[solved] Port forwarding not working



Hi all,

I’d appreciate some help getting DNAT working. I want SSH access from the internet to be forwarded to my local machine .

My VyOS is behind another router (a cheap box from my ISP) and has a WAN address of .

The ISP device forwards port 22 to .

Here is what I have done:

```
vyos@vyos# run sh nat destination rules
Disabled rules are not shown
Codes: X - exclude rule

rule   intf   translation
10     eth0   daddr ANY to
              proto-tcp dport 22
              Desc: Port forward: SSH to
```

```
vyos@vyos# sh nat destination rule 10
 description "Port forward: SSH to"
 destination {
     port 22
 }
 inbound-interface eth0
 protocol tcp
 translation {
     address
 }
```

```
vyos@vyos# sh firewall na WAN-in
 default-action drop
 rule 10 {
     action accept
     state {
         established enable
         related enable
     }
 }
 rule 20 {
     action accept
     destination {
         address
         port 22
     }
     protocol tcp
 }
```

When I try to connect to port 22 from the outside, the NAT rule gets triggered:

```
vyos@vyos# run sh nat dest sta
rule   pkts   bytes   interface
10     5      300     eth0
```

And so does the firewall rule:

```
vyos@vyos# run sh fire na WAN-in statistics

Rulesets Information

IPv4 Firewall "WAN-in":

Active on (eth0,IN)

rule    packets   bytes   action   source   destination
10      4.03K     6.03M   ACCEPT
20      5         300     ACCEPT
10000   0         0       DROP
```

However, each time I try to log in from the outside, there is only 1 packet forwarded and the login attempt times out. What am I doing wrong here?


I finally got it to work. It was an asymmetric routing issue; I have set up my DMZ such that outgoing traffic is routed through a VPN tunnel via PBR.

An addition to my PBR ruleset did the trick:

```
vyos@vyos# sh policy route vpn-out rule 19
 destination {
     group {
         network-group !local-networks
     }
 }
 protocol tcp
 set {
     table main
 }
 source {
     address
     port 22
 }
```
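To make the asymmetric-routing explanation concrete, here is an added example (not code from the original post or from VyOS) that models first-match evaluation of a PBR ruleset like `vpn-out`. The addresses, the `local-networks` group members and the catch-all rule 20 that sends DMZ traffic into a `vpn` table are all constructed assumptions; the post only shows rule 19. The model shows why, without rule 19, the SSH reply (source port 22, destination outside the local networks) is pushed into the VPN table and never returns the way the inbound SYN came in, and why rule 19 pins exactly that reply traffic to `main` while leaving other DMZ egress on the VPN.

```python
"""Model of first-match policy-based routing (PBR) rule evaluation.

Added example, not VyOS code. All addresses and the 'vpn' catch-all
rule are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-ins for the 'local-networks' network group.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.10.0.0/24")]
DMZ_HOST = "10.10.0.5"          # hypothetical SSH server in the DMZ
REMOTE_CLIENT = "203.0.113.7"   # hypothetical internet client (TEST-NET-3)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class PbrRule:
    number: int
    table: str                                   # target of "set table ..."
    protocol: Optional[str] = None
    source_address: Optional[str] = None
    source_port: Optional[int] = None
    # Models "destination group network-group !local-networks":
    # the rule matches only if the destination is NOT in any listed network.
    dst_not_in: List[ipaddress.IPv4Network] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        if self.protocol and pkt.proto != self.protocol:
            return False
        if self.source_address and pkt.src != self.source_address:
            return False
        if self.source_port is not None and pkt.sport != self.source_port:
            return False
        if self.dst_not_in:
            dst = ipaddress.ip_address(pkt.dst)
            if any(dst in net for net in self.dst_not_in):
                return False
        return True


def lookup_table(rules: List[PbrRule], pkt: Packet, default: str = "main") -> str:
    """First matching rule (by number) decides the routing table."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.table
    return default


# Rule 19 as shown in the post (address value assumed to be the DMZ host).
RULE_19_FIX = PbrRule(number=19, table="main", protocol="tcp",
                      source_address=DMZ_HOST, source_port=22,
                      dst_not_in=LOCAL_NETWORKS)

# Assumed pre-existing catch-all: DMZ host to anything non-local goes via VPN.
RULE_20_VPN = PbrRule(number=20, table="vpn",
                      source_address=DMZ_HOST, dst_not_in=LOCAL_NETWORKS)


def ruleset(with_fix: bool) -> List[PbrRule]:
    return ([RULE_19_FIX] if with_fix else []) + [RULE_20_VPN]


def reply_table(with_fix: bool) -> str:
    """Table used for the SSH server's reply to the DNAT'd inbound connection."""
    reply = Packet(src=DMZ_HOST, dst=REMOTE_CLIENT, proto="tcp", sport=22, dport=51234)
    return lookup_table(ruleset(with_fix), reply)


def outbound_table(with_fix: bool) -> str:
    """Table used for an ordinary outbound HTTPS connection from the DMZ host."""
    egress = Packet(src=DMZ_HOST, dst=REMOTE_CLIENT, proto="tcp", sport=40000, dport=443)
    return lookup_table(ruleset(with_fix), egress)


if __name__ == "__main__":
    print("SSH reply without rule 19:", reply_table(False))   # vpn  -> asymmetric
    print("SSH reply with rule 19:   ", reply_table(True))    # main -> symmetric
    print("Other DMZ egress with fix:", outbound_table(True))  # vpn  -> unchanged
```

The point the model makes is that DNAT and the firewall only decide the inbound direction; the reply's path is decided by whatever PBR rule first matches the SSH server's outgoing packets, so the fix has to be expressed in terms of the reply (source address and source port 22), not the original destination. Keeping rule 19 narrow (tcp, source port 22 only) is what leaves all other DMZ egress on the VPN.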