Port NAT is implemented, but for IPv6 the address + port translation is rendered in a form that netfilter accepts syntactically, so no error is reported at commit time, yet the translation does not occur.
Example:
```
vyos@vyos# run show config comm | grep nat66
set nat66 destination rule 10 destination address '2307:e4c0:3::85'
set nat66 destination rule 10 destination port '1522'
set nat66 destination rule 10 inbound-interface 'eth0'
set nat66 destination rule 10 protocol 'tcp'
set nat66 destination rule 10 translation address 'fc01::2'
set nat66 destination rule 10 translation port '2222'
```
NFT rule in nat generated with this config:
```
vyos@vyos# sudo nft list ruleset | grep DST-NAT66-1
iifname "eth0" ip6 daddr 2307:e4c0:3::85 tcp dport 1522 counter packets 2 bytes 160 dnat to fc01::2:2222 comment "DST-NAT66-10"
[edit]
vyos@vyos#
```
Error: `fc01::2:2222` is parsed by nft as a plain IPv6 address, not as an IPv6 address plus port.
Manual fix: write the full IPv6 address, without `::`.
Example:
## Config

```
set nat66 destination rule 20 destination address '2307:e4c0:3::85'
set nat66 destination rule 20 destination port '1522'
set nat66 destination rule 20 inbound-interface 'eth0'
set nat66 destination rule 20 protocol 'tcp'
set nat66 destination rule 20 translation address 'fc01:0:0:0:0:0:0:2'
set nat66 destination rule 20 translation port '2222'
```

## Correct rule

```
vyos@vyos# sudo nft list ruleset | grep DST-NAT66-20
iifname "eth0" ip6 daddr 2307:e4c0:3::85 tcp dport 1522 counter packets 0 bytes 0 dnat to [fc01::2]:2222 comment "DST-NAT66-20"
[edit]
vyos@vyos#
```
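As an added illustration (not VyOS code), a small Python helper showing why nft silently accepts the broken form and how a rule generator should render an address + port target so that IPv6 gets bracketed. `nft_nat_target` and `is_ambiguous_target` are hypothetical names chosen for this example.

```python
import ipaddress
from typing import Optional


def nft_nat_target(address: str, port: Optional[str] = None) -> str:
    """Render the target of an nft 'dnat to' / 'snat to' expression.

    An IPv6 address carrying a port must be written as [addr]:port;
    without the brackets nft reads the trailing ':port' as further
    hextets of the address, which is the silent mis-translation seen
    with rule 10 above.  IPv4 targets stay as plain addr:port.
    """
    ip = ipaddress.ip_address(address)  # ValueError on malformed input
    if port is None:
        return str(ip)
    if ip.version == 6:
        return f"[{ip}]:{port}"
    return f"{ip}:{port}"


def is_ambiguous_target(rendered: str) -> bool:
    """True if a rendered 'addr:port' string is itself a valid IPv6
    address, i.e. nft would accept it as an address with no port at all.
    Useful as a check in a generator before emitting the ruleset."""
    try:
        ipaddress.IPv6Address(rendered)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs mirroring rules 10 and 20 from the report.
    print(nft_nat_target("fc01::2", "2222"))              # [fc01::2]:2222
    print(nft_nat_target("fc01:0:0:0:0:0:0:2", "2222"))   # [fc01::2]:2222
    print(is_ambiguous_target("fc01::2:2222"))            # True
    print(is_ambiguous_target("[fc01::2]:2222"))          # False
```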