + +**Routing Protocols:** + +Some routing protocols or network services may require direct communication without NAT interference. + +**Traffic Forwarding:** + +Exclude rules also work for forwarded traffic between networks. Without exclude rules, traffic from external to local networks must either match a static rule or be dropped. With exclude rules, traffic can bypass NAT processing with invisible 1-to-1 mappings. + +.. important:: + + Exclude rules affect both traffic destined for the router itself and forwarded traffic flowing through the router. For forwarded traffic, exclude rules create transparent 1-to-1 mappings that allow packets to pass without NAT modifications, while from the outside perspective, the traffic appears to bypass NAT entirely. + Advanced NAT44 Settings ======================= 
@@ -466,6 +629,17 @@ Here's a complete example showing how to configure VyOS NAT44 for a typical netw set vpp nat44 address-pool translation address 203.0.113.10-203.0.113.50 set vpp nat44 address-pool twice-nat address 203.0.113.100-203.0.113.110 + # Exclude rules for router management + set vpp nat44 exclude rule 10 local-address 203.0.113.1 + set vpp nat44 exclude rule 10 local-port 22 + set vpp nat44 exclude rule 10 protocol tcp + set vpp nat44 exclude rule 10 description "SSH access to router" + + set vpp nat44 exclude rule 11 local-address 203.0.113.1 + set vpp nat44 exclude rule 11 local-port 443 + set vpp nat44 exclude rule 11 protocol tcp + set vpp nat44 exclude rule 11 description "HTTPS access to router web interface" + # Static rule for web server (HTTP) set vpp nat44 static rule 100 local address 192.168.1.10 set vpp nat44 static rule 100 local port 80 @@ -505,6 +679,7 @@ Best Practices and Troubleshooting Recommendations --------------- +* **Use exclude rules** for router management services like SSH * **Use out-to-in-only** for services that do not need access to external networks * **Limit port ranges** in static rules to only necessary ports * **Document all rules** using descriptions for easier management @@ -526,6 +701,18 @@ Common Configuration Issues 2. Verify static rules have the correct twice-nat option 3. Check that both translation and twice-nat pools are properly defined +**Router management access issues:** + +1. Verify exclude rules are configured for management services +2. Check that local-address matches the router's interface IP +3. Ensure external-interface is correctly specified + +**Forwarded traffic from external networks not bypassing NAT:** + +1. Verify exclude rules are configured for the specific traffic flow +2. Check that local-address matches the destination IP in the internal network +3. Ensure protocol and port specifications match the traffic requirements + Operational Commands ====================
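Review bot: In the first hunk (`@@ -234,7 +234,13 @@`) the protocol placeholder for static rules is documented as "(tcp, udp, icmp)", while the exclude-rule section added later in the same patch documents `<protocol>` as "``tcp``, ``udp``, ``icmp``, or ``all`` (default)"; please state whether static rules accept ``all`` too, or note the difference explicitly so readers do not carry the exclude-rule syntax over to static rules. The new `.. important::` block is also the only place that says "Rules must contain either both ports and protocol or neither"; consider keeping a short version of that constraint on the `<protocol>` bullet itself, since the bullet list is what readers scan.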
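Review bot: In the `@@ -338,6 +344,163 @@` hunk, the "Exclude all traffic from external interface" example (`set vpp nat44 exclude rule 31 external-interface eth1`) combined with the statement that exclude rules "take precedence over both dynamic and static NAT rules" means every packet arriving on eth1 is passed through untranslated; the section should say plainly that an exclude rule only bypasses translation and does not restrict what is reachable, so a reader does not mistake rule 30/31 for an access-control rule. The "Exclude forwarded traffic for specific service" example (rule 40, `local-address 192.168.1.50`) also never says which destination address an external client uses to reach the server once NAT is bypassed; a sentence explaining how the "invisible 1-to-1 mapping" is addressed from the outside would make the example usable.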
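Review bot: The complete example in the `@@ -466,6 +629,17 @@` hunk uses `local-address 203.0.113.1` (the router's public-side address) for the SSH/HTTPS exclude rules, whereas the earlier "Exclude SSH access to router" example uses `local-address 192.168.1.1`; the text should say which of the router's interface addresses `local-address` must match for router-destined traffic from external networks, since the troubleshooting step "Check that local-address matches the router's interface IP" does not resolve the ambiguity on its own.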
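Review bot: In the `@@ -505,6 +679,7 @@` hunk the new recommendation "Use exclude rules for router management services like SSH" would be stronger if it also recommended scoping exclude rules with `local-port` and `protocol` (as rules 10 and 20 do) rather than address-only or interface-only rules (as rules 30 and 31 do), matching the existing "Limit port ranges in static rules to only necessary ports" bullet.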
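Review bot: In the `@@ -526,6 +701,18 @@` hunk, the "Router management access issues" checklist lists both "Check that local-address matches the router's interface IP" and "Ensure external-interface is correctly specified" as sequential steps, but the patch's own `.. important::` note says these two options are mutually exclusive in a single rule; reword steps 2 and 3 as alternatives ("if the rule uses local-address ... / if it uses external-interface ...") so the checklist does not suggest setting both.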