Multiple inbound interfaces / 1 outbound interface with NAT

Hi all

I’m looking to achieve the following with 1 x router:

  1. Enable multiple interfaces as inbound interfaces for NAT, each of them already have IPs from different upstreams - eth0 (ISP 1), eth1 (ISP 2) and eth2 (ISP 3)

  2. Enable 1 outbound interface - eth4 (ISP 1) - I’ve already got this working


  • As soon as I set the outbound interface to eth4, I can no longer use eth1 and eth2 as the inbound IP.
  • Inbound interface eth0 continues to work (since the outbound interface eth4 is from the same upstream)
  • NAT source is set to address: masquerade, so my guess is theres packets being dropped by eth1 and eth2 since the source IP is from eth4 (different upstream)

Any ideas? There must be some additional policies etc. I can create to cater for this, not sure which ones I need though.


I’m not getting the scenario and what do you want/need to achieve.
Correct me if I’m wrong:

  • You have 3 connections: eth0-ISP1 ; eth1-ISP2 and eth2-ISP3
  • You want/need to apply destination NAT to connections received on those interfaces
  • You want/need source NAT to access internet, through eth4?

Correct. Bottom line eth4 is a dynamic IP, so we want to keep the inbound interfaces static, but be able to change the outbound/internet IP.

Having several internet connections, requires more configuration that you might think.
You must ensure that if incoming traffic is received from internet, for example in eth0-ISP, then the response should also be routed through same interface. Otherwise, the response will have another source ip address (let say eth4-ISPX public IP address), and client who initiated the connection will not accept this response, since it comes from a different IP.

This can be achieved, but as far as I remember, not directly from vyos cli. An idea on how to achieve this? You can try WAN Load Balancing, and enable sticky-connections. Then analize firewall rules and policies.
Also, a thread with similar requirements can be found here

Thanks! Just double checking having read the WAN Load Balancing doc, this would work for my scenario where I have multiple inbound interfaces (eth1, eth2, eth3 where NAT port forwarding occurs), and then all outbound traffic goes via a separate interface (eth4 DHCP)?

The challenge then is to ensure the response goes back from 1) eth4 → 2) the relevant inbound interface the request came from