Network Address Translation (NAT)

The nat section exposes the configuration of NAT.

Source NAT

Source NAT is useful when replies to packets that come out of a SCION tunnel must be routed back into that tunnel, while all other packets can still be routed in an arbitrary, user-defined way.

Using source NAT assumes that the routing of packets to the appliance is done using static routes. Combining source NAT with BGP is not supported.

Note

Source NAT is applied to incoming traffic, i.e. to packets arriving from the SCION tunnel, not to outgoing traffic. The motivation is that return traffic can then be sent back via the EDGE even when an Internet router is also available to the local network and would otherwise attract the replies.

nat.snat.address_pool

A list of IPv4 prefixes specifying the addresses the NAT may use. The source address of an incoming packet is replaced by one of these addresses. It is up to the user to route reply packets sent to these addresses back to the appliance, for example with static routes on the local router that point the pool prefixes at the appliance.

nat.snat.exclude

A list of IPv4 prefixes to exclude from the NAT. A packet whose source IP address is covered by one of these prefixes is passed through as is, without rewriting its source address. The number of excluded addresses is limited to 1,000,000.

nat.snat.interfaces

A list of network interfaces to apply source NAT to. These are typically the interfaces connected to the local network.
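The following Python model ties the three nat.snat keys together: it validates a fragment against the constraints stated above (IPv4 prefixes only, the exclude limit), decides for a given packet whether its source address is rewritten or passed as is, and lists the static return routes the local router needs. It is an added example, not appliance code: the key names follow this page, but the sample prefixes, the interface name eth1, the reading of the exclude limit as a count of covered addresses, and the hash-based choice of a pool address are all assumptions made here.

```python
"""Model of the nat.snat semantics documented above (added example, not appliance code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Documented limit on nat.snat.exclude. This example reads it as the total number of
# addresses covered by the listed prefixes (an interpretation, not stated verbatim).
MAX_EXCLUDED_ADDRESSES = 1_000_000

# Constructed sample configuration. The key names follow the page; the concrete
# prefixes and the interface name are assumptions made for this example.
EXAMPLE_CONFIG: Dict = {
    "nat": {
        "snat": {
            "address_pool": ["192.0.2.0/30"],  # addresses the NAT may use as new source
            "exclude": ["10.0.0.0/16"],        # sources passed through unchanged
            "interfaces": ["eth1"],            # local-network interface(s) SNAT applies to
        }
    }
}


def _parse_v4_prefixes(items: List[str], field: str, errors: List[str]) -> List[ipaddress.IPv4Network]:
    """Parse a list of prefixes, recording problems in `errors`; only IPv4 is accepted."""
    nets = []
    for p in items:
        try:
            net = ipaddress.ip_network(p, strict=True)  # strict: host bits must be zero
        except ValueError:
            errors.append(f"{field}: {p!r} is not a valid prefix")
            continue
        if net.version != 4:
            errors.append(f"{field}: {p!r} is not an IPv4 prefix")
            continue
        nets.append(net)
    return nets


def validate_snat(config: Dict) -> List[str]:
    """Check a nat.snat fragment against the documented constraints.
    Returns a list of problems; an empty list means the fragment is acceptable."""
    errors: List[str] = []
    snat = config.get("nat", {}).get("snat")
    if snat is None:
        return errors  # source NAT not configured at all
    pool = _parse_v4_prefixes(snat.get("address_pool", []), "address_pool", errors)
    if snat.get("interfaces") and not pool:
        errors.append("address_pool: must list at least one prefix when interfaces are given")
    excluded = _parse_v4_prefixes(snat.get("exclude", []), "exclude", errors)
    n_excluded = sum(net.num_addresses for net in excluded)
    if n_excluded > MAX_EXCLUDED_ADDRESSES:
        errors.append(f"exclude: {n_excluded} addresses exceed the limit of {MAX_EXCLUDED_ADDRESSES}")
    return errors


def snat_source(config: Dict, iface: str, src_ip: str) -> Optional[str]:
    """Decide how the source address of a packet crossing local-network interface `iface` is handled.
    Returns the replacement source address, or None when the packet is passed as is
    (interface not listed, source excluded, or not IPv4). Picking the pool address by
    hashing the original source is an assumption of this example; the page does not
    describe how the appliance selects an address from the pool."""
    snat = config["nat"]["snat"]
    if iface not in snat.get("interfaces", []):
        return None
    ip = ipaddress.ip_address(src_ip)
    if ip.version != 4:
        return None
    errors: List[str] = []
    excluded = _parse_v4_prefixes(snat.get("exclude", []), "exclude", errors)
    pool = _parse_v4_prefixes(snat.get("address_pool", []), "address_pool", errors)
    if errors or not pool:
        raise ValueError("invalid nat.snat configuration: " + "; ".join(errors or ["empty address_pool"]))
    if any(ip in net for net in excluded):
        return None  # excluded prefix: source address left untouched
    # Map the original source onto one address of the (possibly multi-prefix) pool.
    total = sum(net.num_addresses for net in pool)
    idx = int(ip) % total
    for net in pool:
        if idx < net.num_addresses:
            return str(net[idx])
        idx -= net.num_addresses
    raise AssertionError("unreachable: idx is always below total")


def return_routes(config: Dict, appliance_ip: str) -> List[Tuple[str, str]]:
    """Static routes the local router needs so replies to pool addresses reach the appliance
    (the page leaves this to the user). Returns (prefix, next_hop) pairs; appliance_ip is
    the appliance's address on the local network, supplied by the caller."""
    snat = config["nat"]["snat"]
    return [(p, appliance_ip) for p in snat.get("address_pool", [])]


if __name__ == "__main__":
    print("config problems:", validate_snat(EXAMPLE_CONFIG) or "none")
    for iface, src in [("eth1", "172.16.0.9"), ("eth1", "10.0.1.5"), ("eth0", "172.16.0.9")]:
        print(f"{src} via {iface} -> {snat_source(EXAMPLE_CONFIG, iface, src) or 'unchanged'}")
    for prefix, nh in return_routes(EXAMPLE_CONFIG, "198.51.100.1"):  # 198.51.100.1: assumed appliance address
        print(f"local router: ip route add {prefix} via {nh}")
```

Running the script with the sample configuration shows a source in 10.0.0.0/16 passing unchanged, a source on an unlisted interface passing unchanged, and any other IPv4 source being mapped into 192.0.2.0/30; a configuration that excludes 10.0.0.0/8 is rejected because it covers far more than 1,000,000 addresses.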