Hello there! Novice VyOS user here.
I switched my router from a Unifi USG to a VyOS box. While it is much more stable, I am stuck with one issue: I cannot reach services in my network via my public IP while I am inside my network. From outside the network this works perfectly fine. After doing some Googling, I found that NAT hairpinning is the solution to this problem.
Now, I noticed that this is explained quite well in the VyOS docs, but as usual with networks, my situation differs from the docs. I've got a record, let's call it example.com, pointing to my public IPv4; from outside my network the service is reachable, from inside it is not.
My subnet topology is as follows:
192.168.1.0/24 - default network, eth1
192.168.2.0/24 - Servers, eth1.20
10.10.4.0/24 - VMs and Kubernetes
I am on the default network myself, and the service is on Kubernetes. At first, connecting to the service resulted in a connection refused, so the traffic never even reached the server. Now, however, I'm getting a timeout on the response, indicating that the traffic reaches the server but isn't coming back (correctly?).
My SNAT rules:
rule 100 {
    description LAN-NAT
    outbound-interface eth0.300
    source {
        address 192.168.1.0/24
    }
    translation {
        address masquerade
    }
}
rule 101 {
    description VM-NAT
    outbound-interface eth0.300
    source {
        address 10.10.4.0/24
    }
    translation {
        address masquerade
    }
}
rule 102 {
    description SERVER-NAT
    outbound-interface eth0.300
    source {
        address 192.168.2.0/24
    }
    translation {
        address masquerade
    }
}
rule 1000 {
    description "NAT HTTP(S) Inside"
    destination {
        address 10.10.4.0/24
    }
    outbound-interface eth1.40
    protocol tcp_udp
    source {
        address 10.10.4.0/24
    }
    translation {
        address masquerade
    }
}
rule 1001 {
    destination {
        address 192.168.1.0/24
    }
    outbound-interface eth1
    protocol tcp_udp
    source {
        address 192.168.2.0/24
    }
    translation {
        address masquerade
    }
}
My DNAT rules:
rule 110 {
    description "Kubernetes Ingress"
    destination {
        port 443
    }
    inbound-interface eth0.300
    protocol tcp
    translation {
        address 10.10.4.254
        port 443
    }
}
rule 1000 {
    destination {
        address [PUBLIC v4]
        port 443,80
    }
    inbound-interface eth1.40
    protocol tcp_udp
    translation {
        address 10.10.4.254
    }
}
rule 1001 {
    destination {
        address [PUBLIC v4]
        port 443,80
    }
    inbound-interface eth1
    protocol tcp_udp
    source {
        address 192.168.1.0/24
    }
    translation {
        address 10.10.4.254
    }
}
Help getting this to work would be greatly appreciated!
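As an added example, not part of the original post and not the poster's config: the hairpin DNAT/SNAT pair from the VyOS NAT documentation, adapted to the addressing above. It assumes VyOS 1.3 syntax (the style the posted config is in; in 1.4 the interface keywords become `inbound-interface name` / `outbound-interface name`), that 10.10.4.0/24 is the subnet on eth1.40 (the posted SNAT rule 1000 pairs those two), that `[PUBLIC v4]` is the WAN address, and that rule number 2000 is free on both chains. The point it shows: a hairpin needs two rules that match the same flow at different stages. The DNAT on eth1 rewrites the destination to 10.10.4.254; after that rewrite the packet leaves through eth1.40, so the matching SNAT has to be keyed on eth1.40 with the LAN source and the ingress destination. The posted SNAT rule 1001 (source 192.168.2.0/24, outbound eth1) and rule 1000 (source 10.10.4.0/24, outbound eth1.40) do not match a 192.168.1.x client going to 10.10.4.254, so the ingress sees the client's real address and its reply is not tied to the hairpin conntrack entry.

```vyos
# Added example, not from the original post. VyOS 1.3 syntax.
# Assumptions: 10.10.4.0/24 (Kubernetes) is on eth1.40, [PUBLIC v4] is the WAN
# address, and rule 2000 is unused on both the destination and source chains.
configure

# 1. Hairpin DNAT: a 192.168.1.0/24 host on eth1 that connects to the public IP
#    on 80/443 is redirected to the Kubernetes ingress, same as the WAN rule 110.
set nat destination rule 2000 description 'Hairpin: LAN -> public IP -> K8s ingress'
set nat destination rule 2000 inbound-interface 'eth1'
set nat destination rule 2000 protocol 'tcp'
set nat destination rule 2000 destination address '[PUBLIC v4]'
set nat destination rule 2000 destination port '80,443'
set nat destination rule 2000 source address '192.168.1.0/24'
set nat destination rule 2000 translation address '10.10.4.254'

# 2. Hairpin SNAT: once the destination has been rewritten, the packet is routed
#    out of eth1.40, so this rule matches that interface, the LAN source and the
#    ingress destination, and masquerades to the router's eth1.40 address. The
#    ingress then answers the router, which reverses both translations through
#    the single conntrack entry and hands the reply back to the LAN client.
set nat source rule 2000 description 'Hairpin: masquerade LAN clients towards K8s ingress'
set nat source rule 2000 outbound-interface 'eth1.40'
set nat source rule 2000 protocol 'tcp'
set nat source rule 2000 source address '192.168.1.0/24'
set nat source rule 2000 destination address '10.10.4.254'
set nat source rule 2000 translation address 'masquerade'

commit
save
exit
```

To check it, open https://example.com from a 192.168.1.x host and then run `show nat destination statistics` and `show nat source statistics`: the packet counters on both rule 2000 entries should increase together, and `show conntrack table ipv4` should list the flow with the rewritten source and destination. If only the DNAT counter moves, the ingress subnet is on a different interface than assumed and the `outbound-interface` of the SNAT rule must be changed to match. If neither moves, an interface or zone firewall is dropping the eth1 to eth1.40 forward before NAT matters. Note that the masquerade hides the real client address from the ingress logs; if those logs matter, give the SNAT rule a fixed `translation address` instead and keep the real-client audit trail in the router.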