> **Current state**: cross-VRF routing is working, but NAT breaks it.
>
> conntrack log shows state is immediately destroyed after it gets created,
> and the packet is "lost" between `up` and `muplink`.
The basic idea behind `100.64.0.0/10` seems to be that a CGN router should be able to handle multiple interfaces that all use `100.64.0.0/10` (including the uplink) while keeping them separated from each other.
In theory this could be done by moving each interface (apart from the uplink) into its own network namespace, connecting every namespace to the main one with a `veth` pair (using some other IP addresses...), and applying SNAT once when forwarding into the main namespace and again when forwarding to the uplink.
This demo tries to use VRFs instead; hopefully that means NAT is needed only once (and no additional local IP addresses are required).
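As an added illustration of the NAT-once idea (this is not the ruleset from `cgnat-demo.sh`), the following nftables table masquerades CGN-space sources only when they leave through the real uplink interface and flags them for `nft monitor trace`. It assumes the uplink interface is named `up`, as in the note above, and that the customer-side interfaces carry `100.64.0.0/10` addresses.

```nft
#!/usr/sbin/nft -f
# Added example, not the demo script's own ruleset.
# Assumptions: "up" is the physical uplink interface (enslaved to a VRF),
# and the customer-facing interfaces use addresses from 100.64.0.0/10.

define cgn_space = 100.64.0.0/10

table inet cgnat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Translate exactly once: only when the packet leaves via the
        # real uplink interface. Source address is taken from "up".
        oifname "up" ip saddr $cgn_space masquerade
    }

    chain trace_in {
        type filter hook prerouting priority raw; policy accept;

        # Flag CGN-space traffic so `nft monitor trace` shows every hook
        # the packet traverses on its way from the VRF to the uplink.
        ip saddr $cgn_space meta nftrace set 1
    }
}
```

Load it with `nft -f` and run `nft monitor trace` alongside `conntrack -E` to correlate the trace with the conntrack events the demo prints.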
To test it yourself, run `./cgnat-demo.sh` as root (it doesn't need network access, so feel free to use an isolated container/VM/...):
- spawns `tmux` with multiple windows once setup is done (`ip vrf/netns exec ...` and others)
- `tmux` is configured to use the `ctrl-a` prefix (like screen)
- `tmux` shouldn't be detached; the default detach keybind (`ctrl-a d`) is replaced with a prompt to destroy the session
Dependencies:
- `nftables` for NAT / trace
- `conntrack` to show conntrack events
- `tmux` to open shells in various contexts
## Example pings
- Working in `blue_c2`:
  - `ping -I 192.0.2.2 192.0.2.1` - ping `uplink` "public" IP