DNAT issue (I can't access the Ubuntu server from my local machine)

Hi Team,

I have a VyOS router where I want to configure DNAT rules to access the Ubuntu server, which is behind the VyOS router, from my local host (a computer outside).

Local host ip 192.168.18.10
ubuntu server Behind vyos connected - 172.16.10.2

topology

local host ------> router vyos ------> ubuntu server

VyOS DNAT rule I added

set nat destination rule 1 destination address '172.16.10.2'
set nat destination rule 1 destination port '22'
set nat destination rule 1 inbound-interface 'eth1'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 source address '192.168.18.10'
set nat destination rule 1 translation address '172.16.10.2'

interfaces in vyos:
outside interface : eth0
inside interface : eth1 (Ubuntu server connected)

I can’t access the Ubuntu server from my local machine. Is anything missing from my side?

You also need source NAT rule

set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address 172.16.10.2
set nat source rule 10 translation address masquerade

Translation and destination address is the same → Then no need to nat.

Local host ip 192.168.18.10
ubuntu server Behind vyos connected - 172.16.10.2

I guess in destination address you should configure address 192.168.18.x (ip address of vyos interface). Then try ssh to that address

Hello @Jamal,

The destination address is the interface ip address eth0.
The translation address is the Ubuntu server
The source address can be left unconfigured.

Hi all,
Thanks for your response. I have made changes, but I still can't access the machine from the local PC.

abc@Local-PC ~ % ssh ubuntu@172.16.10.2
ssh: connect to host 172.16.10.2 port 22: Network is unreachable

Updated Configuration:

set nat destination rule 1 destination address '192.168.18.131'
set nat destination rule 1 destination port '22'
set nat destination rule 1 inbound-interface 'eth1'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 translation address '172.16.10.2'

SNAT
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '172.16.10.2'
set nat source rule 10 translation address '192.168.18.131'

and ssh ubuntu@192.168.18.131 ?

Hi @n.fort

Yeah, now I am able to access it through >> ssh ubuntu@192.168.18.131.
I have tried the passwords for the Ubuntu machine and VyOS… but they are not working.

abc@Local-Machine ~ % ssh ubuntu@192.168.18.131
Password:
Password:
Password:
ubuntu@192.168.18.131: Permission denied (publickey,keyboard-interactive).

Hello @Jamal

You may have connected to port 22 of the vyos router.
Try configuring a different port for the ssh connection. For example: connect to port 222 and nat translate it to port 22 of ubuntu server.
Configuration:

set nat destination rule 1 destination address 192.168.18.131
set nat destination rule 1 destination port 222
set nat destination rule 1 inbound-interface eth1
set nat destination rule 1 protocol tcp
set nat destination rule 1 translation address 172.16.10.2
set nat destination rule 1 translation port 22

Command to connect:
ssh ubuntu@192.168.18.131 -p 222

Hi @RyVolodya

Thanks for your response.
I changed the destination port to 222 and the translation port to 22, but still the same issue.

ssh ubuntu@192.168.18.131 222
Password:
Password:
Password:
ubuntu@192.168.18.131: Permission denied (publickey,keyboard-interactive).

Configuration in vyos

set nat destination rule 1 destination address '192.168.18.131'
set nat destination rule 1 destination port '222'
set nat destination rule 1 inbound-interface 'eth1'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 translation address '172.16.10.2'
set nat destination rule 1 translation port '22'

One more question,

Is it possible to apply a DNAT rule in VyOS which has 2 Ubuntu VM machines?
Like:
interface - eth1 (172.16.20.1/24)
Ubuntu1 172.16.20.12
Ubuntu2 172.16.20.13

How do I SSH to these two Ubuntu VMs from another network?
Is the following configuration for SSH fine?
I have configured these rules:

set nat destination rule 1 destination address '192.168.18.132/32'
set nat destination rule 1 destination port '223'
set nat destination rule 1 inbound-interface 'eth1'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 translation address '172.16.20.12'
set nat destination rule 1 translation port '22'

set nat destination rule 2 destination address '192.168.18.132/32'
set nat destination rule 2 destination port '222'
set nat destination rule 2 inbound-interface 'eth1'
set nat destination rule 2 protocol 'tcp'
set nat destination rule 2 translation address '172.16.20.13'
set nat destination rule 2 translation port '22'

It looks correct. Be aware that in previous post you used ip 192.168.18.131, and now 192.168.131.132

Yeah, it’s second vyos

It’s working fine after changing the inbound interface from eth1 to eth0

eth1— private(inbound)
eth0 — public facing

set nat destination rule 1 destination address '192.168.18.132/32'
set nat destination rule 1 destination port '223'
set nat destination rule 1 inbound-interface 'eth0'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 translation address '172.16.20.12'
set nat destination rule 1 translation port '22'

set nat destination rule 2 destination address '192.168.18.132/32'
set nat destination rule 2 destination port '22'
set nat destination rule 2 inbound-interface 'eth0'
set nat destination rule 2 protocol 'tcp'
set nat destination rule 2 translation address '172.16.20.13'

for vyos 2 192.168.18.132
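
The mistakes worked through in this thread can be checked mechanically. The following is an added example, not part of any post and not VyOS code: a Python check over "set nat destination rule" lines that flags a destination equal to the translation address, an inbound-interface other than the outside one, and two rules with identical match criteria. The names parse_rules and lint are hypothetical, and the sample input is constructed from the configurations posted above.

```python
import re

RULE_RE = re.compile(r"^set nat destination rule (\d+) (.+?) '?([^'\s]+)'?\s*$")
# Sample input constructed from the thread: first attempt and final two-VM rules.
FIRST_ATTEMPT = """
set nat destination rule 1 destination address '172.16.10.2'
set nat destination rule 1 destination port '22'
set nat destination rule 1 inbound-interface 'eth1'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 translation address '172.16.10.2'
"""
WORKING = """
set nat destination rule 1 destination address '192.168.18.132/32'
set nat destination rule 1 destination port '223'
set nat destination rule 1 inbound-interface 'eth0'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 translation address '172.16.20.12'
set nat destination rule 1 translation port '22'
set nat destination rule 2 destination address '192.168.18.132/32'
set nat destination rule 2 destination port '22'
set nat destination rule 2 inbound-interface 'eth0'
set nat destination rule 2 protocol 'tcp'
set nat destination rule 2 translation address '172.16.20.13'
"""

def parse_rules(config):
    """Group 'set nat destination rule N <key> <value>' lines by rule number."""
    rules = {}
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return rules

def lint(config, outside_if="eth0"):
    """Return (rule, message) findings; eth0 is the thread's outside interface."""
    findings, seen = [], {}
    for num, r in sorted(parse_rules(config).items()):
        dst = r.get("destination address", "").split("/")[0]
        if dst and dst == r.get("translation address"):
            findings.append((num, "destination equals translation, nothing is rewritten"))
        if r.get("inbound-interface") != outside_if:
            findings.append((num, f"inbound-interface is not {outside_if}"))
        key = (r.get("inbound-interface"), dst, r.get("destination port"), r.get("protocol"))
        if key in seen:
            findings.append((num, f"same match as rule {seen[key]}, never reached"))
        seen.setdefault(key, num)
    return findings
```

Calling lint(FIRST_ATTEMPT) reports both problems of the original rule, while lint(WORKING) returns an empty list.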