Deterministic NAT

Overview

Deterministic Network Address Translation (DNAT) ensures that a source IP address and port consistently map to the same post-NAT IP address and port range, and reverse mapping always returns to the same internal IP address. DNAT mode provides address translation that eliminates logging of every address mapping. However, it still allows internal client address tracking using only an external address and port, and a destination address and port. Reverse mapping allows BIG-IP CGNAT operators to respond to legal requests revealing the identity of the originator of a specific communication. For example, revealing the identity of file sharers or P2P network users accused of copyright theft.

Deterministic mode allows unique identification of internal client addresses based on:

  • External address and port (the address and port visible to the destination server)
  • Subscriber IP Address

The following diagram illustrates the deployment architecture with F5-DAG serving as upstream router for DNAT CNF.

[Figure: DNAT network topology, with F5-DAG as the upstream router for the DNAT CNF]

Limitations

Following are the limitations for Deterministic mode configurations applicable for the current release:

  • Deterministic mode is only supported in NAT44 configuration.

  • For Dynamic NAT, the VLAN CMP Hash settings must be configured as either the source or destination address, depending on the subscriber (client-side) and internet (server-side) interfaces (VLANs).

  • All internal client addresses that will communicate through the CGNAT must be specified during the configuration process.

    Note: This means that all virtual servers referring to an LSN pool through deterministic NAT mode must specify the source attribute with a value other than 0.0.0.0/0 or ::/0 (any/0).

  • Members of two or more deterministic Large Scale Network (LSN) pools must not overlap. For example, every external/translation address used for deterministic mapping must occur in only one LSN pool.

  • While upgrading CNFs with a DNAT application deployment, traffic loss is expected for a short period (not greater than 120 seconds).

Simplified logging

As an alternative to per-connection logging, deterministic mode maps internal addresses to external addresses algorithmically, so a mapping can be recalculated on demand instead of being logged for every connection. This significantly reduces the logging burden while still mapping a subscriber's inside IP address to an outside internet address and port.

To decipher the mappings generated by LSN pools using deterministic mode, use the DNAT utility tool (dnat-util), which runs as an out-of-the-box offline utility.

Configuring NAT mode as deterministic

Setting patMode to dnat enables deterministic mode for the given LSN pool.

Sample configuration:

sourceTranslation:
  - name: "dnatsrctr"
    type: "dynamic-pat"
    patMode: "dnat"

External Deterministic Address Grouping (DAG) for Deterministic NAT

The DNAT CNF expects upstream routers to disaggregate (DAG) subscriber traffic across the TMM pods. DNAT then algorithmically assigns translation addresses, which are deterministic in nature. The F5 DAG CNF can be used as the external DAG. The following example configuration shows the f5-dag parameters an administrator can set:

Note: f5-dag uses the CARP hash to externally DAG subscribers to TMM.

deterministicNat:
  upstreamRouter: "f5-dag"
  f5Dag:
    f5DagAlgorithm: "carp-hash"
    subscriberVlan: "vlan-dag"

Example connection

Subscriber IP 10.10.10.1 has been assigned the deterministic translation IP and port range 100.100.100.100:2000–2099. All outbound connections originating from 10.10.10.1 have their source IP translated to 100.100.100.100, with the source port mapped to a value within the 2000–2099 range. This allows a maximum of 100 concurrent connections per subscriber. Once this limit is reached, any new connection attempt from the same subscriber is dropped.

For example, an IPv4-only client requires a connection to the IPv4-only server www.44test.com. The DNS address of www.44test.com is 40.40.40.1; the ingress source address is 10.10.10.1 and the port is 34545. In this scenario, on the egress side, DNAT translates the source address to 100.100.100.100 and the port to 2000. The destination address and port in the IP layer remain the same.

Required CNFs CRs

NAT44 requires CNFs Custom Resources (CRs) installed in this order:

  • F5BigDnsApp (Optional) - Specifies a DNS listener used to translate and convert DNS queries.
  • F5BigNatPolicy - Specifies the IPv4 and IPv6 translation addresses.
  • F5BigFwPolicy (Optional) - Filters subscriber connections by IP address.
  • F5BigLogProfile (Optional) - Sends connection events to remote logging servers.
  • F5BigContextSecure - Processes and load balances the subscriber connections.
  • F5BigNetVlan - The F5BigNetVlan CR defines the VLAN name used between the F5-DAG and DNAT-CNF.
  • F5PersistenceProfile - The F5PersistenceProfile CR is used to fetch the CARP algorithm input for DAG. The ipv4PrefixLength parameter should be set to 32 to be used along with DNAT.

Requirements

Before proceeding with DNAT, ensure that you have:

  • Installed the BIG-IP Controller.
  • Installed all required CNFs CR configurations.
  • A Linux-based workstation.

Pre-requisites

  • Use only the most specific address prefixes that include all the subscriber addresses when configuring the NAT policy.

  • Deploy DAG CNFs before deploying the DNAT application.

  • Disable BGP routing on the client-side router.

  • For the hairpin mode or inbound modes to work in DNAT, set the looseInitiation and looseClose parameter values to true in F5BigFastl4Setting. The F5BigFastl4Setting should be referenced from the SecureContext CR of the CNFs DAG application.

    • F5BigNatPolicy CR example

      apiVersion: "k8s.f5net.com/v1"
      kind: F5BigNatPolicy
      metadata:
        name: "natpol-dnat"
      spec:
        sourceTranslation:
          - name: "dnatsrctr1"
            type: "dynamic-pat"
            patMode: "dnat"
            addresses:
            - "44.1.1.1-44.1.1.8"
            port: "1000-2000"
            icmpEcho: True
            deterministicNat:
              upstreamRouter: "f5-dag"
              f5Dag:
                f5DagAlgorithm: "carp-hash"
                subscriberVlan: "dagtmm-net"
            mapping:
              mode: address-pooling-paired
              timeout: 60
            inbound:
              mode: endpoint-independent-filtering
              eifTimeout: 300
            routeAdvertisement: True
            hairpinMode: True
        rule:
          - name: dnatrule_1
            ipProtocol: tcp
            source:
              addresses:
                - "11.11.11.0/24"
            sourceTranslation: "dnatsrctr1"
      
    • F5BigFastl4Setting CR example

      apiVersion: "k8s.f5net.com/v1"
      kind: F5BigFastl4Setting
      metadata:
        name: fastl4-test
      spec:
        #idleTimeout: 1
        looseInitiation: true
        looseClose: true
      
    • F5BigContextSecure CR example

      apiVersion: "k8s.f5net.com/v1"
      kind: F5BigContextSecure
      metadata:
        name: virtual-carp-profile-v4
      spec:
        destinationAddress: 0.0.0.0/0
        #ipv6destinationAddress: ::/0
        ipProtocol: "any"
        destinationPort: 0
        persistenceProfile: "srcaddr-carp-profile"
        profile: "fastL4"
        fastL4Settings:
          profileName: fastl4-test
        monitors:
          icmp:
             - interval: 5
        pool:
          members:
            - address: "20.1.1.150"
            - address: "20.1.1.151"
              #- address: "20.1.1.152"
              #- address: "20.1.1.153"
      
    • F5BigNetVlan CR example

      apiVersion: "k8s.f5net.com/v1"
      kind: F5BigNetVlan
      metadata:
        name: "dagtmm-net"
      spec:
        name: dagtmm-net
        interfaces:
        - "1.1"
        selfip_v4s:
        - "20.1.1.150"
        - "20.1.1.151"
        prefixlen_v4: 24
        selfip_v6s:
        - "2002::20:1:1:150"
        - "2002::20:1:1:151"
        prefixlen_v6: 112
        auto_lasthop: "AUTO_LASTHOP_DISABLED"
        cmp_hash: SRC_ADDR
      

      Note: The interface between the client router and the DNAT TMM side should use SRC_ADDR as the value of the cmp_hash parameter in the F5BigNetVlan CR.

Example CR

Following is an example DNAT NatPolicy CR:

apiVersion: "k8s.f5net.com/v1"
kind: F5BigNatPolicy
metadata:
  name: "dnat-policy-1"
spec:
  sourceTranslation:
    - name: "dnatsrctr"
      type: "dynamic-pat"
      patMode: "dnat"
      addresses:
        - "22.22.22.1-22.22.22.8"
      port: "1025-65535"
      deterministicNat:
        upstreamRouter: "f5-dag"
        f5Dag:
          f5DagAlgorithm: "carp-hash"
          subscriberVlan: "vlan1"
      routeAdvertisement: True
  rule:
    - name: dnatrule_1
      ipProtocol: tcp
      source:
        addresses:
          - "11.11.11.0/24"
      sourceTranslation: "dnatsrctr"

Note: The subscriberVlan parameter value should be the same as the spec.name parameter value given in the F5BigNetVlan CR, as mentioned in the Pre-requisites section.

Installation

Following is the procedure to install and configure the TMM Proxy Pod for NAT44 functionality.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. (Optional) The example F5BigLogHslpub CR specifies a remote server with IP 10:30:2:220 and port 514, and the udp protocol.

    Copy and paste the following example into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
        - name: "hsl-pool"
          endpoint:
          - "[10:30:2:220]:514"
      syslog:
        - name: "cnf-syslog"
          format: "rfc5424"
          protocol: "udp"
          pool: "hsl-pool"
    
  2. Run the following command to install the F5BigLogHslpub CR:

    kubectl apply -f cnf-hsl-cr.yaml

    Sample Output:

    In the following example output, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added or updated.

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub", F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
    
  3. (Optional) The example F5BigLogProfile CR captures NAT events such as connection start and end, and firewall events such as packet match and drop.

    Note: The F5BigLogProfile CR will be referenced by the F5BigContextSecure CR.

    Copy and paste the following example CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigLogProfile
    metadata:
      name: "cnf-log-profile"
      namespace: "cnf-gateway"
    spec:
      name: "cnf-logs"
      nat:
        enabled: true
        logSubscriberID: true
        publisher: "cnf-hsl-pub"
        inbound:
          start:
            mode: "enabled"
          end:
            mode: "enabled"
        quotaExceeded:
          mode: "enabled"
        errors:
          mode: "enabled"
      firewall:
        enabled: true
        network:
          publisher: "cnf-hsl-pub"
          events:
            aclMatchAccept: true
            aclMatchDrop: true
            tcpEvents: true
            translationFields: true
    
  4. Install the F5BigLogProfile CR, run the following command:

    kubectl apply -f cnf-log-cr.yaml

    Sample Output

    In the following example output, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added or updated.

    I0202 12:00:00.12348   1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile", LogProfile cnf-gateway/cnf-log-profile was added/updated
    
  5. The example F5BigDnsApp CR receives DNS queries on IP 10.20.2.10, and sends the query to 10.30.2.220 for resolution.

    Note: The F5BigDnsApp CR will be referenced by the F5BigContextSecure CR.

    Copy and paste the following example CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDnsApp
    metadata:
      name: "cnf-dns-44"
      namespace: "cnf-gateway"
    spec:
      destination:
        # 10.20.2.10 is an IPv4 listener, so the IPv4 destination key is used
        ipv4Address: "10.20.2.10"
        port: 53
      snat:
        type: "automap"
      udp:
      pool:
        members:
          - address: "10.30.2.220"
            port: 53
    
  6. (Optional) Install the F5BigDnsApp CR, run the following command:

    kubectl apply -f cnf-dns-cr.yaml

    Sample Output

    In the following example output, the BIG-IP Controller logs indicate the F5BigDnsApp CR was added or updated.

    I0202 12:00:00.12345   1 event.go:282 Event(v1.ObjectReference{Kind:"F5Dns", F5Dns cnf-gateway/cnf-dns-44 was added/updated
    
  7. The example F5BigNatPolicy CR NATs subscriber connections sourced from the IPv4 prefix 11.11.11.0/24 to an address within the 22.22.22.1-22.22.22.8 range, and sends them to the IPv4 address of the server.

    Note: The F5BigNatPolicy CR will be referenced by the F5BigContextSecure CR.

    Copy and paste the following example CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigNatPolicy
    metadata:
      # Must match the natPolicy reference in the F5BigContextSecure CR (step 11)
      name: "cnf-nat-44"
      namespace: "cnf-gateway"
    spec:
      sourceTranslation:
        - name: "dnatsrctr"
          type: "dynamic-pat"
          patMode: "dnat"
          port: "1025-65535"
          addresses: ['44.1.1.1-44.1.1.8']
          deterministicNat:
            upstreamRouter: "f5-dag"
            f5Dag:
              f5DagAlgorithm: "carp-hash"
              subscriberVlan: "dagtmm-net"
          routeAdvertisement: True
          icmpEcho: True
          proxyArp: True
      rule:
        - name: "dnatrule_1"
          ipProtocol: tcp
          source:
            addresses:
              - "11.11.11.0/24"
          sourceTranslation: "dnatsrctr"
    
  8. Install the F5BigNatPolicy CR, run the following command:

    kubectl apply -f cnf-nat-cr.yaml

    Sample Output

    In the following example output, the BIG-IP Controller logs indicate the F5BigNatPolicy CR was added or updated.

    I0202 12:00:00.12345   1 event.go:282 Event(v1.ObjectReference{Kind:"F5NatPolicy", NatPolicy cnf-gateway/cnf-nat-44 was added/updated
    
  9. (Optional) The example F5BigFwPolicy allows connections only from the IPv4 prefix 11.11.11.0/24.

    Note: The F5BigFwPolicy CR will be referenced by the F5BigContextSecure CR.

    Copy and paste the following example CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigFwPolicy
    metadata:
      name: "cnf-fw-44"
      namespace: "cnf-gateway"
    spec:
      rule:
      - name: allow-10-20
        action: "accept"
        logging: true
        ipProtocol: any
        source:
          addresses:
            - "11.11.11.0/24"
      - name: drop-all
        action: "drop"
        logging: true
        ipProtocol: any
        source:
          addresses:
            - "0.0.0.0/0"
    
  10. Install the F5BigFwPolicy CR, run the following command:

    kubectl apply -f cnf-fw-cr.yaml

    Sample Output

    In the following example output, the BIG-IP Controller logs indicate the F5BigFwPolicy CR was added or updated.

    I0202 12:00:00.12346   1 event.go:282 Event(v1.ObjectReference{Kind:"F5FirewallPolicy", FirewallPolicy cnf-gateway/cnf-fw-44 was added/updated
    
  11. The F5BigContextSecure CR listens for connections destined to the 0.0.0.0/0 prefix (any address on the web) on service port 80, and processes application traffic by referencing the installed CRs.

    Copy and paste the following example CR into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
    metadata:
      name: "cnf-44-context"
      namespace: "cnf-gateway"
    spec:
      ipv4destinationAddress: "0.0.0.0/0"
      destinationPort: 80
      firewallEnforcedPolicy: "cnf-fw-44"
      natPolicy: "cnf-nat-44"
      logProfile: "cnf-log-profile"
      ipProtocol: "any"
      profile: "fastL4"
    
  12. Install the F5BigContextSecure CR, run the following command:

    kubectl apply -f f5-cnf-44-context.yaml

    Sample Output

    In the following example output, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added or updated.

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-44-context was added/updated
    
  13. Continue to the Traffic statistics section after testing the application.

Traffic Statistics

If the TMM Debug container is installed, use the following steps to gather traffic processing statistics for the F5BigNatPolicy, F5BigFwPolicy and F5BigContextSecure CRs.

  1. Log in to the TMM debug Pod.

    In the following example, the TMM debug container is in the cnf-gateway namespace.

    kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash

  2. Verify F5BigNatPolicy connection statistics. Run the following command:

    tmctl -d blade fw_nat_rule_stat

    Sample Output:

    context_type context_name                          rule_name
    --------- ---------------------------------------  --------------------------
    virtual   cnf-cnf-context-secure-SecureContext_vs  10-20-subnet-natpolicyrule
    
    micro_rules counter last_hit_time action
    ----------- ------- ------------- ------
            1       8    1643836695      0
    tmctl -d blade fw_nat_trans_stat -s type,name,translation_requests
    type         name        translation_requests
    ------------ ----------- --------------------
    fw_src_trans transparent                    8
    fw_dst_trans transparent                    8
    fw_src_trans automap                        0
    
  3. Verify the F5BigNatPolicy client IP address mappings.

    • DNAT policy

    For DNAT policy address mappings, see Example CR

    • VLAN policy

    For the VLAN policy, see the F5BigNetVlan CR example in the Pre-requisites section.

    • Client (11.11.11.1) mapping

      ./dnat-util --config_dir . --subscriber_addr 11.11.11.1 --action forward
      {
          "queryParameters:": {
              "subscriber_address": "11.11.11.1",
              "subscriber_port": "N/A",
              "action": "forward"
          },
          "subscribers": [
              {
                  "translation": {
                      "tmm_self_ip": "20.1.1.150",
                      "subscriber_ip": "11.11.11.1",
                      "translation_ip": "44.1.1.2",
                      "port_block": "1025-3039"
                  }
              }
          ]
      }
      
  4. Verify the F5BigFwPolicy statistics, run the following command:

    tmctl -d blade fw_rule_stat

    Sample Output:

    rule_name                  counter last_hit_time action
    -------------------------- ------- ------------- ------
    allow-4-firewallpolicyrule       1    1646355700      2
    allow-6-firewallpolicyrule       1    1646355702      2
    drop-4-firewallpolicyrule        0             0      0
    drop-6-firewallpolicyrule        0             0      0
    
  5. Verify the F5BigDnsApp DNS Profile statistics, run the following command:

    tmctl -d blade profile_dns_stat -s name,queries,responses

    Sample Output:

    name                               queries responses
    ---------------------------------- ------- ---------
    cnf-gateway-cnf-dns-44-profile_dns      20        20
    
  6. Verify the F5BigContextSecure, and F5BigDnsApp virtual server statistics, run the following command:

    tmctl -d blade virtual_server_stat -s name,clientside.tot_conns

    name                                   clientside.tot_conns
    -------------------------------------- --------------------
    cnf-gateway-ipv44-vip-SecureContext_vs                   15
    cnf-gateway-dns-44-virtual_server                        20
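
The deterministic mapping described in the Example connection section and the dnat-util forward lookup in step 3 above can be reproduced with the following Python sketch. It is an added example, not F5's code or its actual allocation algorithm: it assumes a simple scheme (subscribers indexed by host number within the prefix, spread round-robin over the translation addresses, each address's port range cut into equal blocks) which, for the page's values 11.11.11.0/24, 44.1.1.1-44.1.1.8 and ports 1025-65535, yields the same result as the dnat-util output (11.11.11.1 -> 44.1.1.2, block 1025-3039).

```python
# Added example, not F5's own code or algorithm: a toy deterministic NAT
# mapper showing why no per-connection log is needed.  Assumed scheme:
# subscriber i (host offset in the prefix) uses translation address
# i % N and port block i // N, with every address's port range cut into
# equal blocks sized for ceil(subscribers / N) subscribers per address.
import ipaddress
from collections import Counter


class DeterministicNat:
    def __init__(self, subscriber_prefix, first_addr, last_addr, first_port, last_port):
        self.net = ipaddress.ip_network(subscriber_prefix)
        first, last = ipaddress.ip_address(first_addr), ipaddress.ip_address(last_addr)
        self.addrs = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
        self.first_port, self.last_port = first_port, last_port
        # All subscribers must be known up front (page limitation), so the
        # block size is fixed at configuration time, not per connection.
        per_addr = -(-self.net.num_addresses // len(self.addrs))  # ceiling division
        self.block_size = (last_port - first_port + 1) // per_addr
        self.active = Counter()  # subscriber -> ports currently in use

    def forward(self, subscriber):
        """Subscriber IP -> (translation IP, first port, last port) of its block."""
        sub = ipaddress.ip_address(subscriber)
        if sub not in self.net:
            raise ValueError(f"{subscriber} is not a configured subscriber")
        idx = int(sub) - int(self.net.network_address)
        addr = self.addrs[idx % len(self.addrs)]
        start = self.first_port + (idx // len(self.addrs)) * self.block_size
        return str(addr), start, start + self.block_size - 1

    def reverse(self, translation_ip, port):
        """External IP:port -> subscriber IP; the lookup behind a legal request."""
        addr = ipaddress.ip_address(translation_ip)
        if addr not in self.addrs or not (self.first_port <= port <= self.last_port):
            return None
        block = (port - self.first_port) // self.block_size
        idx = block * len(self.addrs) + self.addrs.index(addr)
        if idx >= self.net.num_addresses:
            return None  # port lies in the unassigned remainder of the range
        return str(self.net.network_address + idx)

    def open_connection(self, subscriber):
        """Hand out the next port in the subscriber's block, or None when exhausted."""
        addr, start, _end = self.forward(subscriber)
        used = self.active[subscriber]
        if used >= self.block_size:
            return None  # block full: the page states new connections are dropped
        self.active[subscriber] += 1
        return addr, start + used


if __name__ == "__main__":
    nat = DeterministicNat("11.11.11.0/24", "44.1.1.1", "44.1.1.8", 1025, 65535)
    print(nat.block_size, nat.forward("11.11.11.1"), nat.reverse("44.1.1.2", 2000))
```

With the page's pool of 8 translation addresses and 256 subscribers, 32 subscribers share each address, so each gets 64511 // 32 = 2015 ports, which is exactly the 1025-3039 block dnat-util reports.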
    

DNATUTIL

Dnatutil is an offline utility tool designed to retrieve mapping information for Deterministic NAT (DNAT) on the CNFs platform. For more information on how to install and use the dnat-util tool, see DNATUTIL Tool page.

Feedback

To provide feedback and help improve this document, please email us at cnfdocs@f5.com.
