Please help me figure out what is happening when I configure NAT hairpinning on version 1.4.
I have 1 WAN interface and 4 LAN interfaces (grouped into 2 bridges) for LAB (br50) and OFFICE (br10).
I want to reach the web service via the external IP (assigned to the WAN interface) from a lab PC (192.168.13.90) to the web server (private IP: 192.168.1.80).
I believe I followed the configuration guide from the official VyOS documentation, but it is not working. However, while tcpdump is running on interface br50, it works, and I don't know why.
Please help me, thanks
This is my configuration; the WAN IP has been replaced with 8.8.8.8.
vyos@gw:~$ show configuration
/* Running configuration as posted; the real WAN address is replaced with 8.8.8.8 */
firewall {
group {
/* Used by DNAT rules 200/210 to recognise hairpin traffic addressed to the WAN IP */
address-group WAN_IP {
address 8.8.8.8
}
interface-group INSIDE-INTERFACE {
interface eth8
interface eth7
interface br10
interface lo
interface tun100
}
interface-group LAB-INTERFACE {
interface eth5
interface eth6
interface br50
interface lo
}
/* Covers the whole br50 /16, including the lab PC 192.168.13.90 and the servers 192.168.1.80/.60 */
network-group LAB-SUBNET {
network 192.168.0.0/16
}
network-group OFFICE-SUBNET {
network 10.2.10.0/24
}
port-group MAIL-SERVICE {
port smtp
port pop3
port imap2
}
port-group WEB-SERVICE {
port http
port https
port 8000
port 8080
}
}
ipv4 {
forward {
filter {
default-action drop
rule 50 {
action accept
inbound-interface {
group INSIDE-INTERFACE
}
}
rule 55 {
action accept
inbound-interface {
group LAB-INTERFACE
}
}
/* No inbound-interface match: new TCP to WEB-SERVICE ports is accepted from any interface, including eth1; presumably this is what lets the DNATed WAN traffic reach 192.168.1.80 */
rule 100 {
action accept
destination {
group {
port-group WEB-SERVICE
}
}
protocol tcp
state new
}
rule 150 {
action accept
destination {
group {
port-group MAIL-SERVICE
}
}
protocol tcp
state new
}
rule 200 {
action accept
state established
state related
}
}
}
input {
filter {
default-action drop
rule 10 {
action accept
inbound-interface {
group INSIDE-INTERFACE
}
}
rule 15 {
action accept
inbound-interface {
group LAB-INTERFACE
}
}
rule 100 {
action accept
protocol gre
}
/* NOTE(review): no inbound-interface and no state match, so TCP to these ports on the router itself is accepted from any interface, including eth1 (WAN); same for rule 120 -- confirm this is intended */
rule 110 {
action accept
destination {
group {
port-group WEB-SERVICE
}
}
protocol tcp
}
rule 120 {
action accept
destination {
group {
port-group MAIL-SERVICE
}
}
protocol tcp
}
rule 200 {
action accept
state established
state related
}
}
}
output {
filter {
default-action accept
}
}
}
}
interfaces {
bridge br10 {
address 10.2.10.254/24
description OFFICE
ip {
enable-arp-accept
enable-directed-broadcast
}
member {
interface eth7 {
}
interface eth8 {
}
}
stp
}
/* Lab PC and both DNAT targets sit on this bridge, so hairpinned traffic enters and leaves via br50 */
bridge br50 {
address 192.168.1.1/16
description LAB
ip {
enable-arp-accept
enable-directed-broadcast
}
member {
interface eth5 {
}
interface eth6 {
}
}
stp
}
ethernet eth1 {
address 8.8.8.8/24
description WAN
hw-id 00:18:7d:ff:b5:83
}
ethernet eth2 {
hw-id 00:18:7d:ff:b5:84
}
ethernet eth3 {
hw-id 00:18:7d:ff:b5:85
}
ethernet eth4 {
hw-id 00:18:7d:ff:b5:86
}
ethernet eth5 {
hw-id 00:18:7d:ff:b5:87
}
ethernet eth6 {
hw-id 00:18:7d:ff:b5:88
}
ethernet eth7 {
hw-id 00:18:7d:ff:b5:89
}
ethernet eth8 {
hw-id 00:18:7d:ff:b5:8a
}
loopback lo {
}
}
nat {
destination {
/* Rules 100/110: external DNAT, restricted to traffic arriving on eth1 */
rule 100 {
description "WEB to HAProxy"
destination {
group {
port-group WEB-SERVICE
}
}
inbound-interface {
name eth1
}
protocol tcp
translation {
address 192.168.1.80
}
}
rule 110 {
description MAIL
destination {
group {
port-group MAIL-SERVICE
}
}
inbound-interface {
name eth1
}
protocol tcp
translation {
address 192.168.1.60
}
}
/* Rules 200/210: hairpin DNAT, matched by destination address (WAN_IP) with no inbound-interface restriction */
rule 200 {
destination {
group {
address-group WAN_IP
port-group WEB-SERVICE
}
}
protocol tcp
translation {
address 192.168.1.80
}
}
rule 210 {
destination {
group {
address-group WAN_IP
port-group MAIL-SERVICE
}
}
protocol tcp
translation {
address 192.168.1.60
}
}
}
source {
/* Hairpin SNAT: LAB-to-LAB TCP leaving via br50 is masqueraded, presumably so the server replies to the router instead of directly to the lab PC */
rule 50 {
description "NAT Reflection: INSIDE"
destination {
group {
network-group LAB-SUBNET
}
}
outbound-interface {
name br50
}
protocol tcp
source {
group {
network-group LAB-SUBNET
}
}
translation {
address masquerade
}
}
rule 510 {
outbound-interface {
name eth1
}
source {
group {
network-group OFFICE-SUBNET
}
}
translation {
address masquerade
}
}
rule 550 {
outbound-interface {
name eth1
}
source {
group {
network-group LAB-SUBNET
}
}
translation {
address masquerade
}
}
}
}
MOD Edit: Updated config to be readable - @tjh