Page MenuHomeVyOS Platform
Create Task
Maniphest T4375

hairpin nat (nat reflector) "hijacks" all outgoing traffic on specified port to any destination
Closed, DuplicatePublicFEATURE REQUEST
Actions

Description

I have a dynamic address on my external interface. When configuring hairpin nat (nat reflection) on port 80 on that interface, all outgoing traffic on port 80 is "hijacked".

I am following the nat44 example from the VyOS documentation
https://docs.vyos.io/en/latest/configuration/nat/nat44.html

vyos@vyos# show nat
 destination {

     rule 100 {
         description "Regular destination NAT from external"
         destination {
             port 80
         }
         inbound-interface eth0
         protocol tcp
         translation {
             address 10.0.10.1
         }
     }
     rule 110 {
         description "NAT Reflection: INSIDE"
         destination {
             port 80
         }
         inbound-interface eth4
         protocol tcp
         translation {
             address 10.0.10.1
         }
     }
 }
 source {
     rule 110 {
         description "NAT Reflection: INSIDE"
         destination {
             address 10.0.0.0/16
         }
         outbound-interface eth4
         protocol tcp
         source {
             address 10.0.0.0/16
         }
         translation {
             address masquerade
         }
     }
 }

Details

Version
VyOS 1.4-rolling-202204190217
Is it a breaking change?
Perfectly compatible
Issue type
Unspecified (please specify)

Related Objects

Event Timeline

ajgnet created this task.Apr 19 2022, 9:53 AM
Viacheslav subscribed.EditedApr 19 2022, 12:59 PM

Set destination external address, it is required. In other case you set all traffic to local server.

ajgnet added a comment.Apr 19 2022, 2:05 PM

Is there a way to get this to work with a dhcp assigned WAN address?

In either case, might be good to update the documentation below to reflect either use of a static ip, or another way if possible. The current example does not work as intended:
https://docs.vyos.io/en/latest/configuration/nat/nat44.html

Viacheslav added a comment.EditedApr 19 2022, 3:40 PM

Related to task T2196
Also there can be an issue if you get by DHCP non external addresses which behind nat.
So you need some external scripts which will give you your external address, like

curl ifconfig.me
pasik subscribed.Apr 19 2022, 5:20 PM
Viacheslav changed the subtype of this task from "Bug" to "Feature Request".Jul 30 2022, 1:48 PM
danhusan subscribed.Sep 18 2022, 3:42 PM
Alfa80 subscribed.Feb 6 2023, 6:38 PM
dmbaturin triaged this task as High priority.Jan 9 2024, 8:53 PM
hsw0 subscribed.Mar 18 2024, 9:33 PM
syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta.May 7 2024, 8:03 AM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.1); removed VyOS 1.4 Sagitta (1.4.0-GA).Jul 2 2024, 7:28 PM
dmbaturin added a project: Bugs.Sep 15 2024, 5:03 PM
dmbaturin closed this task as a duplicate of T2196: Dynamic ipv4 interface list hairpin.Sep 24 2024, 4:00 PM
dmbaturin subscribed.

I've merged this into the feature request because the real issue is that we don't have dynamic hairpin NAT yet, while this behavior for "static" NAT is not wrong. We'll get to it.

dmbaturin removed a project: Bugs.Oct 8 2024, 8:50 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Bug (incorrect behavior) to improvement.
dmbaturin edited projects, added VyOS Rolling; removed VyOS 1.4 Sagitta (1.4.1).Dec 3 2024, 5:15 PM
dmbaturin changed Issue type from improvement to Unspecified (please specify).