VyOS Hairpin nat

Sp1er · September 2, 2023, 9:35am

Hello everyone Sorry for my English.
There was such a problem, I had to move the mail server to the local network. The problem is that I can’t access an external IP address on port 25 from my subnet. It seems to have set up Hairpin correctly, but I can’t figure out why it doesn’t work.

admin@vyos# show nat destination rule 110
description Hairpin_SMTP_25_Port
destination {
address WAN_IP
port 25
}
inbound-interface eth0.302
protocol tcp
translation {
address 10.32.0.99
port 25
}
admin@vyos# show nat source rule 110
destination {
address 10.32.0.99
port 25
}
outbound-interface eth0.302
protocol tcp
source {
address 10.32.0.0/24
}
translation {
address masquerade
}

Inbound and outbound interface tried in “any”

Apachez · September 2, 2023, 9:56am

I assume you are using VyOS 1.3.x ?

You need to setup 3 rules:

Stuff arriving to WAN interface dstip:dstport is DNAT to the internal IP.
Stuff arriving to LAN interface dstip:dstport is DNAT to the internal IP.
Stuff leaving LAN interface dstip:dstport is SNAT to the LAN interface IP.

Se example at NAT — VyOS 1.3.x (equuleus) documentation

For 1.4-rolling: NAT44 — VyOS 1.4.x (sagitta) documentation

Sp1er · September 2, 2023, 10:06am

  admin@vyos:~$ show version 
Version: VyOS 1.0.2
Description: VyOS 1.0.2 (hydrogen)
Copyright: 2014 SO3 Group
Built by: maintainers@vyos.net
Built on: Sun Feb 2 15:49:43 UTC 2014
Build ID: 1402021549-59dba31
System type: Intel 64bit
Boot via: disk
Hypervisor: VMware
HW model: VMware Virtual Platform
HW S/N: VMware-42 0d 28 19 18 83 7d 20-93 51 0d 07 d4 7d 3e 24
HW UUID: 420D2819-1883-7D20-9351-0D07D47D3E24
Uptime: 14:04:48 up 25 days, 20:47, 1 user, load average: 0.03, 0.05, 0.05

Sp1er · September 2, 2023, 10:14am

I tried it, but not work

Спойлер

[edit]
admin@vyos# show nat destination rule 110
description Hairpin_SMTP_25_Port
destination {
address WAN_IP
port 25
}
inbound-interface eth1.900
protocol tcp
translation {
address 10.32.0.99
port 25
}
[edit]
admin@vyos# show nat destination rule 111
description “Nat Reflection Inside”
destination {
port 25
}
inbound-interface eth0.302
protocol tcp
translation {
address 10.32.0.99
port 25
}
[edit]
admin@vyos# show nat source rule 110
destination {
address 10.32.0.0/24
}
outbound-interface eth0.302
protocol tcp
source {
address 10.32.0.0/24
}
translation {
address masquerade
}

telnet: Unable to connect to remote host: Connection timed out

Vif 0.302:

vif 302 {
description “VM New Domain”
vrrp {
vrrp-group 1 {
advertise-interval 1
hello-source-address 10.250.250.1
preempt true
priority 10
sync-group istrouter
virtual-address 10.32.0.1/24
}
}
}

Apachez · September 2, 2023, 10:20am

Uhh… thats really old (1.0.2 from what it seems year 2014)… you should consider upgrading to 1.3.3 LTS or 1.4-rolling.

Sp1er · September 2, 2023, 10:23am

after the update, some systems may not work correctly. This vyos got to me in 2016 by inheritance from the last admin

16again · September 3, 2023, 3:21pm

3 Stuff leaving LAN interface dstip:dstport is SNAT to the LAN interface IP.

Make sure this rule is only active for source IP addresses in LAN range 10.32.0.0/24
Otherwise, all SMTP connections will be source natted, which could break SPF

Alternatively, use split DNS, so internal hosts can use external name, which points to 10.32.0.99