[solved] Port forwarding not working

firewall
vyos-1-2
nat

#1

Hi all,

I’d appreciate some help getting DNAT working. I want SSH access from the internet to be forwarded to my local machine 192.168.99.9.

My VyOS is behind another router (a cheap box from my ISP) and has a WAN address of 192.168.0.66.

The ISP device forwards port 22 to 192.168.0.66.

Here is what I have done:

```
vyos@vyos# run sh nat destination rules
Disabled rules are not shown
Codes: X - exclude rule

rule   intf   translation
----   ----   -----------
10     eth0   daddr ANY to 192.168.99.9
              proto-tcp dport 22
       Desc: Port forward: SSH to 192.168.99.9
```

```
vyos@vyos# sh nat destination rule 10
 description "Port forward: SSH to 192.168.99.9"
 destination {
     port 22
 }
 inbound-interface eth0
 protocol tcp
 translation {
     address 192.168.99.9
 }
```

```
vyos@vyos# sh firewall name WAN-in
 default-action drop
 rule 10 {
     action accept
     state {
         established enable
         related enable
     }
 }
 rule 20 {
     action accept
     destination {
         address 192.168.99.9
         port 22
     }
     protocol tcp
 }
```

When I try to connect to port 22 from the outside, the NAT rule gets triggered:

```
vyos@vyos# run sh nat destination statistics
rule   pkts   bytes   interface
----   ----   -----   ---------
10     5      300     eth0
```

And so does the firewall rule:

```
vyos@vyos# run sh firewall name WAN-in statistics

Rulesets Information

IPv4 Firewall "WAN-in":

 Active on (eth0,IN)

rule   packets   bytes   action   source      destination
----   -------   -----   ------   ------      -----------
10     4.03K     6.03M   ACCEPT   0.0.0.0/0   0.0.0.0/0
20     5         300     ACCEPT   0.0.0.0/0   192.168.99.9
10000  0         0       DROP     0.0.0.0/0   0.0.0.0/0
```

However, each time I try to log in from the outside, only one packet is forwarded and the login attempt times out. What am I doing wrong here?


#2

I finally got it to work. It was an asymmetric routing issue; I have set up my DMZ such that outgoing traffic is routed through a VPN tunnel via PBR.

An addition to my PBR ruleset did the trick:

```
vyos@vyos# sh policy route vpn-out rule 19
 destination {
     group {
         network-group !local-networks
     }
 }
 protocol tcp
 set {
     table main
 }
 source {
     address 192.168.99.0/24
     port 22
 }
```
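The symptom in post #1 (the DNAT and firewall counters both tick, but each attempt forwards a single packet and the client times out) is the classic signature of asymmetric routing: the SYN is translated and delivered, but the server's SYN/ACK is policy-routed into the VPN tunnel instead of back out of eth0, so the connection never completes. The following block is an added example, not configuration taken from either post: it reconstructs the whole setup the thread describes as VyOS 1.2 `set` commands, including the PBR exception from post #2. The addresses, `eth0`, the ruleset name `WAN-in`, the policy name `vpn-out` and the group name `local-networks` come from the thread; `eth1` as the DMZ interface, the member networks of `local-networks`, the existence of a catch-all rule 20 in `vpn-out`, and routing table `100` as the tunnel table are assumptions made for illustration.

```vyos
# Added example (not from the original posts): the thread's setup as VyOS 1.2
# "set" commands. eth1, the group members, policy rule 20 and table 100 are
# assumptions; everything else is taken from what the poster showed.

configure

# 1. DNAT: TCP/22 arriving on the WAN interface is translated to the DMZ host.
set nat destination rule 10 description 'Port forward: SSH to 192.168.99.9'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 destination port '22'
set nat destination rule 10 translation address '192.168.99.9'

# 2. Stateful WAN ruleset: return traffic first, then only the forwarded port.
#    The inbound firewall evaluates the post-DNAT address, hence 192.168.99.9.
set firewall name WAN-in default-action 'drop'
set firewall name WAN-in rule 10 action 'accept'
set firewall name WAN-in rule 10 state established 'enable'
set firewall name WAN-in rule 10 state related 'enable'
set firewall name WAN-in rule 20 action 'accept'
set firewall name WAN-in rule 20 protocol 'tcp'
set firewall name WAN-in rule 20 destination address '192.168.99.9'
set firewall name WAN-in rule 20 destination port '22'
set interfaces ethernet eth0 firewall in name 'WAN-in'

# 3. Network group referenced by the PBR policy. The thread only shows the
#    group's name; RFC 1918 ranges are an assumption.
set firewall group network-group local-networks network '192.168.0.0/16'
set firewall group network-group local-networks network '10.0.0.0/8'

# 4. PBR on the DMZ interface (eth1 is an assumption). Rules are matched in
#    ascending order, so rule 19 is evaluated before the catch-all rule 20:
#    replies from the SSH server (source port 22, non-local destination) stay
#    in the main table, leave via eth0 and match the existing DNAT conntrack
#    entry. Without rule 19 the SYN/ACK would be routed into the tunnel.
set policy route vpn-out rule 19 protocol 'tcp'
set policy route vpn-out rule 19 source address '192.168.99.0/24'
set policy route vpn-out rule 19 source port '22'
set policy route vpn-out rule 19 destination group network-group '!local-networks'
set policy route vpn-out rule 19 set table 'main'
# Assumed catch-all: all other non-local DMZ traffic goes to table 100, which
# is assumed to hold a default route via the VPN tunnel.
set policy route vpn-out rule 20 source address '192.168.99.0/24'
set policy route vpn-out rule 20 destination group network-group '!local-networks'
set policy route vpn-out rule 20 set table '100'
set interfaces ethernet eth1 policy route 'vpn-out'

commit
save
```

To confirm the fix rather than infer it from a successful login, repeat the external connection attempt and compare `run show nat destination statistics` and `run show firewall name WAN-in statistics` before and after: with asymmetric routing each attempt adds only the retransmitted SYNs (five packets, 300 bytes in the poster's output) and `show conntrack table ipv4` shows the entry stuck in SYN_SENT; once rule 19 is in place the counters grow with the full handshake and the entry reaches ESTABLISHED. Since this exposes SSH to the internet, restrict `WAN-in` rule 20 to known source addresses where possible and require key-based authentication on 192.168.99.9.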