Destination nat with different inbound and outbound ports

I have been trying to configure destination NAT with different outside and inside ports. With different ports it's not working, even though I am seeing incoming packets with the "show nat destination stat" command. But if I set the same port for both the outside and inside network, it's working fine.

These are my current configurations. I have grouped the public IPs with an address group.

set nat destination rule 6000 destination group address-group 'Natting-IPs'
set nat destination rule 6000 destination port '2002'
set nat destination rule 6000 protocol 'tcp'
set nat destination rule 6000 translation address '10.16.200.2/32'
set nat destination rule 6000 translation port '8291'

If I set '2002' to '8291', it works fine, but with different outside and inside ports it's not working.


What VyOS version are you using?
Share output of:

sudo nft list chain ip vyos_nat PREROUTING

I have changed rule 6000 now. But I can reproduce this again.

Please, remove /32 from your rules.
Just use:

set nat destination rule 6000 translation address '10.16.200.2'

I tested first without /32 too. Same result.

Please share once again:

  • nat commands
  • nft output

In a quick test I get:

vyos@BRIDGE# run show config comm | grep "nat destination"
## Rule 101 using /32 -> Wrong
set nat destination rule 101 destination port '1111'
set nat destination rule 101 protocol 'tcp'
set nat destination rule 101 translation address '192.168.88.1/32'
set nat destination rule 101 translation port '8291'

## Rule 202 without using /32 -> OK
set nat destination rule 202 destination port '222'
set nat destination rule 202 protocol 'tcp'
set nat destination rule 202 translation address '192.168.88.1'
set nat destination rule 202 translation port '8291'
[edit]
vyos@BRIDGE# sudo nft list chain vyos_nat PREROUTING
table ip vyos_nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                counter packets 344 bytes 92542 jump VYOS_PRE_DNAT_HOOK
                tcp dport 1111 counter packets 0 bytes 0 dnat prefix to 192.168.88.1/32 comment "DST-NAT-101"
                ## Rule 202 as expected
                tcp dport 222 counter packets 0 bytes 0 dnat to 192.168.88.1:8291 comment "DST-NAT-202"
        }
}
[edit]
vyos@BRIDGE# 
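The nft listing above shows what goes wrong: a translation address written with a /32 prefix is rendered as `dnat prefix to 192.168.88.1/32`, so the translation port never reaches the kernel rule. The following lint script is an added example, not code from VyOS or from anyone in this thread. It parses `set nat destination rule ...` commands, flags any rule that combines a prefixed translation address with a translation port, and separately scans an `nft list chain` dump for DNAT rules that were rendered as prefix-only (no port). The sample config and nft text embedded below are constructed from the two rules quoted in the post above.

```python
"""Lint VyOS destination-NAT commands for the '/32 + translation port' pitfall.

Added example, not VyOS project code. Assumes the 'set nat destination rule'
command syntax shown in this thread and the nft rendering quoted above.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample: the two rules from the test post, as 'set' commands.
SAMPLE_CONFIG = """
set nat destination rule 101 destination port '1111'
set nat destination rule 101 protocol 'tcp'
set nat destination rule 101 translation address '192.168.88.1/32'
set nat destination rule 101 translation port '8291'
set nat destination rule 202 destination port '222'
set nat destination rule 202 protocol 'tcp'
set nat destination rule 202 translation address '192.168.88.1'
set nat destination rule 202 translation port '8291'
"""

# Constructed sample: the 'nft list chain ip vyos_nat PREROUTING' output from the same post.
SAMPLE_NFT = """
table ip vyos_nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                counter packets 344 bytes 92542 jump VYOS_PRE_DNAT_HOOK
                tcp dport 1111 counter packets 0 bytes 0 dnat prefix to 192.168.88.1/32 comment "DST-NAT-101"
                tcp dport 222 counter packets 0 bytes 0 dnat to 192.168.88.1:8291 comment "DST-NAT-202"
        }
}
"""

SET_RE = re.compile(r"^set nat destination rule (\d+) (.+)$")
# A prefixed translation address is rendered as 'dnat prefix to <addr>/<len>' with no port.
PREFIX_DNAT_RE = re.compile(r'dnat prefix to (\S+) comment "([^"]+)"')


def parse_dnat_rules(config_text):
    """Return {rule_number: {key_path: value}} from 'set nat destination' lines."""
    rules = defaultdict(dict)
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        tokens = shlex.split(m.group(2))  # shlex strips the single quotes around values
        key_path, value = " ".join(tokens[:-1]), tokens[-1]
        rules[int(m.group(1))][key_path] = value
    return dict(rules)


def lint_rule(number, rule):
    """Return a list of findings for one parsed rule (empty list means OK)."""
    findings = []
    addr = rule.get("translation address")
    port = rule.get("translation port")
    if addr and "/" in addr and port:
        host = addr.split("/")[0]
        findings.append(
            f"rule {number}: translation address '{addr}' has a prefix length, so it is "
            f"rendered as 'dnat prefix to {addr}' and translation port '{port}' is not "
            f"applied; use translation address '{host}' instead"
        )
    return findings


def lint_config(config_text):
    """Lint every destination-NAT rule in a block of 'set' commands."""
    findings = []
    for number, rule in sorted(parse_dnat_rules(config_text).items()):
        findings.extend(lint_rule(number, rule))
    return findings


def find_prefix_dnat(nft_text):
    """Return (comment, address) pairs for nft DNAT rules rendered without a port."""
    return [(m.group(2), m.group(1)) for m in PREFIX_DNAT_RE.finditer(nft_text)]


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
    for comment, addr in find_prefix_dnat(SAMPLE_NFT):
        print(f"nft: {comment} is a prefix-only DNAT to {addr}; no port rewrite will happen")
```

Running it on the sample flags rule 101 and the nft entry tagged DST-NAT-101, while rule 202 passes. Feeding it `show configuration commands | grep "nat destination"` and `sudo nft list chain ip vyos_nat PREROUTING` from a live box is a quick way to confirm which of the two forms a rule actually compiled to.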

Yes, it's working fine without /32. But I have found one thing: if we port forward the same port on both sides, don't add the translation port command in the rule, or use /32 in the translation address, to make it work.
