Exception from standard NAT (masquerade)


I’m moving my router from a Debian installation & iptables (FWbuilder GUI) to VYOS.

Currently I’ve managed site-2-site connections and all the basic settings almost without any problems.
At my very simle home network, I’ve just one masqurading rule to hide the internal network behind the official router address - like normal.
So far so good. The question is now how can I exclude traffic to one external address IP from beeing masqueraded?

My current nat-script does it like this:
$IPTABLES -t nat -A POSTROUTING -o eth1 -s ! -d <external destination not nat’ed> -j SNAT --to-source

any ideas?



Solved it by myself.
If somebody has the same problem here is my solution:

[]I’ve defined a standard masquerading rule as “rule 100”
]To exclude traffic to one address I’ve created that rule:
set nat source rule 5 destination address
set nat source rule 5 exclude
set nat source rule 5 outbound-interface
set nat source rule 5 source-address
[/list]That’s all…