Simple SNAT does not work

Hi,

I want to configure a very simple SNAT.
VyOS itself is connected to the Internet.
For example, the following works fine.

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=1.20 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=1.21ms

However, I am unable to connect to the internet via SNAT from the PC running VyOS.
i.e., from client PC: ping 8.8.8.8 fails

Could you please offer your advice on this issue?

$ show version 
Version:          VyOS 1.5-stream-2025-Q1
Release train:    circinus
Release flavor:   generic

Built by:         VyOS Networks Iberia S.L.U.
Built on:         Thu 13 Feb 2025 18:06 UTC
Build UUID:       b38b28e0-a516-4f56-a596-5502ae094d3b
Build commit ID:  5128f5e45cdb73-dirty
$ show configuration 
interfaces {
    ethernet eth0 {
        address 133.130.98.92/23
        description Internet
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.0.1/24
        description Private-network
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    source {
        rule 10 {
            outbound-interface {
                name eth0
            }
            source {
                address 192.168.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 133.130.98.1 {
            }
        }
    }
}
$ show interface
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address        MAC                VRF        MTU  S/L    Description
-----------  ----------------  -----------------  -------  -----  -----  ---------------
eth0         133.130.98.92/23  02:01:85:82:62:5c  default   1500  u/u    Internet
eth1         192.168.0.1/24    fa:16:3e:3b:88:f8  default   1500  u/u    Private-network
lo           127.0.0.1/8       00:00:00:00:00:00  default  65536  u/u
$ show nat source rules
Rule    Source          Destination    Proto    Out-Int    Translation
------  --------------  -------------  -------  ---------  -------------
10      192.168.0.0/24  0.0.0.0/0      IP       eth0       masquerade
        sport any       dport any
$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

S>* 0.0.0.0/0 [1/0] via 133.130.98.1, eth0, weight 1, 00:23:05
C>* 133.130.98.0/23 is directly connected, eth0, 00:23:08
C>* 192.168.0.0/24 is directly connected, eth1, 00:21:07

I'm confused by your first sentences.

Am I correct that your setup is this:

Internet ↔ VyOS ↔ Client PC

And VyOS can ping 8.8.8.8 but not Client PC?

If so, can the Client PC ping the IP-address of VyOS (LAN)?

Does the Client PC have the IP of VyOS configured as default gateway?

Yes. The following configuration is correct.

Internet ↔ (eth0:133.130.98.92) VyOS(eth1:192.168.0.1) ↔ (192.168.0.3) Client PC

From VyOS, ping 8.8.8.8 and ping 192.168.0.3 both work fine.

From the Client PC, ping 192.168.0.1 works fine, but
from the Client PC, ping 8.8.8.8 and ping 133.130.98.92 fail.

Of course, the default gateway for the Client PC is 192.168.0.1.

It looks correct when comparing with NAT44 — VyOS 1.5.x (circinus) documentation

What version do you use and have you tried commit, save and then reboot (just to rule out “did you turn it off and on again?”)?

Might be that you need to set up the firewall as well, but as I recall it is open by default (unless changed recently)?

Example I found online:

Hi.
Delete source address:
delete nat source rule 10 source address

No PBR or firewall?
NAT rule looks ok.
You can check with tcpdump traffic on LAN and WAN interface.
While pinging 8.8.8.8 try

# LAN interface
sudo tcpdump -ni eth1 icmp
sudo tcpdump -ni eth2 icmp

you can also filter by host

sudo tcpdump -ni eth1 host 8.8.8.8
sudo tcpdump -ni eth2 host 8.8.8.8

And even combine those two options

Thank you!

Please give me your advice.

$ show firewall
Rulesets Information
$ show policy route
Ruleset Information

And the following are the tcpdump results.

LAN:

$ tcpdump -ni eth1 host 8.8.8.8
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
08:25:15.338846 IP 192.168.0.3 > 8.8.8.8: ICMP echo request, id 1, seq 15, length 40
08:25:15.340130 IP 8.8.8.8 > 192.168.0.3: ICMP echo reply, id 1, seq 15, length 40
08:25:20.338954 IP 192.168.0.3 > 8.8.8.8: ICMP echo request, id 1, seq 16, length 40
08:25:20.340366 IP 8.8.8.8 > 192.168.0.3: ICMP echo reply, id 1, seq 16, length 40
08:25:25.339288 IP 192.168.0.3 > 8.8.8.8: ICMP echo request, id 1, seq 17, length 40
08:25:25.340808 IP 8.8.8.8 > 192.168.0.3: ICMP echo reply, id 1, seq 17, length 40
08:25:30.339382 IP 192.168.0.3 > 8.8.8.8: ICMP echo request, id 1, seq 18, length 40
08:25:30.340687 IP 8.8.8.8 > 192.168.0.3: ICMP echo reply, id 1, seq 18, length 40
08:25:35.338723 IP 192.168.0.3 > 8.8.8.8: ICMP echo request, id 1, seq 19, length 40
08:25:35.340032 IP 8.8.8.8 > 192.168.0.3: ICMP echo reply, id 1, seq 19, length 40
$ tcpdump -ni eth1 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
08:27:00.341228 IP 192.168.0.3 > 8.8.8.8: ICMP echo request, id 1, seq 36, length 40
08:27:00.342697 IP 8.8.8.8 > 192.168.0.3: ICMP echo reply, id 1, seq 36, length 40
08:27:05.341239 IP 192.168.0.3 > 8.8.8.8: ICMP echo request, id 1, seq 37, length 40
08:27:05.342918 IP 8.8.8.8 > 192.168.0.3: ICMP echo reply, id 1, seq 37, length 40
08:27:10.340831 IP 192.168.0.3 > 8.8.8.8: ICMP echo request, id 1, seq 38, length 40
08:27:10.342129 IP 8.8.8.8 > 192.168.0.3: ICMP echo reply, id 1, seq 38, length 40
08:27:15.341066 IP 192.168.0.3 > 8.8.8.8: ICMP echo request, id 1, seq 39, length 40
08:27:15.342436 IP 8.8.8.8 > 192.168.0.3: ICMP echo reply, id 1, seq 39, length 40
08:27:20.331394 IP 192.168.0.3 > 8.8.8.8: ICMP echo request, id 1, seq 40, length 40
08:27:20.333264 IP 8.8.8.8 > 192.168.0.3: ICMP echo reply, id 1, seq 40, length 40

WAN:

$ tcpdump -ni eth0 host 8.8.8.8
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
08:25:30.339438 IP 133.130.98.92 > 8.8.8.8: ICMP echo request, id 1, seq 18, length 40
08:25:30.340641 IP 8.8.8.8 > 133.130.98.92: ICMP echo reply, id 1, seq 18, length 40
08:25:35.338788 IP 133.130.98.92 > 8.8.8.8: ICMP echo request, id 1, seq 19, length 40
08:25:35.339980 IP 8.8.8.8 > 133.130.98.92: ICMP echo reply, id 1, seq 19, length 40
08:25:40.338273 IP 133.130.98.92 > 8.8.8.8: ICMP echo request, id 1, seq 20, length 40
08:25:40.339551 IP 8.8.8.8 > 133.130.98.92: ICMP echo reply, id 1, seq 20, length 40
08:25:45.341400 IP 133.130.98.92 > 8.8.8.8: ICMP echo request, id 1, seq 21, length 40
08:25:45.342785 IP 8.8.8.8 > 133.130.98.92: ICMP echo reply, id 1, seq 21, length 40
$ tcpdump -ni eth0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
08:26:45.341314 IP 133.130.98.92 > 8.8.8.8: ICMP echo request, id 1, seq 33, length 40
08:26:45.342425 IP 8.8.8.8 > 133.130.98.92: ICMP echo reply, id 1, seq 33, length 40
08:26:50.341147 IP 133.130.98.92 > 8.8.8.8: ICMP echo request, id 1, seq 34, length 40
08:26:50.342316 IP 8.8.8.8 > 133.130.98.92: ICMP echo reply, id 1, seq 34, length 40
08:26:55.341197 IP 133.130.98.92 > 8.8.8.8: ICMP echo request, id 1, seq 35, length 40
08:26:55.342591 IP 8.8.8.8 > 133.130.98.92: ICMP echo reply, id 1, seq 35, length 40
08:27:00.341284 IP 133.130.98.92 > 8.8.8.8: ICMP echo request, id 1, seq 36, length 40
08:27:00.342669 IP 8.8.8.8 > 133.130.98.92: ICMP echo reply, id 1, seq 36, length 40

The tcpdump looks perfectly fine.

Your Client-PC with 192.168.0.3 is sending ICMP echo request to 8.8.8.8 on the LAN side.

These packets are SNATed to 133.130.98.92 on the WAN side before egressing towards 8.8.8.8.

8.8.8.8 replies back with an ICMP echo reply to 133.130.98.92, which then forwards this packet back to 192.168.0.3.
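The correlation the reply above does by eye, as an added example written for this thread (not code from VyOS or from any poster): it parses LAN-side and WAN-side tcpdump lines in the format shown, matches echo flows by ICMP id/seq across the two captures, and names the first hop at which a flow disappears. The sample captures are constructed from the thread's format; the seq 19 flow is an invented failure whose request never reaches the WAN side.

```python
import re
from collections import defaultdict

# Constructed sample captures in the thread's tcpdump format. seq 18 is a complete
# flow; seq 19 is a constructed failure whose request never appears on the WAN side.
LAN_DUMP = """\
08:25:30.339382 IP 192.168.0.3 > 8.8.8.8: ICMP echo request, id 1, seq 18, length 40
08:25:30.340687 IP 8.8.8.8 > 192.168.0.3: ICMP echo reply, id 1, seq 18, length 40
08:25:35.338723 IP 192.168.0.3 > 8.8.8.8: ICMP echo request, id 1, seq 19, length 40
"""
WAN_DUMP = """\
08:25:30.339438 IP 133.130.98.92 > 8.8.8.8: ICMP echo request, id 1, seq 18, length 40
08:25:30.340641 IP 8.8.8.8 > 133.130.98.92: ICMP echo reply, id 1, seq 18, length 40
"""
LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
                     r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")
STAGES = ("lan_req", "wan_req", "wan_rep", "lan_rep")  # hops in traversal order
HINTS = {  # what to look at when a flow is last seen before the named hop
    "lan_req": "client never sent it: check client default gateway / ARP",
    "wan_req": "not forwarded or not translated: check nat source rule, firewall, PBR",
    "wan_rep": "no reply from upstream: check upstream routing for the WAN address",
    "lan_rep": "reply not un-NATed to client: check conntrack / return-path firewall",
}

def parse(dump):
    """Yield (src, dst, kind, (id, seq)) per ICMP echo line; tcpdump banners are skipped."""
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["kind"], (int(m["id"]), int(m["seq"]))

def correlate(lan_dump, wan_dump, client, wan_addr, target):
    """Record at which of the four hops each (id, seq) echo flow was observed."""
    seen = defaultdict(set)
    for src, dst, kind, key in parse(lan_dump):
        if kind == "request" and (src, dst) == (client, target):
            seen[key].add("lan_req")
        elif kind == "reply" and (src, dst) == (target, client):
            seen[key].add("lan_rep")
    for src, dst, kind, key in parse(wan_dump):
        if kind == "request" and (src, dst) == (wan_addr, target):
            seen[key].add("wan_req")  # source already rewritten by SNAT here
        elif kind == "reply" and (src, dst) == (target, wan_addr):
            seen[key].add("wan_rep")
    return dict(seen)

def diagnose(seen):
    """Map each flow to 'ok' or to the hint for the first hop where it went missing."""
    return {key: next((HINTS[s] for s in STAGES if s not in hops), "ok")
            for key, hops in seen.items()}
```

Run `diagnose(correlate(LAN_DUMP, WAN_DUMP, "192.168.0.3", "133.130.98.92", "8.8.8.8"))` against real captures from `sudo tcpdump -ni eth1 icmp` and `sudo tcpdump -ni eth0 icmp` to see which hop a failing flow stops at.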