NAT Reflection Issue

Hi guys!

I'm trying to do NAT reflection to get access to my server from the internal network.

This is my config, but it doesn’t work…

set nat destination rule 11 description 'Port Forward from Inside'
set nat destination rule 11 destination port '28058'
set nat destination rule 11 inbound-interface 'br0'
set nat destination rule 11 protocol 'tcp'
set nat destination rule 11 translation address '172.16.10.6'

set nat source rule 111 description 'Port Forward from Inside'
set nat source rule 111 destination address '172.16.0.0/16'
set nat source rule 111 outbound-interface 'br0'
set nat source rule 111 protocol 'tcp'
set nat source rule 111 source address '172.16.0.0/16'
set nat source rule 111 translation address 'masquerade'

Does anyone know why it isn't working? From the outside, it's working like a charm.

Thanks!

Wait a minute. I don’t understand. What does it mean to access the server from the internal network? Why set the bridge interface as the inbound interface of DNAT? Why set the bridge interface as the outbound interface of SNAT?

Hi @jack9603301

Thanks for your quick reply.

I have a server at home whose IP is 172.16.10.6. I forwarded port 28058 on my WAN (pppoe). From this part, remote users are able to connect to my server via my WAN IP address without any problem.

I have some computers that I want to connect to the server via the external IP address even if they are in the same network as the server. I don't want to specify the internal IP on my client. I want the client to be able to use the external IP (WAN) to get connected to the server.

My client IP is 172.16.10.60.

Why did I specify br0? It's because eth0, eth2 and eth4 are in the bridge.

First of all, I’m not sure I understand your problem, but I think your configuration is wrong.

NAT configuration has a certain directionality. The outbound side of SNAT generally refers to the WAN, while the inbound side of DNAT generally refers to the WAN.

Your topology description is a bit confusing, so I'm not sure where you said the intranet is and where the servers are located.

When the internal network wants to access the external network area of the WAN, it only needs SNAT configured in the router for source address translation.

When a computer in an external network wants to access an intranet server, it also needs DNAT.

If there are multiple servers in your internal network that need to be exposed to the external network, there are the following situations:

a) Multiple servers use the same port, such as providing web services. In this case, you need to configure DNAT rules. When translating the external address to the destination of the intranet address, you can route to the correct reverse proxy server according to the set rule port. Please note that this requires DNAT port mapping.

b) Multiple servers use different ports. In this case, you need to configure DNAT rules. When translating the external address to the destination of the intranet address, you can route to the correct server according to the set rule port. Please note that this requires DNAT port mapping.

Hey @fegauthier

There is an example in the docs:
https://docs.vyos.io/en/latest/configuration/nat/nat44.html#hairpin-nat-nat-reflection
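To make the DNAT/SNAT directionality described by @jack9603301 and the hairpin (NAT reflection) pattern the docs link points to concrete for this thread's setup, here is a worked configuration. It is an added example written for this reply, not the poster's config and not copied from the VyOS documentation. It assumes the WAN is pppoe0, the LAN bridge is br0, the server is 172.16.10.6 on tcp/28058 and clients live in 172.16.0.0/16; <WAN-IP> is a placeholder for the router's public address.

```vyos
# Added example (not from the thread or the VyOS docs). Assumptions: WAN is
# pppoe0, LAN bridge is br0, server is 172.16.10.6 (tcp/28058), clients are in
# 172.16.0.0/16. <WAN-IP> is a placeholder for the router's public address.

# 1) Normal port forward from the Internet (the part the thread says already works).
set nat destination rule 10 description 'Port forward from WAN'
set nat destination rule 10 inbound-interface 'pppoe0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 destination port '28058'
set nat destination rule 10 translation address '172.16.10.6'

# 2) Hairpin DNAT: a LAN client sends to <WAN-IP>:28058 and the packet arrives
#    on br0. Match the WAN address explicitly so only traffic aimed at the
#    public address is rewritten, not every tcp/28058 connection leaving the LAN.
set nat destination rule 11 description 'Hairpin DNAT from LAN'
set nat destination rule 11 inbound-interface 'br0'
set nat destination rule 11 protocol 'tcp'
set nat destination rule 11 destination address '<WAN-IP>'
set nat destination rule 11 destination port '28058'
set nat destination rule 11 translation address '172.16.10.6'

# 3) Hairpin SNAT: after DNAT the packet goes back out br0 towards the server.
#    Masquerade so the server replies to the router (which reverses the DNAT)
#    instead of answering the client directly from an address the client never
#    connected to. Restrict it to the server and port: an unrestricted
#    172.16/16 -> 172.16/16 masquerade rewrites every routed intra-LAN flow and
#    erases client addresses from the server's logs.
set nat source rule 111 description 'Hairpin SNAT to server'
set nat source rule 111 outbound-interface 'br0'
set nat source rule 111 protocol 'tcp'
set nat source rule 111 source address '172.16.0.0/16'
set nat source rule 111 destination address '172.16.10.6'
set nat source rule 111 destination port '28058'
set nat source rule 111 translation address 'masquerade'

# 4) Regular outbound masquerade for the LAN towards the Internet.
set nat source rule 100 description 'LAN to WAN'
set nat source rule 100 outbound-interface 'pppoe0'
set nat source rule 100 source address '172.16.0.0/16'
set nat source rule 100 translation address 'masquerade'

commit
save
```

To check it, connect from 172.16.10.60 to <WAN-IP>:28058 and look at `show nat destination translations` and `show conntrack table ipv4` on the router: a working hairpin shows one entry with the original destination <WAN-IP> translated to 172.16.10.6 and a masqueraded source. If nothing appears, the client's packets are not reaching the router at all, which is a routing or bridge question rather than a NAT one. Two caveats: with a dynamic PPPoE address the fixed <WAN-IP> match in rule 11 has to follow the current address, and hairpinned connections will show up in the server's logs with the router's address rather than the client's, which is worth remembering when reading those logs later.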

Hi @fegauthier,

May I know the VyOS version?