F5BigNatPolicy¶
Overview¶
The F5BigNatPolicy Custom Resource (CR) is a carrier-grade network address translation (CG-NAT) solution, using large-scale NAT (LSN) pools to support high-volume, low latency 5G workloads. The F5BigNatPolicy provides NAT44, NAT46, NAT64, and NAT66 IP address translations, and can advertise allocated NAT IP addresses to BGP peers, ensuring connections responses are routed properly and efficiently. Once installed and configured, the F5BigNatPolicy can be referenced by any of the Traffic Management CNF CRs.
NAT implementations¶
The NAT46 and NAT64 implementations require multiple CNFs CRs with specific CR configurations. Refer to the CNFs NAT implementation guides for assistance:
This document guides you through understanding, configuring and installing a simple F5BigNatPolicy CR.
CR parameters¶
The tables below describe the F5BigNatPolicy CR parameters.
metadata¶
Parameter | Description |
---|---|
name |
The name of the NAT policy. This value is referenced by the traffic management CNF CRs. |
namespace |
The Kubernetes namespace the NAT policy will install to. |
spec.sourceTranslation¶
Parameter | Description |
---|---|
name |
Specifies the NAT Source Translation object name. |
type |
Specifies the type of translation to be performed: static-nat, static-pat or dynamic-pat. |
addresses |
Specifies a list of IPv4 or IPv6 addresses: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20. |
port |
Specifies a list of service ports or service port ranges. "8000", "8000-10000" |
icmpEcho |
Enables ICMP echo responses on translation IP addresses: true or false (default). |
proxyArp |
Enables proxy arp for translation IP addresses: true or false (default). |
patMode |
Specifies the translation mode of operation. napt (default) or pba. This parameter applies only if sourceTranslation.type is dynamic-pat. |
excludeAddresses |
Specifies a list of IPv4 or IPv6 Addresses to exclude from translation in the NAT pool: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20. |
inbound.mode |
Enables inbound connections: none(default) or endpoint-independent-filtering. This parameter applies only if the sourceTranslation.type is dynamic-pat. |
inbound.eifTimeout |
Specifies the timeout in seconds for endpoint independent filtering: 3 (default) to 300. |
mapping.mode |
Specifies the translated address mapping for setting successful translations: none (default), address-pooling-paired, or endpoint-independent-mapping. This parameter applies only if sourceTranslation.type is dynamic-pat. |
mapping.timeout |
Specifies the duration in seconds after which successfully translated address mappings expire. The default is 300 and the max is 31536000. |
vlans.vlanList |
Specifies a list of F5BigNetVlans in an array to apply NAT. |
vlans.disableListedVlans |
When enabled, apply NAT on all F5BigNetVlans except those defined in the sourceTranslation.vlans.vlanList paramter: true (default) or false. |
routeAdvertisement |
Enables route advertisements for translated IP addresses: true or false (default). |
hairpinMode |
Enables clients in the same private network to connect using their private destination. TMM translates the connection using the public destination address, but does not send the packet through the public network: true or false (default). |
clientConnectionLimit |
Specifies the number of translated concurrent connections allowed per subscriber. The default is 0 and the max is 65535. |
Note: The removal of IP addresses from the existing NAT Source Translation Object is restricted. However, you can add more IP addresses. If you wish to remove existing IP addresses, you will need to delete the NAT policy and then reapply it with the new NAT IP addresses.
spec.sourceTranslation.portBlockAllocation¶
Parameter | Description |
---|---|
blockIdleTimeout |
Specifies the amount of time in seconds that an assigned block of ports remains available when idle before it times out: 30 to 31536000. The default is 3600. |
blockLifeTime |
Specifies the lifetime in seconds of a block of ports: 0 (default) to 31536000. |
blockSize |
Specifies the number of ports per block. Each block is assigned to one client. A client can use all ports in a block multipled by the clientBlockLimit value, up to the connection limit if one is set: 1 to 31536000. The default is 64. |
clientBlockLimit |
Specifies the number of blocks that can be assigned to a client: 0 to 31536000. The default is 1. |
zombieTimeout |
Specifies the timeout duration for a zombie port block, which is a timed out port block with one or more active connections: 0 (default) to 31536000. When the timeout duration expires, connections using the zombie block are killed and the zombie port block becomes an available port block. The default is 0, which corresponds to an infinite timeout. The setting is ignored if the blockLifetTme value is 0. |
spec.rule¶
Parameter | Description |
---|---|
name |
Name of the rule. |
description |
Description of the rule. |
ipProtocol |
Specifies the IP protocol against which the packet will be compared: tcp, udp or any (default). |
source.vlans |
Specifies a list of VLAN against which the packet will be compared. |
source.addresses |
Specifies a list of IPv4 or IPv6 addresses against which the packet will be compared: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20. |
source.addressLists |
Specifies a list of address-list names F5BigCneAddresslist by metadata.name against which the packet will be compared. The ACL/NAT rule is disabled internally and is not used for matching traffic while:- This attribute is specifying one or more addressLists and - All of these addressLists are empty or do not exist (soft-reference case) and - The rule does not specify any direct source address |
source.ports |
Specifies a list of source service ports or port ranges against which the packet will be compared. Port 0 is not a valid value, and is not allowed. "1000-1200" |
source.portLists |
Specifies a list of F5BigCnePortlist by metadata.name against which the packet will be compared ["source-portlist-1"]. The ACL/NAT rule is disabled internally and is not used for matching traffic while:- This attribute is specifying one or more portLists and - All of these portLists are empty or do not exist (soft-reference case) and - The rule does not specify any direct source port |
destination.addresses |
Specifies a list of IPv4 or IPv6 addresses against which the packet will be compared: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20. |
destination.addressLists |
Specifies a list of F5BigCneAddresslist by metadata.name against which the packet will be compared "dest-addr-list-1". The ACL/NAT rule is disabled internally and is not used for matching traffic while:- This attribute is specifying one or more addressLists and - All of these addressLists are empty or do not exist (soft-reference case) and - The rule does not specify any direct destination address |
destination.ports |
Specifies a list of destination service ports or port ranges against which the packet will be compared. Port 0 is not a valid value, and is not allowed. |
destination.portLists |
Specifies a list of F5BigCnePortList by metadata.name against which the packet will be compared. The ACL/NAT rule is disabled internally and is not used for matching traffic while:- This attribute is specifying one or more portLists and - All of these portLists are empty or do not exist (soft-reference case) and - The rule does not specify any direct destination port |
sourceTranslation |
Specifies the spec.sourceTranslation.name parameter to reference. |
CR Example¶
apiVersion: "k8s.f5net.com/v1"
kind: F5BigNatPolicy
metadata:
name: "cnf-66-nat"
namespace: "cnf-gateway"
spec:
sourceTranslation:
- name: "nat66-dynamic"
type: "dynamic-pat"
addresses:
- "2002::300:300:300:0/112"
port: "8000-8050"
icmpEcho: true
proxyArp: true
mapping:
mode: "endpoint-independent-mapping"
timeout: 300
inbound:
eifTimeout: 90
routeAdvertisement: true
rule:
- name: dynamic-nat-66
ipProtocol: tcp
source:
addresses:
- "2002::100:100:100:0/112"
destination:
addresses:
- "2002::200:200:200:0/112"
sourceTranslation: "nat66-dynamic"
CR shortName¶
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigNatPolicy CR shortName is natpol.
View CR instance:
kubectl get natpol -n <namespace>
View CR configuration:
kubectl get natpol -n <namespace> -o yaml
NAT IP addresses¶
IP Allocation¶
When the F5BigNatPolicy is installed, the BIG-IP Controller reserves, and allocates blocks of IP addresses to each of the TMM Proxy PODs to use for NAT. When IP addresses are used and then no longer in use by the TMM, the reserved NAT IP addresses are released for use by other TMM Pods.
BGP Advertisement¶
When the TMM Proxy Pod installs with the f5-tmm-routing container, IP addresses used for NAT client connections are advertised to upstream BGP peers(by setting routeAdvertisement to True), enabling server responses to route back to TMM. Alternatively, you can configure appropriate routes on upstream devices, however, this method does not scale as well, and is more error-prone. For BGP configuration assistance, refer to the BGP Overview.
Requirements¶
Ensure you have:
- Installed the BIG-IP Controller.
- Installed the dSSM Database.
- A Linux based workstation.
Installation¶
Use these steps to install the example F5BigNatPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.
Tip: Open a second shell to view the CNFs Event Logs while installing.
Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514 and the udp protocol. Copy and paste the example into a YAML file:
Note: The F5BigLogHslpub CR will be referenced by the F5BigLogProfile.
apiVersion: k8s.f5net.com/v1 kind: F5BigLogHslpub metadata: name: "cnf-hsl-pub" namespace: "cnf-gateway" spec: pool: - name: "cnf-hslpool" endpoint: - "[2002::10:30:2:220]:514" syslog: - name: "syslog-dest" format: "rfc5424" protocol: "udp" pool: "cnf-hslpool"
Install the F5BigLogHslpub CR:
kubectl apply -f cnf-hsl-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub", F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
Optional: The example F5BigLogProfile CR specifies NAT events such as connection start and end to send to the remote log server. Copy and paste the CR into a YAML file:
Note: The F5BigLogProfile CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1" kind: F5BigLogProfile metadata: name: "cnf-log-profile" namespace: "cnf-gateway" spec: name: "cnf-logs" nat: enabled: true logSubscriberID: true publisher: "cnf-hsl-pub" inbound: start: mode: "enabled" end: mode: "enabled" quotaExceeded: mode: "enabled" errors: mode: "enabled"
The example F5BigNatPolicy CR specifies that subscribers with source IP in the 2002::100:100.100:0/112 subnet, connecting to destinations in the 2002::200:200:200:0/112 subnet, will have their source IP address translated using addresses in the 2002::300:300:300:0/112 subnet. Copy and paste the example into a YAML file:
Note: The F5BigNatPolicy CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1" kind: F5BigNatPolicy metadata: name: "cnf-66-nat" namespace: "cnf-gateway" spec: sourceTranslation: - name: "nat66-dynamic" type: "dynamic-pat" addresses: - "2002::300:300:300:0/112" port: "8000-8050" icmpEcho: true proxyArp: true mapping: mode: "endpoint-independent-mapping" timeout: 300 inbound: eifTimeout: 90 routeAdvertisement: true rule: - name: dynamic-nat-66 ipProtocol: tcp source: addresses: - "2002::100:100:100:0/112" destination: addresses: - "2002::200:200:200:0/112" sourceTranslation: "nat66-dynamic"
Install the F5BigNatPolicy CR:
kubectl apply -f nat-policy.yaml -n <namespace>
In this example, the BIG-IP Controller logs indicate the F5BigNatPolicy CR was added/updated:
I0202 12:00:00.12345 1 event.go:282 Event(v1.ObjectReference{Kind:"F5NatPolicy", NatPolicy cnf-gateway/cnf-nat-policy was added/updated
The example F5BigContextSecure CR listens for connections destined to the 2002::200:200:200:0/112 subnet on the subscriber-vlan interface, and references the installed CRs. Copy and paste the CR into a YAML file:
apiVersion: k8s.f5net.com/v1 kind: F5BigContextSecure metadata: name: "cnf-nat-context" namespace: "cnf-gateway" spec: ipv6destinationAddress: "2002::200:200:200:0/112" destinationPort: 0 ipProtocol: "any" profile: "fastL4" natPolicy: "cnf-66-nat" logProfile: "cnf-log-profile" vlans: vlanList: - "subscriber-vlan"
Install the F5BigContextSecure CR:
kubectl apply -f f5-cnf-context-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:
I0202 12:00:00:12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-nat-context was added/updated
Review the Additional CRs and NAT statistics sections.
Additional CRs¶
The F5BigNatPolicy can also be referenced by these CNFs CRs:
- F5BigAlgFtp - File Transfer Protocol (FTP) application layer gateway services.
- F5BigAlgTftp - Trivial File Transfer Protocol (TFTP) application layer gateway services.
- F5BigAlgPptp - Point-to-Point Tunneling Protocol (PPTP) application layer gateway services.
- F5BigAlgRtsp - Real Time Streaming Protocol (RTSP) application layer gateway services.
NAT statistics¶
If the TMM Debug Sidecar is enabled (default), use the steps below to verify NAT connection statics.
Log in to the TMM debug Pod:
In this example, the TMM debug container is in the cnf-gateway namespace:
kubectl exec -it deploy/f5-tmm -c debug -n <namespace> -- bash
Verify F5BigNatPolicy connection statistics:
tmctl -d blade fw_nat_rule_stat
context_type context_name rule_name --------- --------------------------------------- -------------------------- virtual cnf-cnf-context-secure-SecureContext_vs 10-20-subnet-natpolicyrule micro_rules counter last_hit_time action ----------- ------- ------------- ------ 1 8 1643836695 0
tmctl -d blade fw_nat_trans_stat -s type,name,translation_requests
type name translation_requests ------------ ----------- -------------------- fw_src_trans transparent 0 fw_dst_trans transparent 8 fw_src_trans automap 0
Verify the F5BigNatPolicy client IP address mappings:
lsndb list all
Client Connections ----------------------------------------------------------- 0 client with 0 connection found. LSN Persistence Entries Client Translation ----------------------------------------------------------- 10.20.2.220:52110 10.200.2.8:8265 10.20.2.220 10.200.2.8 2 persist entries found. LSN port block allocations Client Port block ---------------------------------------------------------- 0 port block entries found. LSN Inbound Mapping Entries Translation Client ---------------------------------------------------------- 10.200.2.8:8265 10.20.2.220:52110 10.200.2.7:8397 10.20.2.220:52106
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.