Hi !
I set zone-based firewall with 2 x ISP load-balancing.
eth0 - wan1, eth1 - wan2, eth2 - DMZ (192.168.1.1), eth3 - LAN (192.168.0.1)
Internet server IP (on DMZ) = 192.168.1.2
Outgoing traffic from DMZ and LAN travels correctly.
Unfortunately, DNAT from WAN zone to DMZ do not function.
Some rules in FW_WAN_DMZ are redundant but I tried everything to make it work.
How to fix this?
Thanks in advance.
set firewall name FW_WAN_DMZ description ‘WAN to DMZ’
set firewall name FW_WAN_DMZ rule 700 action accept
set firewall name FW_WAN_DMZ rule 700 state established enable
set firewall name FW_WAN_DMZ rule 700 state related enable
set firewall name FW_WAN_DMZ rule 701 action drop
set firewall name FW_WAN_DMZ rule 701 state invalid enable
set firewall name FW_WAN_DMZ rule 702 action accept
set firewall name FW_WAN_DMZ rule 702 protocol tcp
set firewall name FW_WAN_DMZ rule 702 source port ‘http,https,ftp,smtp,pop3,imap’
set firewall name FW_WAN_DMZ rule 702 destination port ‘http,https,ftp,smtp,pop3,imap’
set zone-policy zone ZONE_DMZ from ZONE_WAN firewall name FW_WAN_DMZ
set nat destination rule 10 description ‘WAN_eth0_TO_DMZ’
set nat destination rule 10 destination port ‘http,https,ftp,smtp,pop3,imap’
set nat destination rule 10 inbound-interface ‘eth0’
set nat destination rule 10 protocol ‘tcp’
set nat destination rule 10 translation address 192.168.1.2
set nat destination rule 20 description ‘WAN_eth1_TO_DMZ’
set nat destination rule 20 destination port ‘http,https,ftp,smtp,pop3,imap’
set nat destination rule 20 inbound-interface ‘eth1’
set nat destination rule 20 protocol ‘tcp’
set nat destination rule 20 translation address 192.168.1.2
vyos@vyos# run show nat destination rules
Disabled rules are not shown
Codes: X - exclude rule
rule intf translation
10 eth0 daddr ANY to 192.168.1.2
proto-tcp dport http,https,ftp,smtp,pop3,imap
Desc: WAN_eth0_TO_DMZ
20 eth1 daddr ANY to 192.168.1.2
proto-tcp dport http,https,ftp,smtp,pop3,imap
Desc: WAN_eth1_TO_DMZ