
'set nat destination' incorrectly requires inbound-interface
Status: Closed, Invalid (Public, Bug)

Description

My scenario is that I want to remap an IP address (10.60.192.1/30) to a 4G OOB device. These devices will be deployed in multiple places, and all have the same IP address of 192.168.5.1.

I would normally use an iptables source/dest nat to solve this. Assuming the OOB device is on eth1:

set interfaces ethernet eth1 address 'dhcp'
set interfaces dummy dum0 address '10.60.192.1/30'
set interfaces dummy dum0 description 'NAT Remapper for OOB Device'
set nat destination rule 10 description 'OOB 4G Device'
set nat destination rule 10 destination address '10.60.192.1'
set nat destination rule 10 destination port '80,443'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.5.1'
set nat source rule 10 destination address '192.168.5.0/24'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 translation address 'masquerade'

However, VyOS insists that I need an inbound-interface:

# commit
[ nat destination ]
Destination NAT configuration error in rule 10: inbound-interface not specified

[[nat]] failed
Commit failed
[edit]

This generates this iptables:

# iptables-save
# Generated by iptables-save v1.4.21 on Tue Jan 21 22:25:01 2020
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:VYATTA_PRE_DNAT_HOOK - [0:0]
:VYATTA_PRE_SNAT_HOOK - [0:0]
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A PREROUTING -d 10.60.192.1/32 -i dum0 -p tcp -m multiport --dports 80,443 -m comment --comment DST-NAT-10 -j DNAT --to-destination 192.168.5.1
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
-A POSTROUTING -d 192.168.5.0/24 -o eth1 -m comment --comment SRC-NAT-10 -j MASQUERADE
-A VYATTA_PRE_DNAT_HOOK -j RETURN
-A VYATTA_PRE_SNAT_HOOK -j RETURN
COMMIT
# Completed on Tue Jan 21 22:25:01 2020

As traffic could be arriving at that IP address over ANY interface, it won't (and doesn't) work.

All that needs to happen is that the destination interface needs to become optional. Removing the interface from prerouting works:

# iptables-save
# Generated by iptables-save v1.4.21 on Tue Jan 21 22:28:35 2020
*nat
:PREROUTING ACCEPT [8:500]
:INPUT ACCEPT [3:244]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:VYATTA_PRE_DNAT_HOOK - [0:0]
:VYATTA_PRE_SNAT_HOOK - [0:0]
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A PREROUTING -d 10.60.192.1/32 -p tcp -m multiport --dports 80,443 -m comment --comment DST-NAT-10 -j DNAT --to-destination 192.168.5.1
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
-A POSTROUTING -d 192.168.5.0/24 -o eth1 -m comment --comment SRC-NAT-10 -j MASQUERADE
-A VYATTA_PRE_DNAT_HOOK -j RETURN
-A VYATTA_PRE_SNAT_HOOK -j RETURN
COMMIT
# Completed on Tue Jan 21 22:28:35 2020
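As an added audit check (not part of this bug report or of VyOS), the following Python parses iptables-save output like the two dumps above and classifies each DNAT rule by its inbound-interface match, so a reviewer can see at a glance which rules apply to traffic from every interface and which are pinned to an interface. It assumes dummy interfaces are named dum* (as dum0 is here) and uses a constructed sample modelled on the first dump.

```python
import shlex

# Constructed sample modelled on the first iptables-save dump in this report
# (rule 10 carries "-i dum0" because VyOS insisted on an inbound-interface).
SAMPLE_NAT = """\
*nat
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A PREROUTING -d 10.60.192.1/32 -i dum0 -p tcp -m multiport --dports 80,443 -m comment --comment DST-NAT-10 -j DNAT --to-destination 192.168.5.1
-A POSTROUTING -d 192.168.5.0/24 -o eth1 -m comment --comment SRC-NAT-10 -j MASQUERADE
"""
# Options whose next token is their value; any other token is skipped.
VALUE_OPTS = {"-i": "in_iface", "-d": "dst", "--dports": "dports",
              "--to-destination": "to", "--comment": "comment"}

def parse_dnat_rules(dump):
    """Return one dict per '-j DNAT' rule in the *nat table of an iptables-save dump."""
    rules, in_nat = [], False
    for line in dump.splitlines():
        if line.startswith("*"):              # table header, e.g. "*nat"
            in_nat = (line == "*nat")
            continue
        if not in_nat or not line.startswith("-A "):
            continue
        tokens = shlex.split(line)            # shlex keeps quoted comments intact
        if "DNAT" not in tokens:              # skip hooks, MASQUERADE, RETURN rules
            continue
        rule = {"in_iface": None, "dst": None, "dports": [], "to": None, "comment": None}
        i = 2
        while i < len(tokens):
            key = VALUE_OPTS.get(tokens[i])
            if key and i + 1 < len(tokens):
                rule[key] = tokens[i + 1].split(",") if key == "dports" else tokens[i + 1]
                i += 2
            else:
                i += 1                        # "-m multiport", "-p tcp", "-j DNAT", "!" ...
        rules.append(rule)
    return rules

def audit_dnat(dump):
    """Classify each DNAT rule by how its inbound-interface match scopes it."""
    result = []
    for r in parse_dnat_rules(dump):
        if r["in_iface"] is None:
            scope = "any-interface"           # matches ingress on every interface
        elif r["in_iface"].startswith("dum"):
            scope = "dummy-interface"         # per the report: never sees arriving traffic
        else:
            scope = "interface-bound"
        result.append((r["comment"], r["dst"], r["in_iface"], scope))
    return result
```

Feed it `iptables-save` output from the router; a rule reported as dummy-interface is the symptom this report describes, and any-interface is what the author needed.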

Details

Difficulty level: Unknown (require assessment)
Version: current
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)

Event Timeline

Turns out that 'destination-interface any' works, and I just hadn't read the help.

# set nat destination rule 10 inbound-interface [tab]
Possible completions:
   <interface>  Interface name or "any"
   any
   dum0