Start a new topic

Dual NAT

 First of all, I really like this product. It's stable and fast plus offers API functionalities.


Second:


I'm dealing with a complex situation in AWS and I cannot find out why it is failing. I have the following setup


  • An AWS Lambda with IP 172.17.0.1 (private subnet, internet traffic routed to Instance 1)
  • NAT instance 1 with IP 172.17.1.1 (public subnet (with public IP)
  • NAT instance 2 with IP 172.17.1.2 (same public subnet (with different public IP)


I want instance 1 to route all traffic to the internet via instance 2 when the source IP matches a firewall rule (in this example 172.17.0.1).


My firewall rules are:


Instance 1:

PREROUTING_CUST -i eth0 -s 172.17.0.0/24 -j DNAT --to-destination 172.17.1.2
POSTROUTING_CUST -d 172.17.0.0/24 -j SNAT --to-source 172.17.1.1
MACRO_CUST -o eth0 -s 0.0.0.0/0 -j MASQUERADE


Instance 2:
MACRO_CUST -o eth0 -s 0.0.0.0/0 -j MASQUERADE


If I execute the Lamda, it times out, which indicates the traffic is dropped. I suspect I need to SNAT the request from instance 1, because otherwise instance 2 will route the traffic directly to the Lambda, instead of via instance 1. But I was kind of hoping that would be solved by the macro_cust rule.


I've disabled source check, and if I update the routing table in AWS to instance 2, the call s succesful. Any idea what is wrong?


Kind regards,


David



1 Comment

Hi David,


Apologies for the late reply. As it happens, source-based routing was not straightforward until recently. We'd be more than happy to give you a demo of the 6.0 beta (available in AWS and Azure) which makes this simple.

Feel free to open a support ticket any time. (Our forums are usually on the quiet side.)


Bob Smetana

Cohesive Networks

Login or Signup to post a comment