Destination NAT for everything except one port

Here’s a nice thing I discovered about using dummy interfaces

I have a server behind a VyOS that I want almost all incoming traffic destination NATed to. At this point I don't care about port or protocol; I'm just using the VyOS as a firewall, so almost everything needs to be passed through. The one thing I want the VyOS itself to see is SSH access (on some port like 2222).

I can pass everything through by doing something like this:

set nat destination rule 100 destination address 'ext.ip.ad.dr'
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'all'
set nat destination rule 100 translation address '192.168.ad.dr'

If I then create a dummy interface on the VyOS, I can add a rule 50 that matches traffic to ext.ip.ad.dr on port 2222 and redirects it to the dummy interface's address on port 22. Destination NAT rules are evaluated in ascending rule-number order and the first match wins, so rule 50 is checked before the catch-all rule 100:

set interfaces dummy dum0 address '192.168.du.mmy/30'
set nat destination rule 50 destination address 'ext.ip.ad.dr'
set nat destination rule 50 destination port '2222'
set nat destination rule 50 inbound-interface 'eth0'
set nat destination rule 50 protocol 'tcp'
set nat destination rule 50 translation address '192.168.du.mmy'
set nat destination rule 50 translation port '22'

Now ssh -p 2222 connects to the VyOS and everything else is passed through. If I want to, I can add rules 60-90 to translate other ports/protocols the same way.
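To make the ordering explicit, here is a small model of first-match destination NAT evaluation applied to the two rules above, plus a check for rules that an earlier, broader rule would shadow (for instance if the SSH rule had been numbered 200 instead of 50). This is an added example, not VyOS code or the post's own config; the addresses are constructed stand-ins for ext.ip.ad.dr, 192.168.ad.dr and 192.168.du.mmy.

```python
# Added example: model VyOS destination NAT evaluation (lowest rule number
# first, first match wins) for the rules in the post. Addresses are constructed.
from dataclasses import dataclass
from typing import Optional, List, Tuple

EXT_IP = "203.0.113.10"   # stands in for ext.ip.ad.dr
SERVER = "192.168.1.10"   # stands in for 192.168.ad.dr (the internal server)
DUMMY = "192.168.1.250"   # stands in for 192.168.du.mmy (the dum0 address)


@dataclass(frozen=True)
class DnatRule:
    number: int
    inbound_interface: str
    destination_address: str
    protocol: str                       # 'tcp', 'udp' or 'all'
    translation_address: str
    destination_port: Optional[int] = None
    translation_port: Optional[int] = None

    def matches(self, iface: str, dst: str, proto: str, dport: int) -> bool:
        if iface != self.inbound_interface or dst != self.destination_address:
            return False
        if self.protocol != "all" and proto != self.protocol:
            return False
        return self.destination_port is None or dport == self.destination_port

    def covers(self, other: "DnatRule") -> bool:
        """True if every packet matching `other` would already match this rule."""
        return (self.inbound_interface == other.inbound_interface
                and self.destination_address == other.destination_address
                and self.protocol in ("all", other.protocol)
                and self.destination_port in (None, other.destination_port))


def apply_dnat(rules: List[DnatRule], iface: str, dst: str, proto: str,
               dport: int) -> Optional[Tuple[str, int]]:
    """Return (translated address, translated port), or None if no rule matches."""
    for rule in sorted(rules, key=lambda r: r.number):   # ascending order
        if rule.matches(iface, dst, proto, dport):
            return rule.translation_address, rule.translation_port or dport
    return None


def find_shadowed(rules: List[DnatRule]) -> List[int]:
    """Numbers of rules that can never match because an earlier rule covers them."""
    ordered = sorted(rules, key=lambda r: r.number)
    return [later.number for i, later in enumerate(ordered)
            if any(earlier.covers(later) for earlier in ordered[:i])]


RULES = [
    DnatRule(100, "eth0", EXT_IP, "all", SERVER),
    DnatRule(50, "eth0", EXT_IP, "tcp", DUMMY, destination_port=2222, translation_port=22),
]
```

apply_dnat(RULES, "eth0", EXT_IP, "tcp", 2222) yields the dummy address on port 22, while any other port, or UDP 2222, falls through to rule 100 and the internal server; renumbering the SSH rule above 100 makes find_shadowed report it.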