Network Address Translation (NAT)
The Configuration reference section provides the full configuration reference, and the sections that follow it explain possible use cases on the Anapaya appliance.
Configuration reference
Anapaya appliance configuration (nat only)
nat object
Top-level configuration and state for NAT.
dnats object[]
Top-level configuration and state for the destination NAT.
The IP address that needs to be translated. This is an exact match on the destination IP of packets received from the IP-in-SCION tunnel.
An optional textual description of the destination NAT configuration.
The mapped destination IP address. The destination IP of matched packets is replaced by this IP.
port_mappings object[]
The list of port mappings for the destination NAT. Mandatory when ingress source NAT is enabled as well.
An optional textual description of the port mapping configuration.
The mapped destination port. The destination port of matched packets is replaced by this port.
The destination port that needs to be translated. This is an exact match on the destination port of packets received from the IP-in-SCION tunnel.
Transport layer protocol. Supported protocols are tcp and udp.
snat object
Top-level configuration and state for the source NAT.
The list of IP prefixes to use as the source NAT pool.
The list of IP prefixes to exclude from the NAT. The number of IP addresses that can be excluded is limited.
The list of interfaces on which to do the NAT. These are typically interfaces connected to the local network.
Use cases
Egress source NAT
Egress source NAT is useful for deployments that only have a single public IP address that can be tunneled through an IP-in-SCION tunnel. The egress source NAT setup works the same way as a regular source NAT setup, e.g., for a home network. The appliance will rewrite the source IP address of packets leaving the local network to the public IP address.
- nat.snat.address_pool: A list of IPv4 prefixes that can be used as public IP addresses for the NAT. These addresses should also be announced to remote IP-in-SCION tunneling endpoints.
- nat.snat.exclude: A list of IPv4 prefixes to exclude from the NAT. Useful for excluding addresses of services that use their own public IP address.
- nat.snat.interfaces: For egress NAT, this must include the scion-gateway interface, and optionally any interface connected to the external network (e.g., public Internet). Specifying interfaces connected to the local network (i.e., LAN) together with the scion-gateway interface is a misconfiguration and leads to undefined behavior.
Refer to IP-in-SCION tunneling for more information.
Ingress source NAT
Ingress source NAT is useful when replies to the packets coming out from a SCION tunnel are supposed to be routed back to the tunnel while other packets can still be routed in an arbitrary user-defined way. The motivation for this is so that return traffic can be sent via the EDGE if there is also an Internet router available for it.
Using ingress NAT assumes that the routing of packets to the appliance is done using static routes. Combining ingress NAT with BGP is not supported.
- nat.snat.address_pool: A list of IPv4 prefixes that are used to route the reply packets back to the appliance. The appliance will rewrite the source IP address of packets entering the local network to one of these addresses. It is up to the user to configure the routing of these addresses in the local network accordingly.
- nat.snat.exclude: A list of IPv4 prefixes to exclude from the NAT.
- nat.snat.interfaces: The list of the interfaces connected to the local network.
Refer to IP-in-SCION tunneling for more information.
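The configuration reference and the two source NAT use cases above state several constraints that are easy to get wrong by hand: protocols limited to tcp and udp, port_mappings mandatory on a DNAT entry when ingress source NAT is enabled, the scion-gateway interface never combined with LAN interfaces for egress NAT, and only local-network interfaces for ingress NAT. The following validator, an added example and not appliance code, checks a configuration shaped like the reference against those rules. The keys snat.address_pool, snat.exclude, snat.interfaces, dnats and port_mappings are the names used on this page; the keys address, mapped_address, port, mapped_port and protocol for the DNAT entries, and the size limit on the exclude list, are assumptions for illustration.

```python
"""Check a NAT configuration against the constraints stated on this page.
Added example, not appliance code. Key names for the DNAT entries
(address, mapped_address, port, mapped_port, protocol) are assumed."""
import ipaddress

SCION_GATEWAY = "scion-gateway"          # interface name from the page
SUPPORTED_PROTOCOLS = {"tcp", "udp"}     # the page lists only tcp and udp
MAX_EXCLUDE = 16                         # the page says the list is limited; 16 is an assumed value


def _check_prefixes(prefixes, field):
    problems = []
    for p in prefixes:
        try:
            if ipaddress.ip_network(p, strict=False).version != 4:
                problems.append(f"{field}: {p} is not IPv4")
        except ValueError:
            problems.append(f"{field}: {p} is not a valid prefix")
    return problems


def _check_dnat(i, entry, ingress_snat):
    problems = []
    for field in ("address", "mapped_address"):
        try:
            ipaddress.IPv4Address(entry[field])
        except (KeyError, ValueError):
            problems.append(f"dnats[{i}].{field}: missing or not an IPv4 address")
    mappings = entry.get("port_mappings", [])
    # The page: port mappings are mandatory when ingress source NAT is enabled as well.
    if ingress_snat and not mappings:
        problems.append(f"dnats[{i}]: port_mappings is mandatory with ingress source NAT")
    for j, m in enumerate(mappings):
        if m.get("protocol") not in SUPPORTED_PROTOCOLS:
            problems.append(f"dnats[{i}].port_mappings[{j}]: protocol must be tcp or udp")
        for field in ("port", "mapped_port"):
            if not 1 <= m.get(field, 0) <= 65535:
                problems.append(f"dnats[{i}].port_mappings[{j}].{field}: out of range")
    return problems


def validate_nat(nat, lan_interfaces):
    """Return a list of problems; an empty list means the config passes.
    lan_interfaces: names of the interfaces facing the local network."""
    problems = []
    snat = nat.get("snat") or {}
    interfaces = set(snat.get("interfaces", []))
    lan = set(lan_interfaces)
    problems += _check_prefixes(snat.get("address_pool", []), "snat.address_pool")
    problems += _check_prefixes(snat.get("exclude", []), "snat.exclude")
    if len(snat.get("exclude", [])) > MAX_EXCLUDE:
        problems.append("snat.exclude: too many excluded prefixes")
    # Egress NAT lists scion-gateway; ingress NAT lists local-network interfaces only.
    egress = SCION_GATEWAY in interfaces
    ingress = bool(interfaces) and not egress
    if egress and interfaces & lan:
        problems.append("snat.interfaces: LAN interfaces together with scion-gateway is a misconfiguration")
    if ingress and not interfaces <= lan:
        problems.append("snat.interfaces: ingress source NAT must list local-network interfaces only")
    if interfaces and not snat.get("address_pool"):
        problems.append("snat.address_pool: required when source NAT is enabled")
    for i, entry in enumerate(nat.get("dnats", [])):
        problems += _check_dnat(i, entry, ingress)
    return problems


# Constructed sample configurations using documentation address ranges.
LAN = ["lan0", "lan1"]
EGRESS_OK = {"snat": {"address_pool": ["203.0.113.10/32"], "exclude": [],
                      "interfaces": [SCION_GATEWAY, "eth0"]}}
EGRESS_BAD = {"snat": {"address_pool": ["203.0.113.10/32"], "exclude": [],
                       "interfaces": [SCION_GATEWAY, "lan0"]}}
INGRESS_DNAT = {"snat": {"address_pool": ["198.51.100.8/29"], "exclude": [],
                         "interfaces": ["lan0"]},
                "dnats": [{"address": "203.0.113.20", "mapped_address": "10.0.0.5",
                           "port_mappings": [{"port": 443, "mapped_port": 8443,
                                              "protocol": "tcp"}]}]}

if __name__ == "__main__":
    for name, cfg in (("egress ok", EGRESS_OK), ("egress bad", EGRESS_BAD),
                      ("ingress+dnat", INGRESS_DNAT)):
        print(name, validate_nat(cfg, LAN) or "ok")
```

Running the script reports the egress configuration that mixes lan0 with scion-gateway as a misconfiguration and accepts the other two; dropping the port_mappings from the ingress configuration's DNAT entry makes it fail as well.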
Destination NAT
Destination NAT is useful to allow external clients to access services running on private IPs. For example, in a cloud deployment of a service, the service uses a private IP address and the appliance exposes a public IP to make the service available.
Ingress SNAT and DNAT
Ingress SNAT and DNAT together are useful when the appliance is used as a gateway to provide access to services running on private IPs while those services are also reachable from other networks. The DNAT guarantees that the private IP can be reached, and the SNAT ensures that the return traffic can easily be routed back to the appliance.
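The combined behaviour is easiest to see on a single request and its reply. The model below, an added example that is not appliance code, applies the page's DNAT rule (exact match on destination IP, and on destination port and protocol when port mappings are present) to a packet arriving from the IP-in-SCION tunnel, then applies ingress source NAT from nat.snat.address_pool unless the source falls in nat.snat.exclude, and finally undoes both rewrites on the reply coming back from the local network. The reply's destination is an address from the pool, which is what lets a static route in the local network carry it back to the appliance. The DNAT key names, the session-table layout and the port allocation scheme are assumptions for illustration; the page does not describe the appliance's internals.

```python
"""Model of DNAT followed by ingress source NAT, and the reverse path for replies.
Added example, not appliance code; DNAT key names (address, mapped_address,
port, mapped_port, protocol) and the session handling are assumed."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatModel:
    def __init__(self, dnats, address_pool, exclude):
        self.dnats = dnats
        self.exclude = [ipaddress.ip_network(p) for p in exclude]
        # Usable addresses of the pool prefixes (hosts() skips network/broadcast).
        self.pool = [str(h) for p in address_pool
                     for h in ipaddress.ip_network(p).hosts()]
        self.next_port = 1024                  # assumed allocation scheme
        self.sessions = {}                     # (proto, pool_ip, pool_port) -> (src_ip, src_port)

    def _dnat(self, pkt):
        """Exact match on destination IP, plus port/protocol when mappings exist."""
        for d in self.dnats:
            if pkt.dst_ip != d["address"]:
                continue
            if not d["port_mappings"]:
                return replace(pkt, dst_ip=d["mapped_address"])
            for m in d["port_mappings"]:
                if m["protocol"] == pkt.proto and m["port"] == pkt.dst_port:
                    return replace(pkt, dst_ip=d["mapped_address"], dst_port=m["mapped_port"])
        return pkt

    def _snat(self, pkt):
        """Rewrite the source to a pool address unless the source is excluded."""
        src = ipaddress.ip_address(pkt.src_ip)
        if any(src in net for net in self.exclude):
            return pkt
        key = (pkt.proto, self.pool[0], self.next_port)
        self.next_port += 1
        self.sessions[key] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=key[1], src_port=key[2])

    def from_tunnel(self, pkt):
        """Packet received from the IP-in-SCION tunnel: DNAT, then ingress SNAT."""
        return self._snat(self._dnat(pkt))

    def from_lan(self, pkt):
        """Reply from the local network: restore the original source, then undo DNAT."""
        orig = self.sessions.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if orig is None:
            return None                        # no session state: not a NAT reply
        pkt = replace(pkt, dst_ip=orig[0], dst_port=orig[1])
        for d in self.dnats:
            if pkt.src_ip != d["mapped_address"]:
                continue
            if not d["port_mappings"]:
                return replace(pkt, src_ip=d["address"])
            for m in d["port_mappings"]:
                if m["protocol"] == pkt.proto and m["mapped_port"] == pkt.src_port:
                    return replace(pkt, src_ip=d["address"], src_port=m["port"])
        return pkt


def demo():
    """Constructed request/reply pair through one DNAT entry and a /29 SNAT pool."""
    nat = NatModel(
        dnats=[{"address": "203.0.113.10", "mapped_address": "10.0.0.5",
                "port_mappings": [{"port": 443, "mapped_port": 8443, "protocol": "tcp"}]}],
        address_pool=["198.51.100.8/29"],
        exclude=["192.0.2.0/24"],
    )
    request = Packet("tcp", "192.168.50.7", 40000, "203.0.113.10", 443)
    inner = nat.from_tunnel(request)           # what the private service sees
    reply = Packet("tcp", inner.dst_ip, inner.dst_port, inner.src_ip, inner.src_port)
    back = nat.from_lan(reply)                 # what goes back into the tunnel
    return inner, back


if __name__ == "__main__":
    inner, back = demo()
    print("to service :", inner)
    print("to tunnel  :", back)
```

The service sees a connection from 198.51.100.9 (the first pool address) to 10.0.0.5:8443, and its reply, addressed to the pool, is rewritten back to the original client and the public 203.0.113.10:443 before re-entering the tunnel. A packet whose source lies in the excluded prefix passes with its source untouched.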