  1. #1 Newbie (joined Apr 2021; 3 posts)

    Bypass or Rewrite NAT with BGP/DMZ

    I am using Untangle to get my ip block 30.2.3.96/29 into my lab environment via BGP (NSX-T)

    Adding BGP neighbors was a breeze, and adding a null-route to the BGP networks got everything routing out through the firewall, Success!

    Interfaces: (Addresses changed to protect the innocent)
    External -
    Network - 30.2.3.96/24
    Gateway - 30.2.3.97
    Interface IP - 30.2.3.98
    IP's to DMZ - 30.2.3.99-102

    Internal (UplinkP1)
    Network - 10.1.0.0/24
    Interface IP - 10.1.0.1

    Internal (UplinkP2)
    Network - 10.2.0.0/24
    Interface IP - 10.2.0.1

    ASN 65001
    Neighbor ASN 65101

    When NSX-T allocates an IP on a gateway internal, the route gets redistributed just fine in the routing table

    30.2.3.99/32 via 10.1.0.1

    I set up SNAT/DNAT rules in NSX so it can route out. Success!

    If I am on the internal BGP I can log in via 30.2.3.99. Success!

    If I am external it times out, because the Untangle FW is doing NAT

    ssh -> 30.2.3.99
    curl website that can give me my public IP (my URL broke submission?)
    38.2.3.98 ! <- NAT rewrite is breaking my ingress path from the outside.

    I've tried making a couple of NAT rules to rewrite this back to .99, but they end up breaking egress traffic without fixing ingress traffic.

    Is there a way to do DMZ with BGP? I haven't seen this documented. Otherwise maybe my NAT rules aren't appropriate for this rewrite? Usually I don't use BGP and leverage a transparent bridge, but that won't work here.

    I made one for Destination and one for Source.

    NAT -> Destination Address is 30.2.3.99, NAT Type Custom - Rewrite 30.2.3.99
    NAT -> Source Address is 30.2.3.99, NAT Type Custom - Rewrite 30.2.3.99

    Maybe a better NAT rule is all I need? Any advice is appreciated.

  2. #2 sky-knight (Untangle Ninja; Phoenix, AZ; joined Apr 2008; 25,808 posts)

    Do you want Untangle doing NAT?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3 Newbie (joined Apr 2021; 3 posts)

    If I disable NAT it stops working completely.

    I do want Untangle doing NAT for all the hosts and networks we aren't assigning IP's to. Essentially we'll have 1 IP per NSX-T sub-network, but everything outside of NSX-T still needs a default route and NAT.

    If I can't have it both ways, I have a second IP range, not yet in use, that is a static route from the IP:

    30.2.4.160/28. Although since that's a static route the gateway for it is still 30.2.3.97, so it might NAT that as well. I sent them an e-mail asking to set it up as a VLAN instead of a static route, but the initial response was 'no'.

  4. #4 sky-knight (Untangle Ninja; Phoenix, AZ; joined Apr 2008; 25,808 posts)

    It sounds like you need to disable the NAT box on External, and make NAT policies to work with what actually needs translated.

    If you don't untick that box, everything passing that interface gets translated. If you want to pick and choose, you're disabling NAT and making NAT policy as needed to get that both worlds thing you're after.

    Beware... NAT policies need to be VERY specific; over-matches in them will make your hair fall out.
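    The difference between the ticked "NAT on External" box and a narrow NAT policy, modelled as an added example (not Untangle's code, not the poster's configuration). It uses the thread's own addresses; the external client 203.0.113.5 and the inside host 10.1.0.50 are constructed sample values.

```python
"""Toy model of the egress-NAT decision: interface-wide NAT versus a policy
that translates only the private internal networks (added example)."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

EXTERNAL_IP = IPv4Address("30.2.3.98")           # Untangle's External address
DMZ_BLOCK = IPv4Network("30.2.3.96/29")          # routable block delivered via BGP
PRIVATE_NETS = [IPv4Network("10.1.0.0/24"), IPv4Network("10.2.0.0/24")]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def interface_nat(pkt: Packet) -> Packet:
    """NAT box ticked on External: every packet leaving the interface is
    rewritten to the External address, replies from DMZ hosts included."""
    return replace(pkt, src=EXTERNAL_IP)


def policy_nat(pkt: Packet) -> Packet:
    """NAT box unticked; a specific policy translates only the private
    internal networks, so routable DMZ addresses pass through unchanged."""
    if any(pkt.src in net for net in PRIVATE_NETS):
        return replace(pkt, src=EXTERNAL_IP)
    return pkt


def ingress_works(nat, dmz_host: str, client: str) -> bool:
    """An outside client connects to a DMZ host. The flow only survives if the
    reply leaves with the source address the client originally dialled; a
    reply from .98 to a connection opened towards .99 is simply dropped."""
    client_ip, dmz_ip = IPv4Address(client), IPv4Address(dmz_host)
    reply = nat(Packet(src=dmz_ip, dst=client_ip))   # reply egresses via Untangle
    return reply.src == dmz_ip


def egress_translated(nat, inside_host: str) -> bool:
    """Ordinary internal hosts must still be hidden behind the External IP."""
    out = nat(Packet(src=IPv4Address(inside_host), dst=IPv4Address("203.0.113.5")))
    return out.src == EXTERNAL_IP


if __name__ == "__main__":
    for name, nat in (("interface NAT", interface_nat), ("policy NAT", policy_nat)):
        print(f"{name}: ingress to 30.2.3.99 ok={ingress_works(nat, '30.2.3.99', '203.0.113.5')}, "
              f"10.1.0.50 still translated={egress_translated(nat, '10.1.0.50')}")
```

    Both variants still translate the private hosts; only the narrow policy leaves the BGP-routed .99 reply untouched, which is the symptom the curl test in #1 exposed.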

  5. #5 Newbie (joined Apr 2021; 3 posts)

    I'll test more NAT variables. Guess there is no way to do DMZ with BGP, which would bypass this.

  6. #6 sky-knight (Untangle Ninja; Phoenix, AZ; joined Apr 2008; 25,808 posts)

    Well, if you're delivering an internet-routable address directly to the device, you can simply bridge an interface to External.
