Exception from standard NAT (masquerade)

I’m moving my router from a Debian installation & iptables (FWbuilder GUI) to VyOS.

Currently I’ve managed site-to-site connections and all the basic settings almost without any problems.
On my very simple home network, I’ve just one masquerading rule to hide the internal network behind the official router address, like normal.
So far so good. The question is now: how can I exclude traffic to one external IP address from being masqueraded?

My current nat-script does it like this:
$IPTABLES -t nat -A POSTROUTING -o eth1 -s ! -d <external destination not nat’ed> -j SNAT --to-source

any ideas?

regards
Robert

Solved it by myself.
If somebody has the same problem here is my solution:

1. I’ve defined a standard masquerading rule as “rule 100”.
2. To exclude traffic to one address I’ve created that rule:

   set nat source rule 5 destination address
   set nat source rule 5 exclude
   set nat source rule 5 outbound-interface
   set nat source rule 5 source-address

That’s all…
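A complete version of this carve-out as an added example (not the poster's own configuration): the addresses are constructed samples, the syntax assumed is VyOS 1.2/1.3 (where the LAN match node is `source address`), and the key point is that the `exclude` rule must carry a lower number than the masquerade rule, because source NAT rules are evaluated in ascending rule-number order.

```vyos
# Added example, not from the original post; all addresses are constructed samples.
# VyOS evaluates source NAT rules in ascending rule-number order, so the
# exclude rule (5) is matched before the catch-all masquerade rule (100).

# 1. Carve-out: LAN traffic to one external host leaves eth1 without NAT
set nat source rule 5 description 'Do not masquerade traffic to 203.0.113.10'
set nat source rule 5 outbound-interface 'eth1'
set nat source rule 5 source address '192.168.1.0/24'
set nat source rule 5 destination address '203.0.113.10'
set nat source rule 5 exclude

# 2. Everything else from the LAN is masqueraded behind the eth1 address
set nat source rule 100 description 'Default masquerade'
set nat source rule 100 outbound-interface 'eth1'
set nat source rule 100 source address '192.168.1.0/24'
set nat source rule 100 translation address 'masquerade'

commit
save

# Check: rule 5 must be listed before rule 100 and be marked as an exclude
show nat source rules
```

Because the excluded traffic keeps its private source address, the remote host needs a return route to 192.168.1.0/24 (typically via the site-to-site tunnel), otherwise its replies never come back.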

Hi
Thanks for a solution to this problem.
Is “source-address” the local LAN?

Br
OFH

Hi,
As far as I can remember, “source-address” was the local LAN.

Unfortunately I’m not using VyOS any longer, because the lack of any graphical interface makes it quite hard to maintain a couple of more or less static firewalls.
If you work with it on a daily basis it’s OK and may be a perfect tool, but after a few weeks or months you have to remember things again. Even the syntax is not far away from other devices like Cisco switches/routers.

regards
Robert

Thanks for replying.
I am using VyOS in an education situation, where we use VyOS as a virtual router (VMware).
Just needed help on the exclude command.
Thanks for helping.
BR
OFH