Preparing the lab – Vyatta NAT Masquerade

Vyatta documentation (available after registration) provides many configuration examples and full command syntax reference. Today I’m going to explain how to set Masquerade NAT in Vyatta Core. Please forgive me if my explanation is not quite clear, let me know if you need more information (leave comments!)

My lab has started with a basic configuration where I’m not using VLAN (but I will…) so I’ve configured several interfaces in my Vyatta Core router. I want my virtual machines to be able to get packets from Internet but unfortunately the router which connects me to Internet has no way to add routes so it doesn’t know how to deal with packages from the networks behind my router.


I need to translate the source address of packages from,, and networks so one address of network is used when those networks try to connect to Internet. I will configure “Masquerade” NAT so the eth0 IP address of my Vyatta Core router (watson) will be used as the source address for package source translation. For example, if I want to translate source address packets with the one set in eth0 I’ll use this commands:

//I've used 10 as the route number identifier, but you can use any other unused number in your configuration
vyatta@one-router:~$ configure
vyatta@one-router# set nat source rule 10 outbound-interface eth0
vyatta@one-router# set nat source rule 10 source address
vyatta@one-router# set nat source rule 10 translation address masquerade
vyatta@one-router# commit
vyatta@one-router# save

OK, thanks to this masquerade NAT, my virtual machine can download packages from Internet. Important: this translation won’t allow these virtual machines to be reachable from Internet.


4 thoughts on “Preparing the lab – Vyatta NAT Masquerade

  1. marco says:

    Very nice post! Following your guide combined with other similar posts in other blogs I have benn able to setup my ESXI6 lab using vyos providing routing for my networks.
    But there is one item i have not been able to understand even spending days.
    I would like to test Vmware site recover manager or virtual san but all of them require layer2 or layer3 with multicast (someone speak about stretched lan) and I don’t know how could I simulate something like this:

    esx site1 (vyos or similar)———streched lan————>site2(disaster recovery)

    Do you have any suggestions?



    • n40lab says:

      Hi Marco, I’m sorry but I’ve no experience on that topic however I’ll study it and let you know if I found something useful. Thanks for reading!


  2. marco says:

    Thanks for quick and kind reply.
    No problem, as said, I found tens of posts explaining (at least at basic level) site recovery+vshpere replication or other solutions like veeam etc. But the problem is that none of them explain the network stack; they always speak about “stratched lan, strached vlan, layer2/3 with low latency, multicast (mandatory requirement for VSAN) etc…
    I think there are some reasons behind the fact that no one write about network:
    – enterprise products like this are used just in big company in which there are network admins working on cisco/juniper tecnologies that natively support this kind of configurations. And for a senior network admin shouldn’t be a so difficult task.
    – Explaining these products is not easy and require time and long posts. Maybe that adding the network part would require a whitepaper

    Anyway I just found some post speaking about pfsense with openvpn in tap mode but are not much clear and don’t explain why they use pfsense instead of something else; and is not clear if multicast is supported or not (for VSAN is a must)
    I already created the first part of the lab, now what is missing is how to simulate a layer2 (or 3???) connection with a remote site and use all kind of possible DR solutions.
    I already tried to ask to the authors but at the moment you are the only one that replied to me thus you are my last chance 🙂

    I can’t wait for your reply.



    • n40lab says:

      Hi Marco, I’m spending some time this weekend reading articles about stretched lans. I guess the reason behind using pfSense is that using openvpn with a web gui and configuring the bridge it’s quick and easy. If you give me some days I could try to use vyos in a test scenario, I like the topic and would like to write about it, maybe I’ll to ask you some questions to prepare the lab. Once again thanks for contacting me.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s