Inbound NAT (port forwarding) is not working

Hi Team,

Am I doing anything wrong here? Trying to configure certain port forwarding from 10.10.14.50 to 10.10.11.60.
I mean traffic sent to

10.10.14.60:4222 -> 10.10.12.50:22

And multiple other ports, but it's still not working. Here is my config:

set firewall name OUT-IN rule 5 destination address '10.10.14.60'
set firewall name OUT-IN rule 5 destination port '18210,18211,257,4222'
set firewall name OUT-IN rule 6 destination address '10.10.14.60'
set firewall name OUT-IN rule 6 destination port '18191,18192'
set firewall name OUT-IN rule 7 destination address '10.10.14.60'
set firewall name OUT-IN rule 7 destination port '4222'
set nat destination rule 5 destination address '10.10.14.60'
set nat destination rule 5 destination port '18210'
set nat destination rule 5 inbound-interface 'eth1'
set nat destination rule 5 protocol 'tcp'
set nat destination rule 5 translation address '10.10.12.50'
set nat destination rule 5 translation port '18210'
set nat destination rule 6 destination address '10.10.14.60'
set nat destination rule 6 destination port '18211'
set nat destination rule 6 inbound-interface 'eth1'
set nat destination rule 6 protocol 'tcp'
set nat destination rule 6 translation address '10.10.12.50'
set nat destination rule 6 translation port '18211'
set nat destination rule 7 destination address '10.10.14.60'
set nat destination rule 7 destination port '257'
set nat destination rule 7 inbound-interface 'eth1'
set nat destination rule 7 protocol 'tcp'
set nat destination rule 7 translation address '10.10.12.50'
set nat destination rule 7 translation port '257'
set nat destination rule 8 destination address '10.10.14.60'
set nat destination rule 8 destination port '4222'
set nat destination rule 8 inbound-interface 'eth1'
set nat destination rule 8 protocol 'tcp'
set nat destination rule 8 translation address '10.10.12.50'
set nat destination rule 8 translation port '22'
set nat destination rule 9 destination address '10.10.14.60'
set nat destination rule 9 destination port '18191'
set nat destination rule 9 inbound-interface 'eth1'
set nat destination rule 9 protocol 'tcp'
set nat destination rule 9 translation address '10.10.12.50'
set nat destination rule 9 translation port '18191'
set nat destination rule 10 destination address '10.10.14.60'
set nat destination rule 10 destination port '18192'
set nat destination rule 10 inbound-interface 'eth1'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '10.10.12.50'
set nat destination rule 10 translation port '18192'
set nat source rule 5 outbound-interface 'eth1'
set nat source rule 5 source address '10.10.12.50'
set nat source rule 5 translation address '10.10.14.60'

And here is my diagram

Bear in mind that NAT happens BEFORE firewall.
So, while defining firewall rules, you need to accept the new/modified IP address and ports.

There’s also a command to accept all connections that had been NATed before (available in 1.4 and 1.5)
Check first options here: IPv4 Firewall Configuration — VyOS 1.5.x (circinus) documentation

Does that mean I need to allow port 22 as well and 10.10.12.50 as well?

Yes, I allowed the actual IP address, which is 10.10.12.50, and it worked.
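
An added example, not part of the original posts and not VyOS code: a small Python check for the point made in the thread, that firewall rules must match the address and port after destination NAT. It parses `set` commands like those posted above and lists the destination NAT rules whose translated address and port no rule in the named firewall ruleset matches. The function names are hypothetical, and it assumes comma-separated port lists as in the post; it ignores port ranges, rule actions and protocol matching.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the configuration posted above.
SAMPLE = """\
set firewall name OUT-IN rule 5 destination address '10.10.14.60'
set firewall name OUT-IN rule 5 destination port '18210,18211,257,4222'
set nat destination rule 5 destination address '10.10.14.60'
set nat destination rule 5 destination port '18210'
set nat destination rule 5 translation address '10.10.12.50'
set nat destination rule 5 translation port '18210'
set nat destination rule 8 destination address '10.10.14.60'
set nat destination rule 8 destination port '4222'
set nat destination rule 8 translation address '10.10.12.50'
set nat destination rule 8 translation port '22'
"""

FW = re.compile(r"set firewall name (\S+) rule (\d+) destination (address|port) '([^']*)'")
NAT = re.compile(r"set nat destination rule (\d+) (destination|translation) (address|port) '([^']*)'")

def parse(config):
    fw, nat = defaultdict(dict), defaultdict(dict)
    for line in map(str.strip, config.splitlines()):
        if m := FW.fullmatch(line):
            fw[(m[1], int(m[2]))][m[3]] = m[4]
        elif m := NAT.fullmatch(line):
            nat[int(m[1])][(m[2], m[3])] = m[4]
    return fw, nat

def fw_matches(rule, addr, port):
    # A field the firewall rule does not set matches anything.
    ok_addr = rule.get("address", addr) == addr
    ok_port = "port" not in rule or port in rule["port"].split(",")
    return ok_addr and ok_port

def unmatched_dnat(config, ruleset):
    # Returns (nat rule number, post-NAT address, post-NAT port) with no matching firewall rule.
    fw, nat = parse(config)
    rules = [r for (name, _), r in fw.items() if name == ruleset]
    missing = []
    for num, r in sorted(nat.items()):
        addr = r.get(("translation", "address"), r.get(("destination", "address")))
        port = r.get(("translation", "port"), r.get(("destination", "port")))
        if not any(fw_matches(f, addr, port) for f in rules):
            missing.append((num, addr, port))
    return missing

if __name__ == "__main__":
    for num, addr, port in unmatched_dnat(SAMPLE, "OUT-IN"):
        print(f"nat destination rule {num}: no OUT-IN rule matches {addr}:{port}")
```

On the sample, both NAT rules are reported, because the only firewall rule matches the pre-NAT address 10.10.14.60 rather than 10.10.12.50.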
