I am trying to set up a DNAT for my homelab that is proxied behind Cloudflare. I would like to limit the DNAT to source IPs from Cloudflare only. I have created an Address Group with all the Cloudflare IPs. Without the source rule the DNAT works as expected. When the source filter rule is added the DNAT fails.
Upon closer inspection I noticed that show nat destination translations tells me the pre-NAT address is my public IP, not the IP from Cloudflare. I have tried accessing the network using a VPN and my mobile data to rule out the issue being that VyOS is seeing the client IP and not the Cloudflare one.
A previous post mentioned WAN load balancing. However, when I try to set load-balancing wan disable-source-nat I cannot commit the config without further configuration of load-balancing.
I am not sure where to go from here nor what the issue may be.
I am using firewall zones.
Below are the commands used to enable the DNAT.
Thank you for any help.
set nat destination rule 680 description 'Port Forward: HTTP to 192.168.0.53'
set nat destination rule 680 destination port '80'
set nat destination rule 680 inbound-interface name 'eth4'
set nat destination rule 680 protocol 'tcp_udp'
set nat destination rule 680 translation address '192.168.0.53'
set nat destination rule 680 source group address-group CLOUDFLARE-IPS-V4
set nat destination rule 643 description 'Port Forward: HTTPS to 192.168.0.53'
set nat destination rule 643 destination port '443'
set nat destination rule 643 inbound-interface name 'eth0'
set nat destination rule 643 protocol 'tcp_udp'
set nat destination rule 643 translation address '192.168.0.53'
set nat destination rule 643 source group address-group CLOUDFLARE-IPS-V4
set firewall ipv4 name WAN-SERVICES rule 10 action accept
set firewall ipv4 name WAN-SERVICES rule 10 description 'Allow DNAT'
set firewall ipv4 name WAN-SERVICES rule 10 connection-status nat destination
set firewall ipv4 name WAN-SERVICES rule 10 state 'new'
set firewall ipv4 name WAN-SERVICES rule 10 log
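The post turns on whether the pre-NAT source address that show nat destination translations reports actually falls inside the CLOUDFLARE-IPS-V4 address group; if the router sees its own public IP as the source, no source-group filter can match. The following is an added example, not code from the poster or from VyOS, that checks a list of observed source addresses against a set of CIDR prefixes the way the address group would. The prefixes (documentation ranges) and the observed addresses are constructed for the example; the real group contents must come from Cloudflare's published list.

```python
import ipaddress

# Constructed example prefixes standing in for the contents of the
# CLOUDFLARE-IPS-V4 address group (RFC 5737 documentation ranges, not
# Cloudflare's real ranges; take those from Cloudflare's published list).
EXAMPLE_GROUP_V4 = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "192.0.2.128/26",
]

# Constructed sample of pre-NAT source addresses as one might read them
# off "show nat destination translations" while testing the forward.
OBSERVED_SOURCES = [
    "203.0.113.10",    # inside the first prefix
    "198.51.100.200",  # outside the /25 (covers .0 to .127 only)
    "192.0.2.130",     # inside the /26 (covers .128 to .191)
]


def build_group(cidrs):
    """Parse CIDR strings into network objects.

    strict=True rejects entries with host bits set, which is the kind of
    typo that silently shrinks or shifts an allow-list.
    """
    return [ipaddress.ip_network(entry, strict=True) for entry in cidrs]


def matching_prefix(source_ip, networks):
    """Return the first prefix in the group containing source_ip, or None."""
    addr = ipaddress.ip_address(source_ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def classify_sources(observed, cidrs):
    """Map each observed pre-NAT source to the prefix it matched (None if none).

    A None result for traffic that is known to arrive via Cloudflare means the
    source filter on the DNAT rule cannot match that flow, so the rule would
    not translate it.
    """
    networks = build_group(cidrs)
    return {ip: matching_prefix(ip, networks) for ip in observed}


if __name__ == "__main__":
    for ip, prefix in classify_sources(OBSERVED_SOURCES, EXAMPLE_GROUP_V4).items():
        verdict = f"in group via {prefix}" if prefix else "NOT in group"
        print(f"{ip:16} {verdict}")
```

Feed it the addresses seen in the translation table: any address reported as "NOT in group" for a connection that should have come through Cloudflare identifies a flow the source-filtered DNAT rule will never translate, which narrows the problem to either the group contents or to which address the router sees as the source.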