Port Forward in Lab not working


#1

I am working with my techs to do some labbing and we have basic route to internet and nat working, but port forwards are causing us issues and I don’t see the problem. If you wouldn’t mind helping spot the problem we would appreciate it.

Quick Lab Image

The lab itself should be fairly simple in configuration. The ISP router is a VyOS VM on the network doing routing between the fake tech /30 networks and the internet connected lab network. The configuration is:

[code]set interfaces ethernet eth0 address 192.168.20.157/24
set interfaces ethernet eth0 description “WAN Uplink”
set interfaces ethernet eth1 address 172.16.251.5/30
set interfaces ethernet eth1 description “LAB ME”
set interfaces ethernet eth2 address 172.16.251.9/30
set interfaces ethernet eth2 description “LAB TECH1”
set interfaces ethernet eth3 address 172.16.251.13/30
set interfaces ethernet eth3 description “LAB TECH2”

set protocols static route 0.0.0.0/0 next-hop 192.168.20.1 distance 1
set service ssh port 22
set system name-server 208.67.222.222
set system name-server 208.67.220.220[/code]

That all works, no issues. So from my workstation, I setup 3x VMs: VyOS, Server 2012 R2, and Windows 7. I have VyOS acting as the local network firewall to Server and W7. I can reach the internet and browse. But I am unable to SSH into my VyOS router from the outside or RDP into my server vm. Here’s that config:

[code]set interfaces ethernet eth0 address ‘172.16.251.6/30’
set interfaces ethernet eth0 description ‘WAN’
set interfaces ethernet eth1 address ‘10.11.0.1/29’
set interfaces ethernet eth1 description ‘VLAN1 MGMT’
set interfaces ethernet eth2 address ‘10.11.0.33/29’
set interfaces ethernet eth2 description ‘VLAN20 WORKSTATION’
set interfaces ethernet eth3 address ‘10.11.0.241/29’
set interfaces ethernet eth3 description ‘VLAN10 SERVER’

set protocol static route 0.0.0.0/0 next-hop 172.16.251.5

set service ssh port 2222

set nat source rule 100 outbound-interface ‘eth0’
set nat source rule 100 source address ‘10.11.0.33/29’
set nat source rule 100 translation address masquerade
set nat source rule 200 outbound-interface ‘eth0’
set nat source rule 200 source address ‘10.11.0.240/29’
set nat source rule 200 translation address masquerade

set nat destination rule 100 description ‘ssh to fw’
set nat destination rule 100 destination port 2222
set nat destination rule 100 inbound-interface eth0
set nat destination rule 100 protocol tcp
set nat destination rule 100 translation address 172.16.251.6
set nat destination rule 110 description ‘rdp to vm server’
set nat destination rule 110 destination port 3389
set nat destination rule 110 inbound-interface eth0
set nat destination rule 110 protocol tcp
set nat destination rule 110 translation address 10.11.0.242

set service dhcp-relay interface eth2
set service dhcp-relay interface eth3
set service dhcp-relay server 10.11.0.242

set firewall name wan2lan default-action drop
set firewall name wan2lan rule 100 action accept
set firewall name wan2lan rule 100 state established enable
set firewall name wan2lan rule 100 state related enable
set firewall name wan2lan rule 200 action accept
set firewall name wan2lan rule 200 description ‘rdp to vm server’
set firewall name wan2lan rule 200 destination port 3389
set firewall name wan2lan rule 200 destination address 10.11.0.242
set firewall name wan2lan rule 200 protocol tcp
set firewall name wan2lan rule 200 state new enable
set firewall name wan2lan rule 500 action drop
set firewall name wan2lan rule 500 state invalid enable

set firewall name wan2fw default-action drop
set firewall name wan2fw rule 100 action accept
set firewall name wan2fw rule 100 state established enable
set firewall name wan2fw rule 100 state related enable
set firewall name wan2fw rule 101 action accept
set firewall name wan2fw rule 101 description ‘ping to fw’
set firewall name wan2fw rule 101 icmp type-name any
set firewall name wan2fw rule 101 protocol icmp
set firewall name wan2fw rule 101 state new enable
set firewall name wan2fw rule 200 action accept
set firewall name wan2fw rule 200 description ‘ssh to fw’
set firewall name wan2fw rule 200 destination port 2222
set firewall name wan2fw rule 200 protocol tcp
set firewall name wan2fw rule 200 state new enable
set firewall name wan2fw rule 500 action drop
set firewall name wan2fw rule 500 state invalid enable

set interfaces ethernet eth0 firewall local name wan2fw
set interfaces ethernet eth0 firewall in name wan2lan[/code]

I assume I’ve messed up something in the NAT or firewall policies, but I’ve been playing around and cannot get it. The router responds to ping, so ICMP is working properly. When I run monitor interfaces I can see traffic on eth0 and eth3 for RDP or eth0 and lo for ping. The show firewall statistics packet counts keep going up everytime I try to SSH or RDP into the network.