NAT ssh port forwarding doesn't work


Hi Guys,
I’m new to VyOS and need some advice. I’m trying to forward SSH (public port 6222 → port 22 on the LAN) to a client inside my LAN, and it doesn’t work. Everything else, such as SMTP, HTTPS and HTTP, works perfectly; only SSH fails.

I tried different public ports and nothing changed.

NAT destination rule 5000 and firewall rule 4000 in OUTSIDE-IN are the relevant parts of the configuration below.

If I set
`set firewall name OUTSIDE-IN default-action accept`, then the SSH forward works :confused:

 firewall {
     all-ping enable
     broadcast-ping enable
     name OUTSIDE-IN {
         default-action drop
         rule 10 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 2000 {
             action accept
             description "Enable HTTPS (443) and HTTP (80)"
             destination {
                 port 443,80
             }
             protocol tcp
             state {
                 new enable
             }
         }
         rule 3000 {
             action accept
             description "Enable SMTP 25, 465 and 587"
             destination {
                 port 25,465,587
             }
             protocol tcp
         }
         rule 4000 {
             action accept
             destination {
                 port 6222
             }
             protocol tcp_udp
             state {
                 established enable
                 new enable
                 related enable
             }
         }
     }
     name OUTSIDE-LOCAL {
         default-action drop
         rule 20 {
             action accept
             icmp {
                 type-name echo-request
             }
             protocol icmp
             state {
                 new enable
             }
         }
     }
     state-policy {
         established {
             action accept
         }
         invalid {
             action accept
         }
         related {
             action accept
         }
     }
 }
 interfaces {
     ethernet eth0 {
         hw-id ec:eb:b8:5d:ae:6c
     }
     ethernet eth1 {
         address [REMOVED]/29
         description BT-WAN
         firewall {
             in {
                 name OUTSIDE-IN
             }
             local {
                 name OUTSIDE-LOCAL
             }
         }
         hw-id ec:eb:b8:5d:ae:6d
     }
     ethernet eth2 {
         address 192.168.10.250/24
         description ECO-LAN
         hw-id 00:0a:f7:3f:cc:ac
     }
     ethernet eth3 {
         description DSS-LAN
         hw-id 00:0a:f7:3f:cc:ad
     }
     ethernet eth4 {
         hw-id 00:0a:f7:3f:cc:ae
     }
     ethernet eth5 {
         hw-id 00:0a:f7:3f:cc:af
     }
     loopback lo {
     }
 }
 nat {
     destination {
         rule 2000 {
             description "Port forward HTTPS and HTTP to eco-proxy (192.168.10.3)"
             destination {
                 port 80,443
             }
             inbound-interface eth1
             protocol tcp
             translation {
                 address 192.168.10.3
             }
         }
         rule 3000 {
             description "Port forward SMTP to eco-proxy (192.168.10.3)"
             destination {
                 port 25,465,587
             }
             inbound-interface eth1
             protocol tcp
             translation {
                 address 192.168.10.3
             }
         }
         rule 5000 {
             destination {
                 port 6222
             }
             inbound-interface eth1
             protocol tcp
             translation {
                 address 192.168.10.3
                 port 22
             }
         }
     }
     source {
         rule 100 {
             outbound-interface eth1
             protocol all
             source {
                 address 192.168.10.0/24
             }
             translation {
                 address masquerade
             }
         }
     }
 }
 protocols {
     static {
         route 0.0.0.0/0 {
             next-hop [REMOVED] {
             }
         }
     }
 }
 service {
     https {
     }
     ssh {
     }
 }
 system {
     config-management {
         commit-revisions 100
     }
     conntrack {
         modules {
             ftp
             h323
             nfs
             pptp
             sip
             sqlnet
             tftp
         }
     }
     console {
         device ttyS0 {
             speed 115200
         }
     }
     host-name vyos
     login {
         user vyos {
             authentication {
                 plaintext-password ""
             }
         }
     }
     name-server 1.1.1.1
     name-server 8.8.8.8
     ntp {
         server 0.pool.ntp.org {
         }
         server 1.pool.ntp.org {
         }
         server 2.pool.ntp.org {
         }
         server time1.vyos.net {
         }
         server time2.vyos.net {
         }
         server time3.vyos.net {
         }
     }
     syslog {
         global {
             facility all {
                 level info
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone Europe/London
 }

Try opening port 22 in OUTSIDE-IN.

As Viacheslav says, you need to change rule 4000 to port 22, because that is the port you translated the connection to: destination NAT is applied before the OUTSIDE-IN ruleset is evaluated, so the firewall sees the translated destination port (22), not the public port (6222). Your HTTP/HTTPS and SMTP forwards work only because they translate the address but keep the same port numbers.

Yes, but I’m trying to expose SSH on public port 6222 instead of 22.

And this doesn’t work — only for SSH.

You were right. I added a firewall rule in OUTSIDE-IN that accepts TCP 22 to 192.168.10.3 and it works, cheers mate :smile: (Rule 4000, which matches the public port 6222, no longer matches the translated SSH traffic, so it can be removed.)

     rule 20 {
         action accept
         destination {
             address 192.168.10.3
             port 22
         }
         protocol tcp
         state {
             new enable
         }
     }
