Bypass or Rewrite NAT with BGP/DMZ

**yotta** · 04-05-2021, 09:37 AM

I am using Untangle to get my ip block 30.2.3.96/29 into my lab environment via BGP (NSX-T)

Adding BGP neighbors was a breeze, and adding a null-route to the BGP networks got everything routing out through the firewall, Success!

Interfaces: (Addressed changed to protect the innocent)
External -
Network - 30.2.3.96/24
Gateway - 30.2.3.97
Interface IP - 30.2.3.98
IP's to DMZ - 30.2.3.99-102

Internal (UplinkP1)
Network - 10.1.0.0/24
Interface IP - 10.1.0.1

Internal (UplinkP2)
Network - 10.2.0.0/24
Interface IP - 10.2.0.1

ASN 65001
Neighbor ASN 65101

When NSX-T allocates an IP on a gateway internal, the route gets redistributed just fine in the routing table

30.2.3.99/32 via 10.1.0.1

I set up SNAT/DNAT rules in NSX so it can route out. Success!

If I am on the internal BGP I can log in via 30.2.3.99. Success!

If I am external it times out, because the Untangle FW is doing NAT

ssh -> 30.2.3.99
curl website that can give me my public IP (my URL broke submission?)
38.2.3.98 ! <- NAT rewrite is breaking my ingress path from the outside.

I've tried making a couple NAT rules to rewrite this back to .99, but they end up breaking egress traffic without fixing ingress traffic.

Is there a way to do DMZ with BGP? I haven't seen this documented. Otherwise maybe my NAT rules aren't appropriate for this rewrite? Usually I don't use BGP and leverage a transparent bridge.. but that won't work here.

I made one for Destination and one for Source.

NAT -> Destination Address is 30.2.3.99, NAT Type Custom - Rewrite 30.2.3.99
NAT -> Source Address is 30.2.3.99, NAT Type Custom - Rewrite 30.2.3.99

Maybe a better NAT rule is all I need? Any advice is appreciated.

**sky-knight** · 04-05-2021, 09:42 AM

Do you want Untangle doing NAT?

**yotta** · 04-05-2021, 10:03 AM

If I disable NAT it stops working completely.

I do want Untangle doing NAT for all the hosts and networks we aren't assigning IP's to. Essentially we'll have 1 IP per NSX-T sub-network, but everything outside of NSX-T still needs a default route and NAT.

If I can't have it both ways I have a second IP range not-yet-in-use that is a static route from the IP

30.2.4.160/28. Although since that's a static route the gateway for it is still 30.2.3.97, so it might NAT that as well. I sent them an e-mail asking to set it up as a VLAN instead of a static rote, but the initial response was 'no'.

**sky-knight** · 04-05-2021, 03:21 PM

It sounds like you need to disable the NAT box on External, and make NAT policies to work with what actually needs translated.

If you don't untick that box, everything passing that interface gets translated. If you want to pick and choose, you're disabling NAT and making NAT policy as needed to get that both worlds thing you're after.

Beware... NAT policies need to be VERY specific, over matches in them will make your hair fall out.

**yotta** · 04-06-2021, 09:21 AM

I'll test more NAT variables. Guess there is no way to do DMZ with BGP which would bypass this.

**sky-knight** · 04-06-2021, 09:33 AM

Well if you're delivering an internet routable address directly to the device you can simply bridge an interface to External.

Thread: Bypass or Rewrite NAT with BGP/DMZ

LinkBack

Thread Tools

Bypass or Rewrite NAT with BGP/DMZ

Posting Permissions