* Static bidirectional static NAT for duplicate IP devices using iptables

From: Alon Bar-Lev @ 2025-02-14 23:57 UTC
To: netfilter

Hello,

I am sure this was addressed before; I tried to find relevant
information but could not. I appreciate any assistance.

Constraints

* Two devices with the same IP; this cannot be changed.
* Devices do not have a default router; they must communicate with
  applications on the same IP network.
* Host applications should access the two devices using UDP and TCP
  based protocols.

Network Solution

* To avoid address conflict, each device resides on a different VLAN.

APPLICATION -->
Kernel -->
  * v10@eth0 - interface on VLAN=10
  * v11@eth0 - interface on VLAN=11
Switch -->
  * Port1 VLAN=10
    * DEVICE1 [10.0.0.10]
  * Port2 VLAN=11
    * DEVICE2 [10.0.0.10]

Diagram [In fixed width font]:
---
,-----------+--------.       ,----------+-+--------.
|           |v10@eth0|.......|          |1|VLAN=10 |---DEVICE1 [10.0.0.10]
|APPLICATION|    eth0|-------|  Switch  +-+--------+
|           |v11@eth0|.......|          |2|VLAN=11 |---DEVICE2 [10.0.0.10]
`-----------+--------'       `----------+-+--------'
---

I would like to have a bidirectional static NAT so that from the
application's point of view:
* DEVICE1 will be 192.168.110.10
* DEVICE2 will be 192.168.111.10
And from the devices' point of view:
* APPLICATION will be 10.0.0.11

I thought of having v10@eth0 address 192.168.110.1 and v11@eth0
address 192.168.111.0; however, I am unsure how to set up the
bidirectional translation to the device virtual address using SNAT
without creating duplicate addresses.

Any assistance will be appreciated.

Regards,
Alon Bar-Lev
* Re: Static bidirectional static NAT for duplicate IP devices using iptables

From: Alon Bar-Lev @ 2025-02-15 4:09 UTC
To: netfilter

On Sat, Feb 15, 2025 at 1:57 AM Alon Bar-Lev <alon.barlev@gmail.com> wrote:
>
> Hello,
>
> I am sure this was addressed before, I tried to find relevant
> information but could not. I appreciate any assistance.
>
> Constraints
>
> * Two devices with the same IP, this cannot be changed.
> * Devices do not have a default router, they must communicate with
> applications on the same IP network.
> * Host applications should access the two devices using UDP and TCP
> based protocols.
>
> Network Solution
>
> * To avoid address conflict, each device resides on a different VLAN.
>
> APPLICATION -->
> Kernel -->
> * v10@eth0 - interface on VLAN=10
> * v11@eth0 - interface on VLAN=11
>
> Switch -->
> * Port1 VLAN=10
> * DEVICE1 [10.0.0.10]
> * Port2 VLAN=11
> * DEVICE2 [10.0.0.10]
>
> Diagram [In fixed width font]:
> ---
> ,-----------+--------.       ,----------+-+--------.
> |           |v10@eth0|.......|          |1|VLAN=10 |---DEVICE1 [10.0.0.10]
> |APPLICATION|    eth0|-------|  Switch  +-+--------+
> |           |v11@eth0|.......|          |2|VLAN=11 |---DEVICE2 [10.0.0.10]
> `-----------+--------'       `----------+-+--------'
> ---
>
> I would like to have a bidirectional static NAT so that per
> application point of view:
> * DEVICE1 will be 192.168.110.10
> * DEVICE2 will be 192.168.111.10
> And per device point of view:
> * APPLICATION will be 10.0.0.11
>
> I thought of having v10@eth0 address 192.168.110.1 and v11@eth0
> address 192.168.111.0, however, I am unsure how to set up the
> bidirectional translation to the device virtual address using SNAT
> without creating duplicate addresses.
>
> Any assistance will be appreciated.
>
> Regards,
> Alon Bar-Lev

Hi,

I made some progress using nftables, which is nicer and simpler than
iptables for this mission.

However, I am unable to figure out how to rewrite the ARP
request/reply; there are no good examples of how to use ARP rewrite.
I need to rewrite the ARP request to be the same as the translation.

This is the configuration I reached so far; v10 is the interface of
VLAN 10 and v11 is the interface of VLAN 11.

v10:
  Host:   10.0.0.11 <=> 192.168.110.11
  Device: 10.0.0.10 <=> 192.168.110.10
v11:
  Host:   10.0.0.11 <=> 192.168.111.11
  Device: 10.0.0.10 <=> 192.168.111.10

table ip mytable {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        iifname "v10" ip daddr 10.0.0.11 ip daddr set 192.168.110.11
        iifname "v11" ip daddr 10.0.0.11 ip daddr set 192.168.111.11
        iifname "v10" ip saddr 10.0.0.10 ip saddr set 192.168.110.10
        iifname "v11" ip saddr 10.0.0.10 ip saddr set 192.168.111.10
    }
    chain output {
        type filter hook output priority -300; policy accept;
        ip saddr 192.168.110.11 ip saddr set 10.0.0.11
        ip saddr 192.168.111.11 ip saddr set 10.0.0.11
        ip daddr 192.168.110.10 ip daddr set 10.0.0.10
        ip daddr 192.168.111.10 ip daddr set 10.0.0.10
    }
}

Now I just need to figure out how to manage the ARP.

Regards,
Alon
* Re: Static bidirectional static NAT for duplicate IP devices using iptables

From: Alon Bar-Lev @ 2025-02-15 19:05 UTC
To: netfilter

On Sat, Feb 15, 2025 at 6:09 AM Alon Bar-Lev <alon.barlev@gmail.com> wrote:
>
> On Sat, Feb 15, 2025 at 1:57 AM Alon Bar-Lev <alon.barlev@gmail.com> wrote:
> >

Summary: I am trying to access two devices with the same IP address
connected locally to a Linux computer; each resides in its own VLAN.

I made some more progress: I use arptables to mangle the ARP request
of the host side, but I am still missing the ARP response to the
device.

nftables:
---
table ip gnat {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        iifname "v10" ip daddr 10.0.0.11 ip daddr set 192.168.110.11
        iifname "v11" ip daddr 10.0.0.11 ip daddr set 192.168.111.11
        iifname "v10" ip saddr 10.0.0.10 ip saddr set 192.168.110.10
        iifname "v11" ip saddr 10.0.0.10 ip saddr set 192.168.111.10
    }
    chain output {
        type filter hook output priority -300; policy accept;
        oifname "v10" ip saddr 192.168.110.11 ip saddr set 10.0.0.11
        oifname "v11" ip saddr 192.168.111.11 ip saddr set 10.0.0.11
        oifname "v10" ip daddr 192.168.110.10 ip daddr set 10.0.0.10
        oifname "v11" ip daddr 192.168.111.10 ip daddr set 10.0.0.10
    }
}
---

arptables:
---
arptables --new IN
arptables --new OUT
# IN and OUT are user-defined chains; they are only evaluated when the
# built-in INPUT and OUTPUT chains jump to them.
arptables -A INPUT -j IN
arptables -A OUTPUT -j OUT
arptables -A IN --in-interface v10 -d 192.168.110.10 -j DROP
arptables -A IN --in-interface v11 -d 192.168.111.10 -j DROP
arptables -A OUT --out-interface v10 -s 192.168.110.10 -j mangle --mangle-ip-d 10.0.0.10
arptables -A OUT --out-interface v11 -s 192.168.111.10 -j mangle --mangle-ip-d 10.0.0.10
---

As far as I could understand, although arptables uses the backward
compatibility layer of nftables, the mangle functionality is missing
from nftables, so I must still use arptables.

Any hint on how I can use arptables, or anything else, to respond to
the device ARP for 10.0.0.1 with the MAC address of the 192.168.110.10
or 192.168.110.11 interfaces? This is the last bit which is missing.

I tried all combinations I could find of the arptables mangle; nothing
seems to respond to ARP requests from the outside world.

Regards,
Alon
* Re: Static bidirectional static NAT for duplicate IP devices using iptables

From: Adam Nielsen @ 2025-02-16 2:40 UTC
To: Alon Bar-Lev; +Cc: netfilter

> Summary: I am trying to access two devices with the same IP address
> connected locally to a Linux computer, each resides in its own VLAN.
>
> I made yet another progress, I use arptables to mangle the ARP request
> of the host side, but I am still missing ARP response to the device.

Isn't arptables the wrong approach here?  If you're using NAT then by
definition you're mapping IPs to the target subnet, so then there
should be no need to mess with ARP as the packets leaving the machine
are already on the right IP for the subnet?

I am by no means an expert but I would've thought that all you're
trying to do is to convert a 192.x address into the same target IP, and
just control which interface the packet goes out on based on whatever
the original IP address was.

Is ARP mangling needed at all for this?

Cheers,
Adam.
* Re: Static bidirectional static NAT for duplicate IP devices using iptables

From: Alon Bar-Lev @ 2025-02-16 9:28 UTC
To: Adam Nielsen; +Cc: netfilter

On Sun, Feb 16, 2025 at 4:40 AM Adam Nielsen <a.nielsen@shikadi.net> wrote:
>
> > Summary: I am trying to access two devices with the same IP address
> > connected locally to a Linux computer, each resides in its own VLAN.
> >
> > I made yet another progress, I use arptables to mangle the ARP request
> > of the host side, but I am still missing ARP response to the device.
>
> Isn't arptables the wrong approach here?  If you're using NAT then by
> definition you're mapping IPs to the target subnet, so then there
> should be no need to mess with ARP as the packets leaving the machine
> are already on the right IP for the subnet?
>
> I am by no means an expert but I would've thought that all you're
> trying to do is to convert a 192.x address into the same target IP, and
> just control which interface the packet goes out on based on whatever
> the original IP address was.
>
> Is ARP mangling needed at all for this?

Hello Adam,

What I am looking for is a static NAT to have 1:1 replacement of
addresses from one subnet to another subnet.
For example, having 192.168.0.X <-> 10.0.0.X in both directions, so
that 192.168.0.1 == 10.0.0.1, 192.168.0.2 == 10.0.0.2 and so on.
The NAT is in reverse, so that it does not NAT incoming but outgoing
communications.
And to make it more difficult, two interfaces share the same
destination address, so we need to assign them different virtual
addresses.
In my example I proposed two conversions: 192.168.110.X <-> 10.0.0.X
and 192.168.168.111 <-> 10.0.0.X.
The 10.0.0.X is the device network, which cannot be modified.

Do you know of a NAT configuration that can digest this?
For now the only solution I could come up with is filter hooks + arptables.

Thanks,
Alon
* Re: Static bidirectional static NAT for duplicate IP devices using iptables

From: Adam Nielsen @ 2025-02-16 10:12 UTC
To: Alon Bar-Lev; +Cc: netfilter

> > I am by no means an expert but I would've thought that all you're
> > trying to do is to convert a 192.x address into the same target IP, and
> > just control which interface the packet goes out on based on whatever
> > the original IP address was.
> >
> > Is ARP mangling needed at all for this?
>
> Hello Adam,
>
> What I am looking for is a static NAT to have 1:1 replacement of
> addresses from one subnet to another subnet.
> For example having 192.168.0.X <-> 10.0.0.X in both directions, so
> that 192.168.0.1 == 10.0.0.1, 192.168.0.2 == 10.0.0.2 and so on.
> The NAT is in reverse so that it does not NAT incoming but outgoing
> communications.
> And to make it more difficult, two interfaces share the same
> destination address, so that we need to assign them with different
> virtual addresses.
> In my example I proposed two conversions: 192.168.110.X <-> 10.0.0.X
> and 192.168.168.111 <-> 10.0.0.X.
> The 10.0.0.X is the device network which cannot be modified.
>
> Do you know of a NAT configuration that can digest this?
> For now the only solution I could come up with is filter hooks + arptables.

ARP deals with mapping a MAC address to an IP address.  I don't think
you need to operate at this low level, and I think messing with ARP is
going to complicate what you're trying to do.

Think of a normal NAT gateway.  You connect to a remote host, but you
send that packet to the gateway.  The gateway changes the source IP
address and then forwards on the packet.  This way altering ARP is not
necessary, because a real IP belonging to the machine is used for
outgoing traffic.  The normal ARP process handles it all as usual.

If you do the same in your situation, then your 10.0.0.10 device will
need to see traffic coming from 10.0.0.X (whatever IPs you assign
v10@eth0 and v11@eth0).  Because these IPs are in the same subnet, you
don't need to deal with ARP issues or routing the reverse traffic as
you would if you kept the 192.168.x source IP.

Then all you have to do is configure your machine so that any traffic
destined for 192.168.110.10 and .111.10 gets the target IP changed to
10.0.0.2 and gets sent out the right interface, and when packets come
back from 10.0.0.2 the reverse IP translation happens as well.

This might be tricky since both interfaces will be in the same subnet,
but since the packet leaving the machine will already be in the same
subnet as the destination IP, you won't need to deal with ARP at all as
it will be handled automatically.

I think you probably need both SNAT and DNAT rules to make this work.
The SNAT rule would take care of ensuring outgoing packets have a
source address of 10.0.0.X, while the DNAT rule would map the 192.x
target address to 10.0.0.2.

I would try to use two different IPs for the VLAN interfaces, e.g.
10.0.0.10 and 10.0.0.11, just to make things a bit simpler.  If you use
the same IP you may then run into ARP issues, unless both VLAN
interfaces have the same MAC address.

Cheers,
Adam.
* Re: Static bidirectional static NAT for duplicate IP devices using iptables

From: Alon Bar-Lev @ 2025-02-16 10:20 UTC
To: Adam Nielsen; +Cc: netfilter

On Sun, Feb 16, 2025 at 12:12 PM Adam Nielsen <a.nielsen@shikadi.net> wrote:
>
> > > I am by no means an expert but I would've thought that all you're
> > > trying to do is to convert a 192.x address into the same target IP, and
> > > just control which interface the packet goes out on based on whatever
> > > the original IP address was.
> > >
> > > Is ARP mangling needed at all for this?
> >
> > Hello Adam,
> >
> > What I am looking for is a static NAT to have 1:1 replacement of
> > addresses from one subnet to another subnet.
> > For example having 192.168.0.X <-> 10.0.0.X in both directions, so
> > that 192.168.0.1 == 10.0.0.1, 192.168.0.2 == 10.0.0.2 and so on.
> > The NAT is in reverse so that it does not NAT incoming but outgoing
> > communications.
> > And to make it more difficult, two interfaces share the same
> > destination address, so that we need to assign them with different
> > virtual addresses.
> > In my example I proposed two conversions: 192.168.110.X <-> 10.0.0.X
> > and 192.168.168.111 <-> 10.0.0.X.
> > The 10.0.0.X is the device network which cannot be modified.
> >
> > Do you know of a NAT configuration that can digest this?
> > For now the only solution I could come up with is filter hooks + arptables.
>
> ARP deals with mapping a MAC address to an IP address.  I don't think
> you need to operate at this low level, and I think messing with ARP is
> going to complicate what you're trying to do.

I used the ARP because in my setup I use hook modification of the IP
addresses, and this does not include the ARP. It is working reliably
if I reply to the ARP request of the device.

I am open to a NAT solution; however, I do not understand how to make
it work for this use case.

> Think of a normal NAT gateway.  You connect to a remote host, but you
> send that packet to the gateway.  The gateway changes the source IP
> address and then forwards on the packet.  This way altering ARP is not
> necessary, because a real IP belonging to the machine is used for
> outgoing traffic.  The normal ARP process handles it all as usual.

I am unsure how you use NAT to perform the entire network
transformation of 192.168.0.X <-> 10.0.0.X.

> If you do the same in your situation, then your 10.0.0.10 device will
> need to see traffic coming from 10.0.0.X (whatever IPs you assign
> v10@eth0 and v11@eth0).  Because these IPs are in the same subnet, you
> don't need to deal with ARP issues or routing the reverse traffic as
> you would if you kept the 192.168.x source IP.

I cannot do this; the packets should be outgoing to the device in the
10.0.0.X address.
Hence I need a full transformation of addresses of both source and
destination addresses.

> Then all you have to do is configure your machine so that any traffic
> destined for 192.168.110.10 and .111.10 gets the target IP changed to
> 10.0.0.2 and gets sent out the right interface, and when packets come
> back from 10.0.0.2 the reverse IP translation happens as well.

I will be happy to test a specific configuration if you have one; I do
not understand how to perform the reverse NAT, as my interface is
NATing the use of the network and not in the usual direction.

> This might be tricky since both interfaces will be in the same subnet,
> but since the packet leaving the machine will already be in the same
> subnet as the destination IP, you won't need to deal with ARP at all as
> it will be handled automatically.
>
> I think you probably need both SNAT and DNAT rules to make this work.
> The SNAT rule would take care of ensuring outgoing packets have a
> source address of 10.0.0.X, while the DNAT rule would map the 192.x
> target address to 10.0.0.2.

This is not the configuration I am looking for... I am looking for a
configuration of full network static NAT 192.168.0.X <-> 10.0.0.X
[x=1->254].

> I would try to use two different IPs for the VLAN interfaces, e.g.
> 10.0.0.10 and 10.0.0.11, just to make things a bit simpler.  If you use
> the same IP you may then run into ARP issues, unless both VLAN
> interfaces have the same MAC address.

There is no issue of ARP in this case, as each interface resides in a
different VLAN.

Thank you for your assistance!
Alon Bar-Lev.
* Re: Static bidirectional static NAT for duplicate IP devices using iptables

From: Slavko @ 2025-02-16 10:40 UTC
To: netfilter

Hi,

On Sun, 16 Feb 2025 12:20:51 +0200 Alon Bar-Lev <alon.barlev@gmail.com> wrote:

> I am unsure how you use NAT to perform the entire network
> transformation of 192.168.0.X <-> 10.0.0.X.

I never used it, but what about this, to map IPs from 10.141.11.0/24
to 192.168.2.0/24:

snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 }

regards

--
Slavko
https://www.slavino.sk
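The `ip prefix to ... map { A/len : B/len }` form Slavko quotes is nftables' netmap: only the network bits of the address are replaced, the host bits are carried over, which is exactly the whole-subnet 1:1 translation Alon asks for. The following POSIX shell snippet is an added illustration by the editor, not code from the thread or from nftables; it reproduces that arithmetic in userspace for the thread's own addresses (`v10` and `v11`, `10.0.0.0/24`, `192.168.110.0/24`, `192.168.111.0/24`) so the mapping can be checked by hand before writing a rule.

```shell
#!/bin/sh
# Added example: the address arithmetic behind nftables' "prefix" (netmap)
# snat/dnat. Not from the thread; the interface names and prefixes are the
# ones used in the thread.

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap ADDR FROM_PREFIX TO_PREFIX
#   keep ADDR's host bits, swap its network bits for those of TO_PREFIX.
# Returns 1 (prints nothing) when ADDR is outside FROM_PREFIX, which is
# the case where the nft rule would simply not match the packet.
netmap() {
    addr=$(ip2int "$1")
    from=$(ip2int "${2%/*}")
    len=${2#*/}
    to=$(ip2int "${3%/*}")
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( from & mask )) ] || return 1
    int2ip $(( (to & mask) | (addr & ~mask & 0xFFFFFFFF) ))
}

# The two per-VLAN maps from the thread: what the application sees for a
# device address that arrived on a given VLAN interface.
app_view() {
    case $1 in
        v10) netmap "$2" 10.0.0.0/24 192.168.110.0/24 ;;
        v11) netmap "$2" 10.0.0.0/24 192.168.111.0/24 ;;
        *)   return 1 ;;
    esac
}

# Walk the thread's addresses through both maps and back again.
for a in 10.0.0.10 10.0.0.11; do
    for ifc in v10 v11; do
        virt=$(app_view "$ifc" "$a")
        back=$(netmap "$virt" "${virt%.*}.0/24" 10.0.0.0/24)
        printf '%-4s %-10s -> %-16s -> %s\n' "$ifc" "$a" "$virt" "$back"
    done
done
```

Because the rule keeps the host bits, the same map covers every address in the /24 at once; `app_view` shows why the thread needs two maps rather than one: the interface, not the address, decides which virtual subnet a packet belongs to.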
* Re: Static bidirectional static NAT for duplicate IP devices using iptables

From: Adam Nielsen @ 2025-02-16 11:17 UTC
To: Alon Bar-Lev; +Cc: netfilter

> > Think of a normal NAT gateway.  You connect to a remote host, but you
> > send that packet to the gateway.  The gateway changes the source IP
> > address and then forwards on the packet.  This way altering ARP is not
> > necessary, because a real IP belonging to the machine is used for
> > outgoing traffic.  The normal ARP process handles it all as usual.
>
> I am unsure how you use NAT to perform the entire network
> transformation of 192.168.0.X <-> 10.0.0.X.

It is partly NAT and partly routing:

        Client                    Client
  ping 192.168.110.10       ping 192.168.111.10
          |                         |
          +------------+------------+
                       |
                    Router:
  For 192.168.110.10:       For 192.168.111.10:
       v10@eth0                  v11@eth0
       10.0.0.10                 10.0.0.11
          |                         |
       Device 1                  Device 2
       10.0.0.2                  10.0.0.2
 (ping from 10.0.0.10)     (ping from 10.0.0.11)

> > If you do the same in your situation, then your 10.0.0.10 device will
> > need to see traffic coming from 10.0.0.X (whatever IPs you assign
> > v10@eth0 and v11@eth0).  Because these IPs are in the same subnet, you
> > don't need to deal with ARP issues or routing the reverse traffic as
> > you would if you kept the 192.168.x source IP.
>
> I cannot do this, the packets should be outgoing to the device in the
> 10.0.0.X address.
> Hence I need a full transformation of addresses of both source and
> destination addresses.

Yes, this is what I have explained.

> > Then all you have to do is configure your machine so that any traffic
> > destined for 192.168.110.10 and .111.10 gets the target IP changed to
> > 10.0.0.2 and gets sent out the right interface, and when packets come
> > back from 10.0.0.2 the reverse IP translation happens as well.
>
> I will be happy to test a specific configuration if you have, I do not
> understand how to
> perform the reverse NAT as my interface is NATing the use of the
> network and not in
> the usual direction.

My solution is to use NAT in both directions.  I am thinking these are
the steps:

1. Outgoing packets to 192.168.110.10 must go to v10@eth0 and have the
   destination changed to 10.0.0.2.  The source IP must be 10.0.0.10.

2. Incoming packets from 10.0.0.2 on v10@eth0 must have their source IP
   changed to 192.168.110.10.  The destination IP should be whatever
   the original IP was.

3. Same again for v11@eth0 and 192.168.111.10.

I think you should be able to use DNAT rules to change the destination
IP, and SNAT rules to change the source IP.  The only trick would be
getting packets for 192.168.110.10 sent to v10@eth0 (which has the IP
10.0.0.10/24).  I am not sure whether adding a route would be enough,
or whether you would have to add an IP like 192.168.110.99/24 to that
interface to have the routing happen as intended.

> > I think you probably need both SNAT and DNAT rules to make this work.
> > The SNAT rule would take care of ensuring outgoing packets have a
> > source address of 10.0.0.X, while the DNAT rule would map the 192.x
> > target address to 10.0.0.2.
>
> This is not the configuration I look for... I look for a configuration
> of full network
> static NAT 192.168.0.X <-> 10.0.0.X [x=1->254].

So far you have only described a single device 10.0.0.2.  Your original
question did not mention that you have 254 devices on the subnet!

> > I would try to use two different IPs for the VLAN interfaces, e.g.
> > 10.0.0.10 and 10.0.0.11, just to make things a bit simpler.  If you use
> > the same IP you may then run into ARP issues, unless both VLAN
> > interfaces have the same MAC address.
>
> There is no issue of ARP in this case as each interface resides in a
> different VLAN.

The problem I describe is that if v10@eth0 and v11@eth0 have different
MAC addresses, but the same IP address, the Linux kernel may respond to
the ARP request with the MAC address of the wrong interface, since two
different interfaces with the same IP is not a normal situation.

Think of it like this: You have MAC address A for 10.0.0.5 (v10@eth0)
and MAC address B also for 10.0.0.5 (v11@eth0).  An ARP request comes
in asking what the MAC address is for 10.0.0.5.  Do you reply A or B?
The answer is different depending on which interface the request came
in on, and I am not sure whether the kernel cares about this.  In the
past it did not, because you are supposed to have a different IP
address for every network interface.

Cheers,
Adam.
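Adam's three steps (DNAT on the way out, SNAT on the way in, and getting the packet onto the right VLAN interface) and Slavko's `prefix` map can be combined into one setup that uses the kernel's NAT hooks instead of the raw `ip daddr set` filter hooks from Alon's earlier messages. The script below is an added example written by the editor; it is not a configuration anyone posted in the thread and has not been tested on the poster's hardware. It assumes nftables 0.9.4 or newer on a kernel 5.6 or newer (the versions that introduced `ip prefix to`), VLAN interfaces `v10` and `v11` that already exist and are up, the host address `10.0.0.11` on both VLANs as Alon wanted, and the virtual subnets `192.168.110.0/24` and `192.168.111.0/24` from the thread. Three points that the thread circled around are handled explicitly: conntrack zones keep the two devices' identical 5-tuples apart, a connection mark selects the per-VLAN routing table when NAT re-routes a packet after rewriting its destination, and no ARP rewriting is needed because the host genuinely owns `10.0.0.11` on each VLAN and asks for `10.0.0.10` with its own address.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): 1:1 NAT between
# 192.168.110.0/24 <-> 10.0.0.0/24 over v10 and 192.168.111.0/24 <-> 10.0.0.0/24
# over v11, using nat hooks, conntrack zones and policy routing.
# Assumptions: nftables >= 0.9.4, kernel >= 5.6, v10/v11 exist and are up.
set -eu

# Print the ruleset (kept in a function so it can be shown or checked
# without touching the running system).
emit_ruleset() {
cat <<'EOF'
table ip vlan_nat {
    # Both devices are 10.0.0.10, so without zones a flow from DEVICE1 and a
    # flow from DEVICE2 with the same ports would share one conntrack entry.
    # Zones are chosen before conntrack runs (priority raw = -300).
    chain zone_in {
        type filter hook prerouting priority raw; policy accept;
        iifname "v10" ct zone set 110
        iifname "v11" ct zone set 111
    }
    chain zone_out {
        type filter hook output priority raw; policy accept;
        ip daddr 192.168.110.0/24 ct zone set 110
        ip daddr 192.168.111.0/24 ct zone set 111
    }
    # After conntrack (-200) but before dstnat (-100): give every locally
    # generated packet of a known flow its VLAN mark back, so the re-route
    # that nf_nat performs when it rewrites the destination uses the right
    # table (the NAT chains themselves only see a flow's first packet).
    chain restore_mark {
        type filter hook output priority mangle; policy accept;
        ct mark != 0 meta mark set ct mark
    }
    # Host-originated traffic: 192.168.110.x -> 10.0.0.x, host bits kept.
    chain dnat_out {
        type nat hook output priority dstnat; policy accept;
        ip daddr 192.168.110.0/24 ct mark set 110 meta mark set 110 dnat ip prefix to ip daddr map { 192.168.110.0/24 : 10.0.0.0/24 }
        ip daddr 192.168.111.0/24 ct mark set 111 meta mark set 111 dnat ip prefix to ip daddr map { 192.168.111.0/24 : 10.0.0.0/24 }
    }
    # Device-originated traffic: the application sees DEVICE1 as
    # 192.168.110.10 and DEVICE2 as 192.168.111.10; conntrack undoes the
    # translation on the replies.
    chain snat_in {
        type nat hook input priority srcnat; policy accept;
        iifname "v10" ct mark set 110 snat ip prefix to ip saddr map { 10.0.0.0/24 : 192.168.110.0/24 }
        iifname "v11" ct mark set 111 snat ip prefix to ip saddr map { 10.0.0.0/24 : 192.168.111.0/24 }
    }
}
EOF
}

# Apply addresses, routes and the ruleset (needs root).
apply() {
    # The host is 10.0.0.11 on both VLANs; the VLAN tags keep the two copies
    # of 10.0.0.0/24 apart, so the duplicate address only exists on this host.
    ip addr add 10.0.0.11/24 dev v10
    ip addr add 10.0.0.11/24 dev v11
    # connect() to a virtual address needs some route up front; the final
    # interface choice is made by the marked re-route after DNAT.
    ip route add 192.168.110.0/24 dev v10
    ip route add 192.168.111.0/24 dev v11
    # Per-VLAN tables selected by the mark restored in restore_mark.
    ip route add 10.0.0.0/24 dev v10 table 110
    ip route add 10.0.0.0/24 dev v11 table 111
    ip rule add fwmark 110 lookup 110
    ip rule add fwmark 111 lookup 111
    # 10.0.0.10 is reachable on two interfaces; strict reverse-path filtering
    # would drop one side. Effective value is max(all, interface), so "all"
    # must not be 1 either.
    sysctl -w net.ipv4.conf.v10.rp_filter=2 net.ipv4.conf.v11.rp_filter=2
    emit_ruleset | nft -f -
}

# Parse-check the ruleset without loading it; skipped when nft is absent.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        emit_ruleset | nft -c -f -
    else
        echo "nft not found, syntax check skipped" >&2
    fi
}

case "${1:-print}" in
    print) emit_ruleset ;;
    check) check_ruleset ;;
    apply) apply ;;
    *) echo "usage: $0 [print|check|apply]" >&2; exit 2 ;;
esac
```

Run it as `./vlan-nat.sh check` first to let `nft -c` parse the ruleset, then `apply` once. Conntrack keys flows on addresses and ports only, not on the ingress interface, which is why the zones are set by interface for inbound packets and by virtual subnet for outbound ones; the two must agree, since a reply to a device-originated flow leaves with the device's virtual address as destination and lands in the same zone its request created.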