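# cloudgw: NAT and forwarding rules for the cloud gateway.
#
# Traffic from the virtual network (172.16.0.0/21) is SNATed to a public
# routing source address unless it is destined to a DMZ host, in which case it
# keeps its original source. Forwarding is restricted to packets that enter
# through the cloudgw VRF and leave on the virtual or WAN interface.

# Public address used as the SNAT source for traffic leaving the virtual
# network that is not destined to a DMZ entry.
define routing_source_ip = 185.15.56.1

# Address range of the virtual network behind this gateway. The same prefix is
# repeated literally as the first half of every dmz_cidr_set element below, so
# a change here must be mirrored in the set.
define virtual_subnet_cidr = 172.16.0.0/21

# Physical / VLAN interfaces. nic_host is defined but not referenced by any
# rule in this file.
define nic_host = "ens2f0np0"
define nic_virt = "ens2f1np1.1107"
define nic_wan = "ens2f1np1.1120"

# VRF device that carries the forwarded traffic. Kept as a define so it is
# maintained alongside the interface names instead of as a literal in a rule.
define vrf_cloudgw = "vrf-cloudgw"

table inet cloudgw {
    # (source prefix . destination) pairs whose traffic is NOT source-NATed.
    # First half of every element is the virtual subnet; the second half is a
    # DMZ address or range. 'flags interval' allows prefixes in both halves.
    set dmz_cidr_set {
        type ipv4_addr . ipv4_addr
        flags interval
        counter
        elements = {
            172.16.0.0/21 . 208.80.154.224,
            172.16.0.0/21 . 208.80.154.240,
            172.16.0.0/21 . 208.80.153.224,
            172.16.0.0/21 . 208.80.153.240,
            172.16.0.0/21 . 198.35.26.96,
            172.16.0.0/21 . 198.35.26.112,
            172.16.0.0/21 . 103.102.166.224,
            172.16.0.0/21 . 103.102.166.240,
            172.16.0.0/21 . 91.198.174.192,
            172.16.0.0/21 . 91.198.174.208,
            172.16.0.0/21 . 208.80.154.24,
            172.16.0.0/21 . 208.80.154.143,
            172.16.0.0/21 . 208.80.153.118,
            172.16.0.0/21 . 208.80.153.78,
            172.16.0.0/21 . 208.80.153.107,
            172.16.0.0/21 . 208.80.154.137,
            172.16.0.0/21 . 208.80.154.30,
            172.16.0.0/21 . 208.80.153.42,
            172.16.0.0/21 . 208.80.154.15,
            172.16.0.0/21 . 208.80.154.23,
            172.16.0.0/21 . 208.80.154.132,
            172.16.0.0/21 . 208.80.154.85,
            172.16.0.0/21 . 208.80.153.59,
            172.16.0.0/21 . 208.80.153.75,
            172.16.0.0/21 . 208.80.153.116,
            172.16.0.0/21 . 208.80.153.15,
            172.16.0.0/21 . 208.80.154.252,
            172.16.0.0/21 . 208.80.153.252,
            172.16.0.0/21 . 208.80.155.119,
            172.16.0.0/21 . 208.80.155.126,
            172.16.0.0/21 . 208.80.155.125,
            # Private (RFC 1918) destinations; /32 is explicit here, equivalent
            # to a bare address.
            172.16.0.0/21 . 10.64.37.18/32,
            172.16.0.0/21 . 10.64.37.28/32,
            172.16.0.0/21 . 10.64.37.27/32,
            172.16.0.0/21 . 10.64.37.13/32,
            172.16.0.0/21 . 10.64.4.15/32,
        }
    }

    # Intentionally empty. NOTE(review): presumably kept so the NAT engine is
    # also registered on the prerouting hook (reverse translation of replies
    # to SNATed flows) -- confirm before removing.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Virtual-network traffic to a DMZ destination keeps its source
        # address. Order matters: this must stay above the catch-all SNAT.
        ip saddr . ip daddr @dmz_cidr_set counter accept comment "dmz_cidr"

        # Everything else leaving the virtual network is SNATed to the public
        # routing source address.
        ip saddr $virtual_subnet_cidr counter snat ip to $routing_source_ip comment "routing_source_ip"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Only forward packets that enter through the VRF and leave on the
        # virtual or WAN interface. There is no 'ct state' match, so new flows
        # are accepted in whichever direction satisfies the iif/oif pair;
        # NOTE(review): confirm that unsolicited WAN -> virtual forwarding is
        # intended (e.g. covered by host firewalls) rather than an oversight.
        iifname $vrf_cloudgw oifname { $nic_virt, $nic_wan } counter accept

        # Anything reaching this point is dropped by the chain policy; the
        # counter makes the drop volume visible in 'nft list chain'.
        counter comment "counter dropped packets"
    }
}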