Local subnet being NATed

I have two subnets:

192.168.100.0/24 - ETH0
192.168.200.0/24 - ETH1
WAN - ETH5

My traffic from 192.168.200.0/24 to/from 192.168.100.0/24 is going via NAT (confirmed via traceroute).
Not sure what I’m missing.

vyos# show nat
 source {
     rule 10 {
         destination {
             address 192.168.100.0/24
         }
         exclude
         source {
             address 192.168.200.0/24
         }
         translation {
             address masquerade
         }
     }
     rule 20 {
         destination {
             address 192.168.200.0/24
         }
         exclude
         source {
             address 192.168.100.0/24
         }
         translation {
             address masquerade
         }
     }
     rule 100 {
         destination {
             address 0.0.0.0/0
         }
         source {
             address 192.168.100.0/24
         }
         translation {
             address masquerade
         }
     }
     rule 200 {
         destination {
             address 0.0.0.0/0
         }
         source {
             address 192.168.200.0/24
         }
         translation {
             address masquerade
         }
     }
     rule 300 {
         destination {
             address 0.0.0.0/0
         }
         source {
             address 10.0.0.0/24
         }
         translation {
             address masquerade
         }
     }
 }
[edit]

Routes:

vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

S>* 0.0.0.0/0 [210/0] via xx.xx.112.1, eth4, weight 1, 02w3d23h
  *                   via xx.xx.3.1, eth5, weight 1, 02w3d23h
C>* 10.0.0.0/24 is directly connected, eth4.100, 02w3d23h
C>* xx.xx.112.0/20 is directly connected, eth4, 02w3d23h
C>* xx.xx.3.0/24 is directly connected, eth5, 02w3d23h
S   192.168.100.0/24 [1/0] is directly connected, eth0, weight 1, 02w3d23h
C>* 192.168.100.0/24 is directly connected, eth0, 02w3d23h
S   192.168.200.0/24 [1/0] is directly connected, eth1, weight 1, 02w3d23h
C>* 192.168.200.0/24 is directly connected, eth1, 02w3d23h

What version of VyOS?

I would try removing the translation address masquerade from rule 10 and 20 and see if that helps.

I actually added it just recently. It wasn’t working without either.

Running on VyOS 1.5-rolling-202401220025

Let’s validate your design a little first. What are you expecting rules 10 and 20 to do? Do you actually need SNAT towards those prefixes?

Your problem is rules 100 and 200. You’re not defining any interfaces in your SNAT policies, so even though you exclude those 2 subnets in rules 10 and 20, they immediately go on to match rules 100 and 200. You need to define outbound interfaces (or maybe a group, since it looks like you may have 2 WAN interfaces, eth4 and eth5). Apply that to rules 100 and 200. If you actually need 10 and 20, they should have an outbound interface of eth0 and eth1 respectively.

Should add that I fixed and added some NAT logging last week. You should be able to use those in a rolling release after the 23rd. It could help you narrow things down when you encounter issues like this.

I narrowed it down to the load balancing of my WAN network as the cause of the problem. Removing that and everything worked as expected.

Now I need to figure out why the load balance behavior is different and how to fix it.

Have you excluded inter-LAN traffic from the LB? Please post your LB config.
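Pulling the two suggestions in this thread together (interface-scoped SNAT rules, and keeping inter-LAN traffic out of the WAN load balancer), the following is an added configuration example; it is not from any participant here and not tested against the poster's setup. It assumes VyOS 1.4+/1.5-rolling command syntax; the interface-group name WAN and the load-balancing rule numbers 5 and 6 are assumptions.

```vyos
# Added example, not from the thread. Syntax assumed for VyOS 1.4+/1.5 rolling.

# If rules 10 and 20 are kept, tie each exclude to the LAN interface the
# traffic actually leaves on (eth0 hosts 192.168.100.0/24, eth1 hosts 192.168.200.0/24).
set nat source rule 10 outbound-interface name eth0
set nat source rule 20 outbound-interface name eth1

# Group the two uplinks so one masquerade rule per LAN covers both WAN interfaces.
# Group name "WAN" is an assumption.
set firewall group interface-group WAN interface eth4
set firewall group interface-group WAN interface eth5

# Masquerade only when traffic leaves via a WAN interface; inter-LAN traffic
# leaving via eth0/eth1 no longer matches these rules.
set nat source rule 100 outbound-interface group WAN
set nat source rule 200 outbound-interface group WAN
set nat source rule 300 outbound-interface group WAN

# Keep inter-LAN flows out of the WAN load balancer, which otherwise steers
# them towards an uplink and source-NATs them. Rule numbers 5 and 6 are assumptions.
set load-balancing wan rule 5 inbound-interface eth0
set load-balancing wan rule 5 destination address 192.168.200.0/24
set load-balancing wan rule 5 exclude
set load-balancing wan rule 6 inbound-interface eth1
set load-balancing wan rule 6 destination address 192.168.100.0/24
set load-balancing wan rule 6 exclude

commit
save
```

After committing, repeat the traceroute from a 192.168.200.0/24 host to a 192.168.100.0/24 host; the path should now show only the router's LAN hops and no translated source address.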