NAT issues? Can ping from other hosts, but TCP connections seem to only work from certain hosts

Hello!
I’m currently working on building out a lab in GNS3 for testing out some network changes I’m doing on my personal infra with a few friends. The new setup will primarily be MikroTik based (due to already having the hardware, and wanting routing running on separate hardware as it’s a colo’d server and I want remote access in case of issues on the server itself).
In my lab environment in GNS3, I have a MikroTik CHR with the two interfaces I’d be using on the physical device, and an additional interface going to a VyOS router for a sort of “lab management network”, which has one interface going to the CHR and one to a “physical” network (VM network on the GNS3 host machine). I’m connected to that network over Wireguard, and there’s several other VMs as well.
Here’s a simplified diagram of the network, including the host networks and how I’m connected:

The reason I’m using a lab management network and not attaching the CHR directly to the host’s vmbr1 via host-eth0 is because I’m aiming for the CHR (or rather, the hardware that will be running mostly-the-same config as the CHR) to be a drop-in replacement for OPNSense, including its networks, so it would already be aware of that subnet as it’s used elsewhere in the GNS3 project.

In VyOS, I have this configuration (simplified by removing defaults for the forum thread):

interfaces {
    ethernet eth0 {
        address 172.26.0.57/16
        hw-id 0c:08:81:15:00:00
    }
    ethernet eth1 {
        address 10.255.255.1/24
        hw-id 0c:08:81:15:00:01
    }
}
nat {
    destination {
        rule 1 {
            description "Remap connections to routers IP to DUT IP"
            destination {
                address 172.26.0.57
            }
            inbound-interface {
                name eth0
            }
            log
            translation {
                address 10.255.255.2
            }
        }
    }
    source {
        rule 1 {
            description "On connections to DUT, use routers internal IP"
            outbound-interface {
                name eth1
            }
            source {
                address 0.0.0.0/0
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 10.255.0.0/24 {
            description "Route to WireGuard via existing prod router"
            next-hop 172.26.0.1 {
            }
        }
    }
}

With this configuration, I am able to ping 172.26.0.57 and see the ping (via wireshark) end up at 10.255.255.2 (the CHR) from any machines on my network, either directly on the server or via WireGuard.

This is where it gets weird, though: From OPNSense itself and from my home machine over WireGuard, I can do curl http://172.26.0.57 and get something back from the CHR. On any other machines - such as a Debian test VM on the server - the connection times out.

Looking in Wireshark, the connections that succeed do (obviously) have traffic shown going from the VyOS instance to the CHR. On the connections that fail, it looks like VyOS didn’t even try to do anything - there’s no traffic generated on the link between VyOS eth1 and the CHR, and it seems VyOS just ignores the connection entirely on eth0. From what I can tell, this would not be caused by firewall rules, either, as the defaults seem to be to just allow all traffic - and this is the behavior I’ve seen on other parts of my lab network (not pictured, but effectively a simplified internet connection for validating firewall rules on the CHR and making sure I’m configuring it correctly).

Does anyone have any ideas what would cause this and how I would fix it?

edit: Also, if needed, I can attach packet captures of each side of VyOS - one on the link between the host and VyOS eth0 and one on the link between VyOS eth1 and the CHR.

Hi @asyncmeow and welcome to the VyOS forums!

The first thing I’d do is check that it’s not an MTU issue - which this sounds a little bit like it could be.

Try adding in some MSS clamping to see if it helps:

set interfaces wireguard eth0 ip adjust-mss '1380'
set interfaces wireguard eth1 ip adjust-mss '1380'

You mention Wireshark, but are you doing tcpdump on the VyOS box itself?
What Firewall rules (if any) do you have on the VyOS box?

Hello!
Just saw your reply - so, Wireguard in my setup is completely external from the VyOS box here (it’s running on the OPNSense VM in my network diagram). What confuses me though is what setting the MSS on the WG interfaces would accomplish? The WG connections are working fine, what’s having issues is non-WG connections (ie. from other VMs on the host).

The packet captures I was getting were from tcpdump in GNS3 itself, my thinking was that would avoid anything in VyOS from affecting the dump that it gets.

On the VyOS box, I have zero firewall rules - the only sections omitted from the config I sent in the original post are the service and system config blocks, both of which are completely set to the default values (aside from hostname).

NAT rules seem to be wrong

How would my NAT rules be wrong?

In the cases where the connection works - including pings from hosts that I can’t make actual connections from - it behaves as I expect:

  • Connections to the router (ie. to 172.26.0.57) get translated to 10.255.255.2
  • 10.255.255.2 sees the connections as coming from 10.255.255.1

So, I looked at this with a friend of mine who knows the internals of Linux networking a bit more, and we added some nftables rules to debug this, and we eventually ended up at the conclusion that the issue here is an issue with conntrack - specifically, packets from 172.26.0.230 (the test VM) aren’t being considered new by conntrack.

I will say, though, that I’m not entirely sure on everything here - this is mostly the friend I mentioned telling me what to run and looking at the traces :sweat_smile:

Here’s how we figured this out:

  • First, we added some nft hooks to trace what’s happening
sudo nft table ip filter
sudo nft add chain filter trace_chain { type filter hook prerouting priority -301\; }
sudo nft add rule filter trace_chain tcp dport 80 meta nftrace set 1

sudo nft monitor trace > working.txt # (did a curl from the macbook (over wireguard from opnsense) here, which does work)
sudo nft monitor trace > broken.txt # (did a curl from the VM here, which does not work)
  • In the broken.txt trace, we first noticed that NAT was being skipped, and when trying to figure out why, we saw it was because connections weren’t being treated as new by conntrack.
  • show conntrack table ipv4 did not show anything after connection attempts from the VM:
vyos@management:~$ show conntrack table ipv4
Id          Original src       Original dst          Reply src             Reply dst          Protocol    State    Timeout    Mark    Zone
----------  -----------------  --------------------  --------------------  -----------------  ----------  -------  ---------  ------  ------
4103079268  10.255.255.2:5678  255.255.255.255:5678  255.255.255.255:5678  10.255.255.2:5678  udp                  0          0
vyos@management:~$

For context, here’s what I see after connection attempts from my macbook:

vyos@management:~$ show conntrack table ipv4
Id          Original src       Original dst          Reply src             Reply dst           Protocol    State      Timeout    Mark    Zone
----------  -----------------  --------------------  --------------------  ------------------  ----------  ---------  ---------  ------  ------
1241303910  10.255.0.2:51508   172.26.0.57:80        10.255.255.2:80       10.255.255.1:51508  tcp         TIME_WAIT  63         0
4103079268  10.255.255.2:5678  255.255.255.255:5678  255.255.255.255:5678  10.255.255.2:5678   udp                    21         0
vyos@management:~$
  • When adding filter rules to trace all packets from 172.26.0.230, we just confirmed that the initial TCP packets are not going through NAT, and that it most likely seems like a conntrack issue.

What would my next steps be to debug this?
Here’s my version info for the VyOS system:

Version:          VyOS 2025.05.13-0019-rolling
Release train:    current
Release flavor:   generic

Built by:         [email protected]
Built on:         Tue 13 May 2025 00:19 UTC
Build UUID:       bcc09b0b-ac04-4a1c-9e57-be8420c579fd
Build commit ID:  5891a5bd25bf65

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest
Secure Boot:      n/a (BIOS)

Hardware vendor:  QEMU
Hardware model:   Ubuntu 24.04 PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    c7088115-6b62-4340-a660-15f4fb419e1e

Copyright:        VyOS maintainers and contributors

If you’re using curl, then the fact conntrack isn’t creating an entry will be a red herring. Conntrack requires a 3-way handshake for a tracked TCP session, so the lack of an entry could just mean the handshake failed. Just focus on ICMP for your testing. Once that’s working you can try curl.

It’s a little hard to follow your topology because you reference things by a host (debian host instead of x.x.x.x). It could help if you provided a map of hosts to their IP address. Also, when referencing traffic, whether working or not, it’d help if you state the src/dst IP pair.

For testing, add a secondary address to eth0 on VyOS of something like 172.26.0.58/16. Then try to reach that address from the hosts that are failing. If that works, then you can move down to the connection between the CHR and VyOS.

Make sure you have a route on the CHR to 172.26.0.0/16. Since it seems like that is the return traffic that is failing. You can quickly test that by trying to ping the CHR from VyOS with a source of 172.26.0.57 or the newly created 172.26.0.58. If that fails, then it could be routing/firewall rules on the CHR.

You have a SNAT rule towards the CHR, so traffic shouldn’t have a source of 172.26.0.0/16 for that segment, but it will help with troubleshooting to have that route if NAT is failing.

With the CHR, VyOS, and OPNSense all being routers, is there any reason why you’re doing NAT rather than just adding routing between the devices?

Hey, thank you for responding!
I’ll go through your response point-by-point here…

  • Right now, pinging works as I expect - pinging 172.26.0.57 (the VyOS IP) ends up getting NATed to the CHR (ie. 172.26.0.230 → 172.26.0.57 ends up pinging 10.255.255.2 with a source IP of 10.255.255.1) - it’s only TCP connections that are failing

  • That’s a good point - here’s a version of the original diagram with the IP addresses added:

  • I previously had one, and could ping it without issues - but I can add one back and make sure I can still ping that. Not sure if it’s too relevant unless pings to .57 end up failing, though, but if that does happen it helps to isolate any issues.

  • The last three paragraphs I can kinda respond to together, as the reason I’m doing things how they are covers all three. I don’t have a route on the CHR for 172.26.0.0/16 as the CHR will later end up being in the place of the OPNSense router, and since I want it to be a drop-in replacement later, I need to have it be able to route its own 172.26.0.0/16 network within the lab environment. Adding a route to 172.26.0.0/16 via 10.255.255.1 would keep me from using 172.26.0.0/16 within the lab environment (unless I do something like set up VIFs on the CHR, but I feel like that would be adding complexity I don’t want to my setup). To work around this limitation of wanting to keep the existing subnets within the lab environment, I thought I could use another router to effectively pass connections to the CHR from my existing network, while masking the fact the connections are coming from my existing network by NATing and masking the source IP.

Editing to add info on what did/did not work in my testing, using src/dest IP pairs:

  • Pinging from 10.255.0.2 to 172.26.0.57 (which gets NATed to 10.255.255.2) works
  • TCP connections (via curl) from 10.255.0.2 to 172.26.0.57 (NATed to 10.255.255.2) work
  • Pinging from 172.26.0.1 to 172.26.0.57 (NATed to 10.255.255.2) works
  • TCP connections (via curl) from 172.26.0.1 to 172.26.0.57 (NATed to 10.255.255.2) work
  • Pinging from 172.26.0.230 to 172.26.0.57 (NATed to 10.255.255.2) works
  • TCP connections (via curl) from 172.26.0.230 (… or any other host also on vmbr1 that I’ve tested) to 172.26.0.57 do not work

And also editing again to add info the aforementioned friend who’s been poking at this with me just said:

3 way handshake is failing because SYN packets are skipping NAT

Gotcha, so there’s IP overlap across 2 networks?

Do you have firewall or PBR rules on VyOS? If you do, can you provide your configs for that?

Can you clear the VyOS logs, and then provide the output from these when trying curl from a host that fails, as well as a host that succeeds:

sudo tcpdump -ni eth0 port 80
sudo tcpdump -ni eth1 port 80

Or:
sudo tcpdump -ni any port 80

Then provide the output of:

show log nat destination rule 1

I don’t have any firewall or PBR rules on VyOS - the config I sent in the OP is, aside from changing the hostname, the full config I have.

Here’s the output of sudo tcpdump -ni any port 80:

vyos@management:~$ sudo tcpdump -ni any port 80
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
22:53:33.009340 eth0  In  IP 10.255.0.2.55124 > 172.26.0.57.80: Flags [SEW], seq 3205641606, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3691686114 ecr 0,sackOK,eol], length 0
22:53:33.010342 eth1  Out IP 10.255.255.1.55124 > 10.255.255.2.80: Flags [SEW], seq 3205641606, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3691686114 ecr 0,sackOK,eol], length 0
22:53:33.012530 eth1  In  IP 10.255.255.2.80 > 10.255.255.1.55124: Flags [S.E], seq 1877005250, ack 3205641607, win 65160, options [mss 1460,sackOK,TS val 2519461971 ecr 3691686114,nop,wscale 5], length 0
22:53:33.012559 eth0  Out IP 172.26.0.57.80 > 10.255.0.2.55124: Flags [S.E], seq 1877005250, ack 3205641607, win 65160, options [mss 1460,sackOK,TS val 2519461971 ecr 3691686114,nop,wscale 5], length 0
22:53:33.065107 eth0  In  IP 10.255.0.2.55124 > 172.26.0.57.80: Flags [.], ack 1, win 2064, options [nop,nop,TS val 3691686169 ecr 2519461971], length 0
22:53:33.065107 eth0  In  IP 10.255.0.2.55124 > 172.26.0.57.80: Flags [P.], seq 1:75, ack 1, win 2064, options [nop,nop,TS val 3691686169 ecr 2519461971], length 74: HTTP: GET / HTTP/1.1
22:53:33.065154 eth1  Out IP 10.255.255.1.55124 > 10.255.255.2.80: Flags [.], ack 1, win 2064, options [nop,nop,TS val 3691686169 ecr 2519461971], length 0
22:53:33.065217 eth1  Out IP 10.255.255.1.55124 > 10.255.255.2.80: Flags [P.], seq 1:75, ack 1, win 2064, options [nop,nop,TS val 3691686169 ecr 2519461971], length 74: HTTP: GET / HTTP/1.1
22:53:33.066438 eth1  In  IP 10.255.255.2.80 > 10.255.255.1.55124: Flags [.], ack 75, win 2034, options [nop,nop,TS val 2519462025 ecr 3691686169], length 0
22:53:33.066484 eth0  Out IP 172.26.0.57.80 > 10.255.0.2.55124: Flags [.], ack 75, win 2034, options [nop,nop,TS val 2519462025 ecr 3691686169], length 0
22:53:33.135740 eth1  In  IP 10.255.255.2.80 > 10.255.255.1.55124: Flags [.], seq 1:1349, ack 75, win 2034, options [nop,nop,TS val 2519462027 ecr 3691686169], length 1348: HTTP: HTTP/1.1 200 OK
22:53:33.135740 eth1  In  IP 10.255.255.2.80 > 10.255.255.1.55124: Flags [P.], seq 1349:2697, ack 75, win 2034, options [nop,nop,TS val 2519462027 ecr 3691686169], length 1348: HTTP
22:53:33.135740 eth1  In  IP 10.255.255.2.80 > 10.255.255.1.55124: Flags [P.], seq 2697:2953, ack 75, win 2034, options [nop,nop,TS val 2519462028 ecr 3691686169], length 256: HTTP
22:53:33.135792 eth0  Out IP 172.26.0.57.80 > 10.255.0.2.55124: Flags [.], seq 1:1349, ack 75, win 2034, options [nop,nop,TS val 2519462027 ecr 3691686169], length 1348: HTTP: HTTP/1.1 200 OK
22:53:33.135842 eth0  Out IP 172.26.0.57.80 > 10.255.0.2.55124: Flags [P.], seq 1349:2697, ack 75, win 2034, options [nop,nop,TS val 2519462027 ecr 3691686169], length 1348: HTTP
22:53:33.135845 eth0  Out IP 172.26.0.57.80 > 10.255.0.2.55124: Flags [P.], seq 2697:2953, ack 75, win 2034, options [nop,nop,TS val 2519462028 ecr 3691686169], length 256: HTTP
22:53:33.208203 eth0  In  IP 10.255.0.2.55124 > 172.26.0.57.80: Flags [.], ack 1, win 2064, options [nop,nop,TS val 3691686295 ecr 2519462025,nop,nop,sack 1 {2697:2953}], length 0
22:53:33.208203 eth0  In  IP 10.255.0.2.55124 > 172.26.0.57.80: Flags [.], ack 1349, win 2043, options [nop,nop,TS val 3691686295 ecr 2519462027,nop,nop,sack 1 {2697:2953}], length 0
22:53:33.208203 eth0  In  IP 10.255.0.2.55124 > 172.26.0.57.80: Flags [.], ack 2953, win 2018, options [nop,nop,TS val 3691686295 ecr 2519462027], length 0
22:53:33.208203 eth0  In  IP 10.255.0.2.55124 > 172.26.0.57.80: Flags [F.], seq 75, ack 2953, win 2048, options [nop,nop,TS val 3691686297 ecr 2519462027], length 0
22:53:33.208242 eth1  Out IP 10.255.255.1.55124 > 10.255.255.2.80: Flags [.], ack 1, win 2064, options [nop,nop,TS val 3691686295 ecr 2519462025,nop,nop,sack 1 {2697:2953}], length 0
22:53:33.208302 eth1  Out IP 10.255.255.1.55124 > 10.255.255.2.80: Flags [.], ack 1349, win 2043, options [nop,nop,TS val 3691686295 ecr 2519462027,nop,nop,sack 1 {2697:2953}], length 0
22:53:33.208304 eth1  Out IP 10.255.255.1.55124 > 10.255.255.2.80: Flags [.], ack 2953, win 2018, options [nop,nop,TS val 3691686295 ecr 2519462027], length 0
22:53:33.208305 eth1  Out IP 10.255.255.1.55124 > 10.255.255.2.80: Flags [F.], seq 75, ack 2953, win 2048, options [nop,nop,TS val 3691686297 ecr 2519462027], length 0
22:53:33.281575 eth1  In  IP 10.255.255.2.80 > 10.255.255.1.55124: Flags [F.], seq 2953, ack 76, win 2034, options [nop,nop,TS val 2519462168 ecr 3691686297], length 0
22:53:33.281611 eth0  Out IP 172.26.0.57.80 > 10.255.0.2.55124: Flags [F.], seq 2953, ack 76, win 2034, options [nop,nop,TS val 2519462168 ecr 3691686297], length 0
22:53:33.334766 eth0  In  IP 10.255.0.2.55124 > 172.26.0.57.80: Flags [.], ack 2954, win 2048, options [nop,nop,TS val 3691686439 ecr 2519462168], length 0
22:53:33.334802 eth1  Out IP 10.255.255.1.55124 > 10.255.255.2.80: Flags [.], ack 2954, win 2048, options [nop,nop,TS val 3691686439 ecr 2519462168], length 0
22:53:38.846124 eth0  In  IP 172.26.0.230.60668 > 172.26.0.57.80: Flags [S], seq 1516184020, win 64240, options [mss 1460,sackOK,TS val 172001801 ecr 0,nop,wscale 7], length 0
22:53:39.863376 eth0  In  IP 172.26.0.230.60668 > 172.26.0.57.80: Flags [S], seq 1516184020, win 64240, options [mss 1460,sackOK,TS val 172002821 ecr 0,nop,wscale 7], length 0
22:53:41.879362 eth0  In  IP 172.26.0.230.60668 > 172.26.0.57.80: Flags [S], seq 1516184020, win 64240, options [mss 1460,sackOK,TS val 172004837 ecr 0,nop,wscale 7], length 0
22:53:45.943289 eth0  In  IP 172.26.0.230.60668 > 172.26.0.57.80: Flags [S], seq 1516184020, win 64240, options [mss 1460,sackOK,TS val 172008901 ecr 0,nop,wscale 7], length 0
22:53:54.134997 eth0  In  IP 172.26.0.230.60668 > 172.26.0.57.80: Flags [S], seq 1516184020, win 64240, options [mss 1460,sackOK,TS val 172017093 ecr 0,nop,wscale 7], length 0
22:54:10.262932 eth0  In  IP 172.26.0.230.60668 > 172.26.0.57.80: Flags [S], seq 1516184020, win 64240, options [mss 1460,sackOK,TS val 172033221 ecr 0,nop,wscale 7], length 0
22:54:42.774161 eth0  In  IP 172.26.0.230.60668 > 172.26.0.57.80: Flags [S], seq 1516184020, win 64240, options [mss 1460,sackOK,TS val 172065733 ecr 0,nop,wscale 7], length 0
^C
35 packets captured
35 packets received by filter
0 packets dropped by kernel
vyos@management:~$

And the output of show log nat destination rule 1:

vyos@management:~$ show log nat destination rule 1
Jun 07 22:53:33 kernel: [DST-NAT-1]IN=eth0 OUT= MAC=0c:08:81:15:00:00:bc:24:11:21:47:35:08:00 SRC=10.255.0.2 DST=172.26.0.57 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=55124 DPT=80 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0
vyos@management:~$
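
The comparison this capture is being read for can be automated. This is an added example, not part of any post in the thread: it parses `tcpdump -ni any port 80` text and lists initial SYNs that arrived on the ingress interface but never left the egress interface. It assumes, as the working flow in the capture shows, that NAT rewrites addresses but leaves the TCP sequence number unchanged; the function name and the trimmed sample lines are choices made for this example.

```python
import re

# Matches TCP lines printed by "tcpdump -ni any", for example:
# 22:53:33.009340 eth0  In  IP 10.255.0.2.55124 > 172.26.0.57.80: Flags [SEW], seq 3205641606, ...
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<ifname>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"Flags\s+\[(?P<flags>[^\]]+)\],\s+seq\s+(?P<seq>\d+)"
)

# Excerpt of the capture posted above, with the TCP options trimmed for width.
SAMPLE_CAPTURE = """\
22:53:33.009340 eth0  In  IP 10.255.0.2.55124 > 172.26.0.57.80: Flags [SEW], seq 3205641606, win 65535, length 0
22:53:33.010342 eth1  Out IP 10.255.255.1.55124 > 10.255.255.2.80: Flags [SEW], seq 3205641606, win 65535, length 0
22:53:33.012530 eth1  In  IP 10.255.255.2.80 > 10.255.255.1.55124: Flags [S.E], seq 1877005250, ack 3205641607, win 65160, length 0
22:53:33.012559 eth0  Out IP 172.26.0.57.80 > 10.255.0.2.55124: Flags [S.E], seq 1877005250, ack 3205641607, win 65160, length 0
22:53:38.846124 eth0  In  IP 172.26.0.230.60668 > 172.26.0.57.80: Flags [S], seq 1516184020, win 64240, length 0
22:53:39.863376 eth0  In  IP 172.26.0.230.60668 > 172.26.0.57.80: Flags [S], seq 1516184020, win 64240, length 0
22:53:41.879362 eth0  In  IP 172.26.0.230.60668 > 172.26.0.57.80: Flags [S], seq 1516184020, win 64240, length 0
"""


def is_initial_syn(flags):
    """True for SYN without ACK ('S', 'SEW'); false for SYN-ACK ('S.', 'S.E')."""
    return "S" in flags and "." not in flags


def find_unforwarded_syns(capture_text, ingress="eth0", egress="eth1"):
    """Return one record per SYN seen inbound on `ingress` that was never
    seen outbound on `egress`.

    Packets are matched across the two interfaces by sequence number only,
    because DNAT and masquerade change the addresses (and possibly the
    source port) but, in the capture above, not the sequence number.
    """
    inbound = {}       # seq -> record for SYNs received on the ingress side
    forwarded = set()  # seqs of SYNs that were sent out the egress side

    for line in capture_text.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m or not is_initial_syn(m["flags"]):
            continue
        seq = int(m["seq"])
        if m["ifname"] == ingress and m["dir"] == "In":
            rec = inbound.setdefault(seq, {
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "seq": seq, "attempts": 0, "first": m["ts"],
            })
            rec["attempts"] += 1   # retransmissions reuse the same seq
            rec["last"] = m["ts"]
        elif m["ifname"] == egress and m["dir"] == "Out":
            forwarded.add(seq)

    return [rec for seq, rec in inbound.items() if seq not in forwarded]


if __name__ == "__main__":
    for rec in find_unforwarded_syns(SAMPLE_CAPTURE):
        print("{src}:{sport} -> {dst}:{dport} seq {seq}: {attempts} SYN(s) "
              "between {first} and {last}, none forwarded".format(**rec))
```

Only the `port 80` capture format is handled; the `-e` captures later in the thread add link-layer fields that this pattern does not match.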

Gotcha, definitely not getting NATted. Can you provide the output of:

sudo nft list table vyos_nat

Yep, here’s the output of that:

table ip vyos_nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		counter packets 89 bytes 15552 jump VYOS_PRE_DNAT_HOOK
		iifname "eth0" ip daddr 172.26.0.57 counter packets 1 bytes 64 log prefix "[DST-NAT-1]" dnat to 10.255.255.2 comment "DST-NAT-1"
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 13 bytes 784 jump VYOS_PRE_SNAT_HOOK
		oifname "eth1" ip saddr 0.0.0.0/0 counter packets 1 bytes 64 masquerade comment "SRC-NAT-1"
	}

	chain VYOS_PRE_DNAT_HOOK {
		return
	}

	chain VYOS_PRE_SNAT_HOOK {
		return
	}
}

That looks fine.

Can you provide the output of this. Do a ping (count 1 is fine) and curl from 172.26.0.230 to 172.26.0.57:

sudo tcpdump -ni any -e

If I’m reading this right, it looks like it is getting to 10.255.255.2:

vyos@management:~$ sudo tcpdump -ni any -e
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
23:34:39.061676 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 104: 172.26.0.230 > 172.26.0.57: ICMP echo request, id 60708, seq 1, length 64
23:34:39.063102 eth1  Out ifindex 3 0c:08:81:15:00:01 ethertype IPv4 (0x0800), length 104: 10.255.255.1 > 10.255.255.2: ICMP echo request, id 60708, seq 1, length 64
23:34:39.064306 eth1  In  ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 104: 10.255.255.2 > 10.255.255.1: ICMP echo reply, id 60708, seq 1, length 64
23:34:39.064475 eth0  Out ifindex 2 0c:08:81:15:00:00 ethertype IPv4 (0x0800), length 104: 172.26.0.57 > 172.26.0.230: ICMP echo reply, id 60708, seq 1, length 64
23:34:39.230374 eth1  In  ifindex 3 0c:21:03:b1:00:02 ethertype ARP (0x0806), length 48: Request who-has 10.255.255.1 tell 10.255.255.2, length 28
23:34:39.230395 eth1  Out ifindex 3 0c:08:81:15:00:01 ethertype ARP (0x0806), length 48: Reply 10.255.255.1 is-at 0c:08:81:15:00:01, length 28
23:34:39.283850 eth0  Out ifindex 2 0c:08:81:15:00:00 ethertype ARP (0x0806), length 48: Request who-has 172.26.0.230 tell 172.26.0.57, length 28
23:34:39.284052 eth1  Out ifindex 3 0c:08:81:15:00:01 ethertype ARP (0x0806), length 48: Request who-has 10.255.255.2 tell 10.255.255.1, length 28
23:34:39.284976 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype ARP (0x0806), length 48: Reply 172.26.0.230 is-at a6:c8:21:1b:b1:d9, length 28
23:34:39.285250 eth1  In  ifindex 3 0c:21:03:b1:00:02 ethertype ARP (0x0806), length 48: Reply 10.255.255.2 is-at 0c:21:03:b1:00:02, length 28
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
vyos@management:~$

Did you do the curl as well in that capture? Or just ICMP? The pings are leaving VyOS and NAT is working correctly (like you previously mentioned).

That capture is only ping, no curl, so yeah just ICMP.

Can you do ICMP and curl in the same capture?

Ah, yeah I can, my bad - I misread your original post. Here you go (leaving curl going until it times out … and probably a bit longer since I alt-tabbed out and forgot to stop it for a minute):

vyos@management:~$ sudo tcpdump -ni any -e
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
23:41:12.514124 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 104: 172.26.0.230 > 172.26.0.57: ICMP echo request, id 52039, seq 1, length 64
23:41:12.515656 eth1  Out ifindex 3 0c:08:81:15:00:01 ethertype IPv4 (0x0800), length 104: 10.255.255.1 > 10.255.255.2: ICMP echo request, id 52039, seq 1, length 64
23:41:12.516730 eth1  In  ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 104: 10.255.255.2 > 10.255.255.1: ICMP echo reply, id 52039, seq 1, length 64
23:41:12.516749 eth0  Out ifindex 2 0c:08:81:15:00:00 ethertype IPv4 (0x0800), length 104: 172.26.0.57 > 172.26.0.230: ICMP echo reply, id 52039, seq 1, length 64
23:41:14.381060 eth1  M   ifindex 3 0c:21:03:b1:00:02 ethertype IPv6 (0x86dd), length 216: fe80::e21:3ff:feb1:2.5678 > ff02::1.5678: UDP, length 148
23:41:14.381060 eth1  B   ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 196: 10.255.255.2.5678 > 255.255.255.255.5678: UDP, length 148
23:41:14.381650 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.48888 > 172.26.0.57.80: Flags [S], seq 159570009, win 64240, options [mss 1460,sackOK,TS val 174857408 ecr 0,nop,wscale 7], length 0
23:41:15.410150 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.48888 > 172.26.0.57.80: Flags [S], seq 159570009, win 64240, options [mss 1460,sackOK,TS val 174858437 ecr 0,nop,wscale 7], length 0
23:41:17.426270 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.48888 > 172.26.0.57.80: Flags [S], seq 159570009, win 64240, options [mss 1460,sackOK,TS val 174860453 ecr 0,nop,wscale 7], length 0
23:41:17.549840 eth1  In  ifindex 3 0c:21:03:b1:00:02 ethertype ARP (0x0806), length 48: Request who-has 10.255.255.1 tell 10.255.255.2, length 28
23:41:17.549864 eth1  Out ifindex 3 0c:08:81:15:00:01 ethertype ARP (0x0806), length 48: Reply 10.255.255.1 is-at 0c:08:81:15:00:01, length 28
23:41:17.612422 eth0  Out ifindex 2 0c:08:81:15:00:00 ethertype ARP (0x0806), length 48: Request who-has 172.26.0.230 tell 172.26.0.57, length 28
23:41:17.612567 eth1  Out ifindex 3 0c:08:81:15:00:01 ethertype ARP (0x0806), length 48: Request who-has 10.255.255.2 tell 10.255.255.1, length 28
23:41:17.613361 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype ARP (0x0806), length 48: Reply 172.26.0.230 is-at a6:c8:21:1b:b1:d9, length 28
23:41:17.613994 eth1  In  ifindex 3 0c:21:03:b1:00:02 ethertype ARP (0x0806), length 48: Reply 10.255.255.2 is-at 0c:21:03:b1:00:02, length 28
23:41:17.727652 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype ARP (0x0806), length 48: Request who-has 172.26.0.57 tell 172.26.0.230, length 28
23:41:17.727669 eth0  Out ifindex 2 0c:08:81:15:00:00 ethertype ARP (0x0806), length 48: Reply 172.26.0.57 is-at 0c:08:81:15:00:00, length 28
23:41:21.554156 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.48888 > 172.26.0.57.80: Flags [S], seq 159570009, win 64240, options [mss 1460,sackOK,TS val 174864581 ecr 0,nop,wscale 7], length 0
23:41:29.746162 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.48888 > 172.26.0.57.80: Flags [S], seq 159570009, win 64240, options [mss 1460,sackOK,TS val 174872773 ecr 0,nop,wscale 7], length 0
23:41:36.264639 eth0  M   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv6 (0x86dd), length 216: fe80::efe:a9ff:fea0:0.5678 > ff02::1.5678: UDP, length 148
23:41:36.264639 eth0  B   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv4 (0x0800), length 196: 172.26.0.63.5678 > 255.255.255.255.5678: UDP, length 148
23:41:44.384594 eth1  M   ifindex 3 0c:21:03:b1:00:02 ethertype IPv6 (0x86dd), length 216: fe80::e21:3ff:feb1:2.5678 > ff02::1.5678: UDP, length 148
23:41:44.384594 eth1  B   ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 196: 10.255.255.2.5678 > 255.255.255.255.5678: UDP, length 148
23:41:45.873748 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.48888 > 172.26.0.57.80: Flags [S], seq 159570009, win 64240, options [mss 1460,sackOK,TS val 174888901 ecr 0,nop,wscale 7], length 0
23:41:50.993518 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype ARP (0x0806), length 48: Request who-has 172.26.0.57 tell 172.26.0.230, length 28
23:41:50.993648 eth0  Out ifindex 2 0c:08:81:15:00:00 ethertype ARP (0x0806), length 48: Reply 172.26.0.57 is-at 0c:08:81:15:00:00, length 28
23:42:06.270634 eth0  M   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv6 (0x86dd), length 216: fe80::efe:a9ff:fea0:0.5678 > ff02::1.5678: UDP, length 148
23:42:06.270634 eth0  B   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv4 (0x0800), length 196: 172.26.0.63.5678 > 255.255.255.255.5678: UDP, length 148
23:42:14.376213 eth1  M   ifindex 3 0c:21:03:b1:00:02 ethertype IPv6 (0x86dd), length 216: fe80::e21:3ff:feb1:2.5678 > ff02::1.5678: UDP, length 148
23:42:14.376213 eth1  B   ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 196: 10.255.255.2.5678 > 255.255.255.255.5678: UDP, length 148
23:42:19.664534 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.48888 > 172.26.0.57.80: Flags [S], seq 159570009, win 64240, options [mss 1460,sackOK,TS val 174922693 ecr 0,nop,wscale 7], length 0
23:42:24.784520 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype ARP (0x0806), length 48: Request who-has 172.26.0.57 tell 172.26.0.230, length 28
23:42:24.784577 eth0  Out ifindex 2 0c:08:81:15:00:00 ethertype ARP (0x0806), length 48: Reply 172.26.0.57 is-at 0c:08:81:15:00:00, length 28
23:42:36.272642 eth0  M   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv6 (0x86dd), length 216: fe80::efe:a9ff:fea0:0.5678 > ff02::1.5678: UDP, length 148
23:42:36.272642 eth0  B   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv4 (0x0800), length 196: 172.26.0.63.5678 > 255.255.255.255.5678: UDP, length 148
23:42:44.381682 eth1  M   ifindex 3 0c:21:03:b1:00:02 ethertype IPv6 (0x86dd), length 216: fe80::e21:3ff:feb1:2.5678 > ff02::1.5678: UDP, length 148
23:42:44.381682 eth1  B   ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 196: 10.255.255.2.5678 > 255.255.255.255.5678: UDP, length 148
23:42:50.531257 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 80: 127.0.0.1.32880 > 127.0.0.1.53: 19407+ A? time1.vyos.net. (32)
23:42:50.531521 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 108: 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 53 unreachable, length 68
23:42:50.531679 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 80: 127.0.0.1.32880 > 127.0.0.1.53: 53449+ AAAA? time1.vyos.net. (32)
23:42:50.531696 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 108: 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 53 unreachable, length 68
23:42:50.532109 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 80: 127.0.0.1.41065 > 127.0.0.1.53: 19407+ A? time1.vyos.net. (32)
23:42:50.532121 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 108: 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 53 unreachable, length 68
23:42:50.532134 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 80: 127.0.0.1.41065 > 127.0.0.1.53: 53449+ AAAA? time1.vyos.net. (32)
23:42:50.532138 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 108: 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 53 unreachable, length 68
23:42:50.533444 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 80: 127.0.0.1.37918 > 127.0.0.1.53: 34583+ A? time2.vyos.net. (32)
23:42:50.533456 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 108: 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 53 unreachable, length 68
23:42:50.533477 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 80: 127.0.0.1.37918 > 127.0.0.1.53: 26379+ AAAA? time2.vyos.net. (32)
23:42:50.533487 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 108: 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 53 unreachable, length 68
23:42:50.533851 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 80: 127.0.0.1.43903 > 127.0.0.1.53: 34583+ A? time2.vyos.net. (32)
23:42:50.533859 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 108: 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 53 unreachable, length 68
23:42:50.533869 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 80: 127.0.0.1.43903 > 127.0.0.1.53: 26379+ AAAA? time2.vyos.net. (32)
23:42:50.533873 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 108: 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 53 unreachable, length 68
23:42:50.534291 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 80: 127.0.0.1.45497 > 127.0.0.1.53: 5265+ A? time3.vyos.net. (32)
23:42:50.534302 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 108: 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 53 unreachable, length 68
23:42:50.534421 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 80: 127.0.0.1.45497 > 127.0.0.1.53: 63893+ AAAA? time3.vyos.net. (32)
23:42:50.534427 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 108: 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 53 unreachable, length 68
23:42:50.534777 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 80: 127.0.0.1.59650 > 127.0.0.1.53: 5265+ A? time3.vyos.net. (32)
23:42:50.534785 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 108: 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 53 unreachable, length 68
23:42:50.534795 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 80: 127.0.0.1.59650 > 127.0.0.1.53: 63893+ AAAA? time3.vyos.net. (32)
23:42:50.534806 lo    In  ifindex 1 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 108: 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 53 unreachable, length 68
23:43:06.273038 eth0  M   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv6 (0x86dd), length 216: fe80::efe:a9ff:fea0:0.5678 > ff02::1.5678: UDP, length 148
23:43:06.273039 eth0  B   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv4 (0x0800), length 196: 172.26.0.63.5678 > 255.255.255.255.5678: UDP, length 148
23:43:14.383496 eth1  M   ifindex 3 0c:21:03:b1:00:02 ethertype IPv6 (0x86dd), length 216: fe80::e21:3ff:feb1:2.5678 > ff02::1.5678: UDP, length 148
23:43:14.383497 eth1  B   ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 196: 10.255.255.2.5678 > 255.255.255.255.5678: UDP, length 148
23:43:36.279070 eth0  M   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv6 (0x86dd), length 216: fe80::efe:a9ff:fea0:0.5678 > ff02::1.5678: UDP, length 148
23:43:36.279070 eth0  B   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv4 (0x0800), length 196: 172.26.0.63.5678 > 255.255.255.255.5678: UDP, length 148
23:43:44.376558 eth1  M   ifindex 3 0c:21:03:b1:00:02 ethertype IPv6 (0x86dd), length 216: fe80::e21:3ff:feb1:2.5678 > ff02::1.5678: UDP, length 148
23:43:44.376558 eth1  B   ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 196: 10.255.255.2.5678 > 255.255.255.255.5678: UDP, length 148
23:44:06.275989 eth0  M   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv6 (0x86dd), length 216: fe80::efe:a9ff:fea0:0.5678 > ff02::1.5678: UDP, length 148
23:44:06.275989 eth0  B   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv4 (0x0800), length 196: 172.26.0.63.5678 > 255.255.255.255.5678: UDP, length 148
23:44:14.381523 eth1  M   ifindex 3 0c:21:03:b1:00:02 ethertype IPv6 (0x86dd), length 216: fe80::e21:3ff:feb1:2.5678 > ff02::1.5678: UDP, length 148
23:44:14.381523 eth1  B   ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 196: 10.255.255.2.5678 > 255.255.255.255.5678: UDP, length 148
^C
73 packets captured
97 packets received by filter
0 packets dropped by kernel
vyos@management:~$

Can you clear logs and then do this and try again (both with a previously working host, as well as 172.26.0.230). Also provide the output of show nat destination statistics and show log nat destination afterwards:

edit nat destination
rename rule 1 to rule 10
set rule 5 destination address '172.26.0.57'
set rule 5 inbound-interface name 'eth0'
set rule 5 log
set rule 5 source address '172.26.0.230'
set rule 5 translation address '10.255.255.2'

Yep, just did that:

vyos@management:~$ sudo tcpdump -ni any -e
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
00:07:10.814885 eth0  B   ifindex 2 a6:c8:21:1b:b1:d9 ethertype ARP (0x0806), length 48: Request who-has 172.26.0.57 tell 172.26.0.230, length 28
00:07:10.815163 eth0  Out ifindex 2 0c:08:81:15:00:00 ethertype ARP (0x0806), length 48: Reply 172.26.0.57 is-at 0c:08:81:15:00:00, length 28
00:07:10.816592 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 104: 172.26.0.230 > 172.26.0.57: ICMP echo request, id 60233, seq 1, length 64
00:07:10.819081 eth1  Out ifindex 3 0c:08:81:15:00:01 ethertype IPv4 (0x0800), length 104: 10.255.255.1 > 10.255.255.2: ICMP echo request, id 60233, seq 1, length 64
00:07:10.821692 eth1  In  ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 104: 10.255.255.2 > 10.255.255.1: ICMP echo reply, id 60233, seq 1, length 64
00:07:10.821712 eth0  Out ifindex 2 0c:08:81:15:00:00 ethertype IPv4 (0x0800), length 104: 172.26.0.57 > 172.26.0.230: ICMP echo reply, id 60233, seq 1, length 64
00:07:12.798378 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.58300 > 172.26.0.57.80: Flags [S], seq 228948388, win 64240, options [mss 1460,sackOK,TS val 176415862 ecr 0,nop,wscale 7], length 0
00:07:13.808577 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.58300 > 172.26.0.57.80: Flags [S], seq 228948388, win 64240, options [mss 1460,sackOK,TS val 176416873 ecr 0,nop,wscale 7], length 0
00:07:14.403506 eth1  M   ifindex 3 0c:21:03:b1:00:02 ethertype IPv6 (0x86dd), length 216: fe80::e21:3ff:feb1:2.5678 > ff02::1.5678: UDP, length 148
00:07:14.403506 eth1  B   ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 196: 10.255.255.2.5678 > 255.255.255.255.5678: UDP, length 148
00:07:15.820681 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.58300 > 172.26.0.57.80: Flags [S], seq 228948388, win 64240, options [mss 1460,sackOK,TS val 176418885 ecr 0,nop,wscale 7], length 0
00:07:15.870309 eth1  In  ifindex 3 0c:21:03:b1:00:02 ethertype ARP (0x0806), length 48: Request who-has 10.255.255.1 tell 10.255.255.2, length 28
00:07:15.870381 eth1  Out ifindex 3 0c:08:81:15:00:01 ethertype ARP (0x0806), length 48: Reply 10.255.255.1 is-at 0c:08:81:15:00:01, length 28
00:07:16.140675 eth0  Out ifindex 2 0c:08:81:15:00:00 ethertype ARP (0x0806), length 48: Request who-has 172.26.0.230 tell 172.26.0.57, length 28
00:07:16.140932 eth1  Out ifindex 3 0c:08:81:15:00:01 ethertype ARP (0x0806), length 48: Request who-has 10.255.255.2 tell 10.255.255.1, length 28
00:07:16.141614 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype ARP (0x0806), length 48: Reply 172.26.0.230 is-at a6:c8:21:1b:b1:d9, length 28
00:07:16.141861 eth1  In  ifindex 3 0c:21:03:b1:00:02 ethertype ARP (0x0806), length 48: Reply 10.255.255.2 is-at 0c:21:03:b1:00:02, length 28
00:07:20.044458 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.58300 > 172.26.0.57.80: Flags [S], seq 228948388, win 64240, options [mss 1460,sackOK,TS val 176423109 ecr 0,nop,wscale 7], length 0
00:07:28.240396 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.58300 > 172.26.0.57.80: Flags [S], seq 228948388, win 64240, options [mss 1460,sackOK,TS val 176431305 ecr 0,nop,wscale 7], length 0
00:07:36.339830 eth0  M   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv6 (0x86dd), length 216: fe80::efe:a9ff:fea0:0.5678 > ff02::1.5678: UDP, length 148
00:07:36.339831 eth0  B   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv4 (0x0800), length 196: 172.26.0.63.5678 > 255.255.255.255.5678: UDP, length 148
00:07:44.363932 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.58300 > 172.26.0.57.80: Flags [S], seq 228948388, win 64240, options [mss 1460,sackOK,TS val 176447429 ecr 0,nop,wscale 7], length 0
00:07:44.412043 eth1  M   ifindex 3 0c:21:03:b1:00:02 ethertype IPv6 (0x86dd), length 216: fe80::e21:3ff:feb1:2.5678 > ff02::1.5678: UDP, length 148
00:07:44.412043 eth1  B   ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 196: 10.255.255.2.5678 > 255.255.255.255.5678: UDP, length 148
00:07:49.483930 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype ARP (0x0806), length 48: Request who-has 172.26.0.57 tell 172.26.0.230, length 28
00:07:49.483966 eth0  Out ifindex 2 0c:08:81:15:00:00 ethertype ARP (0x0806), length 48: Reply 172.26.0.57 is-at 0c:08:81:15:00:00, length 28
00:08:06.334748 eth0  M   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv6 (0x86dd), length 216: fe80::efe:a9ff:fea0:0.5678 > ff02::1.5678: UDP, length 148
00:08:06.334748 eth0  B   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv4 (0x0800), length 196: 172.26.0.63.5678 > 255.255.255.255.5678: UDP, length 148
00:08:14.412380 eth1  M   ifindex 3 0c:21:03:b1:00:02 ethertype IPv6 (0x86dd), length 216: fe80::e21:3ff:feb1:2.5678 > ff02::1.5678: UDP, length 148
00:08:14.412380 eth1  B   ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 196: 10.255.255.2.5678 > 255.255.255.255.5678: UDP, length 148
00:08:18.155222 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.58300 > 172.26.0.57.80: Flags [S], seq 228948388, win 64240, options [mss 1460,sackOK,TS val 176481221 ecr 0,nop,wscale 7], length 0
00:08:23.274650 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype ARP (0x0806), length 48: Request who-has 172.26.0.57 tell 172.26.0.230, length 28
00:08:23.274670 eth0  Out ifindex 2 0c:08:81:15:00:00 ethertype ARP (0x0806), length 48: Reply 172.26.0.57 is-at 0c:08:81:15:00:00, length 28
00:08:36.341749 eth0  M   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv6 (0x86dd), length 216: fe80::efe:a9ff:fea0:0.5678 > ff02::1.5678: UDP, length 148
00:08:36.341749 eth0  B   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv4 (0x0800), length 196: 172.26.0.63.5678 > 255.255.255.255.5678: UDP, length 148
00:08:44.406105 eth1  M   ifindex 3 0c:21:03:b1:00:02 ethertype IPv6 (0x86dd), length 216: fe80::e21:3ff:feb1:2.5678 > ff02::1.5678: UDP, length 148
00:08:44.406105 eth1  B   ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 196: 10.255.255.2.5678 > 255.255.255.255.5678: UDP, length 148
00:08:55.477478 eth0  B   ifindex 2 bc:24:11:21:47:35 ethertype ARP (0x0806), length 48: Request who-has 172.26.0.4 tell 172.26.0.1, length 28
00:09:01.013467 eth0  B   ifindex 2 bc:24:11:21:47:35 ethertype ARP (0x0806), length 48: Request who-has 172.26.0.3 tell 172.26.0.1, length 28
00:09:06.339088 eth0  M   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv6 (0x86dd), length 216: fe80::efe:a9ff:fea0:0.5678 > ff02::1.5678: UDP, length 148
00:09:06.339088 eth0  B   ifindex 2 0c:fe:a9:a0:00:00 ethertype IPv4 (0x0800), length 196: 172.26.0.63.5678 > 255.255.255.255.5678: UDP, length 148
00:09:14.411263 eth1  M   ifindex 3 0c:21:03:b1:00:02 ethertype IPv6 (0x86dd), length 216: fe80::e21:3ff:feb1:2.5678 > ff02::1.5678: UDP, length 148
00:09:14.411263 eth1  B   ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 196: 10.255.255.2.5678 > 255.255.255.255.5678: UDP, length 148
^C
43 packets captured
43 packets received by filter
0 packets dropped by kernel
vyos@management:~$
vyos@management:~$ show nat destination statistics
Rule    Packets    Bytes    Interface
------  ---------  -------  -----------
5       1          84       eth0
10      0          0        eth0
vyos@management:~$ show log nat destination
Jun 08 00:07:10 kernel: [DST-NAT-5]IN=eth0 OUT= MAC=0c:08:81:15:00:00:a6:c8:21:1b:b1:d9:08:00 SRC=172.26.0.230 DST=172.26.0.57 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=20677 DF PROTO=ICMP TYPE=8 CODE=0 ID=60233 SEQ=1
vyos@management:~$
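An added example (not part of the posts above) that compares the two sides of the router in a `tcpdump -ni any -e` capture like this one: it lists packets that arrived on eth0 for the DNAT address but never left on eth1. The function names and the matching key (ICMP id/seq, TCP SYN sequence number, both assumed to survive NAT) are choices made for this example; the sample lines are excerpted from the capture above.

```python
import re

# Excerpt of the capture posted above: one ping, then three retries of the same SYN.
SAMPLE = """\
00:07:10.816592 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 104: 172.26.0.230 > 172.26.0.57: ICMP echo request, id 60233, seq 1, length 64
00:07:10.819081 eth1  Out ifindex 3 0c:08:81:15:00:01 ethertype IPv4 (0x0800), length 104: 10.255.255.1 > 10.255.255.2: ICMP echo request, id 60233, seq 1, length 64
00:07:10.821692 eth1  In  ifindex 3 0c:21:03:b1:00:02 ethertype IPv4 (0x0800), length 104: 10.255.255.2 > 10.255.255.1: ICMP echo reply, id 60233, seq 1, length 64
00:07:10.821712 eth0  Out ifindex 2 0c:08:81:15:00:00 ethertype IPv4 (0x0800), length 104: 172.26.0.57 > 172.26.0.230: ICMP echo reply, id 60233, seq 1, length 64
00:07:12.798378 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.58300 > 172.26.0.57.80: Flags [S], seq 228948388, win 64240, options [mss 1460,sackOK,TS val 176415862 ecr 0,nop,wscale 7], length 0
00:07:13.808577 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.58300 > 172.26.0.57.80: Flags [S], seq 228948388, win 64240, options [mss 1460,sackOK,TS val 176416873 ecr 0,nop,wscale 7], length 0
00:07:15.820681 eth0  In  ifindex 2 a6:c8:21:1b:b1:d9 ethertype IPv4 (0x0800), length 80: 172.26.0.230.58300 > 172.26.0.57.80: Flags [S], seq 228948388, win 64240, options [mss 1460,sackOK,TS val 176418885 ecr 0,nop,wscale 7], length 0
"""

# Only "In"/"Out" IPv4 lines are parsed; broadcast (B), multicast (M), ARP and IPv6 are skipped.
LINE = re.compile(
    r"^\s*(?P<ts>\S+)\s+(?P<ifc>\S+)\s+(?P<dir>In|Out)\s+.*?ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

def flow_key(rest):
    """Identify a packet by fields assumed to survive NAT: ICMP id/seq or TCP SYN seq."""
    m = re.match(r"ICMP echo request, id (\d+), seq (\d+)", rest)
    if m:
        return ("icmp", int(m[1]), int(m[2]))
    m = re.match(r"Flags \[S\], seq (\d+)", rest)
    return ("tcp-syn", int(m[1])) if m else None

def unforwarded(capture, in_if="eth0", out_if="eth1", nat_dst="172.26.0.57"):
    """Return {flow_key: (first_timestamp, count)} for packets that entered in_if
    addressed to nat_dst but were never seen leaving out_if."""
    seen_in, forwarded = {}, set()
    for line in capture.splitlines():
        m = LINE.match(line)
        key = flow_key(m["rest"]) if m else None
        if key is None:
            continue
        dst_ip = ".".join(m["dst"].split(".")[:4])  # drop the ".port" suffix on TCP
        if m["ifc"] == in_if and m["dir"] == "In" and dst_ip == nat_dst:
            entry = seen_in.setdefault(key, [m["ts"], 0])
            entry[1] += 1
        elif m["ifc"] == out_if and m["dir"] == "Out":
            forwarded.add(key)
    return {k: tuple(v) for k, v in seen_in.items() if k not in forwarded}

if __name__ == "__main__":
    for key, (ts, count) in unforwarded(SAMPLE).items():
        print(f"{key}: first seen {ts}, {count} packet(s) in, none forwarded")
```

On the excerpt, the echo request is matched to its copy leaving eth1, while the SYN with seq 228948388 is reported as arriving three times with no egress copy.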