1-to-1 NAT using secondary IP address

I’m looking to create a 1-to-1 NAT using a secondary ZeroTier interface IP. Is this possible?

My thought is to assign two IP addresses to a member. The primary IP would be for the Linux PC with the ZeroTier client. The secondary IP would NAT to a device (like an IP camera) on the local network.

I made a diagram to help explain what I’m trying to accomplish. Thanks!

I have tried a few things with iptables, but I can’t seem to get it working.

This is my starting point.

sudo iptables -t nat -A PREROUTING -d 172.30.0.3 -j DNAT --to-destination 192.168.0.50
sudo iptables -t nat -A POSTROUTING -j MASQUERADE

We have a similar setup here: https://zerotier.atlassian.net/wiki/spaces/SD/pages/224395274/Route+between+ZeroTier+and+Physical+Networks

I’m not sure of the need for a second IP address.

You can add a managed route like 192.168.0.50/32 via 172.30.0.2 or 3 if you don’t want to route to the whole subnet.

Or did you want to access the camera as “172.30.0.3”?

Thanks for the reply. I’m looking to access the camera as 172.30.0.3.

In my specific case I have a bunch of edge networks that all have the same 192.168.0.x subnet. Each edge subnet has just a few devices. I’m thinking I could just use secondary ZeroTier IP addresses and NAT the ZeroTier IP to each edge device. I could then access whatever edge device I want using a 172.30.x.x address. I could have a complete overlay network and not have to worry about the edge network subnets overlapping or being duplicated.

Thanks!

I got it working. I think there was an issue with forwarding not working until I updated the setting in “/etc/sysctl.conf” and rebooted. Overall, it’s pretty easy.

Here’s the solution:

- Edit /etc/sysctl.conf and set “net.ipv4.ip_forward=1”.

- Reboot

- sudo iptables -t nat -I PREROUTING -s 172.30.0.0/16 -d 172.30.0.3 -j DNAT --to-destination 192.168.0.50

- sudo iptables -t nat -I POSTROUTING -o eno1 -s 192.168.0.50/32 -j SNAT --to-source 172.30.0.3

This works too…

sudo iptables -t nat -I PREROUTING -s 172.30.0.0/16 -d 172.30.0.3 -j DNAT --to-destination 192.168.0.50
sudo iptables -t nat -A POSTROUTING -j MASQUERADE -o eno1
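
The rules in this thread map one device and leave the FORWARD chain open, so with forwarding enabled the gateway will route overlay traffic to any LAN host that a managed route points at. The script below is an added example, not code from the thread or from ZeroTier: it extends the same DNAT approach to several edge devices and prints rules that only forward traffic to the mapped devices. The interface name `ztexample0` and the second mapping are assumptions, and the FORWARD chain is assumed to hold no earlier rules.

```shell
#!/bin/sh
# Added example, not from the thread: print (never apply) the rules for several
# 1-to-1 mappings and restrict forwarding to the mapped devices only.
ZT_NET="172.30.0.0/16"  # ZeroTier range used in the thread
LAN_IF="eno1"           # LAN-facing interface used in the thread
ZT_IF="ztexample0"      # assumption: placeholder, check `ip link` for the real name

# Constructed sample mappings: "<secondary ZeroTier IP> <LAN device IP>"
MAPPINGS="172.30.0.3 192.168.0.50
172.30.0.4 192.168.0.51"

is_ipv4() {
    # Dotted quad with every octet in 0..255
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

gen_rules() {
    # $1: newline-separated mappings. Prints all commands, or none on bad input.
    # Enable routing now, then allow replies to connections already accepted.
    rules="sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r zt_ip dev_ip; do
        [ -n "$zt_ip" ] || continue
        if ! is_ipv4 "$zt_ip" || ! is_ipv4 "$dev_ip"; then
            echo "bad mapping: $zt_ip $dev_ip" >&2
            return 1
        fi
        # DNAT the secondary ZeroTier address to the device. FORWARD sees the
        # post-DNAT destination, so the ACCEPT names the device address.
        rules="$rules
iptables -t nat -A PREROUTING -i $ZT_IF -s $ZT_NET -d $zt_ip -j DNAT --to-destination $dev_ip
iptables -A FORWARD -i $ZT_IF -o $LAN_IF -s $ZT_NET -d $dev_ip -j ACCEPT"
    done <<EOF
$1
EOF
    # Drop any other forwarded traffic from the overlay, then masquerade so the
    # device replies to the gateway's LAN address and needs no return route.
    rules="$rules
iptables -A FORWARD -i $ZT_IF -j DROP
iptables -t nat -A POSTROUTING -o $LAN_IF -s $ZT_NET -j MASQUERADE"
    printf '%s\n' "$rules"
}

gen_rules "$MAPPINGS"
```

Review the printed commands, then run them as root; `sysctl -w` takes effect immediately, while the /etc/sysctl.conf entry keeps the setting across reboots.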
