|
| 1 | +# User SNAT bindings |
| 2 | + |
| 3 | +{% hint style="warning" %} |
| 4 | +This is an enterprise feature. To use it, purchase our [enterprise license](enterprise/license.md) or ensure that your deployment does not exceed the [usage limits](enterprise/license.md#enterprise-is-free-up-to-certain-limits). |
| 5 | +{% endhint %} |
| 6 | + |
| 7 | +{% hint style="info" %} |
| 8 | +This feature is available starting from version 1.5 |
| 9 | +{% endhint %} |
| 10 | + |
| 11 | +**User SNAT bindings** allow administrators to assign specific public IP addresses to users for outbound traffic from defguard VPN gateways in a given location. This provides fine-grained control over how user traffic appears to external networks. |
| 12 | + |
| 13 | +## Overview |
| 14 | + |
| 15 | +defguard administrators are able to create SNAT (Source Network Address Translation) bindings which include following information: |
| 16 | + |
| 17 | +* location ID |
| 18 | +* user ID |
| 19 | +* public IP address |
| 20 | + |
| 21 | +{% hint style="warning" %} |
| 22 | +Each user can have only one binding configured in a given location. |
| 23 | +{% endhint %} |
| 24 | + |
| 25 | +Once a binding is configured, when a specified user connects to a given location using one of their devices, all their traffic leaving the VPN gateway (for example to access the public internet) will appear as if originating from the configured IP address. |
| 26 | + |
| 27 | +## Configuring user SNAT bindings |
| 28 | + |
| 29 | +Bindings can be configured through the defguard REST API, which supports following operations: |
| 30 | + |
| 31 | +* listing all bindings for a given location |
| 32 | +* creating a new binding |
| 33 | +* updating an existing binding |
| 34 | +* removing an existing binding |
| 35 | + |
| 36 | +All the endpoints require authentication (with session cookies or [API tokens](integrations/api-tokens.md#generating-api-token)) and Admin role permissions. |
| 37 | + |
| 38 | +The details are available in the [Swagger docs](integrations/api-tokens.md#rest-api-documentation) provided by each defguard instance. |
| 39 | + |
| 40 | +Each modification to configured bindings triggers an update to be sent to relevant VPN gateways assigned to a given location. |
| 41 | + |
| 42 | +## Implementation details |
| 43 | + |
| 44 | +{% hint style="warning" %} |
| 45 | +Currently SNAT binding functionality is only supported on Linux gateways. |
| 46 | +{% endhint %} |
| 47 | + |
| 48 | +Configured bindings are sent to relevant VPN gateways as part of their firewall configuration. |
| 49 | + |
| 50 | +Each binding is then translated into one SNAT rule in the `POSTROUTING` firewall chain. |
| 51 | + |
| 52 | +Those rules are applied before the final `MASQUERADE` rule which handles all the remaining outbound traffic. |
| 53 | + |
| 54 | +The gateway itself is not aware of public IPs available on it's network interfaces, so it's important to verify that the IP address assigned to a user is indeed available. Otherwise it's possible to block all outgoing traffic for a user. |
0 commit comments