Error when creating NAT with address group

When creating NAT with an address group, this error is showing…

A simple example works fine.

set firewall group address-group ADDR address '192.0.2.1'
set firewall group address-group ADDR address '192.0.2.2'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source group address-group 'ADDR'
set nat source rule 100 translation address '192.168.122.14'

ping

vyos@r14# run ping 1.1.1.1 source-address 192.0.2.1
PING 1.1.1.1 (1.1.1.1) from 192.0.2.1 : 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=44.6 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=57 time=44.4 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 44.437/44.506/44.576/0.069 ms
[edit]
vyos@r14# 

Your OS version pls?

My OS version: [image]

For now, I’m testing on VyOS 1.4-rolling-202308280021 but I could check on another version later.

The problem is with the translated address, which is a network and not a /32 address. In this case, the map using group + translated network is not working.

vyos@vyos# commit

WARNING: IP address 192.168.122.14 does not exist on the system!


Configuration file errors encountered!

[[nat]] failed
Commit failed
[edit]
vyos@vyos# compare
[nat source rule 1001 source]
- address "198.51.100.0/24"
+ group {
+     address-group "ADDR"
+ }

[edit]
vyos@vyos# cat /run/nftables_nat.conf  | grep 1001
        oifname "eth0" counter snat ip prefix to ip saddr map { None : 103.133.203.224/28 } comment "SRC-NAT-1001"
[edit]
vyos@vyos#

It should be possible to use a pool (aka group) of IP addresses and/or networks for both SNAT and DNAT.

But I can agree that this would be borderline WAN- and LAN-loadbalancing.

Also, translating into an IP address (both SNAT and DNAT) which currently isn't configured on the box itself should be possible.