> > I am by no means an expert but I would've thought that all you're
> > trying to do is to convert a 192.x address into the same target IP, and
> > just control which interface the packet goes out on based on whatever
> > the original IP address was.
> >
> > Is ARP mangling needed at all for this?
>
> Hello Adam,
>
> What I am looking for is a static NAT to have 1:1 replacement of
> addresses from one subnet to another subnet.
> For example having 192.168.0.X <-> 10.0.0.X in both directions, so
> that 192.168.0.1 == 10.0.0.1, 192.168.0.2 == 10.0.0.2 and so on.
> The NAT is in reverse so that it does not NAT incoming but outgoing
> communications.
> And to make it more difficult, two interfaces share the same
> destination address, so that we need to assign them with different
> virtual addresses.
> In my example I proposed two conversions: 192.168.110.X <-> 10.0.0.X
> and 192.168.168.111 <-> 10.0.0.X.
> The 10.0.0.X is the device network which cannot be modified.
>
> Do you know of a NAT configuration that can digest this?
> For now the only solution I could come up with is filter hooks + arptables.

ARP deals with mapping a MAC address to an IP address. I don't think you need to operate at this low level, and I think messing with ARP is going to complicate what you're trying to do.

Think of a normal NAT gateway. You connect to a remote host, but you send that packet to the gateway. The gateway changes the source IP address and then forwards on the packet. This way altering ARP is not necessary, because a real IP belonging to the machine is used for outgoing traffic. The normal ARP process handles it all as usual.

If you do the same in your situation, then your 10.0.0.10 device will need to see traffic coming from 10.0.0.X (whatever IPs you assign v10@eth0 and v11@eth0). Because these IPs are in the same subnet, you don't need to deal with ARP issues or routing the reverse traffic as you would if you kept the 192.168.x source IP.

Then all you have to do is configure your machine so that any traffic destined for 192.168.110.10 and .111.10 gets the target IP changed to 10.0.0.2 and gets sent out the right interface, and when packets come back from 10.0.0.2 the reverse IP translation happens as well. This might be tricky since both interfaces will be in the same subnet, but since the packet leaving the machine will already be in the same subnet as the destination IP, you won't need to deal with ARP at all as it will be handled automatically.

I think you probably need both SNAT and DNAT rules to make this work. The SNAT rule would take care of ensuring outgoing packets have a source address of 10.0.0.X, while the DNAT rule would map the 192.x target address to 10.0.0.2.

I would try to use two different IPs for the VLAN interfaces, e.g. 10.0.0.10 and 10.0.0.11, just to make things a bit simpler. If you use the same IP you may then run into ARP issues, unless both VLAN interfaces have the same MAC address.

Cheers,
Adam.
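A concrete iptables/iproute2 rule set for the DNAT-plus-SNAT approach sketched above, as an added example that is not part of the thread. It assumes VLAN interfaces named v10 and v11 on eth0 holding 10.0.0.10 and 10.0.0.11, virtual subnets 192.168.110.0/24 and 192.168.111.0/24 mapped 1:1 onto 10.0.0.0/24 with NETMAP, and traffic forwarded through the box rather than originated on it; the fwmark values and routing table numbers are made up.

```shell
#!/bin/sh
# Added example (not from the thread): two virtual subnets translated 1:1 onto
# one device subnet, where the virtual subnet chooses the egress VLAN interface.
# Constructed assumptions: VLAN interfaces v10/v11 (parent eth0) carry 10.0.0.10
# and 10.0.0.11; 192.168.110.N and 192.168.111.N both mean device 10.0.0.N.
DEV_NET=10.0.0.0/24

# Print (default) or apply (needs root) the rules for one virtual subnet.
#   $1 mode  $2 VLAN interface  $3 virtual subnet  $4 SNAT address
#   $5 fwmark (made up)  $6 routing table number (made up)
emit_rules() {
    mode=$1; vif=$2; vnet=$3; snat=$4; mark=$5; table=$6
    run() { if [ "$mode" = apply ]; then "$@"; else echo "$*"; fi; }
    # 1. Mark by original destination. mangle PREROUTING runs before nat
    #    PREROUTING, so the untranslated 192.168.x address is still visible.
    run iptables -t mangle -A PREROUTING -d "$vnet" -j MARK --set-mark "$mark"
    # 2. 1:1 DNAT: NETMAP rewrites only the network part, keeping the host part,
    #    so 192.168.110.2 becomes 10.0.0.2.
    run iptables -t nat -A PREROUTING -d "$vnet" -j NETMAP --to "$DEV_NET"
    # 3. Policy routing picks the interface: the main table cannot tell the two
    #    10.0.0.0/24 interfaces apart, but the mark can.
    run ip rule add fwmark "$mark" lookup "$table"
    run ip route add "$DEV_NET" dev "$vif" table "$table"
    # 4. SNAT to this VLAN's own address so the device sees an on-link source and
    #    answers over the same VLAN; conntrack undoes both translations on replies.
    run iptables -t nat -A POSTROUTING -o "$vif" -d "$DEV_NET" \
        -j SNAT --to-source "$snat"
}

# Both mappings together; the device network itself is never changed.
emit_all() {
    emit_rules "$1" v10 192.168.110.0/24 10.0.0.10 0x10 110
    emit_rules "$1" v11 192.168.111.0/24 10.0.0.11 0x11 111
}

# "./nat-rules.sh apply" installs the rules; with no argument they are printed.
emit_all "${1:-print}"
```

Replies arrive on v11 from 10.0.0.2 while the main table routes 10.0.0.0/24 via v10, so strict reverse-path filtering would drop them; set net.ipv4.conf.v10.rp_filter and net.ipv4.conf.v11.rp_filter to loose (2) or 0 on such a box.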