I have been trying to configure destination NAT with different outside and inside ports. With different ports it's not working, even though I am seeing incoming packets with the "show nat destination stat" command. But if I set the same ports for both the outside and inside network, it's working fine.
These are my current configurations. I have grouped the public IPs with an address group.
set nat destination rule 6000 destination group address-group 'Natting-IPs'
set nat destination rule 6000 destination port '2002'
set nat destination rule 6000 protocol 'tcp'
set nat destination rule 6000 translation address '10.16.200.2/32'
set nat destination rule 6000 translation port '8291'
If I set '2002' to '8291', it works fine, but with different outside and inside ports it's not working.
What VyOS version are you using?
Share output of:
sudo nft list chain ip vyos_nat PREROUTING
Please, remove /32 from your rules.
Just use:
set nat destination rule 6000 translation address '10.16.200.2'
I tested first without /32 too. Same result
Please share once again:
- nat commands
- nft output
In a quick test I get:
vyos@BRIDGE# run show config comm | grep "nat destination"
## Rule 101 using /32 -> Wrong
set nat destination rule 101 destination port '1111'
set nat destination rule 101 protocol 'tcp'
set nat destination rule 101 translation address '192.168.88.1/32'
set nat destination rule 101 translation port '8291'
## Rule 202 without using /32 -> OK
set nat destination rule 202 destination port '222'
set nat destination rule 202 protocol 'tcp'
set nat destination rule 202 translation address '192.168.88.1'
set nat destination rule 202 translation port '8291'
[edit]
vyos@BRIDGE# sudo nft list chain vyos_nat PREROUTING
table ip vyos_nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
counter packets 344 bytes 92542 jump VYOS_PRE_DNAT_HOOK
tcp dport 1111 counter packets 0 bytes 0 dnat prefix to 192.168.88.1/32 comment "DST-NAT-101"
## Rule 202 as expected
tcp dport 222 counter packets 0 bytes 0 dnat to 192.168.88.1:8291 comment "DST-NAT-202"
}
}
[edit]
vyos@BRIDGE#
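The nft output above shows why the two rules behave differently: with a prefix length on the translation address, VyOS emits `dnat prefix to 192.168.88.1/32` and the translation port never reaches nftables, whereas a bare address produces `dnat to 192.168.88.1:8291`. The Python script below is an added example (not VyOS code and not posted by anyone in this thread): it parses `set nat destination rule ...` lines, renders the nft expression in the shape shown in the posted output, and flags any rule whose translation port would be silently discarded by a prefix-length translation address. The rendering only imitates the posted output (packet and byte counters omitted); it is not VyOS's own generator. The embedded sample config is constructed from the two rules in the test above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches VyOS "set nat destination rule N <path> 'value'" lines.
# Forum smart quotes are normalised to straight quotes before matching.
SET_RE = re.compile(r"^set nat destination rule (\d+) (.+?) '([^']*)'$")

# Constructed sample: the two test rules posted above (101 wrong, 202 OK).
SAMPLE_CONFIG = """
## Rule 101 using /32 -> Wrong
set nat destination rule 101 destination port '1111'
set nat destination rule 101 protocol 'tcp'
set nat destination rule 101 translation address '192.168.88.1/32'
set nat destination rule 101 translation port '8291'
## Rule 202 without using /32 -> OK
set nat destination rule 202 destination port '222'
set nat destination rule 202 protocol 'tcp'
set nat destination rule 202 translation address '192.168.88.1'
set nat destination rule 202 translation port '8291'
"""


@dataclass
class DnatRule:
    number: int
    protocol: Optional[str] = None
    destination_port: Optional[str] = None
    destination_group: Optional[str] = None
    translation_address: Optional[str] = None
    translation_port: Optional[str] = None


def parse_rules(config_text: str) -> List[DnatRule]:
    """Collect destination NAT rules from a block of 'set' commands."""
    rules: Dict[int, DnatRule] = {}
    for raw in config_text.splitlines():
        line = raw.strip().replace("\u2018", "'").replace("\u2019", "'")
        m = SET_RE.match(line)
        if not m:
            continue  # comments, prompts, unrelated commands
        number, path, value = int(m.group(1)), m.group(2), m.group(3)
        rule = rules.setdefault(number, DnatRule(number))
        if path == "protocol":
            rule.protocol = value
        elif path == "destination port":
            rule.destination_port = value
        elif path == "destination group address-group":
            rule.destination_group = value
        elif path == "translation address":
            rule.translation_address = value
        elif path == "translation port":
            rule.translation_port = value
    return [rules[n] for n in sorted(rules)]


def has_prefix(address: Optional[str]) -> bool:
    """True when the address is written with a prefix length (e.g. /32)."""
    return bool(address) and "/" in address


def render_nft(rule: DnatRule) -> str:
    """Render the nft expression in the shape the posted output shows.
    A prefixed translation address becomes 'dnat prefix to A/N' and the
    translation port is dropped; a bare address keeps 'dnat to A:port'."""
    if not rule.translation_address:
        raise ValueError(f"rule {rule.number} has no translation address")
    parts: List[str] = []
    if rule.protocol and rule.destination_port:
        parts.append(f"{rule.protocol} dport {rule.destination_port}")
    parts.append("counter")
    if has_prefix(rule.translation_address):
        parts.append(f"dnat prefix to {rule.translation_address}")
    elif rule.translation_port:
        parts.append(f"dnat to {rule.translation_address}:{rule.translation_port}")
    else:
        parts.append(f"dnat to {rule.translation_address}")
    parts.append(f'comment "DST-NAT-{rule.number}"')
    return " ".join(parts)


def lint(rules: List[DnatRule]) -> List[Tuple[int, str]]:
    """Report rules whose translation port would be silently discarded."""
    findings: List[Tuple[int, str]] = []
    for r in rules:
        if r.translation_port and has_prefix(r.translation_address):
            bare = r.translation_address.split("/")[0]
            findings.append((r.number,
                "translation port is ignored because the translation address "
                f"carries a prefix length; use translation address '{bare}'"))
    return findings


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_CONFIG)
    for rule in parsed:
        print(render_nft(rule))
    for number, message in lint(parsed):
        print(f"rule {number}: {message}")
```

Run it against a pasted `show configuration commands | grep "nat destination"` block before committing: any rule the linter reports will match packets (the counter in `show nat destination statistics` increments) but forward them to the original destination port, which is exactly the symptom described at the top of the thread.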
Yes, it's working fine without /32. But I have found one thing: if we port forward the same port on both sides, don't add the translation port command in the rule or use /32 in the translation address to make it work.