Specifying outbound interface on destination/translation nat

Hopefully I can explain this correct. Basically, I’m looking to isolate my management network behind an interface on vyOS to perform backup testing, etc. I’ve setup the router with an IP on my management network, and another interface on my isolated network(built in VMware). The interface address on my management network is - and the interface on the my isolated network is (my default gateway) - that way, when I spawn VMs in the isolated network they can see the gateway and talk to each other!

This part is working - however, what I’m trying to do is masquerade a network on the management interface so I can setup static routes and allow access into the isolated network. What I have setup so far is as follows

set nat destination rule 100 inbound-interface eth0 ← the management network
set nat destination rule 100 destination address ← My masqerade range
set nat destination rule 100 translation address

set firewall name management-isolated rule 1 action accept
set firewall name management-isolated rule 1 state established enable
set firewall name management-isolated rule 1 state related enable
set firewall name management-isolated rule 2 action drop
set firewall name management-isolated rule 2 log enable
set firewall name management-isolated rule 2 state invalid enable
set firewall name management-isolated rule 2 state new enable
set interfaces etherenet eth1 firewall in name management-isolated

Basically, what is happening is the request for is coming in on eth0, it’s transalating to, and then sending it right back out eth0. How can I force this to go through eth1? Remember, I still want my default gateway for eth0 to be so it can talk to the outside world, basically, jsut anything coming in on eth0 bound for I want to translate and send through eth1…

This whole setup works when I use another network for the isolated network (say, but when it’s the same network as the management network it fails…

Any takers???

If I remove my default route of eth0, leaving only eth1, then I’m able to to get the access into the isolated network (only from the vyOS VM). That said, obviously when I do that I have no access into the vyOS VM from the rest of the network as it has no real gateway…

So confused lol :slight_smile: Not a network guru! :slight_smile:

Hi @mwpr3ston. I don’t get exactly what you have configured, and what you are trying to achieve.
Please expose in a clear way IP addresses and interfaces of vyos router, and traffic direction desired.
If i didn’t get it wrong, you have:

interface eth0 --> IP address, netmask /24?
interface eth1 --> IP address and netmask? Is it

Hi @n.fort

Let me try and clarify it - you are pretty much right…

interface eth0 → IP GW (connected to prod network, real prod gateway)
interface eth1 → IP (No GW, acts as gateway for isolated prod network)

To help illustrate traffic flow let’s say I have a server inside the isolated network, IP of, GW (gateway is eth1 of vyOS).

From an outside client on the real production gateway I have a route setup to direct all traffic to to (vyOS eth0)

  1. Request to
  2. vyOS recieves this on eth0, translates address to
  3. vyOS sends this out eth1 to isolated network

Currently, with my setup above it’s translating the address on eth0 and sending it right back out eth0 to the real prod network. Somehow I need to translate and forward all traffic bound for to eth1… I’ve attached a horrible diagram :slight_smile:

The whole scenario works when I isolate a different network than the one the vyOS router lives on, say - but trying to do it with the same network the routers management interface is on causes problems…

You can’t have multiple addresses in same subnet on different interfaces
Maybe you can do some pseudo-bridging using proxy-ARP
Keep .151 address on eth0 , and add some dummy IP on other subnet on eth1
enable proxy-arp on both eth interfaces.
On eth1, add next-hop-interface route for onto interface eth1
Then clinet on eth0 should be able to access, no NAT required

Other alternative:
Use 2 interconnected VRF instance each with its own 10.8.96.x/24 interface. Then use NAT so each VRF instance isn’t aware the other VRF has same 10.8.96.x/24 subnet

1 Like