The CDRouter Multiport add-on includes support for static NAT configurations. CPE devices that support this functionality have two or more public IPv4 addresses. One public address is typically assigned to the primary WAN connection, and one or more additional public IPv4 addresses are also assigned. These additional IPv4 addresses allow a host on the LAN side of the CPE to have its own public IPv4 address on the WAN. The IPv4 mapping between the public WAN address and the private LAN address is one-to-one and is generally known as “static NAT”.
Test Coverage
CDRouter Multiport includes the nat-static.tcl test module specifically for testing static NAT hosts. This new module covers NAT functionality that is unique to static NAT mappings. However, all of CDRouter’s existing test modules can also be run on any configured static NAT hosts. CDRouter will automatically map traffic from specific LAN hosts to the appropriate public IP address based on the defined static NAT mappings.
CDRouter Multiport handles static NAT by defining a new LAN interface for each additional static NAT host. By repeating each test for all configured LAN interfaces, you can easily verify that the behavior of specific functionality supported by the DUT is consistent for both regular DHCP LAN hosts and any additional static NAT hosts that have been defined.
Getting Started
Support for static NAT is included in the CDRouter-Multiport add-on. As a result, you must have the CDRouter-Multiport add-on installed to enable the nat-static.tcl test module and test static NAT configurations. Static NAT hosts are defined within CDRouter-Multiport by creating an additional LAN interface for each host using the testvar_group concept. A LAN interface becomes a “static NAT” host when both the staticNatIp and hostIp testvars are defined.
The following example illustrates a basic static NAT configuration for CDRouter. In this example a second physical LAN interface (eth2) is added to the test setup using the testvar_group option. A new LAN host with an IP address of 192.168.1.100 is created on this interface. This host is designated a static NAT host by adding the staticNatIp testvar to the testvar_group, which creates a static NAT mapping from the LAN host to the public IP 68.1.2.18.
Basic configuration example
# -- Primary LAN interface setup
testvar lanInterface eth1
testvar lanType ethernet
# -- Static NAT host setup
testvar_group lan2 {
testvar lanInterface eth2
testvar lanType ethernet
testvar hostIp 192.168.1.100
testvar staticNatIp 68.1.2.18
}
Note that static NAT hosts do not need to be created on separate physical LAN interfaces. Static NAT hosts can share physical LAN interfaces with other LAN or static NAT hosts, provided the physical interface is Ethernet. Whenever a static NAT host is defined on the same physical LAN interface as another host, a unique MAC address should be configured for the static NAT host using the testvar lanMac. Static NAT hosts can be placed on wireless interfaces, although wireless interfaces cannot be shared by multiple LAN and static NAT hosts.
The example below shows how a specific MAC address can be configured for a static NAT host that is sharing a physical interface with the primary LAN client (eth1).
Example with specific MAC address
# -- Primary LAN interface setup
testvar lanInterface eth1
testvar lanType ethernet
# -- Static NAT host setup
testvar_group lan2 {
testvar lanInterface eth1
testvar lanType ethernet
testvar hostIp 192.168.1.100
testvar staticNatIp 68.1.2.18
testvar lanMac 00:01:22:33:44:55
}
Configure NAT Mode
By default, CDRouter will assume that the static NAT host is using the same NAT mode as the main WAN interface. The testvar natMode is used to define the expected NAT mode for the WAN interface. This testvar can also be defined inside of the testvar group to change the expected NAT mode for the static NAT host. For example, if the main WAN interface is using a port-restricted NAT, but the static NAT hosts use a full-cone NAT, the expected NAT mode on the static NAT host can be redefined.
Example with NAT mode
testvar_group lan2 {
testvar lanInterface eth2
testvar lanType ethernet
testvar hostIp 192.168.1.100
testvar staticNatIp 68.1.2.18
testvar natMode full-cone
}
Configure Firewall, Virtual Services and Port Triggers
If a static NAT host does not have a firewall applied, the testvar staticNatFirewall can be set to “no”. Otherwise, CDRouter assumes that basic firewalling is enabled on all static NAT hosts. Any virtual services, port triggers, or firewall exceptions can also be defined using the same testvar syntax as the main LAN interface.
Example with no firewall enabled on static NAT host
testvar_group lan2 {
testvar lanInterface eth2
testvar lanType ethernet
testvar hostIp 192.168.1.100
testvar staticNatIp 68.1.2.18
testvar lanMac 00:07:07:07:07:01
testvar staticNatFirewall no
}
Example with additional services on static NAT host
testvar_group lan2 {
testvar lanInterface eth2
testvar lanType ethernet
testvar hostIp 192.168.1.100
testvar staticNatIp 68.1.2.18
testvar lanMac 00:07:07:07:07:01
testvar virtualTcpServices yes
testvar virtualTcpServicePort1 21
testvar virtualTcpServiceHost1 192.168.1.100
testvar virtualTcpServiceName1 ftp
testvar virtualTcpServiceLanPort1 21
testvar virtualUdpServices yes
testvar virtualUdpServicePort1 69
testvar virtualUdpServiceHost1 192.168.1.100
testvar virtualUdpServiceName1 ftp
testvar virtualUdpServiceLanPort1 69
testvar portTriggers yes
testvar triggerName1 AIMtalk
testvar triggerPort1 4099
testvar triggerType1 tcp
testvar triggerPublic1 5190
testvar triggerPublicType1 tcp
}
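As an added example (not CDRouter's own code), the following Python checker parses the testvar syntax shown above and applies the rules from this page: a testvar_group counts as a static NAT host when hostIp and staticNatIp are both set, natMode falls back to the main WAN setting and staticNatFirewall to yes, and a host that shares a physical LAN interface with another host must set its own lanMac. The sample configuration is constructed for the example.

```python
# Constructed sample in CDRouter's testvar syntax (not a real config file): lan2
# overrides the main WAN natMode; lan3 shares eth1 with the main host but sets no lanMac.
SAMPLE_CONFIG = """testvar lanInterface eth1
testvar natMode port-restricted
testvar_group lan2 {
    testvar lanInterface eth1
    testvar hostIp 192.168.1.100
    testvar staticNatIp 68.1.2.18
    testvar lanMac 00:01:22:33:44:55
    testvar natMode full-cone
}
testvar_group lan3 {
    testvar lanInterface eth1
    testvar hostIp 192.168.1.101
    testvar staticNatIp 68.1.2.19
    testvar staticNatFirewall no
}
"""

def parse_config(text):
    """Split testvar syntax into top-level testvars and one dict per testvar_group."""
    top, groups, current = {}, {}, None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()          # tokens, '# --' comments dropped
        if len(parts) == 3 and parts[0] == "testvar_group" and parts[2] == "{":
            current = groups.setdefault(parts[1], {})
        elif parts == ["}"]:
            current = None
        elif len(parts) >= 3 and parts[0] == "testvar":
            (top if current is None else current)[parts[1]] = " ".join(parts[2:])
    return top, groups

def static_nat_hosts(text):
    """Groups with both hostIp and staticNatIp; natMode defaults to the WAN value, firewall to yes."""
    top, groups = parse_config(text)
    return {name: {"lanInterface": g.get("lanInterface"), "lanMac": g.get("lanMac"),
                   "natMode": g.get("natMode", top.get("natMode")),
                   "firewall": g.get("staticNatFirewall", "yes")}
            for name, g in groups.items() if "hostIp" in g and "staticNatIp" in g}

def lint(text):
    """Flag static NAT hosts sharing a physical LAN interface without their own lanMac."""
    top, _ = parse_config(text)
    by_iface, issues = {top.get("lanInterface"): ["main"]}, []
    for name, h in static_nat_hosts(text).items():
        others = by_iface.setdefault(h["lanInterface"], [])
        if others and h["lanMac"] is None:
            issues.append(f"{name}: shares {h['lanInterface']} with {others[0]} but sets no lanMac")
        others.append(name)
    return issues
```

Running lint(SAMPLE_CONFIG) reports only lan3, since lan2 sets its own lanMac while sharing eth1 with the primary LAN client.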
Running Tests
When multiple LAN interfaces are defined, CDRouter will automatically switch to the next LAN interface after each test. To ensure that you are fully testing your static NAT host, you may want to repeat each test for each LAN interface before moving on to the next test case. You can do this using the -scount option from the command line, or by selecting the “Repeat each test X times in a row” option when setting up your BuddyWeb package.
For example, if your configuration contains a single main LAN interface and a second LAN group configured as a static NAT host, you could run each test in the nat.tcl module two times in a row to test both the regular LAN interface and the static NAT host.
# buddy -config static_nat.conf -module nat.tcl -trace -pt -capture -scount 2
Static NAT Translation Overview:
http://www.firewall.cx/nat-static-part1.php