F5BigNatPolicy

Overview

The F5BigNatPolicy Custom Resource (CR) is a carrier-grade network address translation (CG-NAT) solution, using large-scale NAT (LSN) pools to support high-volume, low-latency 5G workloads. The F5BigNatPolicy provides NAT44, NAT46, NAT64, and NAT66 IP address translations, and can advertise allocated NAT IP addresses to BGP peers, ensuring connection responses are routed properly and efficiently. Once installed and configured, the F5BigNatPolicy can be referenced by any of the Traffic Management CNF CRs.

NAT implementations

The NAT46 and NAT64 implementations require multiple CNFs CRs with specific CR configurations. Refer to the CNFs NAT implementation guides for assistance:

This document guides you through understanding, configuring and installing a simple F5BigNatPolicy CR.

CR parameters

The tables below describe the F5BigNatPolicy CR parameters.

metadata

Parameter Description
name The name of the NAT policy. This value is referenced by the traffic management CNF CRs.
namespace The Kubernetes namespace the NAT policy will install to.

spec.sourceTranslation

Parameter Description
name Specifies the NAT Source Translation object name.
type Specifies the type of translation to be performed: static-nat, static-pat or dynamic-pat.
addresses Specifies a list of IPv4 or IPv6 addresses: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20.
port Specifies a list of service ports or service port ranges, for example "8000" or "8000-10000".
icmpEcho Enables ICMP echo responses on translation IP addresses: true or false (default).
proxyArp Enables proxy ARP for translation IP addresses: true or false (default).
patMode Specifies the translation mode of operation: napt (default) or pba. This parameter applies only if sourceTranslation.type is dynamic-pat.
excludeAddresses Specifies a list of IPv4 or IPv6 Addresses to exclude from translation in the NAT pool: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20.
inbound.mode Enables inbound connections: none(default) or endpoint-independent-filtering. This parameter applies only if the sourceTranslation.type is dynamic-pat.
inbound.eifTimeout Specifies the timeout in seconds for endpoint independent filtering: 3 (default) to 300.
mapping.mode Specifies the translated address mapping for setting successful translations: none (default), address-pooling-paired, or endpoint-independent-mapping. This parameter applies only if sourceTranslation.type is dynamic-pat.
mapping.timeout Specifies the duration in seconds after which successfully translated address mappings expire. The default is 300 and the max is 31536000.
vlans.vlanList Specifies a list of F5BigNetVlans in an array to apply NAT.
vlans.disableListedVlans When enabled, apply NAT on all F5BigNetVlans except those defined in the sourceTranslation.vlans.vlanList parameter: true (default) or false.
routeAdvertisement Enables route advertisements for translated IP addresses: true or false (default).
hairpinMode Enables clients in the same private network to connect using their private destination. TMM translates the connection using the public destination address, but does not send the packet through the public network: true or false (default).
clientConnectionLimit Specifies the number of translated concurrent connections allowed per subscriber. The default is 0 and the max is 65535.

Note: The removal of IP addresses from the existing NAT Source Translation Object is restricted. However, you can add more IP addresses. If you wish to remove existing IP addresses, you will need to delete the NAT policy and then reapply it with the new NAT IP addresses.

spec.sourceTranslation.portBlockAllocation

Parameter Description
blockIdleTimeout Specifies the amount of time in seconds that an assigned block of ports remains available when idle before it times out: 30 to 31536000. The default is 3600.
blockLifeTime Specifies the lifetime in seconds of a block of ports: 0 (default) to 31536000.
blockSize Specifies the number of ports per block. Each block is assigned to one client. A client can use all ports in a block multiplied by the clientBlockLimit value, up to the connection limit if one is set: 1 to 31536000. The default is 64.
clientBlockLimit Specifies the number of blocks that can be assigned to a client: 0 to 31536000. The default is 1.
zombieTimeout Specifies the timeout duration for a zombie port block, which is a timed-out port block with one or more active connections: 0 (default) to 31536000. When the timeout duration expires, connections using the zombie block are killed and the zombie port block becomes an available port block. The default of 0 corresponds to an infinite timeout. The setting is ignored if the blockLifeTime value is 0.
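As an added example (not part of the F5 documentation), the following Python works out how many subscribers a dynamic-pat pool in pba mode can serve from the addresses, port, excludeAddresses, blockSize, clientBlockLimit and clientConnectionLimit values described above, and warns when the port range is smaller than a block. It assumes each translation address is carved into floor(ports / blockSize) whole blocks and treats clientBlockLimit 0 as 1; neither detail is stated on this page.

```python
import ipaddress

def count_addresses(entry):
    """Count addresses in one 'addresses' entry: host, CIDR subnet, or a-b range."""
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False).num_addresses
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return int(hi) - int(lo) + 1
    ipaddress.ip_address(entry)  # raises on a malformed host entry
    return 1

def count_ports(port):
    """Count ports in a 'port' value such as "8000" or "8000-10000"."""
    lo, _, hi = port.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port value {port!r}")
    return hi - lo + 1

def pba_capacity(addresses, port, blockSize=64, clientBlockLimit=1,
                 clientConnectionLimit=0, excludeAddresses=()):
    """Capacity of a dynamic-pat source translation in pba mode.
    Assumption (not stated on the page): each address yields floor(ports / blockSize)
    whole blocks, and clientBlockLimit 0 is treated as 1."""
    if not 1 <= blockSize <= 31536000 or not 0 <= clientBlockLimit <= 31536000:
        raise ValueError("blockSize or clientBlockLimit outside the documented range")
    n_addr = (sum(count_addresses(a) for a in addresses)
              - sum(count_addresses(a) for a in excludeAddresses))
    n_ports = count_ports(port)
    blocks_per_address = n_ports // blockSize
    total_blocks = n_addr * blocks_per_address
    per_client = max(clientBlockLimit, 1)
    ports_per_subscriber = blockSize * per_client
    if clientConnectionLimit:  # 0 means no per-subscriber connection cap
        ports_per_subscriber = min(ports_per_subscriber, clientConnectionLimit)
    warnings = []
    if blocks_per_address == 0:
        warnings.append(f"port range has {n_ports} ports, fewer than blockSize "
                        f"{blockSize}: no block can ever be allocated")
    return {"addresses": n_addr, "ports_per_address": n_ports,
            "blocks_per_address": blocks_per_address, "total_blocks": total_blocks,
            "max_subscribers": total_blocks // per_client,
            "ports_per_subscriber": ports_per_subscriber, "warnings": warnings}

if __name__ == "__main__":
    # The page's example pool with the pba defaults: 51 ports per address < blockSize 64.
    print(pba_capacity(["2002::300:300:300:0/112"], "8000-8050"))
    # The same pool with 16-port blocks: three blocks per address.
    print(pba_capacity(["2002::300:300:300:0/112"], "8000-8050", blockSize=16))
```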

spec.rule

Parameter Description
name Name of the rule.
description Description of the rule.
ipProtocol Specifies the IP protocol against which the packet will be compared: tcp, udp or any (default).
source.vlans Specifies a list of VLAN against which the packet will be compared.
source.addresses Specifies a list of IPv4 or IPv6 addresses against which the packet will be compared: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20.
source.addressLists Specifies a list of F5BigCneAddresslist names (metadata.name) against which the packet will be compared. The ACL/NAT rule is disabled internally and is not used for matching traffic while:
- This attribute is specifying one or more addressLists and
- All of these addressLists are empty or do not exist (soft-reference case) and
- The rule does not specify any direct source address
source.ports Specifies a list of source service ports or port ranges against which the packet will be compared, for example "1000-1200". Port 0 is not a valid value and is not allowed.
source.portLists Specifies a list of F5BigCnePortlist names (metadata.name) against which the packet will be compared, for example ["source-portlist-1"]. The ACL/NAT rule is disabled internally and is not used for matching traffic while:
- This attribute is specifying one or more portLists and
- All of these portLists are empty or do not exist (soft-reference case) and
- The rule does not specify any direct source port
destination.addresses Specifies a list of IPv4 or IPv6 addresses against which the packet will be compared: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20.
destination.addressLists Specifies a list of F5BigCneAddresslist names (metadata.name) against which the packet will be compared, for example "dest-addr-list-1". The ACL/NAT rule is disabled internally and is not used for matching traffic while:
- This attribute is specifying one or more addressLists and
- All of these addressLists are empty or do not exist (soft-reference case) and
- The rule does not specify any direct destination address
destination.ports Specifies a list of destination service ports or port ranges against which the packet will be compared. Port 0 is not a valid value and is not allowed.
destination.portLists Specifies a list of F5BigCnePortList by metadata.name against which the packet will be compared. The ACL/NAT rule is disabled internally and is not used for matching traffic while:
- This attribute is specifying one or more portLists and
- All of these portLists are empty or do not exist (soft-reference case) and
- The rule does not specify any direct destination port
sourceTranslation Specifies the spec.sourceTranslation.name parameter to reference.
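An added example, not part of the F5 documentation: a lint pass over a parsed F5BigNatPolicy that flags the conditions the tables above describe, in particular a rule that is silently disabled because it selects only by empty or missing address or port lists, a rule whose sourceTranslation matches no spec.sourceTranslation.name, port 0 in a port list, and dynamic-pat-only keys on a static translation. The CR is given as the dict a YAML parser would return, and the contents of the installed F5BigCneAddresslist / F5BigCnePortlist objects are passed in as plain dicts (an assumption, since the page gives no API for reading them).

```python
VALID_TYPES = {"static-nat", "static-pat", "dynamic-pat"}

def _port_bounds(p):
    lo, _, hi = str(p).partition("-")  # "1000-1200" -> (1000, 1200)
    return int(lo), int(hi or lo)

def lint_nat_policy(cr, address_lists, port_lists):
    """Findings for an F5BigNatPolicy CR given as a dict (parsed YAML). address_lists and
    port_lists map metadata.name of installed F5BigCneAddresslist / F5BigCnePortlist objects
    to their entries; a name that is missing or empty is the page's soft-reference case."""
    out, spec, st_names = [], cr.get("spec", {}), set()
    for st in spec.get("sourceTranslation", []):
        n = st.get("name", "<unnamed>")
        st_names.add(n)
        if st.get("type") not in VALID_TYPES:
            out.append(f"{n}: type must be one of {sorted(VALID_TYPES)}")
        elif st["type"] != "dynamic-pat":
            for key in ("patMode", "inbound", "mapping"):
                if key in st:
                    out.append(f"{n}: {key} applies only when type is dynamic-pat")
    for rule in spec.get("rule", []):
        rn, ref = rule.get("name", "<unnamed>"), rule.get("sourceTranslation")
        if ref not in st_names:
            out.append(f"rule {rn}: sourceTranslation {ref!r} matches no sourceTranslation.name")
        for side in ("source", "destination"):
            sel = rule.get(side, {})
            if any(0 in _port_bounds(p) for p in sel.get("ports", [])):
                out.append(f"rule {rn}: {side}.ports contains port 0, which is not allowed")
            for lists, direct, known in (("addressLists", "addresses", address_lists),
                                         ("portLists", "ports", port_lists)):
                refs = sel.get(lists, [])
                if refs and not sel.get(direct) and not any(known.get(r) for r in refs):
                    out.append(f"rule {rn}: {side}.{lists} {refs} are all empty or missing and "
                               f"no direct {side}.{direct} is set, so the rule is disabled")
    return out

# Constructed sample: the page's CR plus a rule that selects only by a missing address list.
SAMPLE_CR = {"spec": {
    "sourceTranslation": [{"name": "nat66-dynamic", "type": "dynamic-pat",
                           "addresses": ["2002::300:300:300:0/112"], "port": "8000-8050",
                           "inbound": {"eifTimeout": 90}, "routeAdvertisement": True}],
    "rule": [{"name": "dynamic-nat-66", "ipProtocol": "tcp",
              "source": {"addresses": ["2002::100:100:100:0/112"]},
              "destination": {"addresses": ["2002::200:200:200:0/112"]},
              "sourceTranslation": "nat66-dynamic"},
             {"name": "list-only", "source": {"addressLists": ["subscribers-missing"]},
              "destination": {"ports": ["0-1024"]}, "sourceTranslation": "nat66-dynamic"}]}}

if __name__ == "__main__":
    print("\n".join(lint_nat_policy(SAMPLE_CR, address_lists={}, port_lists={})))
```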

CR Example

apiVersion: "k8s.f5net.com/v1"
kind: F5BigNatPolicy
metadata:
  name: "cnf-66-nat"
  namespace: "cnf-gateway"
spec:
  sourceTranslation:
    - name: "nat66-dynamic"
      type: "dynamic-pat"
      addresses:
        - "2002::300:300:300:0/112"
      port: "8000-8050"
      icmpEcho: true
      proxyArp: true
      mapping:
        mode: "endpoint-independent-mapping"
        timeout: 300
      inbound:
        eifTimeout: 90
      routeAdvertisement: true
  rule:
    - name: dynamic-nat-66
      ipProtocol: tcp
      source:
        addresses:
          - "2002::100:100:100:0/112"
      destination:
        addresses:
          - "2002::200:200:200:0/112"
      sourceTranslation: "nat66-dynamic"

CR shortName

CR shortNames provide an easy way to view installed CRs and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigNatPolicy CR shortName is natpol.

View CR instance:

kubectl get natpol -n <namespace>

View CR configuration:

kubectl get natpol -n <namespace> -o yaml

NAT IP addresses

IP Allocation

When the F5BigNatPolicy is installed, the BIG-IP Controller reserves blocks of IP addresses and allocates them to each of the TMM Proxy Pods for NAT. When a TMM Pod no longer uses its allocated addresses, the reserved NAT IP addresses are released for use by other TMM Pods.

BGP Advertisement

When the TMM Proxy Pod installs with the f5-tmm-routing container, IP addresses used for NAT client connections are advertised to upstream BGP peers (by setting routeAdvertisement to true), enabling server responses to route back to TMM. Alternatively, you can configure the appropriate routes on upstream devices; however, this method does not scale as well and is more error-prone. For BGP configuration assistance, refer to the BGP Overview.

Requirements

Ensure you have:

Installation

Use these steps to install the example F5BigNatPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514 and the udp protocol. Copy and paste the example into a YAML file:

    Note: The F5BigLogHslpub CR will be referenced by the F5BigLogProfile.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
      - name: "cnf-hslpool"
        endpoint:
        - "[2002::10:30:2:220]:514"
      syslog:
      - name: "syslog-dest"
        format: "rfc5424"
        protocol: "udp"
        pool: "cnf-hslpool"
    
  2. Install the F5BigLogHslpub CR:

    kubectl apply -f cnf-hsl-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub",
    F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
    
  3. Optional: The example F5BigLogProfile CR specifies NAT events such as connection start and end to send to the remote log server. Copy and paste the CR into a YAML file:

    Note: The F5BigLogProfile CR will be referenced by the F5BigContextSecure CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigLogProfile
    metadata:
      name: "cnf-log-profile"
      namespace: "cnf-gateway"
    spec:
      name: "cnf-logs"
      nat:
        enabled: true
        logSubscriberID: true
        publisher: "cnf-hsl-pub"
        inbound:
          start:
            mode: "enabled"
          end:
            mode: "enabled"
        quotaExceeded:
          mode: "enabled"
        errors:
          mode: "enabled"
    
  4. The example F5BigNatPolicy CR specifies that subscribers with a source IP in the 2002::100:100:100:0/112 subnet, connecting to destinations in the 2002::200:200:200:0/112 subnet, will have their source IP address translated using addresses in the 2002::300:300:300:0/112 subnet. Copy and paste the example into a YAML file:

    Note: The F5BigNatPolicy CR will be referenced by the F5BigContextSecure CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigNatPolicy
    metadata:
      name: "cnf-66-nat"
      namespace: "cnf-gateway"
    spec:
      sourceTranslation:
        - name: "nat66-dynamic"
          type: "dynamic-pat"
          addresses:
            - "2002::300:300:300:0/112"
          port: "8000-8050"
          icmpEcho: true
          proxyArp: true
          mapping:
            mode: "endpoint-independent-mapping"
            timeout: 300
          inbound:
            eifTimeout: 90
          routeAdvertisement: true
      rule:
        - name: dynamic-nat-66
          ipProtocol: tcp
          source:
            addresses:
              - "2002::100:100:100:0/112"
          destination:
            addresses:
              - "2002::200:200:200:0/112"
          sourceTranslation: "nat66-dynamic"
    
  5. Install the F5BigNatPolicy CR:

    kubectl apply -f nat-policy.yaml -n <namespace>
    

    In this example, the BIG-IP Controller logs indicate the F5BigNatPolicy CR was added/updated:

    I0202 12:00:00.12345   1 event.go:282 Event(v1.ObjectReference{Kind:"F5NatPolicy",
    NatPolicy cnf-gateway/cnf-nat-policy was added/updated
    
  6. The example F5BigContextSecure CR listens for connections destined to the 2002::200:200:200:0/112 subnet on the subscriber-vlan interface, and references the installed CRs. Copy and paste the CR into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
    metadata:
      name: "cnf-nat-context"
      namespace: "cnf-gateway"
    spec:
       ipv6destinationAddress: "2002::200:200:200:0/112"
       destinationPort: 0
       ipProtocol: "any"
       profile: "fastL4"
       natPolicy: "cnf-66-nat"
       logProfile: "cnf-log-profile"
       vlans:
         vlanList:
           - "subscriber-vlan"
    
  7. Install the F5BigContextSecure CR:

    kubectl apply -f f5-cnf-context-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext",
    SecureContext cnf-gateway/cnf-nat-context was added/updated
    
  8. Review the Additional CRs and NAT statistics sections.

Additional CRs

The F5BigNatPolicy can also be referenced by these CNFs CRs:

  • F5BigAlgFtp - File Transfer Protocol (FTP) application layer gateway services.
  • F5BigAlgTftp - Trivial File Transfer Protocol (TFTP) application layer gateway services.
  • F5BigAlgPptp - Point-to-Point Tunneling Protocol (PPTP) application layer gateway services.
  • F5BigAlgRtsp - Real Time Streaming Protocol (RTSP) application layer gateway services.

NAT statistics

If the TMM Debug Sidecar is enabled (default), use the steps below to verify NAT connection statistics.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    kubectl exec -it deploy/f5-tmm -c debug -n <namespace> -- bash
    
  2. Verify F5BigNatPolicy connection statistics:

    tmctl -d blade fw_nat_rule_stat
    
    context_type context_name                          rule_name
    --------- ---------------------------------------  --------------------------
    virtual   cnf-cnf-context-secure-SecureContext_vs  10-20-subnet-natpolicyrule
    
    micro_rules counter last_hit_time action
    ----------- ------- ------------- ------
              1       8    1643836695      0
    
    tmctl -d blade fw_nat_trans_stat -s type,name,translation_requests
    
    type         name        translation_requests
    ------------ ----------- --------------------
    fw_src_trans transparent                    0
    fw_dst_trans transparent                    8
    fw_src_trans automap                        0
    
  3. Verify the F5BigNatPolicy client IP address mappings:

    lsndb list all
    
    Client                                          Connections
    -----------------------------------------------------------
    0 client with 0 connection found.
    LSN Persistence Entries
    Client                                          Translation
    -----------------------------------------------------------
    10.20.2.220:52110                           10.200.2.8:8265
    10.20.2.220                                 10.200.2.8
    2 persist entries found.
    LSN port block allocations
    Client                                          Port block
    ----------------------------------------------------------
    0 port block entries found.
    LSN Inbound Mapping Entries
    Translation                                         Client
    ----------------------------------------------------------
    10.200.2.8:8265                          10.20.2.220:52110
    10.200.2.7:8397                          10.20.2.220:52106
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.