Alias for dynamic IP address of interface


Hello,

I have a dynamic IP address from my ISP and I’d like to use the acquired IP address in other parts of the configuration (e.g. as a destination in a firewall rule). How would I achieve this?

Thanks,
Sam

Hello @saagraa, I’m not sure that this is possible now, but can you provide a firewall example?
I guess many rules should possibly be created without a known IP address received via DHCP, etc.

Hi @Dmitry,

I guess I can’t think of a firewall rule that requires this, a poor example on my part.

Where I have used this before (in EdgeOS) is hairpin NAT. From the example in the VyOS docs:

destination {
    rule 110 {
        description "NAT Reflection: INSIDE"
        destination {
            port 3389
++          address dynamic-ip-on-eth0
        }
        inbound-interface eth0.10
        protocol tcp
        translation {
            address 192.0.2.40
        }
    }
}

My understanding (I could be wrong) is that without the address limitation in the destination node, traffic on 3389 to any IP gets redirected internally, whereas I’d like to only redirect traffic that is trying to reach back into my network from within my network via my network’s external IP, and send other outgoing traffic on that port to the external IP.

Thanks

@saagraa, as I understand it, this will apply only to traffic coming from eth0.10, so in this case you can use this rule without defining a destination address.

Let’s assume I have WAN on eth0 and LAN on eth1, and my IP on eth0 is A.B.C.D.

So my DNAT rule is:

destination {
    rule 110 {
        description "NAT Reflection: INSIDE"
        destination {
            port 3389
        }
        inbound-interface eth1
        protocol tcp
        translation {
            address 192.0.2.40
        }
    }
}

Now if I try to reach U.X.Y.Z:3389 from my LAN, doesn’t that match the NAT rule and translate the IP into 192.0.2.40?

I just invested like 3 hours to get hairpin working - no success. I managed to get it working with my current public IP in the rule. But this IP is dynamic - so we can roll a die until this rule breaks.

If I implement the rules as in the documentation (NAT44 — VyOS 1.4.x (sagitta) documentation; we’re using Sagitta 1.4-rolling-202311180301), then obviously all HTTPS packets (in our case) on our internal VyOS interface are redirected to our webserver, which breaks HTTPS traffic for all clients.

We have to select the impacted traffic more granularly with the destination address. There’s currently no workaround available.

Let me know if I can support in any way.

https://vyos.dev/T2196
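Editor-added example, not code from this thread or from the VyOS project: since the NAT rule cannot reference the interface's dynamic address directly, the next best thing is to pin the rule's `destination address` to whatever the WAN interface currently holds and re-apply it whenever the lease changes. The script reads the address with `ip -j -4 addr show dev eth0` (iproute2 JSON output), skips link-local fallbacks, does nothing when the address is unchanged, and otherwise drives the VyOS CLI through a generated vbash script. The interface name `eth0`, rule number 110, the state-file path and the sample `ip` output are all assumptions for illustration; the `set nat destination rule ... destination address` node and the vbash script template are the documented VyOS 1.4 ones, but this has not been run on a real router.

```python
#!/usr/bin/env python3
"""Keep a VyOS hairpin (destination NAT) rule pinned to the address a
DHCP-assigned WAN interface currently holds.

Editor-added example; not from the forum thread or the VyOS project.
Assumed/hypothetical: WAN_IFACE, NAT_RULE, STATE_FILE and SAMPLE_IP_JSON.
"""
import ipaddress
import json
import os
import subprocess
import sys
import tempfile
from typing import Optional

WAN_IFACE = "eth0"                               # assumed DHCP-assigned WAN interface
NAT_RULE = 110                                   # assumed destination NAT rule number
STATE_FILE = "/config/scripts/hairpin-wan.addr"  # assumed path; last address applied

# Constructed sample of `ip -j -4 addr show dev eth0` output (not a real capture):
# a 169.254/16 link-scope fallback plus the real DHCP lease.
SAMPLE_IP_JSON = json.dumps([{
    "ifindex": 2, "ifname": "eth0",
    "addr_info": [
        {"family": "inet", "local": "169.254.10.20", "prefixlen": 16,
         "scope": "link", "label": "eth0"},
        {"family": "inet", "local": "198.51.100.23", "prefixlen": 24,
         "scope": "global", "dynamic": True, "label": "eth0"},
    ],
}])


def current_ipv4(ip_json: str, iface: str) -> Optional[str]:
    """First global-scope IPv4 address of `iface`, or None when there is
    no lease yet (e.g. right after boot).  Link/host scope is skipped so a
    169.254.x.x autoconf address never ends up in the NAT rule."""
    for link in json.loads(ip_json):
        if link.get("ifname") != iface:
            continue
        for info in link.get("addr_info", []):
            if info.get("family") != "inet" or info.get("scope") != "global":
                continue
            return str(ipaddress.IPv4Address(info["local"]))  # validates the string
    return None


def plan(ip_json: str, last_applied: Optional[str],
         iface: str = WAN_IFACE) -> Optional[str]:
    """Address the rule must be changed to, or None if no lease or unchanged."""
    addr = current_ipv4(ip_json, iface)
    if addr is None or addr == last_applied:
        return None
    return addr


def render_vbash(rule: int, addr: str) -> str:
    """vbash configuration script; `set` on a single-value node replaces
    the previous address, so no explicit delete is required."""
    return "\n".join([
        "#!/bin/vbash",
        "source /opt/vyatta/etc/functions/script-template",
        "configure",
        f"set nat destination rule {rule} destination address {addr}",
        "commit",
        "save",
        "exit",
        "",
    ])


def read_state(path: str) -> Optional[str]:
    try:
        with open(path) as fh:
            return fh.read().strip() or None
    except FileNotFoundError:
        return None


def main() -> int:
    out = subprocess.run(["ip", "-j", "-4", "addr", "show", "dev", WAN_IFACE],
                         capture_output=True, text=True, check=True).stdout
    addr = plan(out, read_state(STATE_FILE))
    if addr is None:
        return 0  # nothing to do
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as tmp:
        tmp.write(render_vbash(NAT_RULE, addr))
    try:
        subprocess.run(["/bin/vbash", tmp.name], check=True)
    finally:
        os.unlink(tmp.name)
    with open(STATE_FILE, "w") as fh:  # only record the address after commit succeeded
        fh.write(addr + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it periodically, for instance from a `system task-scheduler task` entry (an assumption about how you would schedule it, not something the thread describes); between the lease changing and the next run the rule still points at the old address, which is exactly the gap the feature request in T2196 would close. The rule itself should keep `inbound-interface eth1` so that only LAN-originated traffic is considered, and the hairpin still needs the matching source NAT rule from the NAT44 documentation.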