FiOS “Three-Router” with VyOS and ESXi, Part 8: Network Address Translation


At this point, our primary router has connectivity to the Internet, and we have a functioning home network with DHCP and DNS. Now we need to implement Network Address Translation (NAT) so that all of the hosts on the Home Network can share Internet access through the primary router’s one public IP.

Sharing one public IP among many clients is called source NAT, because the translation is applied to the source of the traffic—our home network. The other type, destination NAT, is better known in the consumer space as port forwarding. We’ll discuss that later.

The behavior we are looking for is simple. We want traffic that is bound for the Internet to be received by the router, have its source address changed to that of the router itself (instead of the private 10.0.0.0/24 address), and then forwarded on to its destination. When a response is received, the opposite should happen so that the response makes its way to the host on the 10.0.0.0/24 net that originally requested it.

We need only one source NAT rule for this.

vyos@primary-router:~# set nat source rule 10
vyos@primary-router:~# set nat source rule 10 outbound-interface eth0
vyos@primary-router:~# set nat source rule 10 protocol all
vyos@primary-router:~# set nat source rule 10 source address 10.0.0.0/24
vyos@primary-router:~# set nat source rule 10 translation address masquerade

The router will match traffic from 10.0.0.0/24 leaving via eth0 and rewrite its source address to eth0’s own address, so that to the Internet the router appears to be the originator. “Masquerade” means the translation follows whatever address eth0 currently holds, so it keeps working if the FiOS-assigned public IP changes.

vyos@primary-router:~# compare
vyos@primary-router:~# commit
vyos@primary-router:~# save

At this point, hosts on your 10.0.0.0/24 internal network should have Internet access. You can connect all your home devices to this network and use them normally; wireless devices will require you to connect a wireless bridge to your switch. Many consumer-grade wireless routers can be configured to operate in bridge mode to serve in this role.
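To make the two-way behaviour described above concrete, here is a small Python model of what the masquerade rule does: rewrite outbound LAN sources to the router’s public address, remember the mapping, and reverse it for replies. This is an added illustration, not VyOS code; the public IP 203.0.113.10 and the other addresses are constructed placeholders.

```python
# Constructed addresses for the walk-through (assumptions, not from the page).
LAN_NET = ("10.0.0.0", 24)          # the Home Network behind the primary router
ROUTER_PUBLIC_IP = "203.0.113.10"   # stand-in for eth0's public address

def in_lan(ip: str) -> bool:
    """True if ip falls inside 10.0.0.0/24 (plain prefix-mask comparison)."""
    net, prefix = LAN_NET
    to_int = lambda a: int.from_bytes(bytes(int(o) for o in a.split(".")), "big")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return to_int(ip) & mask == to_int(net) & mask

class Masquerade:
    """Minimal model of 'nat source rule 10': rewrite LAN sources to the
    router's public IP on the way out, track the flow, and undo it for replies."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_port, dst_ip, dst_port) -> (lan_ip, lan_port)
        self.table = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from the LAN heading out eth0; returns the translated 4-tuple."""
        if not in_lan(src_ip):
            return (src_ip, src_port, dst_ip, dst_port)   # rule does not match
        # Reuse the existing mapping for a known flow, otherwise allocate a port.
        for key, val in self.table.items():
            if val == (src_ip, src_port) and key[1:] == (dst_ip, dst_port):
                return (self.public_ip, key[0], dst_ip, dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reply arriving on eth0; returns the 4-tuple forwarded into the LAN,
        or None when no tracked flow exists (unsolicited traffic is dropped)."""
        key = (dst_port, src_ip, src_port)
        if dst_ip != self.public_ip or key not in self.table:
            return None
        lan_ip, lan_port = self.table[key]
        return (src_ip, src_port, lan_ip, lan_port)
```

The `None` path is the security-relevant part: without a matching tracked flow, a packet arriving from the Internet has nowhere to go inside 10.0.0.0/24, which is why plain source NAT does not by itself expose internal hosts.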