DNAT (port forward) does not work


#1

I have VYOS in public IP 1.2.3.4 and internal IP 10.0.0.195. There is a web server in 10.0.0.104. VYOS can ping 8.8.8.8 and 10.0.0.104/16. VYOS and web server are using KVM on Debian and can ping each other. The NAT just does not work. so if i browse 1.2.3.4 and it just loading and die after 60s.

this is my settings.

set interfaces ethernet eth0 address 1.2.3.4/27
set interfaces ethernet eth0 description ‘WAN’
set system gateway-address 1.2.3.1
set system name-server 8.8.8.8

set interfaces ethernet eth1 address ‘10.0.0.195/16’
set interfaces ethernet eth1 description ‘LAN’

set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 10.0.0.0/16
set nat source rule 100 translation address masquerade

set firewall name OUTSIDE-IN default-action drop
set firewall name OUTSIDE-IN rule 10 action accept
set firewall name OUTSIDE-IN rule 10 state established enable
set firewall name OUTSIDE-IN rule 10 state related enable

set firewall name OUTSIDE-LOCAL default-action drop
set firewall name OUTSIDE-LOCAL rule 10 action ‘accept’
set firewall name OUTSIDE-LOCAL rule 10 state established ‘enable’
set firewall name OUTSIDE-LOCAL rule 10 state related ‘enable’

set interfaces ethernet eth0 firewall in name ‘OUTSIDE-IN’
set interfaces ethernet eth0 firewall local name ‘OUTSIDE-LOCAL’

set nat destination rule 110 description ‘Port Forward: HTTP to 10.0.0.104’
set nat destination rule 110 destination port ‘80’
set nat destination rule 110 destination address 1.2.3.4
set nat destination rule 110 inbound-interface ‘eth0’
set nat destination rule 110 protocol ‘tcp’
set nat destination rule 110 translation address ‘10.0.0.104’
set nat destination rule 110 translation port 80

set firewall name OUTSIDE-IN rule 111 action ‘accept’
set firewall name OUTSIDE-IN rule 111 destination address ‘10.0.0.104’
set firewall name OUTSIDE-IN rule 111 destination port ‘80’
set firewall name OUTSIDE-IN rule 111 protocol ‘tcp’
set firewall name OUTSIDE-IN rule 111 state new ‘enable’


#2

try removing your destination address in your firewall and nat rule


#3

hairpin nat ?
try add sournce nat rules
set nat source rule 200 description ‘NAT Reflection: INSIDE’
set nat source rule 200 destination address ‘10.0.0.0/16’
set nat source rule 200 outbound-interface ‘eth1’
set nat source rule 200 source address ‘10.0.0.0/16’
set nat source rule 200 translation address ‘masquerade’

change
set nat destination rule 110 inbound-interface ‘any’