Network Address Translation (NAT)

The nat section exposes the configuration of NAT.

Source NAT Configuration

To configure source NAT on the appliance, the following configuration options are available:

nat.snat.address_pool

A list of IPv4 prefixes to specify which addresses can be used for the source NAT. A packet’s source address will be replaced by one of these addresses. A response packet will have its destination address replaced by the original source address.

nat.snat.exclude

A list of IPv4 prefixes to exclude from the source NAT. A packet whose source IP address is covered by one of these prefixes is passed as is, without rewriting its source address. The number of addresses to exclude is limited to 1000000.

nat.snat.interfaces

A list of network interfaces on which source NATing should be applied. Outgoing (transmitted) packets on these interfaces will have their source IP address rewritten to one of the addresses in the address pool. Incoming (received) packets will have their destination address rewritten to the original source address. The list of network interfaces can contain any interface on the host that is not using the LINUX driver. Furthermore, there is a special interface, the scion-gateway interface. It can be used to configure source NATing for outgoing IP-in-SCION tunneling traffic.

Use Case: Egress Source NAT

Egress source NAT is useful for deployments that only have a single public IP address that can be tunneled through an IP-in-SCION tunnel. The egress source NAT setup works the same way as a regular source NAT setup, e.g., for a home network. The appliance will rewrite the source IP address of packets leaving the local network to the public IP address.

nat.snat.address_pool

A list of IPv4 prefixes that can be used as public IP addresses for the NAT. These addresses should also be announced to remote IP-in-SCION tunneling endpoints.

nat.snat.exclude

A list of IPv4 prefixes to exclude from the NAT. Useful for excluding addresses of services that use their own public IP address.

nat.snat.interfaces

For egress NAT, this is the scion-gateway interface.

For more information, refer to Configuring Egress Source NAT if only few public IP addresses are available.
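As an added example (not the appliance's own code or configuration format), the following Python models the nat.snat options described above and in the egress use case: it checks a constructed nat.snat section against the documented constraints (IPv4 prefixes, the 1000000-address exclude limit, at least one interface) and simulates the documented rewriting, where outgoing packets on a listed interface take a pool address as source and replies are mapped back to the original source. The dictionary layout, the round-robin pool selection and the port-less session table are assumptions.

```python
import ipaddress

MAX_EXCLUDED_ADDRESSES = 1_000_000  # limit stated above for nat.snat.exclude

def _nets(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]

def validate_snat(snat):
    """Return a list of problems with a nat.snat section; [] means it is usable."""
    problems = []
    pool, exclude = _nets(snat.get("address_pool", [])), _nets(snat.get("exclude", []))
    if not pool:
        problems.append("address_pool must contain at least one IPv4 prefix")
    for net in pool + exclude:
        if net.version != 4:
            problems.append(f"{net} is not an IPv4 prefix")
    excluded = sum(n.num_addresses for n in exclude if n.version == 4)
    if excluded > MAX_EXCLUDED_ADDRESSES:
        problems.append(f"exclude covers {excluded} addresses, limit is {MAX_EXCLUDED_ADDRESSES}")
    if not snat.get("interfaces"):
        problems.append("interfaces must name at least one interface, e.g. scion-gateway")
    return problems

class SourceNat:
    """Model of the documented rewrite. Assumed simplifications: no port translation,
    one session per (pool address, remote) pair, round-robin pool selection."""
    def __init__(self, snat):
        self.pool = [a for n in _nets(snat["address_pool"]) for a in n]  # expand small pools
        self.exclude = _nets(snat.get("exclude", []))
        self.interfaces = set(snat["interfaces"])
        self.sessions = {}  # (pool address, remote address) -> original source
        self._next = 0

    def outgoing(self, iface, src, dst):
        """Source address a transmitted packet leaves the interface with."""
        src_ip = ipaddress.ip_address(src)
        if iface not in self.interfaces or any(src_ip in n for n in self.exclude):
            return src  # not a NAT interface, or source is excluded: passed as is
        nat_src = self.pool[self._next % len(self.pool)]
        self._next += 1
        self.sessions[(nat_src, ipaddress.ip_address(dst))] = src_ip
        return str(nat_src)

    def incoming(self, iface, src, dst):
        """Destination address a received reply is delivered to."""
        key = (ipaddress.ip_address(dst), ipaddress.ip_address(src))
        if iface not in self.interfaces or key not in self.sessions:
            return dst  # no matching session: passed as is
        return str(self.sessions[key])
```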

Use Case: Ingress Source NAT

Ingress source NAT is useful when replies to packets arriving from a SCION tunnel must be routed back into the tunnel, while all other packets can still be routed in an arbitrary, user-defined way. This ensures that return traffic is sent via the EDGE even when an Internet router is also available for it in the local network.

Using ingress NAT assumes that the routing of packets to the appliance is done using static routes. Combining ingress NAT with BGP is not supported.

nat.snat.address_pool

A list of IPv4 prefixes that are used to route the reply packets back to the appliance. The appliance will rewrite the source IP address of packets entering the local network to one of these addresses. It is up to the user to configure the routing of these addresses in the local network accordingly.

nat.snat.exclude

A list of IPv4 prefixes to exclude from the NAT.

nat.snat.interfaces

The list of the interfaces connected to the local network.

For more information, refer to Configuring Ingress NAT to collect Users from the Anapaya GATE.