Hello, when I configure VRRP on my router DNAT stops working. Why? What I did wrong?
show nat destination rule 998
description Temp
destination {
address *SOMEIP*
port 9291
}
inbound-interface any
protocol tcp
translation {
address 11.11.11.13
port 22
}
Where SOMEIP is VRRP address.
Hard to tell, since no sign of troubleshooting is shown.
This dnat address must be active on outside, so original request will enter the router (verify using tcpdump)
Then on LAN, packet should be answered to same VRRP member.
Hi @hexes
Please, provide VRRP and VyOS version, so we can test exactly what is going on.
Version: VyOS 1.4-rolling-202111072034
Release train: sagitta
Built by: [email protected]
Built on: Sun 07 Nov 2021 20:34 UTC
Build UUID: a365b87c-083c-4f88-a821-697a86d7f05e
Build commit ID: 7fc087b255aca9
You know, I’m start thinking that problem possible with firewall, directly when i remove it from INput of interface NAT starts working, but I have rule that should gave access to NAT.
show firewall name ISP-IN rule 60
action accept
description LIP
destination {
port 39781-39788
}
protocol tcp
show nat destination rule 47
description "LIP-M"
destination {
address VRRPIP
port 39787
}
inbound-interface any
protocol tcp
translation {
address 11.11.13.191
port 9786
}
For firewall analysis, please share all firewall config, since there might be other rules that is dropping your connection.
show firewall name ISP-IN
default-action drop
rule 20 {
action drop
description STOP-SSH-BRUTE
destination {
port 22
}
protocol tcp
recent {
count 2
time 120
}
state {
new enable
}
}
rule 21 {
action accept
description SSH
destination {
port 22
}
protocol tcp
state {
new enable
}
}
rule 25 {
action accept
description "allow icmp ping"
protocol icmp
}
rule 50 {
action accept
description L2TP,IKE,NAT-T
destination {
port 1701,500,4500
}
protocol udp
}
rule 51 {
action accept
description ESP
protocol esp
state {
established enable
new enable
related enable
}
}
rule 52 {
action accept
description "Allow PPTP access from the Internet"
destination {
port 1723
}
protocol tcp
}
rule 53 {
action accept
protocol gre
}
rule 60 {
action accept
description LIP
destination {
port 9786,39781-39788
}
protocol tcp
}
rule 9000 {
action accept
description OpenVPN
destination {
port 9000,9002
}
protocol udp
}
@hexes .
This config, almost copied from yours but simplified, is working as expected:
NAT Rules:
vyos@vyos# run show config comm | grep "nat destination"
set nat destination rule 47 destination address '192.168.122.133' #Virtual IP address of VRRP
set nat destination rule 47 destination port '39787'
set nat destination rule 47 inbound-interface 'any'
set nat destination rule 47 protocol 'tcp'
set nat destination rule 47 translation address '10.1.1.2'
set nat destination rule 47 translation port '9786'
Firewall config:
vyos@vyos# run show config comm | grep firewall
set firewall name ISP-IN default-action 'drop'
set firewall name ISP-IN rule 60 action 'accept'
set firewall name ISP-IN rule 60 destination port '9786,39781-39788'
set firewall name ISP-IN rule 60 protocol 'tcp'
set interfaces ethernet eth0 firewall in name 'ISP-IN'
Counters on NAT and firewall get increased properly:
vyos@vyos# run show firewall name ISP-IN statistics
-----------------------------
Rulesets Information
-----------------------------
IPv4 Firewall "ISP-IN":
Active on (eth0,IN)
rule packets bytes action source destination
---- ------- ----- ------ ------ -----------
60 19 4.21K ACCEPT 0.0.0.0/0 0.0.0.0/0
10000 9 540 DROP 0.0.0.0/0 0.0.0.0/0
[edit]
vyos@vyos# run show nat destination statistics
rule pkts bytes interface
---- ---- ----- ---------
47 1 60 192.168.122.133
Were you able to trace why when you enable your firewall this stops working?
Didn’t work for me…
Rule 60 statistics is empty…
run show firewall name ISP-IN statistics
------------------------
Firewall Global Settings
------------------------
Firewall state-policy for all IPv4 and Ipv6 traffic
state action log
----- ------ ---
invalid drop disabled
established accept disabled
related accept disabled
-----------------------------
Rulesets Information
-----------------------------
IPv4 Firewall "ISP-IN":
Active on (eth0.301,IN)
rule packets bytes action source destination
---- ------- ----- ------ ------ -----------
20 65 3.90K DROP 0.0.0.0/0 0.0.0.0/0
21 17 860 ACCEPT 0.0.0.0/0 0.0.0.0/0
25 0 0 ACCEPT 0.0.0.0/0 0.0.0.0/0
50 3 572 ACCEPT 0.0.0.0/0 0.0.0.0/0
51 0 0 ACCEPT 0.0.0.0/0 0.0.0.0/0
52 0 0 ACCEPT 0.0.0.0/0 0.0.0.0/0
53 0 0 ACCEPT 0.0.0.0/0 0.0.0.0/0
60 0 0 ACCEPT 0.0.0.0/0 VRRP-IP
9000 0 0 ACCEPT 0.0.0.0/0 0.0.0.0/0
10000 3.38K 233.63K DROP 0.0.0.0/0 0.0.0.0/0
No, can’t understand…
Nov 19 16:02:40 r1-brn kernel: [812960.273168] [ISP-IN-default-D]IN=eth0.301 OUT=eth0.93 MAC=00:50:56:99:b5:89:18:e7:28:e9:ad:3f:08:00 SRC=MYSOURCEIP DST=TRANSLATIONIP LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=44343 DF PROTO=TCP SPT=48796 DPT=9786 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 19 16:02:42 r1-brn kernel: [812962.253022] [ISP-IN-default-D]IN=eth0.301 OUT=eth0.93 MAC=00:50:56:99:b5:89:18:e7:28:e9:ad:3f:08:00 SRC=MYSOURCEIP DST=TRANSLATIONIP LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=44344 DF PROTO=TCP SPT=48796 DPT=9786 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 19 16:02:46 r1-brn kernel: [812966.273109] [ISP-IN-default-D]IN=eth0.301 OUT=eth0.93 MAC=00:50:56:99:b5:89:18:e7:28:e9:ad:3f:08:00 SRC=MYSOURCEIP DST=TRANSLATIONIP LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=44345 DF PROTO=TCP SPT=48796 DPT=9786 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 19 16:02:55 r1-brn kernel: [812974.402989] [ISP-IN-default-D]IN=eth0.301 OUT=eth0.93 MAC=00:50:56:99:b5:89:18:e7:28:e9:ad:3f:08:00 SRC=MYSOURCEIP DST=TRANSLATIONIP LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=44346 DF PROTO=TCP SPT=48796 DPT=9786 WINDOW=65535 RES=0x00 SYN URGP=0
I change rule to
show firewall name ISP-IN rule 59
action accept
description TEst
protocol tcp_udp
source {
address MYSOURCEIP
}
And it worked! But why first rule didn’t work?
rule packets bytes action source destination
---- ------- ----- ------ ------ -----------
20 65 3.90K DROP 0.0.0.0/0 0.0.0.0/0
21 17 860 ACCEPT 0.0.0.0/0 0.0.0.0/0
60 0 0 ACCEPT 0.0.0.0/0 VRRP-IP
Why does rule 60 output show VRRP-IP in dest column? Rule 60 doesn’t specify dest target IP. And if it did, it should match on LAN IP as firewall comes after dNAT
F…k, dude THANKS! BUT this configuration worked perfectly on VyOS 1.2.1-s2
Why it stop working on 1.4? When i remove DEST IP it start working…
I can’t understand, when I copypast my FW rules early there wasn’t DST addr, and it didn’t work…
Aaaaaand… AGAIN!
Nov 23 11:13:05 r1-brn kernel: [1141177.444504] [AVANTEL-IN-default-D]IN=eth0.301 OUT=eth0.93 MAC=00:50:56:99:b5:89:18:e7:28:e9:ad:3f:08:00 SRC=MYSOURCEIP DST=TRANSLATIONIP LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=45936 DF PROTO=TCP SPT=38218 DPT=9786 WINDOW=65535 RES=0x00 SYN URGP=0
rule packets bytes action source destination
---- ------- ----- ------ ------ -----------
20 67 3.99K DROP 0.0.0.0/0 0.0.0.0/0
21 35 1.77K ACCEPT 0.0.0.0/0 0.0.0.0/0
25 0 0 ACCEPT 0.0.0.0/0 0.0.0.0/0
50 3 572 ACCEPT 0.0.0.0/0 0.0.0.0/0
51 0 0 ACCEPT 0.0.0.0/0 0.0.0.0/0
52 0 0 ACCEPT 0.0.0.0/0 0.0.0.0/0
53 0 0 ACCEPT 0.0.0.0/0 0.0.0.0/0
60 0 0 ACCEPT 0.0.0.0/0 0.0.0.0/0
9000 0 0 ACCEPT 0.0.0.0/0 0.0.0.0/0
10000 2.08K 123.14K DROP 0.0.0.0/0 0.0.0.0/0
show firewall name ISP-IN rule 60
action accept
description LIP
destination {
port 39781-39788
}
protocol tcp
WHATDAFUCK?!?!?!
Nov 23 11:13:05 r1-brn kernel: [1141177.444504] [AVANTEL-IN-default-D]IN=eth0.301 OUT=eth0.93 MAC=00:50:56:99:b5:89:18:e7:28:e9:ad:3f:08:00 SRC=MYSOURCEIP DST=TRANSLATIONIP LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=45936 DF PROTO=TCP SPT=38218 DPT=9786 WINDOW=65535 RES=0x00 SYN URGP=0
In that log entry, I can see 2 differences, regarding the definition of your firewall rules:
AVANTEL-IN-default-D → This means that log is related to firewall name AVANTEL-IN, not ISP-IN.
Destination port 9786, while rule 60 doesn’t include that port
Agrrr… I’m so inconsiderate. Again THANKS and SORRY! (Names of rules I changed for more clearance)
Left to read the documentation …
NAT, Routing, Firewall Interaction
There is a very nice picture/explanation in the Vyatta documentation which should be rewritten here.
If some one could, plz insert that nice picture…
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.