NAT loopback

mp1256 · August 17, 2017, 6:35am

Hello,

I’m running vyos with the following config:

interface eth0 WAN1
interface eth1 WAN2
interface eth4 LAN-Servers
interface eth6 LAN-Clients

I’m trying to setup a NAT rule for one internal server and want to access it with the IP 91.112.x.x of eth0 (WAN1) from 10.0.6.10 from eth6 (LAN-Clients) to 10.0.1.29 eth4 (LAN-Servers)

I’ve created a DNAT-rule:
set nat destination rule 700 destination port ‘315’
set nat destination rule 700 destination address ‘91.112.x.x’
set nat destination rule 700 inbound-interface ‘any’
set nat destination rule 700 protocol ‘tcp’
set nat destination rule 700 translation address ‘10.0.1.29’
set nat destination rule 700 translation port ‘315’

I’ve also created two SNAT-rules:

set nat source rule 470 outbound-interface ‘eth4’
set nat source rule 470 source address ‘10.0.0.0/8’
set nat source rule 470 destination address ‘91.112.x.x/32’
set nat source rule 470 destination port ‘315’
set nat source rule 470 protocol tcp
set nat source rule 470 translation address masquerade
set nat source rule 470 log enable

set nat source rule 471 outbound-interface ‘eth4’
set nat source rule 471 source address ‘10.0.0.0/8’
set nat source rule 471 destination address ‘10.0.1.29/32’
set nat source rule 471 destination port ‘315’
set nat source rule 471 protocol tcp
set nat source rule 471 translation address masquerade
set nat source rule 471 log enable

Traffic from the internet to the internal servers works fine.
But the traffic from the internal clients ends up at IF eth1 (WAN2) instead of eth4 (LAN-Servers)

sudo tcpdump -i eth1 | grep “.315”
06:31:17.036168 IP 10.0.6.10.2898 > 10.0.1.29.315: Flags [S], seq 1108436121, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

I don’t know why this does happen :-/

Fervus · August 17, 2017, 8:29am

You should remove SNAT rules for your LAN interfaces and configure your internal server and clients with either a default route to your vyos, or static route to your “LAN-Clients” and “Lan-Servers” networks respectevly.
Your single DNAT rule shoudl be enough to get it working.

mp1256 · August 17, 2017, 12:58pm

I’ve removed the SNAT-rules without success.

The DNAT-rule is working correctly (for requests from external).
But for internal requests vyos routes it to the WAN-interface after the DNAT-translation and not to the internal-interface.

Fervus · August 17, 2017, 2:36pm

Can you ping 10.0.1.29 from 10.0.6.10?

Do you have any load-balancing or custom iptables rules configured?

What version of VyOS are you currently using?

mp1256 · August 17, 2017, 2:44pm

I’m using vyos 1.1.7.
I can ping the server from the client and vice versa, my only problem is to get the DNAT rule working for internal clients
I’m using policy-based routes and snat to route the http/https traffic through wan1 and the other traffic through wan2.