Is DNAT not possible without SNAT?

Hello Team,
I am a noob on the VyOS platform, but I got caught up in a P1 requirement in my organisation where we want to preserve the source client IP.
Here we are using VyOS as the NAT router, or the main frontend appliance holding a public IP.
This VyOS server accepts all internet traffic and performs DNAT to send it to the internal HAProxy load balancer sitting in a private Kubernetes cluster.

The issue is that HAProxy always gets the VyOS outbound interface's internal IP as the source IP (as we perform SNAT to pass the request to the private local network sitting behind VyOS).

My NAT configuration:

nat {
    destination {
        rule 100 {
            description "route 80,443 to haproxy Internal loadbalancer"
            destination {
                address 0.0.0.0/0
                port 80,443
            }
            inbound-interface eth0
            protocol tcp_udp
            translation {
                address 10.XXX.XX.XX
            }
        }
    }
    source {
        rule 100 {
            outbound-interface eth1
            source {
                address !10.0.0.0/8
            }
            translation {
                address masquerade
            }
        }
    }
}

If I remove the source NAT section, the request times out.

Can you please review this scenario and suggest the best way to overcome this blocker?
Could you please suggest a different approach within VyOS?

According to your configuration, your internal hosts have IPs in 10.x.x.x. If those devices need to reach the internet, at some point source NAT is needed, because private networks are not routed on the internet.

Thanks for the reply @n.fort
Actually, the internal hosts don't use VyOS for NAT (or outbound connectivity).
They use another NAT medium for that.
In our infra, VyOS is only used for incoming external/internet traffic to internal hosts.

Client → xyz.com → VyOS PublicIP → DNAT - SNAT → HAProxy → App

You don't need SNAT for a DNAT entry to work.
On the 1st packet (from WAN to LAN), the DNAT rule is used; this generates a conntrack entry, which is used for all subsequent packets (both in and out) belonging to the connection.
As there is some other gateway on your network, you either have to hassle with the route table on the client, or add a masquerade rule on the LAN interface.
This masquerade rule should only kick in for port-mapped packets, and will translate the source address to the VyOS LAN address. Now the client return traffic is destined to the VyOS local LAN IP address, and is automatically routed correctly.

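
One way to build what @16again describes, as an added example that is not from the thread or from the VyOS project. Interface roles (eth0 WAN, eth1 LAN) follow the original config; the addresses 10.0.0.1 (VyOS LAN IP) and 10.0.0.10 (HAProxy) are constructed, and the host-side commands assume a Linux HAProxy host whose `ip rule` supports `sport` matching (kernel 4.17 or newer). Only option A keeps the real client IP; option B is the scoped masquerade from the answer, which fixes the routing problem but replaces the client address:

```vyos
# Added example, not the thread's config. Constructed addressing:
#   eth0 = WAN (public IP), eth1 = LAN, VyOS LAN IP 10.0.0.1, HAProxy 10.0.0.10

# --- VyOS configure mode: DNAT only, no source NAT rule ---
# 80/443 are TCP here, so the rule is narrowed from tcp_udp to tcp.
set nat destination rule 100 description 'route 80,443 to haproxy internal loadbalancer'
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 destination port '80,443'
set nat destination rule 100 translation address '10.0.0.10'
# With no source NAT, HAProxy sees the real client address. The conntrack
# entry created by the first packet un-translates the replies, but only if
# those replies come back through VyOS (see option A).

# --- Option A (preserves client IP): policy routing on the HAProxy host ---
# Run on the Linux host running HAProxy, not on VyOS. Replies leaving from
# ports 80/443 use routing table 100, whose gateway is VyOS; everything else
# keeps using the host's existing default gateway (the "other NAT medium").
ip route add default via 10.0.0.1 table 100
ip rule add sport 80 table 100
ip rule add sport 443 table 100

# --- Option B (does NOT preserve client IP): masquerade only port-mapped packets ---
# VyOS configure mode. Scoped to the DNAT target and ports, so ordinary LAN
# traffic is untouched; HAProxy then sees 10.0.0.1 as the source.
set nat source rule 100 outbound-interface 'eth1'
set nat source rule 100 protocol 'tcp'
set nat source rule 100 destination address '10.0.0.10'
set nat source rule 100 destination port '80,443'
set nat source rule 100 translation address 'masquerade'

# --- Checks (VyOS operational mode) ---
# Rule hit counters, active translations, and the conntrack entries that
# carry the DNAT state for each connection.
show nat destination statistics
show nat destination translations
show conntrack table ipv4
```

After committing option A, a connection from a public client should appear in `show conntrack table ipv4` with the client's address as the original source and 10.0.0.10 as the translated destination, and HAProxy's own logs should show that same client address. If HAProxy runs inside a Kubernetes pod rather than directly on the host, the return path also depends on the cluster's CNI, which this example does not cover.
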

Thanks @16again for the detailed explanation.
So with my current config, I cannot pass/persist the actual client IP address to upstream services, right?

Hi All,
We are looking to keep the client IP after DNATing the source address; is there any way to achieve this on VyOS?
Thanks in advance