Routing to VRFs with same subnets


I have a scenario where I need to route and NAT traffic to different VRFs that happen to have the same subnets. I can make this work with two devices: one to route to a VLAN, then the second does the NAT… but I can’t condense this into one system.

What appears to be happening is the NAT occurs on ingress, then it’s routed, which means it’s looking at routing to a colliding subnet. I need to route based on the external NAT IP, then NAT it before egress if at all possible. I think I could make nftables do this if I skipped VyOS’ CLI and manually built the nf rules, but I’m trying to work within the constraints of the VyOS config.

If I add routes to VRF Default to send my 10.0.10.0/24 and 10.0.20.0/24 subnets to the respective VRFs it doesn’t work as they have already been NAT translated to the 192 addresses.

To describe a packet’s journey:
Client 10.0.0.2 sends a ping/packet/whatever to 10.0.10.2 or 10.0.20.2 and it goes to the default gateway of 10.0.0.1. That would determine the route based on the destination IP… which it can’t do since those IPs don’t actually exist. Ideally though I would have an entry in the routing table like 10.0.10.0/24 routes via eth1.10 interface. THEN NAT would kick in and change the destination IP to the 192.168.0.2 address. But I don’t see how this is possible so I’m struggling to make this work.

I’m mostly wondering if there is a way to NAT postrouting versus prerouting.
I’ll take any and all suggestions. 🙂
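The ordering the post describes is fixed by Netfilter: DNAT is only available in the prerouting and output hooks, so the routing decision always sees the translated address and there is no "NAT in postrouting" for the destination. What can be done is to classify the packet on its pre-NAT destination in a chain that runs before the dstnat chain, carry that decision as a packet mark, and have policy routing pick the VRF's table from the mark after translation. The script below is an added example, not code from the original post or from VyOS; it assumes the client side is eth0 in the default VRF, that VRFs vrf10 and vrf20 are bound to route tables 10 and 20 with eth1.10 and eth1.20 inside them, and that the 192.168.0.0/24 hosts in each VRF are exposed as 10.0.10.0/24 and 10.0.20.0/24. The netmap form of `dnat` needs nftables 0.9.4 or newer on a 5.6 or newer kernel; with an older stack replace it with per-host `dnat to` rules.

```shell
#!/bin/sh
# Added example (not from the original post): route on the pre-NAT destination
# by marking it before DNAT, then policy-route on the mark into the VRF table.
# Assumed names: eth0 = client side in the default VRF; vrf10/vrf20 = VRFs bound
# to route tables 10/20, containing eth1.10/eth1.20.
set -eu

# Netfilter prerouting order: mangle priority (-150) runs before dstnat (-100),
# so the marking chain still sees 10.0.10.x / 10.0.20.x and can tell them apart.
# The dstnat chain then rewrites the destination into the (duplicated) 192.168.0.0/24.
nft_ruleset() {
    cat <<'EOF'
table ip vrfnat {
    chain pick_vrf {
        type filter hook prerouting priority mangle; policy accept;
        iifname "eth0" ip daddr 10.0.10.0/24 meta mark set 0x10
        iifname "eth0" ip daddr 10.0.20.0/24 meta mark set 0x20
    }
    chain to_inside {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" ip daddr 10.0.10.0/24 dnat ip prefix to ip daddr map { 10.0.10.0/24 : 192.168.0.0/24 }
        iifname "eth0" ip daddr 10.0.20.0/24 dnat ip prefix to ip daddr map { 10.0.20.0/24 : 192.168.0.0/24 }
    }
}
EOF
}

# Routing happens after prerouting, i.e. after DNAT. By then both flows are
# addressed to 192.168.0.x, but the mark selects the table. pref 100 sorts before
# the kernel's l3mdev rule (pref 1000) and the main table (pref 32766).
ip_rules() {
    cat <<'EOF'
ip rule add pref 100 fwmark 0x10 lookup 10
ip rule add pref 100 fwmark 0x20 lookup 20
EOF
}

# Return path (assumption: add only if the VRF tables do not already carry it):
# replies from 192.168.0.2 arrive inside the VRF and are un-NATed by conntrack,
# so table 10/20 must be able to reach the client subnet on eth0 in the default VRF.
return_routes() {
    cat <<'EOF'
ip route add 10.0.0.0/24 dev eth0 table 10
ip route add 10.0.0.0/24 dev eth0 table 20
EOF
}

# Print everything by default; apply only when explicitly asked (needs root).
case "${1:-}" in
    --apply)
        nft_ruleset | nft -f -
        ip_rules | sh -e
        return_routes | sh -e
        ;;
    *)
        nft_ruleset
        ip_rules
        return_routes
        ;;
esac
```

Run it without arguments to review the generated rules, and with `--apply` on the router to install them; because the mark is set on every packet of a flow, established connections keep landing in the right VRF after the first packet's DNAT has been cached by conntrack. The VyOS CLI equivalent is its `policy route` feature (a rule matching `destination address` with `set table`), attached to eth0; check the syntax against the documentation for the VyOS release in use, and make sure the marking rule is evaluated on the pre-NAT destination in that version before relying on it.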
