Problem with Destination NAT + zone firewall

Hi
I’m struggling to forward port 443 to an internal machine. I followed “Vyos from scratch”, I’m using a “router on a stick” setup with a smart/managed switch and zone policies to apply the firewalls.

Trying to connect to my public IP just gets a connection refused:

curl: (7) Failed to connect to <public ip> port 443: Connection refused

I’ve tried sprinkling logs around, but I’m not really sure how to debug this. I’ve read that NAT comes before the firewall, but then I’m not quite sure how the zones apply. All the DNAT doco I can find doesn’t use zones at all.

Any help would be most appreciated :slight_smile:

                                                     10.28.10.28
+---------------+        +--------------+          +---------------+
|               |        |              |          |               |
|  ISP (dhcp)   <-------->    switch    <---------->  web server   |
|               |        |              |          |               |
+---------------+        +-------^------+          +---------------+
                                 |
                                 |
                                 |
                  eth0.2         |       eth0.10
              <public ip> +------v-----+ 10.28.10.1
                          |            |
                          |   vyos     |
                          |            |
                          +------------+

Here’s the cut down config:

firewall {
    name LOCAL-PRIVATE {
        default-action accept
    }
    name LOCAL-WAN {
        default-action accept
    }
    name PRIVATE-LOCAL {
        default-action accept
    }
    name PRIVATE-WAN {
        default-action accept
    }
    name WAN-LOCAL {
        default-action drop
        rule 5 {
            action accept
            description "Allow EST/Related Traffic"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
    }
    name WAN-PRIVATE {
        default-action drop
        rule 5 {
            action accept
            description "Allow EST/Related Traffic"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
        rule 30 {
            action accept
            destination {
                address 10.28.10.28
                port 443
            }
            log enable
            log-level debug
            protocol tcp_udp
            state {
                new enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        hw-id xx:xx:xx:xx:xx
        vif 2 {
            address dhcp
            description wan
        }
        vif 10 {
            address 10.28.10.1/24
            description private
        }
    }
    loopback lo {
    }
}
nat {
    destination {
        rule 10 {
            description "Port Forward: HTTPS to 10.28.10.28"
            destination {
                port 443
            }
            inbound-interface eth0.2
            log
            protocol tcp_udp
            translation {
                address 10.28.10.28
                port 443
            }
        }
    }
    source {
        rule 100 {
            outbound-interface eth0.2
            source {
                address 10.28.10.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
zone-policy {
    zone LOCAL {
        default-action drop
        from PRIVATE {
            firewall {
                name PRIVATE-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone PRIVATE {
        default-action drop
        from LOCAL {
            firewall {
                name LOCAL-PRIVATE
            }
        }
        from WAN {
            firewall {
                name WAN-PRIVATE
            }
        }
        interface eth0.10
    }
    zone WAN {
        default-action drop
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        from PRIVATE {
            firewall {
                name PRIVATE-WAN
            }
        }
        interface eth0.2
    }
}

Try to allow WAN-LOCAL dport 443.
Or change the default action to reject to see which rule drops the session.

Seeing the firewall counters with show firewall statistics will let you know which drop rule matches.

Use tcpdump on WAN and LAN to see where the packet ends up. Maybe the ISP blocks it.

Thanks for the suggestions.
It turned out that I needed hairpin NAT (which I’d tried previously, but hadn’t configured quite right).

All the debugging tips were really helpful.

I don’t have access to any outside boxes to test the normal DNAT/port forward, so I ended up testing via a commercial VPN service.
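For readers who hit the same thing: the hairpin (NAT reflection) rules below are an added illustration written for this thread, not the poster's actual fix. They assume the same VyOS configuration syntax as the config above, that `<public ip>` is a placeholder for the address DHCP gives eth0.2 (a static value in this rule has to be updated whenever that address changes), and narrow the protocol to tcp since HTTPS here is TCP only.

```text
nat {
    destination {
        /* Added example: a LAN client dialling the public IP arrives on eth0.10,
           so the existing rule 10 (inbound-interface eth0.2) never matches it
           and the router's own stack answers with a refusal on port 443. */
        rule 20 {
            description "Hairpin: HTTPS from LAN via public IP to 10.28.10.28"
            destination {
                /* placeholder: the current WAN address of eth0.2 */
                address <public ip>
                port 443
            }
            inbound-interface eth0.10
            protocol tcp
            translation {
                address 10.28.10.28
                port 443
            }
        }
    }
    source {
        /* Added example: rewrite the LAN client's source so the server
           replies through the router instead of directly to the client. */
        rule 110 {
            description "Hairpin: masquerade LAN clients towards 10.28.10.28"
            destination {
                address 10.28.10.28
            }
            outbound-interface eth0.10
            protocol tcp
            source {
                address 10.28.10.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
```

The source rule is required because client and server share 10.28.10.0/24: without it the server would answer the client directly from 10.28.10.28, and the client, expecting a reply from the public IP, would reset the handshake. Testing from a host that is genuinely outside (as the poster did via a VPN) is still the only way to confirm the eth0.2 path and the WAN-PRIVATE rule 30 independently of the hairpin rules.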
