Edge Gateway does not support DNAT for traffic from the South (Downlink) interface
Article ID: 321175
Products
VMware NSX Networking
Issue/Introduction
Symptoms: DNAT for traffic entering the Edge from the South (downlink) interface and egressing to the North (uplink) interface fails.
For example:
A flow from IP1 to IP2 is DNATed on the downlink as it enters the Edge, so it leaves the North interface (uplink) as IP1 > IP3. Because the reverse translation is not applied on the way back, the return traffic reaches IP1 as IP3 > IP1 instead of IP2 > IP1. That reply does not match the connection IP1 originated to IP2, so the traffic fails.
Environment
VMware NSX-T Data Center 2.x
Cause
This issue occurs because firewall and NAT are implemented on both the North (uplink) interface and the South (downlink) interface. To avoid running the same services twice on the North-South path, the services are typically applied on the North interface (DNAT, SNAT, firewall) and skipped on the South interface (which carries only SNAT and DNAT).
As a result, if DNAT is performed on the South interface as traffic enters from the logical side, the return traffic arriving from the North interface is processed by the default firewall services on the uplink (North interface) and then, because of this optimization, bypasses the services on the South interface. The reverse DNAT translation is therefore never applied to the return traffic.
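The following toy model is added here to illustrate the asymmetry described above; it is not VMware code and does not reproduce the NSX-T datapath. The interface names, the flow-table shape, the rule that services run on the uplink in both directions but are skipped on downlink egress, and the RFC 5737/private addresses are all assumptions chosen for illustration. It contrasts the supported placement (DNAT on the uplink for a North-to-South client) with the KB case (DNAT on the downlink for a South-to-North client), where the reply is never reverse-translated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class EdgeModel:
    """Toy model of a two-interface edge: uplink (North) and downlink (South).

    Assumption for illustration, not NSX-T's datapath: NAT and firewall run
    on the uplink in both directions; on the downlink they run only for
    packets entering from the logical (South) side, and North-to-South
    egress through the downlink skips services, as the Cause section describes.
    """

    def __init__(self, dnat_interface, original_dst, translated_dst):
        # Interface the DNAT rule is bound to: "uplink" or "downlink" (assumed names).
        self.dnat_interface = dnat_interface
        self.original_dst = original_dst
        self.translated_dst = translated_dst
        # Flow table: (client, translated_dst) -> original_dst.  A reply can
        # only be reverse-translated at a point where this table is consulted.
        self.flows = {}

    def _forward(self, pkt):
        # Forward DNAT: rewrite the destination and remember the mapping.
        if pkt.dst == self.original_dst:
            self.flows[(pkt.src, self.translated_dst)] = self.original_dst
            return Packet(pkt.src, self.translated_dst)
        return pkt

    def _reverse(self, pkt):
        # Reverse DNAT: a reply translated_dst -> client gets original_dst restored as src.
        key = (pkt.dst, pkt.src)
        if key in self.flows:
            return Packet(self.flows[key], pkt.dst)
        return pkt

    def _service(self, interface, pkt, ingress):
        # NAT runs only on the interface the rule is bound to.
        if interface != self.dnat_interface:
            return pkt
        return self._forward(pkt) if ingress else self._reverse(pkt)

    def south_to_north(self, pkt):
        pkt = self._service("downlink", pkt, ingress=True)   # entering from the logical side
        pkt = self._service("uplink", pkt, ingress=False)    # leaving via the North interface
        return pkt

    def north_to_south(self, pkt):
        pkt = self._service("uplink", pkt, ingress=True)     # firewall + NAT on the North interface
        # Downlink egress: services are skipped by the optimization, so there is
        # deliberately no self._service("downlink", pkt, ingress=False) call here.
        return pkt


def reply_accepted(sent, reply):
    """A client only matches a reply that comes from the address it sent to."""
    return reply.src == sent.dst and reply.dst == sent.src


def typical_north_to_south():
    """Supported case: DNAT on the uplink, client in the North (constructed addresses)."""
    edge = EdgeModel("uplink", original_dst="203.0.113.10", translated_dst="10.0.0.10")
    sent = Packet("198.51.100.5", "203.0.113.10")
    request = edge.north_to_south(sent)                            # 198.51.100.5 > 10.0.0.10
    reply = edge.south_to_north(Packet(request.dst, request.src))  # restored to 203.0.113.10 > client
    return request, reply, reply_accepted(sent, reply)


def kb_south_to_north():
    """The KB case: DNAT on the downlink, client in the South.

    Constructed addresses: IP1 = 10.0.0.20, IP2 = 203.0.113.50, IP3 = 198.51.100.80.
    """
    edge = EdgeModel("downlink", original_dst="203.0.113.50", translated_dst="198.51.100.80")
    sent = Packet("10.0.0.20", "203.0.113.50")                     # IP1 > IP2
    request = edge.south_to_north(sent)                            # IP1 > IP3 on the uplink
    reply = edge.north_to_south(Packet(request.dst, request.src))  # IP3 > IP1, never restored to IP2
    return request, reply, reply_accepted(sent, reply)


if __name__ == "__main__":
    for name, fn in (("north->south", typical_north_to_south), ("south->north", kb_south_to_north)):
        request, reply, ok = fn()
        print(f"{name}: request {request.src}>{request.dst}, reply {reply.src}>{reply.dst}, accepted={ok}")
```

Running the model shows the supported case returning a reply whose source is the address the client originally targeted, while the KB case returns a reply sourced from the translated address, which the client never sent to.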
Resolution
This is a known issue affecting VMware NSX-T Data Center 2.x.
Currently, there is no resolution or workaround.
Additional Information
Impact/Risks: DNAT applied on the South (downlink) interface does not work for South-to-North traffic.