Reply To: How to tell if VLAN is not NAT’d



ppalias
Member

Okay good news.
I tried the scenario. It seems to be working fine for me.

As you can see in the picture (or here if you cannot see it clearly), the upper left window is the command I gave to ZS to allow only one subnet to NAT out of ETH00.
In the middle left window are the two pings I ran. The one towards 10.14.149.3 was initially not NATed and then I enabled NAT. You can see the change in the Wireshark window on the right: the source address changed from 192.168.20.2 (not NATed) to 10.14.149.25 (ETH00 address of ZS). In the lower left window is a tcpdump of another PC which accepted a ping from the other VLAN of ZS, the 192.168.30.2, and it never changed its source IP address.
So to conclude, the iptables command is correct:

iptables -t nat -I POSTROUTING --src 192.168.20.0/24 -o ETH00 -j MASQUERADE

This ensures the 192.168.20.0/24 is NATed when it goes out of the ETH00 interface. Anything else goes out without NAT.
My iptables output on ZS is:

root@zeroshell root> iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 374 packets, 53544 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 171 packets, 14385 bytes)
pkts bytes target prot opt in out source destination
11 924 MASQUERADE all -- any ETH00 192.168.20.0/24 anywhere
171 14385 SNATVS all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 55 packets, 4641 bytes)
pkts bytes target prot opt in out source destination

Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination
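Added example (not part of ppalias's post): a small Python script that parses an `iptables -t nat -L -v` listing like the one above and answers the question the thread is about, namely whether a given source address leaving a given interface will be masqueraded. It walks POSTROUTING in order, follows user-defined chains such as SNATVS, and stops at the first terminating NAT target. The sample listing is constructed from the post; the function names are mine.

```python
import ipaddress

# Constructed sample input, copied from the listing in the post above.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 374 packets, 53544 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 171 packets, 14385 bytes)
 pkts bytes target     prot opt in     out     source               destination
   11   924 MASQUERADE  all  --  any    ETH00   192.168.20.0/24      anywhere
  171 14385 SNATVS      all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 55 packets, 4641 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain SNATVS (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

# Targets that end traversal of the nat table for a packet.
TERMINATING = {"MASQUERADE", "SNAT", "DNAT", "NETMAP", "ACCEPT", "DROP"}


def parse_nat_listing(text):
    """Return {chain_name: [rule, ...]} from `iptables -t nat -L -v` output.

    Each rule is a dict with the verbose-listing columns we need:
    target, in, out, source, destination (in listing order)."""
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        if line.startswith("pkts ") or current is None:
            continue  # column header line
        f = line.split()
        if len(f) < 9:
            continue  # unexpected layout; ignore rather than guess
        chains[current].append(
            {"target": f[2], "in": f[5], "out": f[6], "src": f[7], "dst": f[8]}
        )
    return chains


def _net_matches(field, ip):
    """'anywhere' is how -L prints 0.0.0.0/0 without -n."""
    if field == "anywhere":
        return True
    try:
        return ip in ipaddress.ip_network(field, strict=False)
    except ValueError:
        return False  # a resolved hostname, not a network; cannot match offline


def nat_verdict(chains, src_ip, out_iface, chain="POSTROUTING", depth=0):
    """First terminating target POSTROUTING applies to src_ip leaving out_iface,
    or None when the chain policy (ACCEPT, i.e. no NAT) is reached."""
    ip = ipaddress.ip_address(src_ip)
    for rule in chains.get(chain, []):
        if rule["out"] not in ("any", out_iface):
            continue
        if not _net_matches(rule["src"], ip):
            continue
        target = rule["target"]
        if target in TERMINATING:
            return target
        if target in chains and depth < 16:  # user-defined chain such as SNATVS
            verdict = nat_verdict(chains, src_ip, out_iface, target, depth + 1)
            if verdict is not None:
                return verdict
    return None


def is_natted(listing_text, src_ip, out_iface):
    """True when the source address will be rewritten on that interface."""
    return nat_verdict(parse_nat_listing(listing_text), src_ip, out_iface) in (
        "MASQUERADE",
        "SNAT",
        "NETMAP",
    )


if __name__ == "__main__":
    for src, ifc in [("192.168.20.2", "ETH00"), ("192.168.30.2", "ETH00"), ("192.168.20.2", "ETH01")]:
        print(src, "->", ifc, "NATed" if is_natted(SAMPLE_LISTING, src, ifc) else "not NATed")
```

Run it against a live box with `iptables -t nat -L -v -n` so that addresses print numerically instead of being resolved to names; the parser treats any unresolvable source column as a non-match.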