Page MenuHomeVyOS Platform
Create Task
Maniphest T4375

hairpin nat (nat reflector) "hijacks" all outgoing traffic on specified port to any destination
Open, HighPublicFEATURE REQUEST
Actions

Description

I have a dynamic address on my external interface. When configuring hairpin nat (nat reflection) on port 80 on that interface, all outgoing traffic on port 80 is "hijacked".

I am following the nat44 example from the VyOS documentation
https://docs.vyos.io/en/latest/configuration/nat/nat44.html

vyos@vyos# show nat
 destination {

     rule 100 {
         description "Regular destination NAT from external"
         destination {
             port 80
         }
         inbound-interface eth0
         protocol tcp
         translation {
             address 10.0.10.1
         }
     }
     rule 110 {
         description "NAT Reflection: INSIDE"
         destination {
             port 80
         }
         inbound-interface eth4
         protocol tcp
         translation {
             address 10.0.10.1
         }
     }
 }
 source {
     rule 110 {
         description "NAT Reflection: INSIDE"
         destination {
             address 10.0.0.0/16
         }
         outbound-interface eth4
         protocol tcp
         source {
             address 10.0.0.0/16
         }
         translation {
             address masquerade
         }
     }
 }

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202204190217
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

ajgnet created this task.Apr 19 2022, 9:53 AM
Viacheslav added a subscriber: Viacheslav.EditedApr 19 2022, 12:59 PM

Set destination external address, it is required. In other case you set all traffic to local server.

ajgnet added a comment.Apr 19 2022, 2:05 PM

Is there a way to get this to work with a dhcp assigned WAN address?

In either case, might be good to update the documentation below to reflect either use of a static ip, or another way if possible. The current example does not work as intended:
https://docs.vyos.io/en/latest/configuration/nat/nat44.html

Viacheslav added a comment.EditedApr 19 2022, 3:40 PM

Related to task T2196
Also there can be an issue if you get by DHCP non external addresses which behind nat.
So you need some external scripts which will give you your external address, like

curl ifconfig.me
pasik added a subscriber: pasik.Apr 19 2022, 5:20 PM
Viacheslav changed the subtype of this task from "Bug" to "Feature Request".Jul 30 2022, 1:48 PM
danhusan added a subscriber: danhusan.Sep 18 2022, 3:42 PM
Alfa80 added a subscriber: Alfa80.Feb 6 2023, 6:38 PM
dmbaturin triaged this task as High priority.Jan 9 2024, 8:53 PM
hsw0 added a subscriber: hsw0.Mar 18 2024, 9:33 PM