I have one concern I faced recently on VyOS 1.4.3. Below is my configuration:
set firewall ipv4 name FIREWALL_IN rule 40 action 'accept'
set firewall ipv4 name FIREWALL_IN rule 40 description 'server26107'
set firewall ipv4 name FIREWALL_IN rule 40 destination address '192.168.173.6'
set firewall ipv4 name FIREWALL_IN rule 40 destination port '80,443'
set firewall ipv4 name FIREWALL_IN rule 40 log
set firewall ipv4 name FIREWALL_IN rule 40 protocol 'tcp'
set nat destination rule 40 description 'DNAT for server26107 - One To One'
set nat destination rule 40 destination address '103.205.66.142'
set nat destination rule 40 destination port '80,443'
set nat destination rule 40 inbound-interface name 'eth1'
set nat destination rule 40 protocol 'tcp'
set nat destination rule 40 translation address '192.168.173.6'
set nat source rule 40 description 'SNAT server26107'
set nat source rule 40 outbound-interface name 'eth1'
set nat source rule 40 protocol 'all'
set nat source rule 40 source address '192.168.173.6'
set nat source rule 40 translation address '103.205.66.142'
set nat source rule 9999 destination address '192.168.173.0/27'
set nat source rule 9999 outbound-interface name 'eth1'
set nat source rule 9999 protocol 'all'
set nat source rule 9999 source address '192.168.173.0/27'
set nat source rule 9999 translation address 'masquerade'
Note that eth1 is my firewall WAN interface, where the public IP 103.205.66.142 is configured, and eth2 is my firewall LAN interface, where I configured the 192.168.173.X range of IPs.
Everything is running fine, meaning that when I try to access ports 80 and 443 publicly from anywhere I am able to, but when I try to access the same ports 80 and 443 via the public IP from inside the server where they are actually hosted (inside the 192.168.173.6 server) I am unable to telnet to or access the port. It means some kind of hairpinning rule is required.
Please check my configuration and let me know what exactly I am missing.
set nat destination rule 220 translation address '192.168.0.3'
set nat destination rule 230 description 'Hairpin NAT for Mosh X on Y'
set nat destination rule 230 destination group network-group 'v4-external-ip'
set nat destination rule 230 destination port '60000-60010'
set nat destination rule 230 inbound-interface name 'eth1'
set nat destination rule 230 protocol 'udp'
set nat source rule 230 description 'Hairpin NAT for X on Y'
set nat source rule 230 destination address '192.168.0.5'
set nat source rule 230 destination port '60000-60010'
set nat source rule 230 outbound-interface name 'eth1'
set nat source rule 230 protocol 'udp'
set nat source rule 230 source address '192.168.0.0/16'
set nat source rule 230 translation address 'masquerade'
Those rules are what I have and they work. eth1 in my config is my LAN interface.
You need a rule that says “traffic going OUT the LAN interface, rewrite it to the source address of that LAN interface” otherwise the router doesn’t see both sides of the traffic flow and stuff breaks.
You have
Traffic going OUT with source address 192.168.173.10 (for example) and destination 103.205.66.142 gets rewritten to S:192.168.173.10 D:192.168.173.6. The problem is, when 192.168.173.6 sends back to 192.168.173.10 it does so without any changes. They're on the same subnet, so traffic from .6 goes directly back to .10 (i.e. not via the router, just using ARP and MAC). But 192.168.173.10 isn't expecting ANY traffic from 192.168.173.6! It sent traffic to 103.205.66.142!! So you need a NAT rule in the other direction as well.
This means that when traffic comes INTO the LAN interface for 103.205.66.142, the SOURCE address gets NAT'd to your router's LAN interface. Then when 103.205.66.142 sends traffic back, the destination is your router's LAN interface, which can then do the final "source address 192.168.173.6 rewrite back to 103.205.66.142" so your 192.168.173.10 doesn't get confused by a traffic flow it never expected/started. It sees traffic coming back from 103.205.66.142.
I think just changing set nat source rule 9999 outbound-interface name ‘eth1’ to be eth2 will resolve your problem.
If I set eth2 instead of eth1 on the masquerade rule, my internet goes down; if I set eth2 on the destination rule I am unable to access the server from outside.
In your example you mentioned 2 private IPs, 192.168.0.3 and 192.168.0.5. Can you please let me know how I can configure this.
Currently my concern is not with the private connection between 2 machines in the same LAN. Please try to understand: I want my HTTP/HTTPS ports to work globally as well as from inside the same server, but from inside I am unable to access the same port hosted on that server. Even when I try it via the public IP from another machine on the same LAN it is not accessible, whereas from outside the LAN and anywhere else it is accessible.
Please provide a configuration example of your server's public IP bound to a private IP with an SNAT rule and a working hairpinning rule.
In your example you mentioned eth1, which is your LAN, on DNAT and SNAT. Why???
I do apologise, my first post was a mis-paste I realise and included a rule from a previous NAT.
Here are the rules I have:
set nat destination rule 230 description 'Hairpin NAT for X on Y'
set nat destination rule 230 destination group network-group 'v4-external-ip'
set nat destination rule 230 destination port '60000-60010'
set nat destination rule 230 inbound-interface name 'eth1'
set nat destination rule 230 protocol 'udp'
set nat destination rule 230 translation address '192.168.0.5'
set nat source rule 230 description 'Hairpin NAT for X on Y'
set nat source rule 230 destination address '192.168.0.5'
set nat source rule 230 destination port '60000-60010'
set nat source rule 230 outbound-interface name 'eth1'
set nat source rule 230 protocol 'udp'
set nat source rule 230 source address '192.168.0.0/16'
set nat source rule 230 translation address 'masquerade'
You set masquerade on SNAT. My question is where is the public IP, meaning which public IP will the server take to go outside, because usually we mention translation address 'PUBLIC IP' and you mentioned masquerade.
My other question is: are you able to access the server from outside when you mention eth1 on the DNAT and SNAT rule, because it's your LAN interface as you mentioned?
When I try to replace eth1 with eth2 (MY LAN) I am unable to access (remotely) my server, but when I place eth1 I am able to access it.
For your reference, below is my config:
set firewall ipv4 name FIREWALL_IN rule 30 action 'accept'
set firewall ipv4 name FIREWALL_IN rule 30 description 'RDP Access'
set firewall ipv4 name FIREWALL_IN rule 30 destination address '192.168.10.10'
set firewall ipv4 name FIREWALL_IN rule 30 destination port '3389'
set firewall ipv4 name FIREWALL_IN rule 30 log
set firewall ipv4 name FIREWALL_IN rule 30 protocol 'tcp'
set firewall ipv4 name FIREWALL_IN rule 30 source geoip country-code 'in'
set nat destination rule 30 description 'DNAT for RDP'
set nat destination rule 30 destination address '103.117.156.127'
set nat destination rule 30 destination port '9296'
set nat destination rule 30 inbound-interface name 'eth2'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '192.168.10.10'
set nat destination rule 30 translation port '3389'
set nat source rule 30 description 'SNAT for server'
set nat source rule 30 destination address '192.168.10.10'
set nat source rule 30 destination port '3389'
set nat source rule 30 outbound-interface name 'eth2'
set nat source rule 30 protocol 'tcp'
set nat source rule 30 source address '192.168.10.0/24'
set nat source rule 30 translation address 'masquerade'
I am still unable to access my server after configuring the above commands.
You mentioned a private IP and ports on SNAT. I didn't understand why it's required??
Please learn how to use forum markdown to make your posts more readable. It’ll help in the future to provide help, particularly if someone views your post on mobile. I placed your config in a preformatted text block as an example.
You can use a single DNAT rule for this. You’d just add both the WAN and LAN interfaces into a group, and then match that in the DNAT rule.
set firewall group interface-group hairpin_nat_interfaces interface 'eth1'
set firewall group interface-group hairpin_nat_interfaces interface 'eth2'
set nat destination rule 30 inbound-interface group 'hairpin_nat_interfaces'
If you're not accessing that server on port 9296 from the LAN, then you will need 2 DNAT rules. Also, make sure you're allowing that traffic on the LAN side through your firewall. In your config snippet, the FIREWALL_IN rule 30 will not match traffic from/to the LAN.
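To make the two points in this thread concrete (the reply explaining why the LAN-side masquerade is needed because the server's answer otherwise bypasses the router, and the last reply's single DNAT rule matching an interface group with both eth1 and eth2), here is a small Python model of the packet rewrites, written for this thread and not taken from VyOS or from anyone's post. It uses the original poster's addresses and interface roles (eth1 WAN, eth2 LAN, server 192.168.173.6, LAN client 192.168.173.10); the router's LAN address 192.168.173.1 and the remote client 203.0.113.7 are assumed values that do not appear in the thread, and the firewall rulesets are not modelled.

```python
from ipaddress import ip_address, ip_network

WAN_IF, LAN_IF = "eth1", "eth2"          # the original poster's interface roles
PUBLIC_IP = "103.205.66.142"             # router WAN address from the thread
ROUTER_LAN_IP = "192.168.173.1"          # ASSUMED router LAN address (not in the thread)
LAN_NET = ip_network("192.168.173.0/27")
SERVER = "192.168.173.6"                 # web server behind the DNAT
LAN_CLIENT = "192.168.173.10"            # LAN host used as the example in the replies
WAN_CLIENT = "203.0.113.7"               # constructed remote client (documentation range)


def egress_iface(dst):
    """Routing decision: LAN subnet leaves via eth2, everything else via eth1."""
    return LAN_IF if ip_address(dst) in LAN_NET else WAN_IF


def router_forward(pkt, dnat_inbound, hairpin_snat):
    """PREROUTING DNAT -> route -> POSTROUTING SNAT for one packet.

    dnat_inbound: interfaces the DNAT rule matches on; the thread's interface
    group hairpin_nat_interfaces corresponds to {"eth1", "eth2"}.
    hairpin_snat: whether the "masquerade when leaving the LAN interface" rule exists.
    Returns the translated packet, or None when DNAT did not match (the packet
    is then addressed to the router itself and is not forwarded anywhere).
    """
    p = dict(pkt)
    if p["in"] in dnat_inbound and p["dst"] == PUBLIC_IP and p["dport"] in (80, 443):
        p["dst"] = SERVER                  # nat destination rule: public IP -> server
    else:
        return None
    p["out"] = egress_iface(p["dst"])
    # Hairpin SNAT: LAN source, leaving via the LAN interface, toward the server
    # -> masquerade, i.e. rewrite the source to the router's own LAN address.
    if (hairpin_snat and p["out"] == LAN_IF
            and ip_address(p["src"]) in LAN_NET and p["dst"] == SERVER):
        p["src"] = ROUTER_LAN_IP
    return p


def session(client, client_in_iface, dnat_inbound, hairpin_snat):
    """Client connects to PUBLIC_IP:80; report what the client sees come back."""
    request = {"src": client, "dst": PUBLIC_IP, "dport": 80, "in": client_in_iface}
    fwd = router_forward(request, dnat_inbound, hairpin_snat)
    if fwd is None:
        return "no_dnat_match"
    # The server answers the source address it saw in the translated packet.
    reply_src, reply_dst = fwd["dst"], fwd["src"]
    if ip_address(reply_dst) in LAN_NET and reply_dst != ROUTER_LAN_IP:
        # Same subnet: the reply goes straight to the client over ARP/MAC, the
        # router never sees it, so nothing un-translates the source address.
        seen_src = reply_src
    else:
        # The reply enters the router; conntrack reverses both NAT translations.
        seen_src = request["dst"]
    # A TCP client only accepts a reply from the address:port it connected to.
    return "ok" if seen_src == request["dst"] else f"reply_from_{seen_src}_dropped"


if __name__ == "__main__":
    cases = [
        ("remote client, DNAT on WAN only", WAN_CLIENT, WAN_IF, {WAN_IF}, False),
        ("LAN client, DNAT on WAN only", LAN_CLIENT, LAN_IF, {WAN_IF}, False),
        ("LAN client, DNAT on both, no hairpin SNAT", LAN_CLIENT, LAN_IF, {WAN_IF, LAN_IF}, False),
        ("LAN client, DNAT on both, hairpin SNAT", LAN_CLIENT, LAN_IF, {WAN_IF, LAN_IF}, True),
    ]
    for label, client, iface, dnat_ifaces, hairpin in cases:
        print(f"{label}: {session(client, iface, dnat_ifaces, hairpin)}")
```

The four cases reproduce the thread: the remote client works with the original config; the LAN client never hits a DNAT rule that only matches eth1 (the original poster's "works from outside, not from inside"); adding eth2 to the DNAT match alone makes the server reply directly from 192.168.173.6 to a client that spoke to 103.205.66.142, so the reply is dropped; and only the extra masquerade on the LAN side forces the reply back through the router, where conntrack restores the public address. When both interfaces sit in one group, the model's `dnat_inbound` set is what the `inbound-interface group` match expresses in a single rule.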