port forwarding issues


#1

I have issues when trying to port forward to a local device.

I have a PPPoE connection to my provider.
Output firewall default action - accept

Input firewall rules:

[code]default-action drop
rule 5 {
    action drop
    description "deny ssh connections"
    destination {
        port ssh
    }
    protocol tcp
}
rule 10 {
    action accept
    state {
        established enable
        related enable
    }
}
rule 140 {
    action accept
    destination {
        port 9560
    }
    log enable
    protocol tcp
}[/code]

Local firewall rules:

[code]default-action drop
rule 4 {
    action drop
    destination {
        port ssh
    }
    protocol tcp
}
rule 5 {
    action drop
    destination {
        port telnet
    }
    protocol tcp
}
rule 10 {
    action accept
    state {
        established enable
        related enable
    }
}
rule 90 {
    action drop
    protocol icmp
}
rule 141 {
    action accept
    destination {
        port 9560
    }
    protocol tcp
}[/code]

And this is my port forwarding rule:

[code]show nat destination
 rule 141 {
     destination {
         port 9560
     }
     inbound-interface any
     log enable
     protocol tcp
     translation {
         address 172.16.11.40
         port ssh
     }
 }[/code]

But when I'm trying to connect via SSH I'm getting this:

[code]ssh: connect to host [PPPoE_IP] port 9560: Connection timed out[/code]

And I see that it's being forwarded:

[code]show nat destination translations
Pre-NAT              Post-NAT             Prot  Timeout
[PPPoE_IP]:9560      172.16.11.40:22      tcp   117[/code]

So, what am I doing wrong?
Regards,
Nufay.


#2

Input firewall is used for packets traversing VyOS. dNAT is done before firewall, so you should allow tcp traffic destined for 172.16.11.40:22.
Also, for best speed, always make the established/related rule the first.
Best firewall explanation around (EdgeOS though, but same Vyatta roots)
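An added example (not from this thread) showing what the ordering described above means for the ruleset bound to the PPPoE interface's "in" direction; the ruleset name WAN_IN is an assumed placeholder for whatever name is actually bound there.

```vyos
# Added example, not from the thread. WAN_IN is an assumed name for the
# ruleset applied with "firewall in" on the PPPoE interface.
#
# Packet path: destination NAT rule 141 rewrites [PPPoE_IP]:9560 to
# 172.16.11.40:22 BEFORE the "in" firewall is evaluated, so a rule that
# matches destination port 9560 never sees the forwarded SSH packet and
# it falls through to default-action drop.

# Before: matches nothing after DNAT (port 9560 is already gone)
set firewall name WAN_IN rule 140 action accept
set firewall name WAN_IN rule 140 protocol tcp
set firewall name WAN_IN rule 140 destination port 9560

# After: match the packet as it looks once DNAT has rewritten it
delete firewall name WAN_IN rule 140 destination port 9560
set firewall name WAN_IN rule 140 destination address 172.16.11.40
set firewall name WAN_IN rule 140 destination port 22
set firewall name WAN_IN rule 140 log enable
commit

# The established/related accept rule (rule 10 in the thread) should keep
# the lowest rule number so return traffic is matched before any other
# rule is consulted. The "local" ruleset is not involved: it only applies
# to traffic addressed to the router itself, not to forwarded packets.
```

Verify afterwards with "show firewall name WAN_IN" (a log-enabled rule 140 will also produce a kernel log line per new connection that you can check in "show log firewall name WAN_IN").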


#3

When I'm changing the NAT destination inbound interface to pppoe0 I'm getting a connection refused message, do you know why that is?
Or do I need to define the interface where my destination IP is located?

Btw, thank you for this link with the explanation.

Regards,
Nufay.


#4

Do you get the pppoe0 option after typing:

[code]configure
set nat destination rule 141 inbound-interface ?[/code]

I do get all the interfaces currently present.