Q: DNAT rule WAN->DMZ isn't working with Zone-based firewall


#1

Hi!

I set zone-based firewall with 2 x ISP load-balancing.
eth0 - wan1, eth1 - wan2, eth2 - DMZ (192.168.1.1), eth3 - LAN (192.168.0.1)
Internet server IP (on DMZ) = 192.168.1.2

Outgoing traffic from DMZ and LAN travels correctly.
Unfortunately, DNAT from the WAN zone to the DMZ does not function.
Some rules in FW_WAN_DMZ are redundant but I tried everything to make it work.
How to fix this?
Thanks in advance.

set firewall name FW_WAN_DMZ description 'WAN to DMZ'
set firewall name FW_WAN_DMZ rule 700 action accept
set firewall name FW_WAN_DMZ rule 700 state established enable
set firewall name FW_WAN_DMZ rule 700 state related enable
set firewall name FW_WAN_DMZ rule 701 action drop
set firewall name FW_WAN_DMZ rule 701 state invalid enable
set firewall name FW_WAN_DMZ rule 702 action accept
set firewall name FW_WAN_DMZ rule 702 protocol tcp
set firewall name FW_WAN_DMZ rule 702 source port 'http,https,ftp,smtp,pop3,imap'
set firewall name FW_WAN_DMZ rule 702 destination port 'http,https,ftp,smtp,pop3,imap'

set zone-policy zone ZONE_DMZ from ZONE_WAN firewall name FW_WAN_DMZ

set nat destination rule 10 description 'WAN_eth0_TO_DMZ'
set nat destination rule 10 destination port 'http,https,ftp,smtp,pop3,imap'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address 192.168.1.2

set nat destination rule 20 description 'WAN_eth1_TO_DMZ'
set nat destination rule 20 destination port 'http,https,ftp,smtp,pop3,imap'
set nat destination rule 20 inbound-interface 'eth1'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address 192.168.1.2

vyos@vyos# run show nat destination rules
Disabled rules are not shown
Codes: X - exclude rule

rule   intf   translation
----   ----   -----------
10     eth0   daddr ANY to 192.168.1.2
              proto-tcp dport http,https,ftp,smtp,pop3,imap
       Desc: WAN_eth0_TO_DMZ

20     eth1   daddr ANY to 192.168.1.2
              proto-tcp dport http,https,ftp,smtp,pop3,imap
       Desc: WAN_eth1_TO_DMZ


#2

Small update
set nat destination rule 20 destination address wan2.ext.ip.addr
Didn’t change anything


#3

Adding
set firewall name FW_WAN_DMZ rule 700 state new enable
solved the problem.
Seems like very few visitors on forum.
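Editor's note with an added example; this is not the poster's configuration and is not from the VyOS project. The fix in #3 works because rule 700 now accepts every new connection from ZONE_WAN into ZONE_DMZ, not only the ports that the DNAT rules publish: once the zone pair has an accept-new rule with no protocol or port match, anything reachable in the DMZ through other DNAT rules, or through routing, is open from the Internet. The original rule 702 never matched because it also required the client's source port to be one of http,https,ftp,smtp,pop3,imap, and clients connect from ephemeral source ports. The ruleset below keeps the stateful rules 700/701, drops the source-port match, and accepts new connections only to the translated host and the published ports. It assumes the legacy VyOS firewall syntax used in the thread, that the zone policy is evaluated after DNAT (so the destination address already reads 192.168.1.2), and the addresses and port list from post #1.

```vyos
# Added example, not the poster's config.
# Assumes: legacy VyOS syntax as in the thread, DMZ host 192.168.1.2,
# the same port list as the two DNAT rules.
set firewall name FW_WAN_DMZ description 'WAN to DMZ'
set firewall name FW_WAN_DMZ default-action drop

# Stateful part, unchanged from the thread: return traffic and related
# flows are accepted, conntrack-invalid packets are dropped.
set firewall name FW_WAN_DMZ rule 700 action accept
set firewall name FW_WAN_DMZ rule 700 state established enable
set firewall name FW_WAN_DMZ rule 700 state related enable
set firewall name FW_WAN_DMZ rule 701 action drop
set firewall name FW_WAN_DMZ rule 701 state invalid enable

# New connections are accepted only to the translated host and the
# published ports. No 'source port' match: clients use ephemeral ports.
set firewall name FW_WAN_DMZ rule 702 action accept
set firewall name FW_WAN_DMZ rule 702 protocol tcp
set firewall name FW_WAN_DMZ rule 702 state new enable
set firewall name FW_WAN_DMZ rule 702 destination address 192.168.1.2
set firewall name FW_WAN_DMZ rule 702 destination port 'http,https,ftp,smtp,pop3,imap'

set zone-policy zone ZONE_DMZ from ZONE_WAN firewall name FW_WAN_DMZ
```

After `commit`, rule 702's counters should rise with each new inbound connection (in legacy syntax: `show firewall name FW_WAN_DMZ statistics`), and a connection from the WAN to any other DMZ port should now hit the default drop rather than rule 700. If the ftp entry in the port list is meant to serve passive-mode FTP, the data connections arrive on unlisted ports and are only accepted by rule 700 as related traffic when the FTP conntrack helper is loaded; otherwise they will be dropped by this ruleset as intended.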