L3 Switch NAT Breakout
Network Address Translation(NAT), our implement is more like Port Address Translation(PAT), but I think call it Flow Address Translation(FAT) might be better.
P6: inner
P7: outer
P5: other outer
Config XML
<configSet reboot="no">
<args>
<nat>true</nat>
</args>
</configSet>ARRAY NTB XML
breakout dns (basic sample)
<run>
<filter id="99" alt="dns query" sessionBase="no">
<or>
<find name="udp.port" relation="==" content="53"/>
</or>
</filter>
<filter id="3" sessionBase="no">
<or>
<find name="arp.request.target.ip" relation="==" content="172.16.10.10"/>
</or>
</filter>
<output id="3">
<port>P5</port>
<arp_reply_default_mac/>
</output>
<output id="5">
<port>P5</port>
<modify_src_default_mac/>
<modify_srcip nat="yes">172.16.10.10</modify_srcip>
<gateway>172.16.10.1</gateway>
</output>
<output id="6" arp_dstip_mac="yes">
<port>P6</port>
</output>
<chain>
<in>P6</in>
<fid type="and">F99</fid>
<out>O5</out>
<next type="notmatch">
<out>P7</out>
</next>
</chain>
<chain>
<in>P7</in>
<out>P6</out>
</chain>
<chain>
<in>P5</in>
<fid>F3</fid>
<out>O3</out>
<next type="notmatch">
<out>O6</out>
</next>
</chain>
</run>breakout dns and replace dns query server
Set P6 NAT Breakout (only dns query to 8.8.8.8) to P5
modify dns server from 8.8.8.8 to 168.95.1.1
<run>
<filter id="99" alt="dns query" sessionBase="no">
<or>
<find name="udp.port" relation="==" content="53"/>
</or>
</filter>
<filter id="100" alt="breakout server" sessionBase="no">
<or>
<find name="ip.dst" relation="==" content="8.8.8.8"/>
</or>
</filter>
<filter id="101" alt="dns from server" sessionBase="no">
<or>
<find name="ip.src" relation="==" content="168.95.1.1"/>
</or>
</filter>
<filter id="3" sessionBase="no">
<or>
<find name="arp.request.target.ip" relation="==" content="172.16.10.10"/>
</or>
</filter>
<output id="3">
<port>P5</port>
<arp_reply_default_mac/>
</output>
<output id="5">
<port>P5</port>
<modify_src_default_mac/>
<modify_dstip>168.95.1.1</modify_dstip>
<modify_srcip nat="yes">172.16.10.10</modify_srcip>
<gateway>172.16.10.1</gateway>
</output>
<output id="6" arp_dstip_mac="yes">
<port>P6</port>
</output>
<output id="101" arp_dstip_mac="yes">
<port>P6</port>
<modify_srcip>8.8.8.8</modify_srcip>
</output>
<chain>
<in>P6</in>
<fid type="and">F99,F100</fid>
<out>O5</out>
<next type="notmatch">
<out>P7</out>
</next>
</chain>
<chain>
<in>P7</in>
<out>P6</out>
</chain>
<chain>
<in>P5</in>
<fid>F3</fid>
<out>O3</out>
<next type="notmatch">
<fid>F101</fid>
<out>O101</out>
<next type="notmatch">
<out>O6</out>
</next>
</next>
</chain>
</run>breakout ssh and reply ICMP fragmentation needed if packet length over 1500
<run>
<filter id="99" alt="ssh" sessionBase="no">
<or>
<find name="tcp.port" relation="==" content="22"/>
</or>
</filter>
<filter id="3" sessionBase="no">
<or>
<find name="arp.request.target.ip" relation="==" content="172.16.10.10"/>
</or>
</filter>
<filter id="4" alt="df and packet over 1500" sessionBase="no">
<and>
<find name="ip.flags.df" relation="==" content="1"/>
<find name="packet.len" relation=">=" content="1500"/>
</and>
</filter>
<output id="3">
<port>P5</port>
<arp_reply_default_mac/>
</output>
<output id="5">
<port>P5</port>
<modify_src_default_mac/>
<modify_srcip nat="yes">172.16.10.10</modify_srcip>
<gateway>172.16.10.1</gateway>
</output>
<output id="6" arp_dstip_mac="yes">
<port>P6</port>
</output>
<output id="7">
<port>P6</port>
<icmp_reply_fragment_need mtu="1440"/>
<modify_srcip>172.16.10.10</modify_srcip>
</output>
<chain>
<in>P6</in>
<fid>F4</fid>
<out>O7</out>
<next type="notmatch">
<fid type="and">F99</fid>
<out>O5</out>
<next type="notmatch">
<out>P7</out>
</next>
</next>
</chain>
<chain>
<in>P7</in>
<out>P6</out>
</chain>
<chain>
<in>P5</in>
<fid>F3</fid>
<out>O3</out>
<next type="notmatch">
<out>O6</out>
</next>
</chain>
</run>Last updated