Playing with VRFs to isolate a number of internal subnets. I have the isolation working quite well but I want to provide these subnets with internet access.
Testing with one particular subnet I have added a route to the gateway@main table and then added in a NAT for this subnet onto one of my public addresses. I have then added a pre-route mangle to route mark all packets coming back in to the NATed public address to my VRF table. This works very well!
Now I want to replicate this with my other subnets. Unfortunately, I do not have enough public addresses to provide a one-to-one NAT for each internal subnet. Prior to isolation with VRFs, I would have just had a NAT for all the private addresses mapped on to my range of publics to avoid this.
So is there a way I can route mark packets after they have been NAT translated back into their internal addresses?
Any help would be appreciated.
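For anyone reading along, here is a reconstruction of the single-subnet setup the post describes (VRF, default route via the main table, one-to-one source NAT, prerouting mangle rule). This is an added example, not configuration from the original poster; the RouterOS v7 syntax, the interface, table and VRF names, and all addresses (RFC 5737 / RFC 1918 ranges) are assumptions chosen for illustration.

```routeros
# Added example reconstructing the working one-subnet case from the post.
# All names and addresses below are assumptions, not values from the post.

# Isolated subnet 10.10.1.0/24 lives on vlan-a, which is placed in its own VRF.
/ip vrf add name=vrf-a interfaces=vlan-a

# Default route inside the VRF table, resolved through the gateway in the main table
# (the "route to the gateway@main table" step described in the post).
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1@main routing-table=vrf-a

# One-to-one source NAT: the whole isolated subnet leaves as one dedicated public address.
/ip firewall nat add chain=srcnat src-address=10.10.1.0/24 \
    action=src-nat to-addresses=203.0.113.10 comment="vrf-a to public"

# Return traffic arrives addressed to that public address. Prerouting mangle runs
# before dst-nat has undone the translation, so the public address is the only
# thing available to match on at this point; it is steered into the VRF table.
/ip firewall mangle add chain=prerouting dst-address=203.0.113.10 \
    action=mark-routing new-routing-mark=vrf-a passthrough=no comment="return to vrf-a"
```

The ordering comment in the last rule is the crux of the question: with a dedicated public address per subnet the prerouting match is unambiguous, but once several subnets share one public address the pre-NAT destination no longer identifies which VRF table the packet belongs to. When checking a setup like this, confirm with `/ip firewall connection print` that the reply connection tracking entries carry the expected reply destination, and with `/ip route print where routing-table=vrf-a` that the default route is active in the VRF table.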