destination NAT to server that doesn't use VyOS as its DG

Hi all, I’m interested to understand if VyOS has capabilities as described in my question as per the subject.

Essentially I’m looking to replicate features that are often available in load balancers.

If I perform a DNAT to a machine that does not use the VyOS router as its default gateway, the traffic of course never goes back out through VyOS.

Typically this is overcome by choosing to do one of two things on a typical load balancer:

  1. Change the default gateway on the target server to use the VyOS router so that packets are sent back to the VyOS router by default.
  2. SNAT the inbound packets so that the receiving server sees the packets as having come from the VyOS router and thus will send them back to it.

I can’t do number 1 so that leaves me with number 2.

My VyOS configuration is somewhat unique (or maybe not, it just feels it to me) in that I have two trusted ethernet interfaces and one openvpn interface. I am performing the DNAT from the openvpn interface.

Network 1: 192.168.1.0/24
This is where the target for my DNAT resides. The hosts on this network use 192.168.1.1 as their default gateway.

Network 2: 10.0.2.0/24
The hosts on this network use 10.0.2.1 (one of the VyOS router’s ethernet interfaces) as their default gateway.

OpenVPN: Dynamically assigned IP
When connected, hosts on the 10.0.2.0/24 network route traffic out through this. The DNAT is configured here.

The interface and NAT configuration is shown below. Network 1 is essentially my primary network and the VyOS router is a host on that. I’m not SNATing anything from Network 2 in to Network 1 (I have considered this approach but was hoping for something that retains an un-SNATed configuration).

Can anyone help?

I’m about to go away and try and configure a very specific SNAT rule - if I come up with something, I’ll re-post here. Isn’t it funny how typing up a problem sends you off in different directions…

interfaces {
    ethernet eth0 {
        address 192.168.1.19/24
        description DMZ
        duplex auto
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 10.0.2.1/24
        description Internal
        duplex auto
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        firewall {
            in {
                name VPN-IN
            }
            local {
                name VPN-LOCAL
            }
        }
        mode client
        openvpn-option "--verb 3"
        openvpn-option --comp-lzo
        openvpn-option "--auth-user-pass /config/auth/secret.txt"
        openvpn-option "--link-mtu 1542"
        openvpn-option "--script-security 2"
        protocol udp
        remote-host uk1.vpn.giganews.com
        remote-port 1194
        tls {
            ca-cert-file /config/auth/ca.vyprvpn.com.crt
        }
    }
}

nat {
    destination {
        rule 11 {
            description "Port forward: HTTP to 192.168.1.13"
            destination {
                port 80
            }
            inbound-interface vtun0
            log enable
            protocol tcp
            translation {
                address 192.168.1.13
                port 80
            }
        }
    }
    source {
        rule 100 {
            outbound-interface vtun0
            source {
                address 10.0.2.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}


Well, it seems it wasn’t as hard as I first thought.

After adding a SNAT to accompany the DNAT, it works.

Typed all that and then resolved it myself. D’oh. Anyhoo, here it is for anyone else trying to do the same thing.

nat {
     destination {
         rule 11 {
             description "Port forward: HTTP to 192.168.1.13"
             destination {
                 port 80
             }
             inbound-interface vtun0
             log enable
             protocol tcp
             translation {
                 address 192.168.1.13
                 port 80
             }
         }
     }
     source {
         rule 100 {
             outbound-interface vtun0
             source {
                 address 10.0.2.0/24
             }
             translation {
                 address masquerade
             }
         }
         rule 101 {
             destination {
                 address 192.168.1.13
                 port 80
             }
             outbound-interface eth0
             protocol tcp
             translation {
                 address masquerade
             }
         }
     }
}
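To show why source rule 101 is what makes the port forward work, here is a small model of the packet flow, added for this thread and not code from VyOS or from the poster. It walks one TCP connection through destination rule 11, the routing decision, source rule 101 (on or off), the server's own routing back toward its default gateway 192.168.1.1, and the conntrack reversal on the router. The addresses 192.168.1.19, 192.168.1.13, 192.168.1.1 and 10.0.2.1 are from the thread; the vtun0 address 10.8.0.2, the VPN subnet 10.8.0.0/24 and the client 10.8.0.50:40000 are assumptions, since the thread only says vtun0 is dynamically assigned.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Topology from the thread. The VPN-side addresses are assumptions for this
# example; the real vtun0 address is dynamically assigned.
ROUTER_ADDR = {"eth0": "192.168.1.19", "eth1": "10.0.2.1", "vtun0": "10.8.0.2"}
LAN = ip_network("192.168.1.0/24")
ROUTES = [(LAN, "eth0"),
          (ip_network("10.0.2.0/24"), "eth1"),
          (ip_network("10.8.0.0/24"), "vtun0")]          # assumed VPN subnet
SERVER_IP, SERVER_GW = "192.168.1.13", "192.168.1.1"     # server's gateway is not VyOS
CLIENT_IP, CLIENT_PORT = "10.8.0.50", 40000              # assumed VPN-side client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reversed(self) -> "Packet":
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


def egress_interface(dst: str) -> str:
    """Pick the outbound interface; the three routes do not overlap."""
    for net, iface in ROUTES:
        if ip_address(dst) in net:
            return iface
    raise ValueError(f"no route to {dst}")


def dnat_rule_11(p: Packet, in_iface: str) -> Packet:
    """nat destination rule 11: tcp/80 arriving on vtun0 -> 192.168.1.13:80."""
    if in_iface == "vtun0" and p.proto == "tcp" and p.dport == 80:
        return Packet(p.src, p.sport, SERVER_IP, 80, p.proto)
    return p


def snat_rules(p: Packet, out_iface: str, rule_101_enabled: bool) -> Packet:
    """nat source rule 100 (masquerade 10.0.2.0/24 out of vtun0) and, when
    enabled, rule 101 (masquerade tcp traffic to 192.168.1.13:80 leaving eth0)."""
    if out_iface == "vtun0" and ip_address(p.src) in ip_network("10.0.2.0/24"):
        return Packet(ROUTER_ADDR["vtun0"], p.sport, p.dst, p.dport, p.proto)
    if (rule_101_enabled and out_iface == "eth0" and p.proto == "tcp"
            and p.dst == SERVER_IP and p.dport == 80):
        return Packet(ROUTER_ADDR["eth0"], p.sport, p.dst, p.dport, p.proto)
    return p


def simulate(rule_101_enabled: bool) -> dict:
    # 1. A VPN-side client connects to the router's vtun0 address on port 80.
    original = Packet(CLIENT_IP, CLIENT_PORT, ROUTER_ADDR["vtun0"], 80)
    after_dnat = dnat_rule_11(original, "vtun0")
    out_iface = egress_interface(after_dnat.dst)
    translated = snat_rules(after_dnat, out_iface, rule_101_enabled)
    # conntrack: the reply tuple the router expects -> the tuple to restore
    conntrack = {translated.reversed(): original.reversed()}

    # 2. The server answers the source address it saw. On-link destinations are
    #    delivered directly; anything else is handed to its default gateway.
    reply = translated.reversed()
    next_hop = reply.dst if ip_address(reply.dst) in LAN else SERVER_GW
    reply_via_vyos = next_hop == ROUTER_ADDR["eth0"]

    # 3. Only a reply that passes through VyOS is un-NATed. The client socket
    #    accepts a reply only if it comes from the address:port it connected to.
    delivered = conntrack[reply] if reply_via_vyos else reply
    return {
        "server_sees_src": translated.src,
        "reply_next_hop": next_hop,
        "reply_via_vyos": reply_via_vyos,
        "reply_matches_client_socket": delivered == original.reversed(),
    }


if __name__ == "__main__":
    for enabled in (False, True):
        label = "enabled" if enabled else "disabled"
        print(f"rule 101 {label}:", simulate(enabled))
```

With rule 101 disabled the server replies to 10.8.0.50 through 192.168.1.1, so the reply never passes the router and would carry 192.168.1.13:80 as its source, which the client's socket (connected to 10.8.0.2:80) rejects. With rule 101 enabled the server sees 192.168.1.19 and delivers the reply on-link to the router, which reverses both translations. The trade-off that `server_sees_src` makes visible: the web server's logs now record the router's address rather than the real client, so any per-client logging or rate limiting has to happen on VyOS (rule 11 already has `log enable`), not on 192.168.1.13.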