DNAT with DHCP interface

ebrithil · January 14, 2021, 8:12am

Hi,

is there a way to set the destination address of a DNAT rule to a dhcp interface address?
I want to be able to reach my DNAT destinations from within the network through NAT Reflection but my WAN address is a dynamic dhcp address.
On ubiquitis edgerouters this was possible with an address alias for the interfaces that could be used, is something similar possible with VyOS?

Ideally in my head the configuration would look something like

description "HTTP/S Forwarding"
destination {
    address dhcp-interface eth0
    port 80,443
}
inbound-interface any
protocol tcp
translation {
    address my.local.address
}

Thanks in advance

Viacheslav · January 14, 2021, 8:39am

You can set only ports and no set any address.
dport 80.443 => translation x.x.x.x

ebrithil · January 14, 2021, 8:50am

But wouldn’t that make me unable to access other websites?

From my understanding that would translate ANY request to port 80/443 to my internal server

Edit: Unless DNAT only works on local addresses, is that the case?

Viacheslav · January 14, 2021, 8:52am

For serve web from external address will be source port 80.
Lan = Router = ISP = Web

Clients from LAN use dport 80 for web, so scr port 80 from web will be responded to your router.
If from ISP will be traffic to sport 80 of your router it will be translated to your LAN server.

You can specify only eth0 interface, for example

set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.0.2.1'

Or use own logic with “source address not 192.168.0.0/24” (where 192.168.0.0/24 your LAN network)

set nat destination rule 10 source address !192.168.0.0/24

ebrithil · January 14, 2021, 9:51am

Yes that is how i have it set up currently, however i’d like to be able to reach my internal web servers by my external ip address.

Maybe i am missing something here, but if i dont specify a destination address and and set the inbound-interface to my internal interface all requests to any address on port 80/443 are nat-ed back to my own server. This is obviously not what i want.

Example:
Client on Lan makes request to eg google.com:443 -> destination port 443 matches DNAT rule

The only way that i am aware of to circumvent this would be to specify the destination address in the DNAT rule. Which is not possible in this case because it is not a static address.

The only other way would be to use split-horizon dns and make the hostnames resolve to the internal address directly, but i’d rather not have to open that can of worms if i don’t have to.

Viacheslav · January 14, 2021, 9:59am

inbound-interface eth0

eth0 your external interface

ebrithil · January 14, 2021, 10:08am

I think you misunderstood me. This is how i have it set up currently:

Note that eth0 is my WAN interface.

nat {
    destination {
        rule 10 {
            description "HTTP/S"
            destination {
                port 80,443
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address xxx.xxx.1.10
            }
        }
    }
}

This works fine for external connections.

But if i make a request to the WAN-IP on port 80/443 from inside my network the NAT rule does not apply because the incoming interface is not bond0.1 (my internal interface).

Viacheslav · January 14, 2021, 10:23am

As an option, if your internal LAN customers use your local DNS server, you can add A record
foo.com A 192.0.2.1

There is no option for dhcp interface.

ebrithil · January 14, 2021, 10:26am

Okay thats what i figured, would it be okay to make a feature request to allow specifying dhcp interface adresses as dnat destination?

phillipmcmahon · January 14, 2021, 10:44am

I would second that. Ubiquiti have an implementation on edgeos that deals nicely with dynamic addresses on the WAN interface. Moving to Vyos I hit this issue and was fortunate that I could get (at a small price) a fixed IP from my ISP.

That solved inbound connectivity and I run split-DNS for internal access which works nicely too.

ebrithil · January 14, 2021, 11:05am

I have created a feature request at DNAT destination address for dhcp-interface

phillipmcmahon · January 14, 2021, 11:28am

Nice, I just dropped a comment on there.

https://phabricator.vyos.net/T2196

This was created after my discussions on the same topic last year. It doesn’t appear to have progressed.

ebrithil · January 14, 2021, 1:21pm

I just had a look at your phabricator ticket, it seems to me, that Dmitry didn’t really understand what you (and now me) were trying to achieve.

Other than that, that’s exactly what i want.

helushune · January 15, 2021, 4:37am

I think what Dmitry was saying is that you can add a “not” statement on the DNAT rules as a workaround.

Example:

nat {
    destination {
        rule 10 {
            destination {
                address !123.45.67.89/32
                port 80,443
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 172.16.1.10
            }
        }
    }
}

This can translate to a lot of rules though, and you might have to get creative with their positioning. And it would need to be updated every time the DHCP assignment changed.

ebrithil · January 15, 2021, 7:56am

I fail to see how that would be a workaround.

If i know the ip address of the interface i can obviously do

nat {
    destination {
        rule 10 {
            description "HTTP/S"
            destination {
                address xxx.xxx.52.68
                port 80,443
            }
            inbound-interface any
            protocol tcp
            translation {
                address xxx.xxx.1.10
            }
        }
    }
}

This is how i have it set up on my servers where i do have a static ip address.

For a dhcp interface i would have to manually edit all rules and update the destination address to the new dhcp address. This would be inconvenient at best

helushune · January 16, 2021, 1:40am

I agree with you; I was trying to interpret. Perhaps I didn’t fully understand what was going on in the Phabricator task.

I wonder if it’s possible to script/automate this using the API as a workaround. If the API will allow it, I’ve thought up something but will need to test. How big of a subnet are you being assigned over DHCP? Can you give me an example of what your incoming traffic flow would look like?

ebrithil · January 17, 2021, 2:11pm

How big of a subnet are you being assigned over DHCP

Not sure what you mean, i am being assigned a single ip address from my ISP.

Can you give me an example of what your incoming traffic flow would look like?

Basically i have a webserver on my local network. The Domain example.org points to my WAN address where i have set up DNAT for 80,443 to my webserver. I want to be able to use this same domain from inside my network as well which requires me to have Hairpin-NAT setup.