In my quest to migrate from Sophos UTM to VyOS, I’m now stuck on NAT rules with dynamic addresses.
I have a DNAT rule:
from the IP address of host something.ddns.net
on port 4422
to public interface
translate to internal IP, port 22
I see I can create a firewall dynamic group so that ddns hostname gets resolved to an IP, and I can use that in a firewall rule.
But is that supported in NAT rules? And if so, what is the command, as I can’t find it in the docs?
If not, how do I deal with this? I obviously don’t want to allow the entire world to be able to access the SSH port of this internal server.
While re-reading this, I thought I could add a DNAT rule without a source address, and add a firewall rule allowing that dynamic group access to internal IP, port 22.
That would work for this case, but it would block public port 4422 for other uses, as I have more DNAT rules using that same port for other sources to other internal servers, so I would need to change ports, inform third parties using those ports, etc., which I’d like to avoid.
tjh
April 8, 2026, 9:03pm
You should always share what version you’re using, as that defines often what features are/aren’t available.
Looking at v1.5.0 I see the following options:
tim@ferrari# set nat destination rule 6000 destination fqdn test.test.com
Possible completions:
<Enter> Execute the current command
tim@ferrari# set nat destination rule 6000 source fqdn test.test.com
Possible completions:
<Enter> Execute the current command
Hopefully this answers your question?
You should have those same options available if you’re using stream 2026.03
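As an added example (not part of tjh’s post), this is how the original scenario maps onto those `source fqdn` options in VyOS 1.5 syntax. It assumes eth0 is the public interface and 192.0.2.10 is the internal SSH server; the hostname something.ddns.net is the one from the question.

```vyos
# Added example: DNAT rule that only translates traffic arriving from the
# DDNS host. Interface name and internal address are assumptions.
set nat destination rule 6000 description 'SSH for something.ddns.net via public port 4422'
set nat destination rule 6000 inbound-interface name 'eth0'
set nat destination rule 6000 protocol 'tcp'
# Source match by hostname: VyOS resolves this periodically, not per packet
set nat destination rule 6000 source fqdn 'something.ddns.net'
set nat destination rule 6000 destination port '4422'
# Translate to the internal server's SSH port
set nat destination rule 6000 translation address '192.0.2.10'
set nat destination rule 6000 translation port '22'
commit
save
```

Because the fqdn is resolved on a timer rather than on every packet, a DDNS address change is only picked up at the next resolution, so expect a short window where the new address is not yet matched. Traffic to port 4422 from other sources is simply not matched by rule 6000 and falls through to the other DNAT rules, which is the behaviour the question needs.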
I can’t give a version, as I don’t have anything running yet, as I wrote, I’m working on a conversion from Sophos UTM config to VyOS config.
Yes, I think that answers my question, thanks.
Where exactly can I find the latest details on what is supported, as the docs seem to lag behind (the fqdn option is not documented yet)?