Another Port Forward/Firewall Issue

Hello,

I installed VyOS today to learn the system and play around with it, but I can’t seem to get port forwarding working. I’m trying to forward 32400 to an internal IP of 192.168.1.200, but it’s not working after adding both firewall forwarding rules and NAT destination rules. This is a new installation of 1.4. What am I doing wrong?

Thanks!
ILLY

nat {
     destination {
         rule 10 {
             description "PLEX Port Forward"
             destination {
                 port 32400
             }
             inbound-interface {
                 name eth0
             }
             protocol tcp
             translation {
                 address 192.168.1.200
             }
         }
     }
     source {
         rule 100 {
             outbound-interface {
                 name eth0
             }
             source {
                 address 192.168.1.0/24
             }
             translation {
                 address masquerade
             }
         }
     }
 }
firewall {
     global-options {
         state-policy {
             established {
                 action accept
             }
             invalid {
                 action drop
             }
             related {
                 action accept
             }
         }
     }
     group {
         interface-group LAN {
             interface eth8
         }
         interface-group WAN {
             interface eth0
         }
         network-group NET-INSIDE-v4 {
             network 192.168.1.0/24
         }
     }
     ipv4 {
         forward {
             filter {
                 rule 10 {
                     action accept
                     connection-status {
                         nat destination
                     }
                     state new
                 }
                 rule 100 {
                     action jump
                     destination {
                         group {
                             network-group NET-INSIDE-v4
                         }
                     }
                     inbound-interface {
                         group WAN
                     }
                     jump-target OUTSIDE-IN
                 }
             }
         }
         input {
             filter {
                 default-action drop
                 rule 20 {
                     action jump
                     destination {
                         port 22
                     }
                     jump-target VyOS_MANAGEMENT
                     protocol tcp
                 }
                 rule 30 {
                     action accept
                     icmp {
                         type-name echo-request
                     }
                     protocol icmp
                     state new
                 }
                 rule 40 {
                     action accept
                     destination {
                         port 53
                     }
                     protocol tcp_udp
                     source {
                         group {
                             network-group NET-INSIDE-v4
                         }
                     }
                 }
                 rule 50 {
                     action accept
                     source {
                         address 127.0.0.0/8
                     }
                 }
             }
         }
         name OUTSIDE-IN {
             default-action drop
         }
         name VyOS_MANAGEMENT {
             default-action return
             rule 15 {
                 action accept
                 inbound-interface {
                     group LAN
                 }
             }
             rule 20 {
                 action drop
                 inbound-interface {
                     group WAN
                 }
                 recent {
                     count 4
                     time minute
                 }
                 state new
             }
             rule 21 {
                 action accept
                 inbound-interface {
                     group WAN
                 }
                 state new
             }
         }
     }
 }

You can use tcpdump to see if the traffic is being received and forwarded to the desired interface:

sudo tcpdump -ni any port 32400

You can also enable logging for the rules and check the logs and counters.

I was able to solve this by changing the rule 10 under forward filter to call out the DNAT setting explicitly.

Here is my config under ipv4 forward filter that worked. Instead of the rule 10 above, I used the following:

rule 10 {
    action accept
    destination {
        address 192.168.1.200
        port 32400
    }
    protocol tcp
    state new
}
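The working rule above names the translated address, port and protocol instead of matching on connection-status. Below is an added checker (not from the thread or from VyOS) that reads the flat output of `show configuration commands` and flags any destination-NAT rule whose translated destination is not explicitly accepted by a forward-filter rule; the sample `set` lines are constructed from the poster's configuration.

```python
"""Added example, not from the thread: flag VyOS destination-NAT rules that lack a
forward-filter accept rule naming the translated destination (constructed samples)."""
import shlex
# Constructed from the original poster's DNAT rule 10.
NAT = """
set nat destination rule 10 destination port '32400'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.1.200'
"""
# First attempt: the forward rule matches only on connection-status.
FORWARD_CONNSTATUS = """
set firewall ipv4 forward filter rule 10 action 'accept'
set firewall ipv4 forward filter rule 10 connection-status nat 'destination'
set firewall ipv4 forward filter rule 10 state 'new'
"""
# The rule that worked: translated address, port and protocol named explicitly.
FORWARD_EXPLICIT = """
set firewall ipv4 forward filter rule 10 action 'accept'
set firewall ipv4 forward filter rule 10 destination address '192.168.1.200'
set firewall ipv4 forward filter rule 10 destination port '32400'
set firewall ipv4 forward filter rule 10 protocol 'tcp'
set firewall ipv4 forward filter rule 10 state 'new'
"""

def parse_set_commands(text):
    """Group `set ... rule N ...` lines as {(path_before_rule..., N): {attr: value}}."""
    rules = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 3 or tokens[0] != "set" or "rule" not in tokens:
            continue
        path, value = tokens[1:-1], tokens[-1]
        i = path.index("rule")
        rules.setdefault(tuple(path[:i]) + (path[i + 1],), {})[" ".join(path[i + 2:])] = value
    return rules

def dnat_without_explicit_accept(rules):
    """Return (rule, address, port, protocol) for DNAT rules with no matching forward accept."""
    accepts = {
        (r.get("destination address"), r.get("destination port"), r.get("protocol"))
        for key, r in rules.items()
        if key[:4] == ("firewall", "ipv4", "forward", "filter") and r.get("action") == "accept"
    }
    findings = []
    for key, r in rules.items():
        if key[:2] != ("nat", "destination"):
            continue
        addr = r.get("translation address")
        port = r.get("translation port") or r.get("destination port")
        if (addr, port, r.get("protocol")) not in accepts:
            findings.append((key[2], addr, port, r.get("protocol")))
    return findings
```

Feed it `show configuration commands | match rule` output to compare a live box against the thread: the connection-status variant is reported, the explicit variant is not.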

Is it possible for you to show how the final solution looks config-wise (so future readers can compare with your initial post)?

I think @azhagan refers to the explicit rules by @cnrd in related topic https://forum.vyos.io/t/any-differences-in-firewall-configuration-syntax-between-1-4-rolling-202312140147-and-1-4-0-epa1/

It does smell of a DNAT matching bug…

I updated my post with the rule that I ended up using for clarity.
