Q: Analog of Shorewall routeback option


Hi!

What is VyOS analog of Shorewall routeback option?

routeback[={0|1}]
If specified, indicates that Shorewall should include rules that allow traffic arriving on this interface to be routed back out that same interface. This option is also required when you have used a wildcard in the INTERFACE column if you want to allow traffic between the interfaces that match the wildcard.

This is what it is for: when someone from the INTERNAL (private LAN) network tries to open e.g. the web site via our external IP or our domain name (isp1.xx.xx.ip1 -> eth0 or isp2.yy.yy.ip2 -> eth1; we have 2 load-balanced ISP links), the traffic is routed to the external IP interface(s).
And it can't be routed back with DNAT rules to the DMZ server 192.168.1.2.

These DNAT rules alone are not working:

set nat destination rule 730 description 'DNAT_R1'
set nat destination rule 730 destination port 'http,https,ftp,smtp,pop3,imap'
set nat destination rule 730 destination address isp1.xx.xx.ip1
set nat destination rule 730 inbound-interface 'eth3' # internal private LAN
set nat destination rule 730 protocol 'tcp'
set nat destination rule 730 translation address 192.168.1.2 # DMZ server

set nat destination rule 740 description 'DNAT_R2'
set nat destination rule 740 destination port 'http,https,ftp,smtp,pop3,imap'
set nat destination rule 740 destination address isp2.yy.yy.ip2
set nat destination rule 740 inbound-interface 'eth3'  # internal private LAN
set nat destination rule 740 protocol 'tcp'
set nat destination rule 740 translation address 192.168.1.2 # DMZ server

What is the proper way to handle this situation?
Policy-based source routing? Should it be attached to the INTERNAL (private LAN) eth3, or am I missing something here?

set interfaces ethernet eth3 policy route 'PBR_TO_DMZ' ?

Please advise.
Thanks in advance
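The closest VyOS equivalent to Shorewall's routeback is hairpin NAT (NAT reflection): keep the DNAT on the LAN-facing inbound interface and add a matching source NAT rule so the DMZ server's replies come back through the router, where conntrack reverses the DNAT. No policy route on eth3 is needed for that. The configuration below is an added example written for this page, not configuration from the original post or from the VyOS project. It assumes the post's rule numbers and the VyOS 1.2/1.3 syntax used in the post, and it assumes a topology the post does not state: the private LAN on eth3 is 192.168.0.0/24, the DMZ server 192.168.1.2 sits behind eth2, and WAN load balancing is applied to eth3 (rule 5 and the eth2 name are assumptions). Repeat the same three pieces for isp2.yy.yy.ip2 / rule 740.

```vyos
# Added example (not from the original post or the VyOS project).
# Assumed topology: eth3 = private LAN 192.168.0.0/24, eth2 = DMZ with the
# server 192.168.1.2, eth0/eth1 = the two ISP links. Adjust to your own.

# 1. DNAT as in the post: LAN connections to the public address are
#    rewritten to the DMZ server before the routing decision is made.
set nat destination rule 730 description 'DNAT_R1 (LAN -> public IP -> DMZ)'
set nat destination rule 730 inbound-interface 'eth3'
set nat destination rule 730 protocol 'tcp'
set nat destination rule 730 destination address 'isp1.xx.xx.ip1'
set nat destination rule 730 destination port 'http,https,ftp,smtp,pop3,imap'
set nat destination rule 730 translation address '192.168.1.2'

# 2. Hairpin SNAT (the routeback part): masquerade LAN clients behind the
#    router's DMZ-side address on the way to the server, so the server's
#    replies are forced back through the router instead of going straight
#    to the LAN host. Match only the already-DNATed flows to the server.
set nat source rule 730 description 'Hairpin for DNAT_R1'
set nat source rule 730 outbound-interface 'eth2'
set nat source rule 730 protocol 'tcp'
set nat source rule 730 source address '192.168.0.0/24'
set nat source rule 730 destination address '192.168.1.2'
set nat source rule 730 translation address 'masquerade'

# 3. Only if WAN load balancing is applied to eth3 (assumption): its packet
#    marking runs in mangle PREROUTING, before DNAT, and would otherwise
#    policy-route the packet out an ISP link. Exclude flows to the public
#    address so they follow the normal routing table after DNAT.
set load-balancing wan rule 5 exclude
set load-balancing wan rule 5 inbound-interface 'eth3'
set load-balancing wan rule 5 destination address 'isp1.xx.xx.ip1'
```

After `commit`, check from a LAN host that a connection to isp1.xx.xx.ip1:80 succeeds, then confirm on the router that the DNAT and hairpin counters increase with `show nat destination statistics` and `show nat source statistics`, and that the flow appears with both translations in `show conntrack table ipv4`. The price of the masquerade is that the DMZ server's logs show the router's eth2 address instead of the real LAN client for these hairpinned connections; if you need the client address on the server, give the LAN hosts a split-horizon DNS answer pointing at 192.168.1.2 instead.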