On Sun, Feb 16, 2025 at 12:12 PM Adam Nielsen <a.nielsen@xxxxxxxxxxx> wrote:
>
> > > I am by no means an expert but I would've thought that all you're
> > > trying to do is to convert a 192.x address into the same target IP, and
> > > just control which interface the packet goes out on based on whatever
> > > the original IP address was.
> > >
> > > Is ARP mangling needed at all for this?
> >
> > Hello Adam,
> >
> > What I am looking for is a static NAT to have 1:1 replacement of
> > addresses from one subnet to another subnet.
> > For example having 192.168.0.X <-> 10.0.0.X in both directions, so
> > that 192.168.0.1 == 10.0.0.1, 192.168.0.2 == 10.0.0.2 and so on.
> > The NAT is in reverse so that it does not NAT incoming but outgoing
> > communications.
> > And to make it more difficult, two interfaces share the same
> > destination address, so that we need to assign them with different
> > virtual addresses.
> > In my example I proposed two conversions: 192.168.110.X <-> 10.0.0.X
> > and 192.168.168.111 <-> 10.0.0.X.
> > The 10.0.0.X is the device network which cannot be modified.
> >
> > Do you know of a NAT configuration that can digest this?
> > For now the only solution I could come up with is filter hooks + arptables.
>
> ARP deals with mapping a MAC address to an IP address. I don't think
> you need to operate at this low level, and I think messing with ARP is
> going to complicate what you're trying to do.

I used ARP because in my setup I use hook modification of the IP addresses, and this does not include ARP. It is working reliably if I reply to the ARP request of the device.

I am open to a NAT solution; however, I do not understand how to make it work for this use case.

> Think of a normal NAT gateway. You connect to a remote host, but you
> send that packet to the gateway. The gateway changes the source IP
> address and then forwards on the packet. This way altering ARP is not
> necessary, because a real IP belonging to the machine is used for
> outgoing traffic. The normal ARP process handles it all as usual.

I am unsure how you use NAT to perform the entire network transformation of 192.168.0.X <-> 10.0.0.X.

> If you do the same in your situation, then your 10.0.0.10 device will
> need to see traffic coming from 10.0.0.X (whatever IPs you assign
> v10@eth0 and v11@eth0). Because these IPs are in the same subnet, you
> don't need to deal with ARP issues or routing the reverse traffic as
> you would if you kept the 192.168.x source IP.

I cannot do this; the packets should be outgoing to the device in the 10.0.0.X address. Hence I need a full transformation of both source and destination addresses.

> Then all you have to do is configure your machine so that any traffic
> destined for 192.168.110.10 and .111.10 gets the target IP changed to
> 10.0.0.2 and gets sent out the right interface, and when packets come
> back from 10.0.0.2 the reverse IP translation happens as well.

I will be happy to test a specific configuration if you have one; I do not understand how to perform the reverse NAT, as my interface is NATing the use of the network and not in the usual direction.

> This might be tricky since both interfaces will be in the same subnet,
> but since the packet leaving the machine will already be in the same
> subnet as the destination IP, you won't need to deal with ARP at all as
> it will be handled automatically.
>
> I think you probably need both SNAT and DNAT rules to make this work.
> The SNAT rule would take care of ensuring outgoing packets have a
> source address of 10.0.0.X, while the DNAT rule would map the 192.x
> target address to 10.0.0.2.

This is not the configuration I am looking for... I am looking for a configuration of full network static NAT 192.168.0.X <-> 10.0.0.X [x=1->254].

> I would try to use two different IPs for the VLAN interfaces, e.g.
> 10.0.0.10 and 10.0.0.11, just to make things a bit simpler. If you use
> the same IP you may then run into ARP issues, unless both VLAN
> interfaces have the same MAC address.

There is no issue of ARP in this case as each interface resides in a different VLAN.

Thank you for your assistance!
Alon Bar-Lev.
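The following is an added worked model of the 1:1 static NAT ("netmap") being discussed; it is not code from the thread, from either participant, or from netfilter. It keeps the host bits of an address and swaps the network bits, which is exactly what a prefix-to-prefix NAT such as the iptables NETMAP target does, and it shows why the reverse direction needs the arrival interface: two VLANs both reach a device network 10.0.0.0/24, so a 10.0.0.X source alone does not say which virtual prefix it belongs to. The interface names v10 and v11 come from the thread; the second virtual prefix 192.168.111.0/24 is an assumption based on the ".111.10" mentioned in the reply.

```python
"""Model of bidirectional 1:1 prefix NAT across two VLAN interfaces.

Added example for the thread above; not the thread's own configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


def netmap(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """Replace the network bits of addr (which must lie in src_net) with those
    of dst_net while preserving the host bits. This is the core of a static
    1:1 network translation: 192.168.110.7 -> 10.0.0.7, and back again."""
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("netmap needs prefixes of equal length")
    host_bits = int(addr) & int(src_net.hostmask)
    return IPv4Address(int(dst_net.network_address) | host_bits)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


# Constructed topology (assumption): the device network cannot be renumbered
# and is reachable on two VLAN sub-interfaces; the host addresses each VLAN
# through its own virtual /24 so the two identical device networks are
# distinguishable to applications.
DEVICE_NET = IPv4Network("10.0.0.0/24")
VIRTUAL_NETS = {
    "v10": IPv4Network("192.168.110.0/24"),
    "v11": IPv4Network("192.168.111.0/24"),  # assumed from ".111.10" in the thread
}


def translate_outbound(pkt: Packet) -> tuple[str, Packet]:
    """Egress: pick the interface from the virtual destination prefix and
    rewrite BOTH source and destination into the device network, as the
    thread asks (the host's own address is also a virtual one)."""
    for iface, vnet in VIRTUAL_NETS.items():
        if pkt.dst in vnet:
            return iface, Packet(
                netmap(pkt.src, vnet, DEVICE_NET),
                netmap(pkt.dst, vnet, DEVICE_NET),
            )
    raise LookupError(f"no virtual prefix covers {pkt.dst}")


def translate_inbound(iface: str, pkt: Packet) -> Packet:
    """Ingress: the 10.0.0.X addresses are identical on both VLANs, so the
    reverse mapping must be keyed on the arrival interface."""
    vnet = VIRTUAL_NETS[iface]
    return Packet(netmap(pkt.src, DEVICE_NET, vnet), netmap(pkt.dst, DEVICE_NET, vnet))


def reverse_candidates(device_addr: IPv4Address) -> dict[str, IPv4Address]:
    """Show the ambiguity: without the interface, a device-side address maps
    to one virtual address per VLAN."""
    return {iface: netmap(device_addr, DEVICE_NET, vnet) for iface, vnet in VIRTUAL_NETS.items()}


def round_trip_ok(pkt: Packet) -> bool:
    """Send a packet out, build the device's reply, bring it back in, and
    check that the application sees the original virtual addresses."""
    iface, wire = translate_outbound(pkt)
    reply = translate_inbound(iface, Packet(src=wire.dst, dst=wire.src))
    return reply.src == pkt.dst and reply.dst == pkt.src


if __name__ == "__main__":
    for dst in ("192.168.110.10", "192.168.111.10"):
        p = Packet(IPv4Address(dst.rsplit(".", 1)[0] + ".1"), IPv4Address(dst))
        iface, wire = translate_outbound(p)
        print(f"{p.src} -> {p.dst}  egress {iface}  on wire {wire.src} -> {wire.dst}")
    print("ambiguous reverse of 10.0.0.10:", reverse_candidates(IPv4Address("10.0.0.10")))
```

The model mirrors what the thread needs from the kernel: one rule direction that rewrites a whole /24 onto another /24 with host bits preserved (the iptables NETMAP target does this), plus a reverse direction that cannot be decided from the 10.0.0.X address alone and therefore has to be tied to the interface the packet arrived on.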