RESOLVED Port forward troubles

I have begun using vyos between networks in my homelab. I am trying to set up basic ssh port forwarding.

From my understanding, DNAT is sufficient and synonymous with “Port Forwarding”. I believe that besides creating the nat rules, I also need to create the firewall rule to allow ssh. As I understand it, this is supposed to allow me to ssh into a host behind the vyos instance from the outside.

Based on that, here is my config cli snippet:

# Public iface: eth0
# Public subnet: 192.168.1.0/24
# Private iface: eth1
# Private subnet: 192.168.16.0/24
set nat destination rule 70 description 'Port Forward public ssh port 22 to bastion 192.168.16.12 port 22'
set nat destination rule 70 inbound-interface 'eth0'
set nat destination rule 70 translation address '192.168.16.12'
set nat destination rule 70 destination port '22'
set nat destination rule 70 translation port '22'
set nat destination rule 70 protocol 'tcp'
set firewall name OUTSIDE-IN rule 71 description 'Allow Port Forward public ssh port 22 to bastion 192.168.16.12 port 22'
set firewall name OUTSIDE-IN rule 71 action 'accept'
set firewall name OUTSIDE-IN rule 71 destination address '192.168.1.139'
set firewall name OUTSIDE-IN rule 71 destination port '22'
set firewall name OUTSIDE-IN rule 71 protocol 'tcp'
set firewall name OUTSIDE-IN rule 71 state new 'enable'

And firewall state:

vyos@vyos-dmz:~$ show firewall

-----------------------------
Rulesets Information
-----------------------------
IPv4 Firewall "PUBLIC-IN":

 Inactive - Not applied to any interfaces or zones.

rule  action   proto     packets  bytes                                   
----  ------   -----     -------  -----                                   
10    accept   all       930817   1393372951                              
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 PUBLIC-IN-10 */                   

71    accept   tcp       0        0                                       
  condition - saddr 0.0.0.0/0 daddr 192.168.1.139 dpt:22 /* PUBLIC-IN-71 */     

10000 drop     all       12       720                                     
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0   

For completeness, here is my complete running config
And the full list of config commands running from scratch

For reasons I’m not grokking, ssh does not work through the vyos instance.

Troubleshooting:

  • [works] ssh to the vyos instance works over its port 2222
  • [works] ssh from the vyos instance to the internal ssh bastion
  • [works] pinging the vyos instance’s public interface
  • [works] nat from the inside to the outside world is working
  • [works] ssh to outside boxes from inside the 192.168.16.0/24 network.

RESOLVED with DIFF
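As an added illustration (not code from the post or from VyOS), this Python model walks one inbound SSH connection through the netfilter order the VyOS firewall relies on: DNAT in PREROUTING rewrites the destination before the forward filter evaluates the packet, so rule 71, written against the public address 192.168.1.139, cannot match the forwarded flow, which is consistent with its zero packet count in the output above. It assumes the ruleset is attached to eth0; the fix the poster applied is not on the page and is not assumed here.

```python
import re

# Constructed inline from the post (description/state lines omitted): the rules as pasted.
CONFIG = """
set nat destination rule 70 inbound-interface 'eth0'
set nat destination rule 70 translation address '192.168.16.12'
set nat destination rule 70 destination port '22'
set nat destination rule 70 translation port '22'
set nat destination rule 70 protocol 'tcp'
set firewall name OUTSIDE-IN rule 71 action 'accept'
set firewall name OUTSIDE-IN rule 71 destination address '192.168.1.139'
set firewall name OUTSIDE-IN rule 71 destination port '22'
set firewall name OUTSIDE-IN rule 71 protocol 'tcp'
"""

def parse(config):
    """Group `set <path> rule <n> <field> 'value'` lines into per-rule dicts."""
    rules = {}  # e.g. {"nat destination": {70: {"protocol": "tcp", ...}}}
    for line in config.strip().splitlines():
        m = re.match(r"set (.+) rule (\d+) (.+) '(.*)'$", line)
        if m:
            rules.setdefault(m[1], {}).setdefault(int(m[2]), {})[m[3]] = m[4]
    return rules

def matches(rule, pkt, fields):
    # A rule matches when every field it specifies equals the packet's value.
    return all(rule.get(f, str(pkt[k])) == str(pkt[k]) for f, k in fields)

def dnat(pkt, nat):
    """PREROUTING: the first matching DNAT rule rewrites the destination."""
    fields = [("inbound-interface", "iface"), ("protocol", "proto"), ("destination port", "dport")]
    for n in sorted(nat):
        if matches(nat[n], pkt, fields):
            return dict(pkt, daddr=nat[n]["translation address"],
                        dport=int(nat[n].get("translation port", pkt["dport"])))
    return pkt

def forward_filter(pkt, rules):
    """FORWARD: rules see the packet as it is after DNAT; no match means drop."""
    fields = [("protocol", "proto"), ("destination address", "daddr"), ("destination port", "dport")]
    for n in sorted(rules):
        if matches(rules[n], pkt, fields):
            return n, rules[n].get("action", "drop")
    return None, "drop"

def trace_ssh(config, ruleset="OUTSIDE-IN"):
    """Follow one new SSH SYN arriving on eth0 for the router's public address."""
    rules = parse(config)
    pkt = dnat({"iface": "eth0", "proto": "tcp", "daddr": "192.168.1.139", "dport": 22}, rules.get("nat destination", {}))
    return pkt["daddr"], forward_filter(pkt, rules.get(f"firewall name {ruleset}", {}))
```

Swapping the rule's destination address for the translated host 192.168.16.12 makes rule 71 match in this model. The `show firewall` output above also reports the ruleset as not applied to any interface or zone, which is a separate thing to check in the interface configuration.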