Is there a way to set the destination address of a DNAT rule to a DHCP interface address?
I want to be able to reach my DNAT destinations from within the network through NAT reflection, but my WAN address is a dynamic DHCP address.
On Ubiquiti's EdgeRouters this was possible with an address alias for the interfaces that could be used; is something similar possible with VyOS?
Ideally, in my head, the configuration would look something like:
description "HTTP/S Forwarding"
destination {
    address dhcp-interface eth0
    port 80,443
}
inbound-interface any
protocol tcp
translation {
    address my.local.address
}
For serving web from an external address the source port will be 80.
LAN = Router = ISP = Web
Clients from the LAN use dport 80 for web, so src port 80 from the web will be the response to your router.
If traffic from the ISP arrives at sport 80 of your router, it will be translated to your LAN server.
You can specify only the eth0 interface, for example:
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.0.2.1'
Or use your own logic with “source address not 192.168.0.0/24” (where 192.168.0.0/24 is your LAN network):
set nat destination rule 10 source address '!192.168.0.0/24'
Yes, that is how I have it set up currently; however, I'd like to be able to reach my internal web servers by my external IP address.
Maybe I am missing something here, but if I don't specify a destination address and set the inbound-interface to my internal interface, all requests to any address on port 80/443 are NATed back to my own server. This is obviously not what I want.
Example:
Client on the LAN makes a request to e.g. google.com:443 → destination port 443 matches the DNAT rule.
The only way that I am aware of to circumvent this would be to specify the destination address in the DNAT rule, which is not possible in this case because it is not a static address.
The only other way would be to use split-horizon DNS and make the hostnames resolve to the internal address directly, but I'd rather not have to open that can of worms if I don't have to.
But if i make a request to the WAN-IP on port 80/443 from inside my network the NAT rule does not apply because the incoming interface is not bond0.1 (my internal interface).
I would second that. Ubiquiti have an implementation on EdgeOS that deals nicely with dynamic addresses on the WAN interface. Moving to VyOS I hit this issue and was fortunate that I could get (at a small price) a fixed IP from my ISP.
That solved inbound connectivity and I run split-DNS for internal access which works nicely too.
This can translate to a lot of rules though, and you might have to get creative with their positioning. And it would need to be updated every time the DHCP assignment changed.
This is how I have it set up on my servers where I do have a static IP address.
For a DHCP interface I would have to manually edit all rules and update the destination address to the new DHCP address. This would be inconvenient at best.
I agree with you; I was trying to interpret. Perhaps I didn’t fully understand what was going on in the Phabricator task.
I wonder if it’s possible to script/automate this using the API as a workaround. If the API will allow it, I’ve thought up something but will need to test. How big of a subnet are you being assigned over DHCP? Can you give me an example of what your incoming traffic flow would look like?
How big of a subnet are you being assigned over DHCP
Not sure what you mean; I am being assigned a single IP address from my ISP.
Can you give me an example of what your incoming traffic flow would look like?
Basically I have a web server on my local network. The domain example.org points to my WAN address, where I have set up DNAT for 80,443 to my web server. I want to be able to use this same domain from inside my network as well, which requires me to have hairpin NAT set up.
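One way to build the scripted workaround floated earlier in the thread (update the rule whenever the DHCP lease changes), written here as an added example rather than anything posted by the participants or shipped by VyOS. It assumes the names from the thread (WAN interface eth0, LAN interface bond0.1, LAN 192.168.0.0/24), a placeholder web server address 192.168.0.10, rule number 10, a hypothetical state file under /config/scripts/, and the VyOS command-scripting template (`source /opt/vyatta/etc/functions/script-template` followed by `configure`, `set ...`, `commit`, `save`), which is what the VyOS documentation describes for configuration scripts. The `inbound-interface 'any'` form is the VyOS 1.3 syntax the original poster used; adjust for your release. Alongside the DNAT rule it also emits the source NAT rule that hairpin/NAT reflection needs, so LAN clients that hit the WAN address get their replies back through the router rather than directly from the server.

```shell
#!/bin/vbash
# Added example (not from the thread or from VyOS): keep the DNAT rule's
# destination address in sync with the DHCP-assigned WAN address.
# All names below are assumptions/placeholders taken from the thread.

WAN_IF="eth0"
LAN_IF="bond0.1"
LAN_NET="192.168.0.0/24"
WEB_SERVER="192.168.0.10"                     # placeholder LAN web server
RULE="10"
STATE_FILE="/config/scripts/wan-dnat.last"    # hypothetical path

# Read `ip -4 -o addr show dev <if>` output on stdin and print the first
# IPv4 address. With -o each address is one line: "N: IF inet A.B.C.D/L ..."
parse_wan_addr() {
    awk '$3 == "inet" { split($4, a, "/"); print a[1]; exit }'
}

# Print the VyOS set commands for a given WAN address: the DNAT rule the
# thread describes (80,443 -> web server, matched on the WAN address so that
# a LAN client's request to google.com:443 is NOT caught) plus the SNAT rule
# that hairpins LAN-to-server traffic through the router.
nat_commands() {
    wan="$1"
    cat <<EOF
set nat destination rule $RULE description 'HTTP/S forwarding'
set nat destination rule $RULE inbound-interface 'any'
set nat destination rule $RULE destination address '$wan'
set nat destination rule $RULE destination port '80,443'
set nat destination rule $RULE protocol 'tcp'
set nat destination rule $RULE translation address '$WEB_SERVER'
set nat source rule $RULE description 'Hairpin NAT for HTTP/S forwarding'
set nat source rule $RULE outbound-interface '$LAN_IF'
set nat source rule $RULE source address '$LAN_NET'
set nat source rule $RULE destination address '$WEB_SERVER'
set nat source rule $RULE destination port '80,443'
set nat source rule $RULE protocol 'tcp'
set nat source rule $RULE translation address 'masquerade'
EOF
}

# Re-apply the rules only when the lease address differs from the last one
# we committed. Intended to be run from cron or a dhclient hook as a
# configuration-capable user (the VyOS docs say not to run such scripts as root).
apply_if_changed() {
    wan="$(ip -4 -o addr show dev "$WAN_IF" | parse_wan_addr)"
    [ -n "$wan" ] || { echo "no IPv4 address on $WAN_IF" >&2; return 1; }
    last="$(cat "$STATE_FILE" 2>/dev/null)"
    [ "$wan" != "$last" ] || return 0         # unchanged: nothing to do

    # VyOS command-scripting template (assumed as documented by VyOS).
    source /opt/vyatta/etc/functions/script-template
    configure
    while IFS= read -r cmd; do
        eval "$cmd"                            # keeps the quoted values intact
    done <<EOF
$(nat_commands "$wan")
EOF
    commit && save && printf '%s\n' "$wan" > "$STATE_FILE"
}

# Run with "apply" to change the router; "show <addr>" just prints the commands.
case "${1:-}" in
    apply) apply_if_changed ;;
    show)  nat_commands "$2" ;;
esac
```

Because the DNAT rule is matched on `destination address`, a LAN client's request to any other address on port 443 falls through, which is the failure mode described above for a rule keyed only on port and interface; the SNAT rule is what makes the reflected connection's return path go back via the router.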