Shulou(Shulou.com)06/03 Report--

SNAT, a source address translation, translates the source address of an ip packet into another address.

SNAT, some people may wonder why it is necessary to carry out ip address translation. In order to understand this problem, we need to look at the principle of local area network users on the public network. Suppose that the internal network host A (192.168.2.8) wants to communicate with the external network host B (61.132.62.131), and A sends IP packets to B. if there is no SNAT to translate the source address of host A, the communication between host An and host B will be interrupted abnormally. Because when the router sends the packet from the private network to the public network IP, the public network IP will return the packet to your private network IP. At this time, the public network IP simply cannot know how your private network IP should go. So ask it a higher-level router, of course, this is bound to fail, because you can't see the private IP from the public network at all, so you can't communicate with him. In order to send and return the packet correctly, the gateway must convert the address of A to a legitimate public network address, and in order for host B to send the packet to An in the future, the legitimate public network address must be the external network address of the gateway. if it is another public network address, B will send the packet to another gateway, not the gateway where host An is located, and A will not receive the packet sent by B. Therefore, if a private network host wants to access the public network, it must have a legal public network address, and the way to get this address is to let the gateway perform SNAT (source address translation) to convert the private network address into a public address (usually the external address of the gateway). Therefore, we often see that in order to allow private network users to access the public network, we must set snat in the firewall of routeros, commonly known as IP address spoofing or masquerade.

Let's take a look at how to implement SNAT. The configuration method of SNAT is different from that of DNAT. DNAT can be configured directly on FW, and SNAT can be implemented through UDR. If we want all outbound traffic to pass through FW, we can configure the exit of the default route as FW through UDR, so the traffic accessing internet must go through FW.

First, let's take a look at FW's rewriting of IP when doing DNAT, from home computer curl to FW IP.

In Nginx log, you can see that the source IP will be the IP of FW, that is, when doing DNAT, FW will rewrite the source IP of the request.

And if the public network IP of the curl server

In Log, you will see that the source IP is the public network IP of the client.

From each region curl to the web server public network IP, including FW's VNET and peer's VNET

Direct Curl web server public network IP. The source IP you see is the server's public network IP, indicating that the outbound server goes directly to internet without going through FW or SNAT.

Let's see how to configure SNAT. First, create a UDR in each region.

Add a default route to FW

Associate to each subnet

When you try to continue curl from VM to the web server, you will find that the traffic has been rejected by FW because there is no outbound permission rule

To solve this problem, we can open network rules on FW.

10.88 network segment can be curl www.baidu.com

Not if it's not in the 88 segment.

Add network rules for other network segments again

Try to add the rules of the network segment where the linux2 is located separately.

Try again, you can connect, and DNAT will simply be implemented.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.