Hi
I’m struggling to forward port 443 to an internal machine. I followed “VyOS from scratch”; I’m using a “router on a stick” setup (a single trunk port with VLAN sub-interfaces, behind a smart/managed switch) and zone policies to apply the firewall rule sets.
Trying to connect to my public IP on port 443 just gets an immediate “Connection refused” (not a timeout):
curl: (7) Failed to connect to <public ip> port 443: Connection refused
I’ve tried sprinkling log statements across the rules, but I’m not really sure how to debug this. I’ve read that NAT is applied before the firewall (so the WAN→PRIVATE zone filter should see the packet with the translated destination 10.28.10.28, which is why rule 30 matches that address), but then I’m not quite sure how the zones apply. All the DNAT documentation I can find doesn’t use zones at all. One thing that puzzles me: a firewall drop would normally show up as a timeout, whereas “Connection refused” means something actually answered with a TCP RST.
Any help would be most appreciated
10.28.10.28
+---------------+ +--------------+ +---------------+
| | | | | |
| ISP (dhcp) <--------> switch <----------> web server |
| | | | | |
+---------------+ +-------^------+ +---------------+
|
|
|
eth0.2 | eth0.10
<public ip> +------v-----+ 10.28.10.1
| |
| vyos |
| |
+------------+
Here’s the cut down config:
/* Rule sets referenced by zone-policy below. LOCAL-PRIVATE, LOCAL-WAN, PRIVATE-LOCAL and PRIVATE-WAN are default-accept with no rules; */
/* only traffic arriving from the WAN zone is actually filtered. */
firewall {
name LOCAL-PRIVATE {
default-action accept
}
name LOCAL-WAN {
default-action accept
}
name PRIVATE-LOCAL {
default-action accept
}
name PRIVATE-WAN {
default-action accept
}
/* WAN -> the router itself: only replies to established/related flows and new inbound ICMP are accepted; everything else is dropped. */
name WAN-LOCAL {
default-action drop
rule 5 {
action accept
description "Allow EST/Related Traffic"
state {
established enable
related enable
}
}
rule 20 {
action accept
protocol icmp
state {
new enable
}
}
}
/* WAN -> private LAN (forwarded traffic). On Linux netfilter DNAT runs in PREROUTING, before the forward filter, */
/* so rule 30 must match the translated internal address 10.28.10.28 rather than the public IP -- which it does. */
name WAN-PRIVATE {
default-action drop
rule 5 {
action accept
description "Allow EST/Related Traffic"
state {
established enable
related enable
}
}
rule 20 {
action accept
protocol icmp
state {
new enable
}
}
/* Accept new connections to the port-forwarded web server. No source restriction, which is expected for a public HTTPS service. */
rule 30 {
action accept
destination {
address 10.28.10.28
port 443
}
/* Debug-level logging of every accepted new connection is fine while troubleshooting, but noisy on a public-facing port; remove once working. */
log enable
log-level debug
/* tcp_udp also admits UDP/443. HTTPS is TCP; unless the server speaks QUIC/HTTP3, `protocol tcp` is the narrower match -- confirm what the web server listens on. */
protocol tcp_udp
state {
new enable
}
}
}
}
/* Router-on-a-stick: one trunk port (eth0) carrying two VLAN sub-interfaces. */
interfaces {
ethernet eth0 {
/* MAC address redacted in the post. */
hw-id xx:xx:xx:xx:xx
/* VLAN 2 = WAN side, address assigned by the ISP over DHCP (bound to zone WAN below). */
vif 2 {
address dhcp
description wan
}
/* VLAN 10 = private LAN, router is 10.28.10.1/24; the DNAT target 10.28.10.28 lives in this subnet (bound to zone PRIVATE below). */
vif 10 {
address 10.28.10.1/24
description private
}
}
loopback lo {
}
}
nat {
destination {
/* Port forward: TCP+UDP destination port 443 arriving on the WAN VLAN -> 10.28.10.28:443. */
/* NOTE(review): the rule only matches packets entering via eth0.2, so a client on 10.28.10.0/24 that connects to the public IP is NOT translated (no hairpin/NAT reflection). */
/* Such a packet reaches the router's own stack via PRIVATE-LOCAL (default accept) and, presumably with nothing listening on 443 there, is answered with a TCP RST -- */
/* i.e. exactly "Connection refused". Confirm where the curl test was run from before chasing the firewall. */
rule 10 {
description "Port Forward: HTTPS to 10.28.10.28"
destination {
port 443
}
inbound-interface eth0.2
log
/* tcp_udp also forwards UDP/443; HTTPS is TCP, so `protocol tcp` is the narrower choice unless the server serves QUIC/HTTP3. */
protocol tcp_udp
translation {
address 10.28.10.28
port 443
}
}
}
source {
/* Masquerade the private subnet behind the (dynamic) WAN address on the way out of eth0.2. */
rule 100 {
outbound-interface eth0.2
source {
address 10.28.10.0/24
}
translation {
address masquerade
}
}
}
}
/* Three zones: LOCAL (the router itself), PRIVATE (eth0.10) and WAN (eth0.2). */
/* Every zone defaults to drop, so traffic between two zones is only allowed by the explicit "from" rule set; */
/* with the sets above, everything not coming from WAN is effectively accepted. */
zone-policy {
/* The router's own stack. Reached from PRIVATE without restriction, from WAN only per WAN-LOCAL (established/related + ICMP). */
zone LOCAL {
default-action drop
from PRIVATE {
firewall {
name PRIVATE-LOCAL
}
}
from WAN {
firewall {
name WAN-LOCAL
}
}
local-zone
}
/* The private LAN. Forwarded WAN traffic is filtered by WAN-PRIVATE, which sees the post-DNAT destination (10.28.10.28:443 for the port forward). */
zone PRIVATE {
default-action drop
from LOCAL {
firewall {
name LOCAL-PRIVATE
}
}
from WAN {
firewall {
name WAN-PRIVATE
}
}
interface eth0.10
}
/* The ISP-facing VLAN. Outbound traffic from the router and the LAN is unrestricted (both sets are default accept, no rules). */
zone WAN {
default-action drop
from LOCAL {
firewall {
name LOCAL-WAN
}
}
from PRIVATE {
firewall {
name PRIVATE-WAN
}
}
interface eth0.2
}
}