Using source pools

This topic includes a procedure for configuring the source IP address pools used in NAT, and examples of NAT deployments. It includes the following sections:

Configuring source pools

You use the Source Pool page to create configuration objects for source IP addresses used for NAT in Layer 4 virtual server configurations.

In a Layer 4 virtual server configuration, you select a “packet forwarding method” that includes the following network address translation (NAT) options:

In a Layer 7 virtual server configuration, you do not select a packet forwarding option. Layer 7 virtual servers use NAT46 and NAT64 to support those traffic flows, but they do not use the Source Pool configuration.

See the examples that follow the procedure for illustrated usage.

Before you begin:

After you have configured a source pool IP address range configuration object, you can select it in the virtual server configuration. You can assign multiple source pools to a virtual server; the pools can be associated with the same interface or with different interfaces.

To configure a source pool:
  1. Go to Server Load Balance > Virtual Server.
  2. Click the NAT Source Pool tab.
  3. Click Add to display the configuration editor.
  4. Complete the configuration as described in Table 24.
  5. Save the configuration.

Table 24: Source pool configuration

| Settings | Guidelines |
| --- | --- |
| Name | Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the virtual server configuration. Note: After you initially save the configuration, you cannot edit the name. |
| Interface | Interface to receive responses from the backend server. The interface used for the initial client traffic is determined by the virtual server configuration. |
| Address Type | IPv4 or IPv6 |
| Address Range | The first address in the address pool. |
| To | The last address in the address pool. |
| Node Member | Create a node member list to be used in an HA active-active deployment. In an active-active deployment, node interfaces are configured with a list of IP addresses for all nodes in the cluster. You use this configuration to provision SNAT addresses for each of the nodes. |
| Name | Name is a configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the virtual server configuration. Note: After you initially save the configuration, you cannot edit the name. |
| Pool Type | IPv4 or IPv6. |
| Minimum IP | The first address in the address pool. |
| Maximum IP | The last address in the address pool. |
| Interface | Interface to receive responses from the backend server. The interface used for the initial client traffic is determined by the virtual server configuration. |
| HA Node Number | Specify the HA cluster node ID. |
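A pre-deployment check for the settings in Table 24, written as an added example; it is not part of the original documentation or of the product. The function names, the sample entries and the HA node IDs are constructed, and the check for ranges shared by different HA nodes is an added sanity check, not a rule stated on this page.

```python
import ipaddress
import re

NAME_RE = re.compile(r"[A-Za-z0-9_-]+")   # Table 24: A-Z, a-z, 0-9, _ and -; no spaces
VERSIONS = {"IPv4": 4, "IPv6": 6}

def check_pool(name, addr_type, first, last):
    """Return a list of problems for one source pool or node member entry."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append(f"{name!r}: name has characters outside A-Z a-z 0-9 _ -")
    if addr_type not in VERSIONS:
        return problems + [f"{name!r}: address type must be IPv4 or IPv6"]
    try:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    except ValueError as exc:
        return problems + [f"{name!r}: {exc}"]
    if {lo.version, hi.version} != {VERSIONS[addr_type]}:
        problems.append(f"{name!r}: range does not match address type {addr_type}")
    elif lo > hi:
        problems.append(f"{name!r}: first address is after last address")
    return problems

def check_node_members(members):
    """members: (name, addr_type, min_ip, max_ip, ha_node) tuples.
    Flags invalid entries and, as an added assumption, ranges shared by different HA nodes."""
    problems, ok = [], []
    for name, addr_type, lo, hi, node in members:
        errs = check_pool(name, addr_type, lo, hi)
        problems += errs
        if not errs:
            ok.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi), node, name))
    for i, (lo1, hi1, n1, a) in enumerate(ok):
        for lo2, hi2, n2, b in ok[i + 1:]:
            same_family = lo1.version == lo2.version
            if n1 != n2 and same_family and lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"{a!r} and {b!r}: ranges overlap across HA nodes")
    return problems

# Constructed sample entries (names, ranges and node IDs are illustrative).
SAMPLE = [
    ("snat-node0", "IPv4", "192.168.2.101", "192.168.2.110", 0),
    ("snat-node1", "IPv4", "192.168.2.108", "192.168.2.120", 1),
    ("snat node2", "IPv4", "192.168.2.130", "192.168.2.121", 2),
]

if __name__ == "__main__":
    for line in check_node_members(SAMPLE):
        print(line)
```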

Example: DNAT

Figure 34 illustrates destination NAT (DNAT). The NAT module rewrites only the destination IP address, so if you configure destination NAT, you do not need to configure a source pool. In this DNAT example, the destination IP address in the packets received from the client is the IP address of the virtual server, 192.168.1.101. The NAT module translates this address to the address of the real server selected by the load balancer (in this example, 192.168.2.1). The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic.

Figure 34: Destination NAT

Example: full NAT

Figure 35 illustrates full NAT. The source IP / destination IP pair in the packets received is SRC 192.168.1.1 / DST 192.168.1.101. The NAT module translates the source IP address to the next available address in the source pool—in this example, 192.168.2.101. It translates the destination IP address to the address of the real server selected by the load balancer—in this example, 192.168.2.1.

The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic.

Figure 35: Full NAT

Example: NAT46 (Layer 4 virtual servers)

Figure 36 illustrates full NAT with NAT46. The IPv4 client connects to the virtual server IPv4 address. The source IP / destination IP pair in the packets received is SRC 192.168.1.1 / DST 192.168.1.101. The NAT module translates the source IP address to the next available IPv6 address in the source pool—in this example, 2002::2:1001. It translates the destination IP address to the IPv6 address of the real server selected by the load balancer—in this example, 2002::2:1.

The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic.

Figure 36: NAT46 (Layer 4 virtual servers)

Table 25: Limitations: NAT46 (Layer 4 virtual servers)

| Features | Notes |
| --- | --- |
| Profile | Not supported: FTP |
| ICMP | ICMP traffic is dropped. |

Example: NAT64 (Layer 4 virtual servers)

Figure 37 illustrates full NAT with NAT64. The IPv6 client connects to the virtual server IPv6 address. The source IP / destination IP pair in the packets received is SRC 2001::1:1 / DST 2001::1:101. The NAT module translates the source IP address to the next available IPv4 address in the source pool—in this example, 192.168.2.101. It translates the destination IP address to the IPv4 address of the real server selected by the load balancer—in this example, 192.168.2.1.

The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic.

Figure 37: NAT64 (Layer 4 virtual servers)

Table 26: Limitations: NAT64 (Layer 4 virtual servers)

| Features | Notes |
| --- | --- |
| Profiles | Not supported: FTP |
| ICMP | ICMP traffic is dropped. |
| Security | Not supported: IP Reputation, DoS protection, Security logs and reports |
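The Layer 4 full NAT, NAT46 and NAT64 translations described above, replayed through a small model of the NAT table. This is an added example, not code from the original page or the product: the class and function names are hypothetical, the pool end addresses are constructed (the page gives only the first pool address), and the model is simplified to one pool address per flow with ports omitted.

```python
import ipaddress

class FullNat:
    """Model of Layer 4 full NAT with a source pool (ports omitted)."""

    def __init__(self, vip, pool_first, pool_last):
        self.vip = ipaddress.ip_address(vip)
        self.next_free = ipaddress.ip_address(pool_first)
        self.pool_last = ipaddress.ip_address(pool_last)
        self.table = {}  # (pool address, real server) -> (client, virtual server)

    def client_to_server(self, src, dst, real_server):
        """Translate SRC to the next pool address and DST to the real server."""
        src, dst, real = (ipaddress.ip_address(a) for a in (src, dst, real_server))
        if dst != self.vip:
            raise ValueError("packet is not addressed to the virtual server")
        if real.version != self.next_free.version:
            raise ValueError("source pool and real server are different IP families")
        if self.next_free > self.pool_last:
            raise RuntimeError("source pool exhausted")  # model choice, not device behaviour
        pool_addr, self.next_free = self.next_free, self.next_free + 1
        self.table[(pool_addr, real)] = (src, dst)
        return str(pool_addr), str(real)

    def server_to_client(self, src, dst):
        """Inverse translation for a reply; None when no table entry matches."""
        entry = self.table.get((ipaddress.ip_address(dst), ipaddress.ip_address(src)))
        if entry is None:
            return None
        client, vip = entry
        return str(vip), str(client)

def run_examples():
    """Replay the page's full NAT, NAT46 and NAT64 addresses through the model."""
    out = {}
    full = FullNat("192.168.1.101", "192.168.2.101", "192.168.2.110")
    out["full"] = full.client_to_server("192.168.1.1", "192.168.1.101", "192.168.2.1")
    out["full_reply"] = full.server_to_client("192.168.2.1", "192.168.2.101")
    nat46 = FullNat("192.168.1.101", "2002::2:1001", "2002::2:10ff")
    out["nat46"] = nat46.client_to_server("192.168.1.1", "192.168.1.101", "2002::2:1")
    nat64 = FullNat("2001::1:101", "192.168.2.101", "192.168.2.110")
    out["nat64"] = nat64.client_to_server("2001::1:1", "2001::1:101", "192.168.2.1")
    out["nat64_reply"] = nat64.server_to_client("192.168.2.1", "192.168.2.101")
    out["unsolicited"] = nat64.server_to_client("192.168.2.1", "192.168.2.105")
    return out

if __name__ == "__main__":
    for name, value in run_examples().items():
        print(name, value)
```

In every case the real server sees the pool address as the source, so the table entry is the only link back to the original client address.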

Example: NAT46 (Layer 7 virtual servers)

Figure 38 illustrates full NAT with NAT46. The IPv4 client connects to the virtual server IPv4 address. The source IP / destination IP pair in the packets received is SRC 192.168.1.1 / DST 192.168.1.101. The NAT module translates the source IP address to the IPv6 address of the egress interface that has IPv6 connectivity with the real server—in this example, 2002::2:1001. It translates the destination IP address to the IPv6 address of the real server selected by the load balancer—in this example, 2002::2:1.

The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic.

Figure 38: NAT46 (Layer 7 virtual servers)

Table 27: Limitations: NAT46 (Layer 7 virtual servers)

| Feature | Note |
| --- | --- |
| Profiles | Not supported: RADIUS, HTTP Turbo |
| Profile options | Not supported: Source Address (Using the original source IP address for the connection to the real server is contrary to the purpose of NAT.) |
| Virtual server options | Not supported: Connection Rate Limit |
| Real server pool options | Not supported: Connection Rate Limit |

Example: NAT64 (Layer 7 virtual servers)

Figure 39 illustrates full NAT with NAT64. The IPv6 client connects to the virtual server IPv6 address. The source IP / destination IP pair in the packets received is SRC 2001::1:1 / DST 2001::1:101. The NAT module translates the source IP address to the IPv4 address of the egress interface that has IPv4 connectivity with the real server—in this example, 192.168.2.101. It translates the destination IP address to the IPv4 address of the real server selected by the load balancer—in this example, 192.168.2.1.

The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic.

Figure 39: NAT64 (Layer 7 virtual servers)

Table 28: Limitations: NAT64 (Layer 7 virtual servers)

| Feature | Note |
| --- | --- |
| Profiles | Not supported: RADIUS, HTTP Turbo |
| Profile options | Not supported: Source Address (Using the original source IP address for the connection to the real server is contrary to the purpose of NAT.) |
| Virtual server options | Not supported: Connection Rate Limit |
| Real server pool options | Not supported: Connection Rate Limit |
| Security | Not supported: IP Reputation, DoS protection, Security logs and reports |