Port translation and LAN access


#1

Could anybody help me?
I have a problem with port translation from an internal web server through a VyOS router.
My configuration works fine when someone tries to connect to it from the internet, but I can't connect to the web server on the WAN IP from the internal LAN.
I think I need some additional NAT rule(s), but I don't see it in the documentation.
My NAT rules:

set nat destination rule 10 description 'Port Forward: HTTP to 192.168.5.128'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 source address '10.10.10.54'
set nat destination rule 10 translation address '192.168.5.128'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.5.0/24'
set nat source rule 100 translation address '10.10.10.111'


#2

I think what you are trying to do is “hairpin NAT”.
You could also think about using DNS to resolve internal clients to the web server’s internal address, and external clients resolving to the web server’s external address.


#3

Hello,
See http://wiki.vyos.net/wiki/User_Guide#NAT and look for hairpin NAT or NAT reflection.


#4

Thanks for the reply!
I added the following rule:

set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address '192.168.5.0/24'
set nat source rule 110 outbound-interface 'eth1'
set nat source rule 110 source address '192.168.5.0/24'
set nat source rule 110 translation address 'masquerade'

And next I modified the string in the old rule

to

This configuration works fine.
Result:

nat {
    destination {
        rule 10 {
            description "Port Forward: HTTP to 192.168.5.128"
            destination {
                port 80
            }
            inbound-interface any
            protocol tcp
            source {
            }
            translation {
                address 192.168.5.128
            }
        }
    }
    source {
        rule 100 {
            outbound-interface eth0
            source {
                address 192.168.5.0/24
            }
            translation {
                address 10.10.10.111
            }
        }
        rule 110 {
            description "NAT Reflection: INSIDE"
            destination {
                address 192.168.5.0/24
            }
            outbound-interface eth1
            source {
                address 192.168.5.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
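
Added example (not part of the original thread and not VyOS code): a small Python model of destination-NAT rule matching, run over constructed packets, comparing the original rule 10, the final rule 10 from the result above, and a hypothetical variant that also sets a destination address. It assumes 10.10.10.111 is the router's WAN IP (the thread shows it only as the rule 100 translation address); the client 192.168.5.20 and the site 203.0.113.80 are made up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class DnatRule:
    """Subset of a 'nat destination rule'; unset fields match anything."""
    translation: str
    dport: int
    proto: str = "tcp"
    in_iface: str = "any"
    src: Optional[str] = None   # source address or prefix
    dst: Optional[str] = None   # destination address or prefix

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and p.dport == self.dport
                and self.in_iface in ("any", p.in_iface)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst)))

def apply_dnat(rule: DnatRule, p: Packet) -> str:
    """Destination address the packet carries after the rule is evaluated."""
    return rule.translation if rule.matches(p) else p.dst

WEB, WAN_IP = "192.168.5.128", "10.10.10.111"   # WAN_IP role is an assumption
RULES = {
    "original": DnatRule(WEB, 80, in_iface="eth0", src="10.10.10.54"),
    "final": DnatRule(WEB, 80),                 # inbound-interface any, empty source
    "scoped": DnatRule(WEB, 80, dst=WAN_IP),    # hypothetical: final + destination address
}
PACKETS = {                                     # constructed sample packets
    "lan->wan_ip": Packet("eth1", "192.168.5.20", WAN_IP, 80),
    "lan->other_site": Packet("eth1", "192.168.5.20", "203.0.113.80", 80),
    "outside->wan_ip": Packet("eth0", "10.10.10.54", WAN_IP, 80),
}

def report() -> dict:
    """Map (rule name, packet name) to the post-DNAT destination."""
    return {(r, k): apply_dnat(rule, p)
            for r, rule in RULES.items() for k, p in PACKETS.items()}

if __name__ == "__main__":
    for key, dst in report().items():
        print(key, "->", dst)
```

In this model the final rule also rewrites LAN traffic bound for any other host on port 80, and the variant with a destination address keeps the rewrite limited to connections aimed at the WAN IP.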


#5

Hi,
Glad that you got it working.
Close this thread
Thanks for sharing!