Hi
It seems like
connection-status { nat destination }
has been broken somewhere between 1.4.x-rolling-202312290303 and epa1.
We are seeing multiple reports:
- https://forum.vyos.io/t/any-differences-in-firewall-configuration-syntax-between-1-4-rolling-202312140147-and-1-4-0-epa1/13812/8
- https://forum.vyos.io/t/another-port-forward-firewall-issue/13815/5
that explicitly defining the protocol, ports and destination address works, but using the nat destination filter does not.
Copy of my post on the forum:
Hi
I just want to add that I am also seeing issues with DNAT after moving from 1.4.x-rolling-202312290303 to 1.4.0-epa1
Some testing seems to indicate that
connection-status { nat destination } is not working correctly.
If I add explicit rules to the firewall instead, then the traffic starts passing correctly.
In the example below rules 10 and 20 are the old rules while 30 and 40 are new rules that cover part of my DNAT.
default-action return
rule 10 {
    action accept
    connection-status {
        nat destination
    }
    source {
        geoip {
            country-code xxx
        }
    }
    state new
}
rule 20 {
    action accept
    connection-status {
        nat destination
    }
    source {
        group {
            address-group XXXX
        }
    }
    state new
}
rule 30 {
    action accept
    destination {
        address xxx.xxx.xxx.xxx
        port 80
    }
    protocol tcp_udp
    state new
}
rule 40 {
    action accept
    destination {
        address xxx.xxx.xxx.xxx
        port 443
    }
    protocol tcp_udp
    state new
}
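As an added diagnostic that is not part of the report above (nor VyOS project code): the `connection-status { nat destination }` match is rendered by VyOS into the nftables expression `ct status dnat`, so the quickest way to tell whether the rule is installed and actually being hit is to read the packet counters from `sudo nft list ruleset`. The script below parses that output, lists every rule carrying `ct status dnat`, and flags the ones whose counter is still zero while traffic is flowing. The ruleset text embedded here is constructed for the example (chain and table names, comments and counter values are assumptions, not a capture from an affected box); on a real system feed it the output of `sudo nft list ruleset`.

```python
import re
import subprocess
import sys

# Constructed sample of `nft list ruleset` output; table/chain names, addresses,
# set names and counters are invented for this example, not taken from a real box.
SAMPLE_RULESET = """\
table ip vyos_filter {
	chain VYOS_FORWARD_filter {
		type filter hook forward priority filter; policy accept;
		ct state new ct status dnat ip saddr @A_XXXX counter packets 0 bytes 0 accept comment "ipv4-FWD-filter-20"
		ct state new meta l4proto { tcp, udp } th dport 80 ip daddr 192.0.2.10 counter packets 812 bytes 61204 accept comment "ipv4-FWD-filter-30"
		counter packets 17 bytes 1360 return comment "ipv4-FWD-filter-default-action"
	}
}
"""

_CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
_COUNTER_RE = re.compile(r"counter packets (\d+) bytes (\d+)")
_COMMENT_RE = re.compile(r'comment "([^"]*)"')


def find_dnat_rules(ruleset_text):
    """Return every rule that matches on `ct status dnat`, with its chain,
    comment and packet counter, in the order nft prints them."""
    rules = []
    chain = None
    for line in ruleset_text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if "ct status dnat" not in line:
            continue
        counter = _COUNTER_RE.search(line)
        comment = _COMMENT_RE.search(line)
        rules.append({
            "chain": chain,
            "rule": line.strip(),
            "packets": int(counter.group(1)) if counter else None,
            "comment": comment.group(1) if comment else "",
        })
    return rules


def unmatched_dnat_rules(ruleset_text):
    """Comments of `ct status dnat` rules whose packet counter is zero.
    A zero counter on a rule that should be carrying DNAT traffic means the
    match never fires (wrong chain, wrong ordering, or a rendering bug),
    which is the symptom the report above describes."""
    return [r["comment"] for r in find_dnat_rules(ruleset_text)
            if r["packets"] == 0]


def main(argv):
    # With no argument, analyse the constructed sample; otherwise read a file
    # saved from `sudo nft list ruleset > ruleset.txt`.
    text = SAMPLE_RULESET if len(argv) < 2 else open(argv[1]).read()
    rules = find_dnat_rules(text)
    if not rules:
        print("no rule with `ct status dnat` is installed at all")
        return 1
    for r in rules:
        print(f"{r['chain']}: [{r['comment']}] packets={r['packets']}")
    zero = unmatched_dnat_rules(text)
    if zero:
        print("never matched:", ", ".join(zero))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If no `ct status dnat` line shows up at all, the problem is in rule rendering rather than matching; if the line is present but stays at zero packets while the explicit port rules (30/40 in the post) count up, the match itself is not firing, which is worth stating in the bug report alongside the config.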