Hi Adrián, thanks for the question!
When a router interface is behind a NAT or on a network that disallows inbound connections (such as LTE), then it must be the initiator for all traffic to its peers. To describe this topology, we added a new configuration item within a neighborhood (on a network-interface) to indicate that a network-interface is outbound only -- i.e., it must originate requests:
admin@labsystem1.fiedler (network-interface[name=wan0])# show
name       wan0
global-id  5

neighborhood beacon-wan
    name                  beacon-wan
    peer-connectivity     outbound-only
    topology              spoke
    external-nat-address  44.33.22.11
exit
inter-router-security  128t-hq
source-nat             true

address 11.22.33.44
    ip-address     11.22.33.44
    prefix-length  24
    gateway        11.22.33.45

host-service ssh
    service-type  ssh
exit
exit
Here you can see I've indicated that this network-interface should be treated as outbound-only. (Any peers for this router will reflect this in the adjacency that is created.)
When a peer wants to send to an adjacency that is outbound-only, what it will do is "NAT" the packet it is going to send just prior to sending it on the wire, and re-uses the ports for BFD (1280). Because BFD connectivity is a prerequisite for sending traffic to a peer, this path will be known to be up and working a priori.
When the router receives this "BFD" packet, it will detect that there is 128T metadata inside, hand it up to the service processing logic, and allocate SVR flows (and waypoint addresses) for itself and its peer, and forward the packet as it would normally. When packets go back in the reverse direction, it will punch a hole in the NAT (or create an outbound LTE connection, etc.) and "initiate" the flows from the outbound-only side. All subsequent packets will use these allocated waypoint addresses.
Two other notes about outbound-only:
- When a router has a peer that is designated as outbound-only, it will not proactively send BFD to it... it waits to hear from its peer, then uses the source of those packets as the destination for its BFD in the reverse direction. (So-called "latching" onto the source address.)
- When two routers are both configured as outbound-only, they will (obviously) not be able to talk to one another.
I hope this helps!
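As an added illustration following the answer above (hypothetical Python, not 128T code and not the author's): a small checker that parses show-style network-interface text from several routers, reports which members of a neighborhood are outbound-only and therefore must originate, and flags the case from the last note, where every member of a neighborhood is outbound-only. The sample configs, the router names and the assumption that a missing peer-connectivity means "not outbound-only" are constructed here.

```python
# Hypothetical checker, not 128T code: parses network-interface "show" text
# (indentation ignored), groups routers by neighborhood, and reports which
# routers must originate (outbound-only) and neighborhoods that cannot talk.
from collections import defaultdict

# Constructed sample configs for two routers sharing neighborhood beacon-wan.
# "hq" omits peer-connectivity, taken here to mean it is not outbound-only.
SAMPLE = {
    "hq": "name wan0\n\nneighborhood beacon-wan\n    name beacon-wan\nexit\n",
    "branch": "name wan0\nglobal-id 6\n\nneighborhood beacon-wan\n"
              "    name beacon-wan\n    peer-connectivity outbound-only\n"
              "    topology spoke\n    external-nat-address 44.33.22.11\n"
              "exit\nhost-service ssh\n    service-type ssh\nexit\n",
}

def parse_neighborhoods(text):
    """Return the neighborhood blocks of one show-style interface config.
    'neighborhood <name>' opens a block; 'exit' closes the innermost block."""
    hoods, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "exit":
            if current is not None:
                hoods.append(current)
            current = None
        elif key == "neighborhood":
            current = {"name": value}
        elif current is not None:
            current[key] = value  # e.g. peer-connectivity, topology
    return hoods

def membership(configs):
    """Map neighborhood -> {router: is_outbound_only} over all routers."""
    members = defaultdict(dict)
    for router, text in configs.items():
        for hood in parse_neighborhoods(text):
            members[hood["name"]][router] = hood.get("peer-connectivity") == "outbound-only"
    return members

def originators(configs):
    """Per neighborhood, the routers that must initiate toward their peers."""
    return {n: sorted(r for r, ob in m.items() if ob) for n, m in membership(configs).items()}

def unreachable_neighborhoods(configs):
    """Neighborhoods with more than one member where every member is outbound-only."""
    return sorted(n for n, m in membership(configs).items() if len(m) > 1 and all(m.values()))
```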