Because of the large number of bugs in the NAT statistics output, it is easier to rewrite "show nat source rules" (which was written in T3435) than to fix each bug individually.
VyOS example configuration:
set nat source rule 10 description 'Masquerade to NAT'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 destination address '192.0.2.0/24'
set nat source rule 20 exclude
set nat source rule 20 outbound-interface 'any'
set nat source rule 20 protocol 'all'
set nat source rule 30 destination address '192.0.2.0/24'
set nat source rule 30 outbound-interface 'any'
set nat source rule 30 protocol 'tcp'
set nat source rule 30 source address '203.0.113.0/24'
set nat source rule 30 translation address '100.64.0.5'
set nat source rule 40 destination address '192.0.2.85/32'
set nat source rule 40 destination port '22001-22005'
set nat source rule 40 outbound-interface 'eth0'
set nat source rule 40 protocol 'tcp_udp'
set nat source rule 40 source port '65001-65005'
set nat source rule 40 translation address 'masquerade'
set nat source rule 50 destination port '8080'
set nat source rule 50 outbound-interface 'any'
set nat source rule 50 protocol 'tcp'
set nat source rule 50 source address '100.64.0.0/24'
set nat source rule 50 source port '9999'
set nat source rule 50 translation address 'masquerade'
set nat source rule 50 translation port '8888'
set nat source rule 60 destination port '2222-2225'
set nat source rule 60 outbound-interface 'any'
set nat source rule 60 protocol 'tcp'
set nat source rule 60 source address '100.64.0.0/24'
set nat source rule 60 source port '4442-4445'
set nat source rule 60 translation address 'masquerade'
set nat source rule 60 translation port '8882-8885'
set nat source rule 70 destination address '192.0.2.5'
set nat source rule 70 destination port '2222'
set nat source rule 70 outbound-interface 'eth1'
set nat source rule 70 protocol 'tcp'
set nat source rule 70 translation address 'masquerade'
set nat source rule 70 translation port '22'
set nat source rule 80 destination port '22,80,443'
set nat source rule 80 outbound-interface 'eth1'
set nat source rule 80 protocol 'tcp'
set nat source rule 80 translation address '192.0.2.99'
Show output:
vyos@r14:~$ show nat source rules
Rule    Source             Translation    Outbound Interface
------  -----------------  -------------  --------------------
10      any                masquerade     eth0
20      any                any
30      192.0.2.0/24       100.64.0.5     tcp
40      port 65001-65005   masquerade     eth0
        192.0.2.85
        port 22001-22005
40      port 65001-65005   masquerade     eth0
        192.0.2.85
        port 22001-22005
50      port 9999          masquerade     any
        port 8080
60      port 4442-4445     masquerade     any
        port 2222-2225
70      192.0.2.5          masquerade     eth1
        port 2222
80      port 22            192.0.2.99     eth1
vyos@r14:~$
Bugs:
- rule 20: the exclude flag is not indicated
- rule 30: the Outbound Interface column shows the protocol (tcp) instead of the interface (any), and the source address is wrong: it shows 192.0.2.0/24 (the destination) but 203.0.113.0/24 is expected
- rule 40: it is not clear which ports are source ports and which are destination ports, and the source address is wrong: 192.0.2.85 is the destination address; no source address is configured, so 0.0.0.0/0 is expected
- rule 50: the destination port (8080) is shown in the Source column
- rule 60: the source address (100.64.0.0/24) is not shown
- rule 70: the destination address (192.0.2.5) is shown in the Source column
- rule 80: only one port (22) is shown, and in the Source column, although it is a destination port; a Destination column listing all three ports (22, 80, 443) is expected
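The following is an added example, not VyOS code and not part of this report: a small Python renderer for the layout the bug list above implies, one row per rule, separate Source and Destination columns, every port labelled with the side it belongs to, "exclude" shown in the Translation column and the protocol in its own column instead of in Outbound Interface. The parser, the column names and the defaults are my own assumptions; an unconstrained address is printed as 0.0.0.0/0 because that is what the report expects for rule 40. The input is the configuration from this report, embedded as a constant.

```python
import re
import shlex
from collections import defaultdict

# Constructed input: the configuration from this report, one 'set' command per line.
CONFIG = """\
set nat source rule 10 description 'Masquerade to NAT'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 destination address '192.0.2.0/24'
set nat source rule 20 exclude
set nat source rule 20 outbound-interface 'any'
set nat source rule 20 protocol 'all'
set nat source rule 30 destination address '192.0.2.0/24'
set nat source rule 30 outbound-interface 'any'
set nat source rule 30 protocol 'tcp'
set nat source rule 30 source address '203.0.113.0/24'
set nat source rule 30 translation address '100.64.0.5'
set nat source rule 40 destination address '192.0.2.85/32'
set nat source rule 40 destination port '22001-22005'
set nat source rule 40 outbound-interface 'eth0'
set nat source rule 40 protocol 'tcp_udp'
set nat source rule 40 source port '65001-65005'
set nat source rule 40 translation address 'masquerade'
set nat source rule 50 destination port '8080'
set nat source rule 50 outbound-interface 'any'
set nat source rule 50 protocol 'tcp'
set nat source rule 50 source address '100.64.0.0/24'
set nat source rule 50 source port '9999'
set nat source rule 50 translation address 'masquerade'
set nat source rule 50 translation port '8888'
set nat source rule 60 destination port '2222-2225'
set nat source rule 60 outbound-interface 'any'
set nat source rule 60 protocol 'tcp'
set nat source rule 60 source address '100.64.0.0/24'
set nat source rule 60 source port '4442-4445'
set nat source rule 60 translation address 'masquerade'
set nat source rule 60 translation port '8882-8885'
set nat source rule 70 destination address '192.0.2.5'
set nat source rule 70 destination port '2222'
set nat source rule 70 outbound-interface 'eth1'
set nat source rule 70 protocol 'tcp'
set nat source rule 70 translation address 'masquerade'
set nat source rule 70 translation port '22'
set nat source rule 80 destination port '22,80,443'
set nat source rule 80 outbound-interface 'eth1'
set nat source rule 80 protocol 'tcp'
set nat source rule 80 translation address '192.0.2.99'
"""

SET_RE = re.compile(r"^set nat source rule (\d+) (.+)$")
COLUMNS = ("Rule", "Source", "Destination", "Translation", "Outbound Interface", "Protocol")
ANY = "0.0.0.0/0"  # assumed rendering of an unconstrained address (what the report expects)

def parse_rules(config_text):
    """Parse 'set nat source rule N <path> [value]' lines into {N: {field: value}}.
    Multi-word paths are joined with '_' ('source address' -> 'source_address');
    a path with no value, such as 'exclude', is stored as True."""
    rules = defaultdict(dict)
    for m in filter(None, map(SET_RE.match, config_text.splitlines())):
        tokens = shlex.split(m.group(2))  # shlex removes the quotes around values
        key, value = "_".join(tokens[:-1]), tokens[-1]
        rules[int(m.group(1))][key or value] = value if key else True
    return dict(sorted(rules.items()))

def endpoint(rule, side):
    """Source/Destination cell: address (ANY if unconstrained) plus 'port N' when present."""
    cell = rule.get(f"{side}_address", ANY)
    port = rule.get(f"{side}_port")
    return f"{cell} port {port}" if port else cell

def translation(rule):
    """Translation cell: 'exclude' for rules that bypass NAT, else address plus port."""
    if rule.get("exclude"):
        return "exclude"
    cell, port = rule.get("translation_address", ""), rule.get("translation_port")
    return f"{cell} port {port}" if port else cell

def format_rows(rules):
    """One row per rule, in rule order, with separate source and destination columns."""
    return [[str(n), endpoint(r, "source"), endpoint(r, "destination"), translation(r),
             r.get("outbound-interface", "any"), r.get("protocol", "all")]
            for n, r in rules.items()]

def render_table(rules):
    """Plain-text table; column widths are computed from the data."""
    rows = [list(COLUMNS)] + format_rows(rules)
    widths = [max(len(row[i]) for row in rows) for i in range(len(COLUMNS))]
    def line(row):
        return "  ".join(cell.ljust(w) for cell, w in zip(row, widths)).rstrip()
    separator = "  ".join("-" * w for w in widths)
    return "\n".join([line(rows[0]), separator] + [line(r) for r in rows[1:]])

if __name__ == "__main__":
    print(render_table(parse_rules(CONFIG)))
```

Running it prints eight rows, one per configured rule; rule 30 lands with 203.0.113.0/24 in Source and 192.0.2.0/24 in Destination, rule 80 gets "0.0.0.0/0 port 22,80,443" in Destination, and rule 20 shows "exclude" under Translation, which is the information the current output loses.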