
hairpin nat (nat reflector) "hijacks" all outgoing traffic on specified port to any destination
Closed (Duplicate) · Public · Feature Request

Description

I have a dynamic address on my external interface. When configuring hairpin nat (nat reflection) on port 80 on that interface, all outgoing traffic on port 80 is "hijacked".

I am following the nat44 example from the VyOS documentation
https://docs.vyos.io/en/latest/configuration/nat/nat44.html

vyos@vyos# show nat
 destination {
     rule 100 {
         description "Regular destination NAT from external"
         destination {
             port 80
         }
         inbound-interface eth0
         protocol tcp
         translation {
             address 10.0.10.1
         }
     }
     rule 110 {
         description "NAT Reflection: INSIDE"
         destination {
             port 80
         }
         inbound-interface eth4
         protocol tcp
         translation {
             address 10.0.10.1
         }
     }
 }
 source {
     rule 110 {
         description "NAT Reflection: INSIDE"
         destination {
             address 10.0.0.0/16
         }
         outbound-interface eth4
         protocol tcp
         source {
             address 10.0.0.0/16
         }
         translation {
             address masquerade
         }
     }
 }

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.4-rolling-202204190217
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Set the destination external address, it is required. Otherwise you send all traffic to the local server.

Is there a way to get this to work with a dhcp assigned WAN address?

In either case, might be good to update the documentation below to reflect either use of a static ip, or another way if possible. The current example does not work as intended:
https://docs.vyos.io/en/latest/configuration/nat/nat44.html

Related to task T2196
Also, there can be an issue if you get a non-external address via DHCP which is behind NAT.
So you need some external script which will give you your external address, like

curl ifconfig.me
Viacheslav changed the subtype of this task from "Bug" to "Feature Request". Jul 30 2022, 1:48 PM
dmbaturin subscribed.

I've merged this into the feature request because the real issue is that we don't have dynamic hairpin NAT yet, while this behavior for "static" NAT is not wrong. We'll get to it.
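The overmatch described in the report and in the first reply (a destination rule on the inside interface that matches on a port but pins no destination address, so every outbound connection on that port is redirected) can be caught mechanically by linting the `show nat` output. Added example, not code from this task or from VyOS; the sample config is constructed from the report, and `eth0` is assumed to be the only external interface.

```python
# Lint VyOS 'show nat' destination rules: a rule that matches traffic
# arriving on a non-external interface, filters only on port, and has no
# destination address redirects all outbound traffic on that port.
SAMPLE = """
destination {
    rule 100 {
        destination {
            port 80
        }
        inbound-interface eth0
        protocol tcp
    }
    rule 110 {
        description "NAT Reflection: INSIDE"
        destination {
            port 80
        }
        inbound-interface eth4
        protocol tcp
    }
}
"""  # constructed from the report; translation blocks omitted for brevity


def parse_config(text):
    """Parse VyOS brace-style config into nested dicts; leaves are key -> value."""
    root = {}
    stack = [root]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip('"')
    return root


def overbroad_rules(text, external_ifaces):
    """Return numbers of destination rules that match on an inside interface
    without pinning a destination address (they redirect all traffic on the port)."""
    findings = []
    for name, rule in parse_config(text).get("destination", {}).items():
        if not name.startswith("rule "):
            continue
        iface = rule.get("inbound-interface")
        if iface and iface not in external_ifaces and "address" not in rule.get("destination", {}):
            findings.append(int(name.split()[1]))
    return findings
```

Running `overbroad_rules(SAMPLE, {"eth0"})` flags rule 110 only; adding `address <external address>` under its `destination` block, as the first reply advises, clears the finding.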