Reference dynamic WAN IP on NAT Rule

Hi there,

I’m running VyOS 1.3 and I’ve been trying to configure Hairpin NAT/NAT Reflection.
https://docs.vyos.io/en/latest/configuration/nat/nat44.html#hairpin-nat-nat-reflection

The configuration works fine to an extent, with the only problem being that it redirects everything targeting the port in question.

For example, if I do a hairpin on port 80, filtered with the source being my LAN network, it will redirect everything sent to port 80 to my internal server, regardless of whether the initial target IP is my public IP or not.

I’m looking for a way to filter the Destination NAT “destination address”, where my public IP is being assigned dynamically via DHCP (from the ISP).
Is there any way or trick to achieve this? Essentially reference my WAN interface public IP on my Destination NAT rule dynamically, such as some sort of tag?

Thanks.

Impossible with dynamic IP.
There is the task T2196 (Dynamic ipv4 interface list).


I’ve solved this by using a firewall group; maybe this helps:

firewall {
    group {
        address-group v4-external-ip {
            address 1.1.1.1
        }
    }
}
nat {
    destination {
        rule 11 {
            description "HTTP Haproxy"
            destination {
                port 80,443
            }
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 192.168.221.101
            }
        }
        rule 91 {
            description "HAIRPIN: HTTP Haproxy"
            destination {
                group {
                    address-group v4-external-ip
                }
                port 80,443
            }
            inbound-interface eth1.220
            protocol tcp
            translation {
                address 192.168.221.101
            }
        }
    }
    source {
        rule 92 {
            description "HAIRPIN: HTTP Haproxy"
            destination {
                address 192.168.221.101
                port 80,443
            }
            outbound-interface eth2.221
            protocol tcp
            source {
                address 192.168.221.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
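The address-group approach above only works while the address in v4-external-ip matches the real WAN address, so the group has to be rewritten whenever the ISP hands out a new lease. The following script is an added example, not part of the thread or of the VyOS project: it reads the interface's current global IPv4 address, validates it, and commits it into the group only when it changed. The group name and the pppoe0 interface are taken from the config above; the VyOS script-template configuration API is real, while the state-file path, the cron/interface-up hook it would run from, and the RUN_HAIRPIN_UPDATE guard are assumptions.

```shell
#!/bin/vbash
# Added example (not from the thread or the VyOS project): keep the
# address-group used by hairpin DNAT rule 91 equal to the WAN interface's
# current dynamic IPv4 address. Assumed to run from cron or an interface-up
# hook; the state-file path and the RUN_HAIRPIN_UPDATE guard are assumptions.

WAN_IF="pppoe0"                     # interface holding the dynamic public address
GROUP="v4-external-ip"              # address-group referenced by NAT rule 91
STATE_FILE="/config/hairpin-wan-ip" # last address pushed into the group (assumed path)

# Print the first global IPv4 address found in `ip -4 -o addr show` output
# ($1), with the prefix length stripped. Returns 1 when there is none.
extract_ipv4() {
    addr=$(printf '%s\n' "$1" | awk '
        $3 == "inet" && /scope global/ { sub(/\/.*/, "", $4); print $4; exit }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Accept only a well-formed dotted quad, so a garbled lease never ends up
# in the NAT rule.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Replace the group's address inside a VyOS configuration session
# (script-template API), then record what was committed.
apply_address() {
    . /opt/vyatta/etc/functions/script-template
    configure
    delete firewall group address-group "$GROUP" address
    set firewall group address-group "$GROUP" address "$1"
    commit
    save
    printf '%s\n' "$1" > "$STATE_FILE"
    exit
}

main() {
    addr=$(extract_ipv4 "$(ip -4 -o addr show dev "$WAN_IF")") \
        || { echo "no global IPv4 address on $WAN_IF" >&2; return 1; }
    is_ipv4 "$addr" || { echo "rejecting malformed address '$addr'" >&2; return 1; }
    last=$(cat "$STATE_FILE" 2>/dev/null || true)
    [ "$last" = "$addr" ] && return 0      # unchanged: no commit needed
    apply_address "$addr"
}

# Only touch the running configuration when explicitly enabled on the router.
if [ "${RUN_HAIRPIN_UPDATE:-0}" = "1" ]; then main "$@"; fi
```

Because rule 91 matches on the group rather than on a literal address, a commit that changes only the group's member leaves the NAT rules themselves untouched.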
