
NAT rule applies to networks behind ipsec
Closed, Invalid | Public | BUG


Daniil, we had the issue described in the subject on a VyOS installation:

  • VyOS with a public network, an internal network, and an IPsec network (far end)
  • several DNAT rules from the public IP to internal network hosts (like FTP and WEB)

When a host from the IPsec network (far end) tries to access any port which is used in DNAT, it will always be forwarded to the DNAT destination host, even if the IP address used is explicitly from the internal network range.


Difficulty level: Hard (possibly days)
Why the issue appeared?: Will be filled on close

Event Timeline

syncer created this object with edit policy "Subscribers".
syncer triaged this task as Normal priority.

Recap from IRC: one fix would be to negate the VPN subnet in the source part of your DNAT rule.

@EwaldvanGeffen The real setup is now inactive; I will try to recreate a similar setup.

syncer edited projects, added VyOS 1.2 Crux; removed VyOS 1.1.x.

Moved this to 1.2 series

syncer changed the subtype of this task from "Task" to "Bug". Oct 18 2018, 5:52 AM

It's a classic issue. You need to create rules with the "exclude" option for such networks.

The question is where is the line between sensible defaults and trying to outsmart the user. Some people want their traffic to be NATed before IPsec kicks in, for example to fix subnet conflicts, or make a fixup for double NAT.
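The two workarounds mentioned in this thread (an "exclude" rule, and negating the VPN subnet in the DNAT rule's source match) side by side, as an added configuration example that is not part of the bug report or of the VyOS project. All addresses are constructed for illustration: public interface eth0, internal LAN 192.168.1.0/24, and a policy-based IPsec far-end network 10.20.0.0/24. Matching on `inbound-interface` alone does not help, because packets decrypted from a policy-based tunnel re-enter the NAT chain on the same public interface, so the far-end source prefix is the only thing that distinguishes them. The `!` negation syntax for the source address node is an assumption about this VyOS release; the `exclude` option is the one named in the thread.

```vyos
# Added example (not from the bug report). Constructed addresses:
#   eth0 = public interface, 192.168.1.0/24 = internal LAN,
#   10.20.0.0/24 = IPsec far-end network (policy-based tunnel).
# Destination NAT rules are checked in rule-number order; the first
# matching rule wins.

# Original (problem) rule: matches EVERY tcp/21 packet arriving on eth0,
# including decrypted traffic from 10.20.0.0/24 that is addressed to a
# 192.168.1.x host, so that traffic is rewritten to the FTP server.
set nat destination rule 100 description 'FTP from Internet to internal host'
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 destination port '21'
set nat destination rule 100 translation address '192.168.1.10'

# Fix A: an "exclude" rule with a lower number, so it is evaluated first.
# Anything sourced from the far-end network bypasses destination NAT
# entirely; one such rule covers every DNAT rule (FTP, WEB, ...).
set nat destination rule 10 description 'No DNAT for IPsec far-end sources'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 source address '10.20.0.0/24'
set nat destination rule 10 exclude

# Fix B (alternative, per the IRC suggestion): negate the VPN subnet in
# the source match of each DNAT rule. The '!' prefix is assumed to be
# accepted by this release's address node; verify with
#   set nat destination rule 100 source address ?
# before relying on it.
set nat destination rule 100 source address '!10.20.0.0/24'
```

Fix A scales better when several DNAT rules exist, since the far-end prefix is listed once instead of in every rule; Fix B keeps each rule self-describing but must be repeated for every DNAT rule, and a new rule added later without the negation silently reintroduces the problem.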

dmbaturin set Version to 1.1.8.
dmbaturin set Why the issue appeared? to Will be filled on close.
syncer edited projects, added Invalid; removed VyOS 1.3 Equuleus.