NAT rules lost during upgrade

I did an upgrade from:
a) 1.1.8 (community) to 1.3-rolling-201912261106 (add system image) and
b) 1.1.8 to 1.2.3 (self-build, installed by booting from the image and saving the old config during install)

In both cases the upgrade went through and the system was working, but all NAT rules had been deleted from the config.
After adding them again from a backup (show config commands > file), functionality was restored.

Done twice, so it should be reproducible.

Hi @RobertS, can you show your NAT rules?

Hi @Dimitry,
Of course, but not on the public forum.
They contain my real IP addresses and I wouldn't like to see them shared…
Unfortunately the address forum@vyos.io isn’t reachable.

Robert

@RobertS just replace your private data, and post here.

Here we go…

set nat destination rule 10 description 'Port-Forwarding domain to 111.222.333.2'
set nat destination rule 10 destination address '444.555.666.2'
set nat destination rule 10 destination port 'domain'
set nat destination rule 10 inbound-interface 'any'
set nat destination rule 10 log 'enable'
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address '111.222.333.2'
set nat destination rule 11 description 'Port-Forwarding domain to 111.222.333.2'
set nat destination rule 11 destination address '444.555.666.2'
set nat destination rule 11 destination port '12888'
set nat destination rule 11 inbound-interface 'any'
set nat destination rule 11 log 'enable'
set nat destination rule 11 protocol 'tcp'
set nat destination rule 11 translation address '111.222.333.2'
set nat destination rule 13 description 'Port-Forwarding domain to 111.222.333.3'
set nat destination rule 13 destination address '212.79.163.2'
set nat destination rule 13 destination port 'domain'
set nat destination rule 13 inbound-interface 'any'
set nat destination rule 13 log 'enable'
set nat destination rule 13 protocol 'tcp_udp'
set nat destination rule 13 translation address '111.222.333.3'
set nat destination rule 14 description 'Port-Forwarding port 12888 to 111.222.333.3'
set nat destination rule 14 destination address '212.79.163.2'
set nat destination rule 14 destination port '12888'
set nat destination rule 14 inbound-interface 'any'
set nat destination rule 14 log 'enable'
set nat destination rule 14 protocol 'tcp'
set nat destination rule 14 translation address '111.222.333.3'
set nat destination rule 15 description 'Port-Forwarding smtps to 111.222.333.8'
set nat destination rule 15 destination address '444.555.666.12'
set nat destination rule 15 destination port '587,80,https'
set nat destination rule 15 inbound-interface 'any'
set nat destination rule 15 log 'enable'
set nat destination rule 15 protocol 'tcp'
set nat destination rule 15 translation address '111.222.333.8'
set nat destination rule 21 description 'Port-Forwarding smtp,imap(s) to mailbox01.intra'
set nat destination rule 21 destination address '444.555.666.66'
set nat destination rule 21 destination port 'imap,imaps,smtp,587'
set nat destination rule 21 inbound-interface 'any'
set nat destination rule 21 log 'enable'
set nat destination rule 21 protocol 'tcp'
set nat destination rule 21 translation address '111.222.333.5'
set nat source rule 12 description 'ASA API-Test'
set nat source rule 12 destination address '777.888.999.178'
set nat source rule 12 log 'enable'
set nat source rule 12 outbound-interface 'any'
set nat source rule 12 translation address '111.222.333.178'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '111.222.333.0/24'
set nat source rule 100 translation address 'masquerade'

I can't confirm a wrong NAT rule migration from 1.1.8 to 1.2.3. In our lab your rules migrated successfully (of course after changing the IP addresses to a correct format).
Update: they also migrated successfully from 1.1.8 to 1.3-rolling-202001030757.
First check /var/log/vyatta/vyatta-config-loader.log and /var/log/vyatta/vyatta-commit.log.

Hm, I can reproduce this as often as I want :innocent:
Unfortunately I've sent you the wrong NAT table.

A manual import of the original NAT rules gives me one error:
set nat destination rule 15 protocol 'tcp_udp'
"not allowed protocol for smtp", which was obviously not checked in previous versions.
Maybe this is the reason why the automatic upgrade fails. However, for me it's fine because a simple manual import (after modification) solved the problem.

1 Like
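The two things this thread runs into, a service-name port combined with a protocol the service is not registered for (the "not allowed protocol for smtp" rejection) and addresses the loader cannot parse, can both be checked before an upgrade rather than discovered after the NAT table has vanished. The following lint is an added example, not VyOS code and not from any poster here: it parses `set nat ... rule` lines in the format `show configuration commands` prints and reports rules a stricter loader would reject. Assumptions: the `SERVICES` table is a constructed excerpt modelled on /etc/services (a real tool would read that file or call `socket.getservbyname`); the rules that a port requires an explicit tcp/udp/tcp_udp protocol and that a service name must be registered for every protocol the keyword covers are assumed to match the validator's behaviour; the sample config is constructed with RFC 5737 addresses plus one deliberately invalid address.

```python
import ipaddress
import re
import shlex

# Constructed excerpt modelled on /etc/services: service name -> protocols it
# is registered for. A real tool would read /etc/services (or call
# socket.getservbyname(name, proto)) instead of this table.
SERVICES = {
    "domain": {"tcp", "udp"},
    "https": {"tcp"},
    "smtp": {"tcp"},
    "smtps": {"tcp"},
    "imap": {"tcp"},
    "imaps": {"tcp"},
}

# VyOS protocol keyword -> L4 protocols it covers
PROTOCOLS = {"tcp": {"tcp"}, "udp": {"udp"}, "tcp_udp": {"tcp", "udp"}}

# numeric port or port range, e.g. 587 or 1024-2048
PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?$")


def parse_nat_rules(config_text):
    """Return {(direction, rule_number): {field: value}} from 'set nat ... rule' lines."""
    rules = {}
    for raw in config_text.splitlines():
        # Forum pastes usually carry typographic quotes; normalise them for shlex.
        line = raw.strip().replace("\u2018", "'").replace("\u2019", "'")
        if not line.startswith("set nat "):
            continue
        tokens = shlex.split(line)
        if len(tokens) < 7 or tokens[3] != "rule":
            continue
        direction, number = tokens[2], int(tokens[4])
        field, value = " ".join(tokens[5:-1]), tokens[-1]
        rules.setdefault((direction, number), {})[field] = value
    return rules


def check_port(token, protocols):
    """Return an error string for one port token, or None if it is acceptable."""
    if PORT_RE.match(token):
        return None
    registered = SERVICES.get(token)
    if registered is None:
        return f"unknown service name '{token}'"
    missing = protocols - registered
    if missing:
        # Assumption: this mirrors the loader's "not allowed protocol" check.
        return f"not allowed protocol for {token}: {'/'.join(sorted(missing))}"
    return None


def lint_nat_rules(config_text):
    """Return [(direction, rule, message)] for rules a stricter loader may reject."""
    findings = []
    for (direction, number), fields in sorted(parse_nat_rules(config_text).items()):
        protocols = PROTOCOLS.get(fields.get("protocol", ""), set())
        for field in ("source port", "destination port"):
            for token in filter(None, fields.get(field, "").split(",")):
                if not protocols:
                    # Assumption: a port needs an explicit tcp/udp/tcp_udp protocol.
                    findings.append((direction, number, f"{field} '{token}' set without tcp/udp/tcp_udp protocol"))
                    continue
                error = check_port(token, protocols)
                if error:
                    findings.append((direction, number, f"{field}: {error}"))
        for field, value in fields.items():
            if not field.endswith("address") or value == "masquerade":
                continue
            try:
                # Accept a single host or a prefix; a leading '!' negates in VyOS.
                ipaddress.ip_network(value.lstrip("!"), strict=False)
            except ValueError:
                findings.append((direction, number, f"{field} '{value}' is not a valid address"))
    return findings


# Constructed sample in 'show configuration commands' format: RFC 5737 addresses,
# rule 15 repeats the smtps/tcp_udp combination, rule 21 carries an invalid address.
SAMPLE_CONFIG = """\
set nat destination rule 10 destination address '203.0.113.2'
set nat destination rule 10 destination port 'domain'
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address '192.0.2.2'
set nat destination rule 15 destination address '203.0.113.12'
set nat destination rule 15 destination port 'smtps'
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.8'
set nat destination rule 21 destination address '444.555.666.66'
set nat destination rule 21 destination port 'imap,imaps,smtp,587'
set nat destination rule 21 protocol 'tcp'
set nat destination rule 21 translation address '192.0.2.5'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.0.2.0/24'
set nat source rule 100 translation address 'masquerade'
"""

if __name__ == "__main__":
    for direction, number, message in lint_nat_rules(SAMPLE_CONFIG):
        print(f"nat {direction} rule {number}: {message}")
```

Run it against the output of `show configuration commands | grep 'set nat'` saved from the old release before booting the new image; anything it reports is a rule to fix by hand (numeric port, matching protocol, real address) before the upgrade rather than after a failed config load.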