Vyatta Network OS Documentation

The "exclude" option

Sometimes it is desirable to exclude packets from NAT that match certain criteria. This exclusion can be accomplished by using the exclude option.

The following example shows how to use the exclude option to exclude a subset of traffic (packets coming from 192.168.0.0/24 and destined for 172.16.50.0/24 through the dp0p1p1 interface) from translation. Note that rule 10 excludes certain traffic from translation, and rule 20 performs a translation on the traffic that meets its filter criteria and is not excluded by rule 10.

Table 1. Excluding packets from NAT by using the exclude option

Step 1. Create SNAT rule 10.

    vyatta@vyatta# set service nat source rule 10

Step 2. Apply this rule to packets coming from any host on the 192.168.0.0/24 network, going to the 172.16.50.0/24 network, and egressing through the dp0p1p1 interface.

    vyatta@vyatta# set service nat source rule 10 source address 192.168.0.0/24
    vyatta@vyatta# set service nat source rule 10 destination address 172.16.50.0/24
    vyatta@vyatta# set service nat source rule 10 outbound-interface dp0p1p1

Step 3. Exclude packets from NAT that match the filter criteria in this rule.

    vyatta@vyatta# set service nat source rule 10 exclude

Step 4. Create SNAT rule 20.

    vyatta@vyatta# set service nat source rule 20

Step 5. Apply this rule to packets coming from any host on the 192.168.0.0/24 network and egressing through the dp0p1p1 interface.

    vyatta@vyatta# set service nat source rule 20 source address 192.168.0.0/24
    vyatta@vyatta# set service nat source rule 20 outbound-interface dp0p1p1

Step 6. Use the primary IP address of the outbound interface as the translation address.

    vyatta@vyatta# set service nat source rule 20 translation address masquerade

Step 7. Commit the change.

    vyatta@vyatta# commit

Step 8. Show the configuration.

    vyatta@vyatta# show nat source
     rule 10 {
         destination {
             address 172.16.50.0/24
         }
         exclude
         outbound-interface dp0p1p1
         source {
             address 192.168.0.0/24
         }
     }
     rule 20 {
         outbound-interface dp0p1p1
         source {
             address 192.168.0.0/24
         }
         translation {
             address masquerade
         }
     }
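The following Python model is an added illustration, not Vyatta code, of how the two rules in Table 1 interact. It assumes first-match semantics (rules walked in ascending number order, the first matching rule decides the packet, and an exclude rule passes the packet through untranslated), and it also includes a small configuration check that flags an exclude rule placed behind a translating rule that already covers its filter, since such a rule can never fire. The interface address, the sample packets, and the `SWAPPED_RULES` variant are constructed for the example.

```python
"""Model of the source-NAT rule walk configured in Table 1.

Added illustration, not Vyatta code. Assumption: rules are evaluated in
ascending rule-number order and the first rule whose filter matches decides
the packet's fate; a rule carrying `exclude` lets the packet leave untranslated.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class SnatRule:
    number: int
    outbound_interface: str
    source: Optional[IPv4Network] = None       # None = any source
    destination: Optional[IPv4Network] = None  # None = any destination
    exclude: bool = False
    translation: Optional[str] = None          # "masquerade" or a literal address

    def matches(self, pkt: dict) -> bool:
        """Filter check: egress interface, then optional source/destination prefixes."""
        if pkt["egress"] != self.outbound_interface:
            return False
        if self.source is not None and ip_address(pkt["src"]) not in self.source:
            return False
        if self.destination is not None and ip_address(pkt["dst"]) not in self.destination:
            return False
        return True


def apply_snat(rules, pkt, interface_addrs):
    """Return (source address the packet leaves with, number of the deciding rule).

    The rule number is None when no rule matched, i.e. the packet is forwarded
    with its original source address.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        if rule.exclude:
            return pkt["src"], rule.number  # matched, deliberately not translated
        if rule.translation == "masquerade":
            return interface_addrs[pkt["egress"]], rule.number
        return rule.translation, rule.number
    return pkt["src"], None


def _covers(outer: Optional[IPv4Network], inner: Optional[IPv4Network]) -> bool:
    """True if every address the inner filter accepts is also accepted by the outer filter."""
    if outer is None:
        return True
    if inner is None:
        return False
    return inner.subnet_of(outer)


def shadowed_excludes(rules):
    """Config check: an exclude rule that a lower-numbered translating rule on the
    same interface already matches can never fire. Returns the numbers of such rules."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, rule in enumerate(ordered):
        if not rule.exclude:
            continue
        for earlier in ordered[:i]:
            if (not earlier.exclude
                    and earlier.outbound_interface == rule.outbound_interface
                    and _covers(earlier.source, rule.source)
                    and _covers(earlier.destination, rule.destination)):
                shadowed.append(rule.number)
                break
    return shadowed


# The two rules from Table 1.
RULES = [
    SnatRule(10, "dp0p1p1", source=ip_network("192.168.0.0/24"),
             destination=ip_network("172.16.50.0/24"), exclude=True),
    SnatRule(20, "dp0p1p1", source=ip_network("192.168.0.0/24"), translation="masquerade"),
]

# Constructed variant: same filters, numbers swapped, so the exclude sits behind the masquerade.
SWAPPED_RULES = [
    SnatRule(20, "dp0p1p1", source=ip_network("192.168.0.0/24"),
             destination=ip_network("172.16.50.0/24"), exclude=True),
    SnatRule(10, "dp0p1p1", source=ip_network("192.168.0.0/24"), translation="masquerade"),
]

# Constructed value: the page does not give the primary address of dp0p1p1.
IFACE_ADDRS = {"dp0p1p1": "203.0.113.1"}

# Constructed sample packets (src, dst, egress interface).
PACKETS = [
    {"src": "192.168.0.10", "dst": "172.16.50.5", "egress": "dp0p1p1"},   # hits rule 10: excluded
    {"src": "192.168.0.10", "dst": "198.51.100.7", "egress": "dp0p1p1"},  # hits rule 20: masqueraded
    {"src": "10.0.0.5", "dst": "198.51.100.7", "egress": "dp0p1p1"},      # no rule: untouched
    {"src": "192.168.0.10", "dst": "172.16.50.5", "egress": "dp0p1p2"},   # other interface: untouched
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "->", apply_snat(RULES, pkt, IFACE_ADDRS))
    print("shadowed exclude rules (Table 1):", shadowed_excludes(RULES))
    print("shadowed exclude rules (swapped):", shadowed_excludes(SWAPPED_RULES))
```

Running the model shows the first packet leaving with its original source address (decided by rule 10) and the second leaving as the interface address (rule 20). With the numbers swapped, the masquerade rule matches first for every 192.168.0.0/24 packet and the exclude rule is reported as shadowed, which is the misconfiguration the numbering in Table 1 avoids.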