DNAT rules - best practices to configure multiple protocol/ports to the same host?

I’m using destination NAT to port forward multiple ports to an internal LAN host.

So I’m using something like this.

vyos@vyos# set nat destination rule 10 description "Lorem ipsum"
[edit]
vyos@vyos# set nat destination rule 10 inbound-interface eth0
[edit]
vyos@vyos# set nat destination rule 10 protocol udp
[edit]
vyos@vyos# set nat destination rule 10 destination port 500
[edit]
vyos@vyos# set nat destination rule 10 translation address 192.168.1.10
[edit]

Question is - should I use the same rule (e.g. NAT rule 10) to handle multiple ports to the same host?

Is this a bad practice?

And how do you cleanly handle multiple ports/protocol tuples going to the same host?

Hi @victorhooi,

You can use a range of ports:
set nat destination rule 10 destination port 500-5500

01# set nat destination rule 10 destination port
Possible completions:
   <port name>  Named port (any name in /etc/services, e.g., http)
   <1-65535>    Numbered port
   <start>-<end>
                Numbered port range (e.g., 1001-1005)

Detailed information:
  Multiple destination ports can be specified as a comma-separated list.
  The whole list can also be "negated" using '!'.
  For example:  '!22,telnet,http,123,1001-1005'

For speed, combining rules will hardly make a difference.
Only packets with state=new walk the NAT rules; subsequent packets use the conntrack entry.
Combining rules has the disadvantage of also combining log counters.
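To check what a combined port list actually forwards before committing it, here is a small matcher for the port-list syntax shown in the reply above (names, numbers, ranges, comma lists, leading `!` negating the whole list). It is an added example, not code from the thread or from VyOS; the `SERVICES` table is a constructed stand-in for /etc/services so it runs offline, and the exposed-port count is a quick way to see that a broad range such as `500-5500` forwards far more than the two or three ports a service usually needs.

```python
import re

# Constructed stand-in for /etc/services (real VyOS resolves named ports from that file).
SERVICES = {"ssh": 22, "telnet": 23, "http": 80, "https": 443,
            "isakmp": 500, "ipsec-nat-t": 4500}

def parse_port_spec(spec):
    """Parse a VyOS-style destination port list.

    Returns (negated, ports) where ports is the set of port numbers the
    list names. A leading '!' negates the whole list, as in the CLI help.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        m = re.fullmatch(r"(\d+)-(\d+)", item)
        if m:                                   # numbered range, e.g. 1001-1005
            lo, hi = int(m.group(1)), int(m.group(2))
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad range: {item}")
            ports.update(range(lo, hi + 1))
        elif item.isdigit():                    # single numbered port
            p = int(item)
            if not 1 <= p <= 65535:
                raise ValueError(f"bad port: {item}")
            ports.add(p)
        elif item in SERVICES:                  # named port
            ports.add(SERVICES[item])
        else:
            raise ValueError(f"unknown port or name: {item!r}")
    return negated, ports

def matches(spec, port):
    """True if a packet to `port` would hit a rule carrying this port list."""
    negated, ports = parse_port_spec(spec)
    return (port in ports) != negated

def exposed_count(spec):
    """Number of destination ports the list forwards (1-65535 universe)."""
    negated, ports = parse_port_spec(spec)
    return 65535 - len(ports) if negated else len(ports)
```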