NAT question: masquerade vs range

I have what I hope is an easy question. I am evaluating vyos as a replacement to our aging Juniper routers.

I have a basic config with 2 interfaces, a default route, and source NAT.

 interfaces {
     ethernet eth0 {
         address x.x.x.6/25
         description OUTSIDE
         hw-id a0:36:9f:0d:fe:09
     ethernet eth6 {
         description INSIDE
         hw-id 64:00:6a:97:1c:b2

 nat {
     source {
         rule 100 {
             outbound-interface eth0
             source {
             translation {
                 address x.x.x.7-x.x.x.8

 protocols {
     static {
         route {
             next-hop x.x.x.1 {

Where x.x.x.x is my actual public addresses, of course.

This works, but the initial translation seems VERY slow. I have a laptop connected on the with a static IP of, and when I point my browser at, for example, it takes 10-20 seconds for the page to start loading. I am also unable to ping my next-hop router (x.x.x.1)

When I change the NAT translation to masquerade, it works immediately, without any delay. I am also now able to ping my next-hop router.

Anyone have any insight into what is going on here, or what I have misconfigured?


if you use address x.x.x.7-x.x.x.8 VyOS - or better to say Linux will use either .7 or .8 as the outbound IP address for your NAT preferrably. This means that you also need to add e.g. a dummy interface with address x.x.x.7/32 and address x.x.x.8/32.

When set to masquerade, Linux and VyOS will use the configured primary IP address of eth0 for translation.


Thank you for the response! I added the following to my config and it seems to have fixed my issues:

set interfaces dummy dum0 address x.x.x.7
set interfaces dummy dum0 address x.x.x.8
set interfaces dummy dum0 description 'dummy interface for nat pool'

However, after a complete re-reading of the NAT documentation, I seem to have missed a note on my first reading:

The translation address must be set to one of the available addresses on the configured outbound-interface or it must be set to masquerade which will use the primary IP address of the outbound-interface as its translation address.

so adding those IPs to eth0 also works… in hindsight this makes sense :slight_smile:

Is there any reason to use the dummy interface over just adding these IPs to eth0 interface?

ARP was your problem. Solution is answering ARP requests for .7 and .8.
Which can be done by simply adding those addresses as secondary IPs to WAN interface.
Or by using proxy arp, and having those .7 and .8 in local route table. Last can be accomplished with assigning IPs to dummy interface, or even static black-hole routing them!

Thanks for the responses!