Help with access into an isolated network through masquerading IP

Hey everyone - I’m hoping to get a little help with my vyOS configuration here.

I’m trying to create an isolated network where I can restore my VMs into, and run various tests against them to test recoverability. I want to be able to simply restore them, and not have to mess with networking so I thought vyOS would be a great router to put in between the isolated network and prod. The isolated network would essentially be a clone of my production network. I want to then be able to get into the isolated network using a different subnet, say

Basically, this is my setup

vyOS with 2 nics

  • eth1 is my management NIC and IP’d on my MGMT network, IPd at
  • eth0 is a nic connected to an isolated network within vSphere (no uplinks at all). The IP on this nic is the same as my VM Network production gateway ( This allows the VMs placed on this network to see their gateway, and talk to each other, but not get out to the outside networks.

Have setup a static route on my client machine, to route traffic destined to to the eth1 IP of

Basically, the traffic flow I’m looking for is as follows
Client issues ssh request to
Route table sends that to vyOS eth1 of
vyOS eth1 sees IP of, translates it to
vyOS forwards request to eth0
vyOS eth0 sends request to VM inside isolated network on it’s original IP
All is well in the world

I did get some rules from another post here looking to do the same, and this is what I’ve done thus far.

set interfaces ethernet eth0 address ‘’
set interfaces ethernet eth0 description ‘ISOLATED’

set interfaces ethernet eth1 address ‘’
set interfaces ethernet eth1 description ‘MANAGEMENT’

set nat destination rule 100 destination address ‘’
set nat destination rule 100 inbound-interface ‘eth1’
set nat destination rule 100 translation address ‘’

set firewall name ISOLATED-IN default-action ‘drop’
set firewall name ISOLATED-IN ‘enable-default-log’

set firewall name ISOLATED-IN rule 1 action ‘accept’
set firewall name ISOLATED-IN rule 1 state established ‘enable’
set firewall name ISOLATED-IN rule 1 state related ‘enable’

set firewall name ISOLATED-IN rule 2 action ‘drop’
set firewall name ISOLATED-IN rule 2 log ‘enable’
set firewall name ISOLATED-IN rule 2 state invalid ‘enable’
set firewall name ISOLATED-IN rule 2 state new ‘enable’

set interfaces ethernet eth0 firewall in name 'ISOLATED-IN’

This doesn’t seem to work. The VMS in the isolated network are functioning fine, can see each other, ping each other and ping their gateway while not being able to ping outside the isolated network - but the access into the network isn’t working.
IE, ssh admin@ seems to do nothing…

Any thoughts/help?

Try to add the next nat rule:

set nat source rule 100 outbound-interface eth1
set nat source rule 100 source address
set nat source rule 100 translation address

Hello @mwpr3ston .
Looks like a routing problem.
If I don’t misunderstand you, VyOS router has 2 networks defined:

  • eth0:
  • eth1:

You are trying to ssh from a host located in network to a host located in network
Does VyOS router reach the host? Is there a static route for that network?
If you are trying to connect to a host located in network, there should be a route entry for that destination. Simple NAT won’t work, because destination nat occurs when destination address (in this case the ssh connection to host is an IP associated to the router itself.


So, yes, vyOS config is as described by you.

My is a production VM network - what I’ve done is attached eth0 to an isolated vSwitch, and assigned it an IP of that networks gateway ( in hopes of being able to restore virtual machines into that isolated network, giving them a gateway and not have to mess with their IPs.

My thoughts were, what I’d like to do, is be able to access those restored VMs in that network, through the use of another IP subnet (the, and have vyos translate that to the and push it through eth0.

I can ping an isolated VM through eth0 on it’s IP (, but not the translated one (

Basically, I’m trying to achieve what is laid out in this post - Access Isolated Network - #7 by noise

Will this inturn allow outbound access from the ISOLATED NETWORK, because I don’t want that…

Actually, just confirmed that it is working without these above NAT rules. So as long as I add a static route on my client, and the client is configured on the same network as vyOS eth1 ( I can ssh into the isolated VM using

My problem now is I would like to actually be able to ssh to this from the vyOS router itself, but that is not working…

Yes, mi mistake. Dst Nat is actually done in prerouting, so it works.
Also, if you need to ssh from vyos router itself, you may need to use real IP address of those VMs