Cannot Filter DNAT by source as the Source IP is changed to VYOS public IP

I am trying to set up a DNAT for my homelab that is proxied behind Cloudflare. I would like to limit the DNAT to source IPs from Cloudflare only. I have created an Address Group with all the Cloudflare IPs. Without the source rule the DNAT works as expected. When the source filter rule is added the DNAT fails.

Upon closer inspection I noticed that the show nat destination translations tells me the pre-NAT address is my public IP, not the IP from Cloudflare. I have tried accessing the network using a VPN and my mobile data to rule out the issue being that VYOS is seeing the client IP and not the Cloudflare one.

A previous post mentioned WAN load balancing. However, when I try to set load-balancing wan disable-source-nat I cannot commit the config without further configuration of load-balancing.

I am not sure where to go from here nor what the issue may be.

I am using firewall zones.

Below are the commands used to enable the DNAT.

Thank you for any help.

set nat destination rule 680 description 'Port Forward: HTTP to 192.168.0.53'
set nat destination rule 680 destination port '80'
set nat destination rule 680 inbound-interface name 'eth4'
set nat destination rule 680 protocol 'tcp_udp'
set nat destination rule 680 translation address '192.168.0.53'
set nat destination rule 680 source group address-group CLOUDFLARE-IPS-V4

set nat destination rule 643 description 'Port Forward: HTTPS to 192.168.0.53'
set nat destination rule 643 destination port '443'
set nat destination rule 643 inbound-interface name 'eth0'
set nat destination rule 643 protocol 'tcp_udp'
set nat destination rule 643 translation address '192.168.0.53'
set nat destination rule 643 source group address-group CLOUDFLARE-IPS-V4

set firewall ipv4 name WAN-SERVICES rule 10 action accept
set firewall ipv4 name WAN-SERVICES rule 10 description 'Allow DNAT'
set firewall ipv4 name WAN-SERVICES rule 10 connection-status nat destination
set firewall ipv4 name WAN-SERVICES rule 10 state 'new'
set firewall ipv4 name WAN-SERVICES rule 10 log

The op-mode command to show destination NAT translations refers to the destination address, not the source address. Since you are using destination NAT, the idea is to change the destination IP address of the packet, so the op-mode command shows:

  1. Original Destination IP address
  2. Translated IP address

Maybe adding a log to the NAT rule will help you debug and check the source address.
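Once the NAT rule logs, the source check suggested above can be automated. The following is an added example, not part of the thread: it reads netfilter-style log lines and reports whether each logged source address falls inside the address group. The `[DST-NAT-680]` log prefix, the sample log lines, the function names and the group prefixes (documentation ranges standing in for CLOUDFLARE-IPS-V4) are all assumptions.

```python
import ipaddress
import re

# Constructed stand-in for the CLOUDFLARE-IPS-V4 address group. These are
# documentation ranges, not Cloudflare's published prefixes.
GROUP = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed log lines in the kernel netfilter KEY=VALUE layout. The
# "[DST-NAT-680]" prefix is an assumption about how the rule tags its entries.
SAMPLE_LOG = """\
kernel: [DST-NAT-680] IN=eth4 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=80
kernel: [DST-NAT-680] IN=eth4 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.200 DST=192.0.2.10 PROTO=TCP SPT=40022 DPT=80
kernel: unrelated message without packet fields
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the packet fields of one log line, or None if it is not a packet log."""
    fields = dict(FIELD.findall(line))
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return None  # no SRC/DST pair, or not a valid address
    return {"in_if": fields.get("IN", ""), "src": src, "dst": dst,
            "dport": fields.get("DPT", "")}


def classify(log_text, group=GROUP):
    """Tag every logged packet with whether its source is inside the group."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            rec["in_group"] = any(rec["src"] in net for net in group)
            records.append(rec)
    return records


if __name__ == "__main__":
    for rec in classify(SAMPLE_LOG):
        verdict = "matches group" if rec["in_group"] else "NOT in group"
        print(f"{rec['in_if']} {rec['src']} -> {rec['dst']}:{rec['dport']} {verdict}")
```

A source reported as not in the group is the address the source filter on the NAT rule would be compared against, which is the value to inspect when the filtered rule stops matching.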