eth0 - public IP - example: 203.0.113.10
eth1 - 10.100.10.254/24 and 10.100.17.254/24
site www.domain.com → 203.0.113.10 (eth0), destination NAT to 10.100.17.10
10.100.17.10 is an nginx reverse proxy which has 2 interfaces:
eth0 - 10.100.10.10 / default gw = 10.100.10.254 (which is VyOS)
eth1 - 10.100.17.10/24 (no default route)
The issue: from the outside, visiting www.domain.com works fine.
From the server itself, if I do curl www.domain.com, it does not work.
Here the flow will be 10.100.10.10 → 10.254 → 113.10 → 17.254 → 17.10 ??
Because I have 2 networks on the same interface (necessity) and there are 2 networks involved (10.x making the request, translated to 17.x), I am not sure how to do the hairpin NAT.
Instead of 1 flow, you have 2 flows since you're using a proxy.
Flow 1: from client to NGINX
Client 10.100.10.10 sends a packet to 203.0.113.10:80.
This arrives at VyOS, and should be DNATted to 10.100.17.10:80, and returned on the same interface.
Return traffic from NGINX flows from 10.100.17.10:80 to 10.100.10.10. Note these are different subnets, so the packet flow is via VyOS. And you don't need an extra SNAT rule.
The zone-based firewall on VyOS should allow this traffic (in the same zone).
Flow 2: from NGINX to webserver
NGINX opens a connection to the webserver, like from 10.100.17.10 to x.x.x.x:80 (not sure what the webserver IP is).
This flow is identical to a connection from outside, and thus works.
So focus on flow 1.
Use tcpdump, and look into the NAT table on VyOS to see where the packet ends up.
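As an added illustration of flow 1 (not configuration from either poster), here is what the VyOS side of the hairpin would look like, assuming the existing public-facing rule is a destination NAT rule matched on eth0 and that the inside clients live behind eth1. Rule numbers, the description text and the 1.3-style `inbound-interface` syntax are assumptions; adjust them to the running configuration. The point is that the original rule only matches packets arriving on eth0, so a client on eth1 that sends to 203.0.113.10 never hits it and the packet is delivered to VyOS itself instead of being forwarded to 10.100.17.10. A second rule with the same translation but matched on eth1 closes that gap; as the answer notes, no extra source NAT is needed because the reply from 10.100.17.10 to 10.100.10.0/24 already routes back through VyOS, where the connection-tracking entry reverses the translation.

```vyos
# Existing rule (assumed): traffic from the Internet arriving on eth0
set nat destination rule 10 description 'www.domain.com from outside'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 destination address '203.0.113.10'
set nat destination rule 10 destination port '80'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '10.100.17.10'

# Added hairpin rule: the same translation, but for packets
# arriving on the inside interface that carries both internal subnets
set nat destination rule 20 description 'www.domain.com hairpin from inside'
set nat destination rule 20 inbound-interface 'eth1'
set nat destination rule 20 destination address '203.0.113.10'
set nat destination rule 20 destination port '80'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '10.100.17.10'
commit
save

# Verification from operational mode while running curl on the client:
# 1. the packet to the public IP should be seen entering eth1 ...
monitor traffic interface eth1 filter 'host 203.0.113.10 and tcp port 80'
# 2. ... and a translation / conntrack entry should show the rewritten destination
show nat destination translations
show conntrack table ipv4
```

If the packet shows up on eth1 but no translation is listed, the DNAT rule is not matching (wrong interface, address or port); if the translation exists but the reply never appears, check that the zone-based firewall permits the eth1-to-eth1 traffic the answer describes.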