Would like to request help / assistance on NAT VyOS configuration

Hi,

I would like to request help / assistance on NAT VyOS configuration.
I'm new to it, so please bear with me :slight_smile:

From the diagram, what I would like to accomplish is to configure NAT on my VyOS. This is to be able to host private servers (10.10.10.0/24) to the public (internet).
But I want a specific public IP address to NAT to a specific private IP address.

Example: if a client visits sub1.domain.com (123.123.123.100), this public IP address
should correspond only to the 10.10.10.100 private server. This would be the same for the other subdomains (color coded to match public to private IP address).

How do I start, and what would the NAT configuration for this likely be?

Thanks

You simply need to create a destination NAT rule for each public IP address. Example:

set nat destination rule 100 description 'put a description here'
set nat destination rule 100 destination address '123.123.123.100'
set nat destination rule 100 destination port '80,443'
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '10.10.10.100'

set nat destination rule 101 description 'put a description here'
set nat destination rule 101 destination address '123.123.123.101'
set nat destination rule 101 destination port '80,443'
set nat destination rule 101 inbound-interface 'eth0'
set nat destination rule 101 protocol 'tcp'
set nat destination rule 101 translation address '10.10.10.200'

and so on.

(replace eth0 with the Internet-facing interface)


Hi Jeff,

Thank you very much, I will try this.

Hi Jeff,

Thanks for the DNAT example.

I would like to ask another question, for the rule 100 example.
I want the server to be available only to specific public IP addresses.
What would I need to add or change?

Thanks

You can restrict the source IP address to a specific IP / network by adding:

set nat destination rule 100 source address <IP address>

However, currently VyOS doesn't support NAT groups (the firewall does), so if you need to allow several networks you need either to:

  • configure several NAT rules
  • have a single NAT rule without a source restriction and a firewall rule that uses a network group that allows only the desired networks.
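
As an added worked example (not part of the original thread or Jeff's reply), the second option above, written out in the same VyOS `set` syntax the thread uses: the rule 100 DNAT without a source restriction, a firewall network group holding the permitted clients, and a ruleset applied inbound on the Internet-facing interface. The client networks 198.51.100.0/24 and 203.0.113.7, the group name SUB1-CLIENTS and the ruleset name WAN-IN are constructed for this example; eth0 and the 123.123.123.100 -> 10.10.10.100 mapping are taken from the thread.

```vyos
# Constructed example: sub1.domain.com (123.123.123.100) -> 10.10.10.100,
# reachable on 80/443 only from 198.51.100.0/24 and 203.0.113.7.

# 1. DNAT rule with no source restriction (as in Jeff's rule 100)
set nat destination rule 100 description 'sub1.domain.com web'
set nat destination rule 100 destination address '123.123.123.100'
set nat destination rule 100 destination port '80,443'
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '10.10.10.100'

# 2. Network group listing the permitted public client networks
set firewall group network-group SUB1-CLIENTS description 'Clients allowed to reach sub1'
set firewall group network-group SUB1-CLIENTS network '198.51.100.0/24'
set firewall group network-group SUB1-CLIENTS network '203.0.113.7/32'

# 3. Ruleset for traffic entering eth0 and being forwarded to the private servers
set firewall name WAN-IN default-action 'drop'
set firewall name WAN-IN rule 10 description 'Return traffic for existing connections'
set firewall name WAN-IN rule 10 action 'accept'
set firewall name WAN-IN rule 10 state established 'enable'
set firewall name WAN-IN rule 10 state related 'enable'

# Destination NAT happens before the forward firewall is evaluated, so the
# rule matches the translated private address, not 123.123.123.100.
set firewall name WAN-IN rule 100 description 'sub1 web from allowed clients only'
set firewall name WAN-IN rule 100 action 'accept'
set firewall name WAN-IN rule 100 protocol 'tcp'
set firewall name WAN-IN rule 100 destination address '10.10.10.100'
set firewall name WAN-IN rule 100 destination port '80,443'
set firewall name WAN-IN rule 100 source group network-group 'SUB1-CLIENTS'

# 4. Apply the ruleset to forwarded traffic arriving on the Internet-facing interface
set interfaces ethernet eth0 firewall in name 'WAN-IN'

commit
save
```

Two things to check before committing: because WAN-IN defaults to drop, every other DNAT target behind eth0 (for example the rule 101 server at 10.10.10.200) needs its own accept rule in WAN-IN, again matching the translated address; and adding or removing a client later is a single `set`/`delete` on the network group rather than a change to the NAT rule. If you prefer the first option (several NAT rules), copy rule 100 under new rule numbers and give each its own `source address`, keeping the same `translation address`.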
