Page MenuHomeVyOS Platform
Create Task
Maniphest T7243

Add NAT OUTPUT
Open, LowPublic
Actions

Description

My case is about Clash, a VPN-like service. It listens on a DNS port and accepts and redirects traffic based on rules.

It works well for LAN traffic, but I want to make the router itself able to reach GitHub, Google, etc., which are blocked in China.

My Clash instance listens on 0.0.0.0:7874 and creates a utun interface. It resolves domains to a fake IP range, such as 198.18.0.0/15. I redirect LAN DNS traffic to 7874 (which was originally sent to port 53). If the DNS results fall within the fake IP range, the traffic goes to utun, allowing LAN devices to access GitHub and Google.

I need to achieve the same on the router itself. Here is what I do manually:

sudo nft add chain ip vyos_nat OUTPUT { type nat hook output priority -100 \; }
sudo nft add rule ip vyos_nat OUTPUT tcp dport 53 dnat to 127.0.0.1:7874
sudo nft add rule ip vyos_nat OUTPUT udp dport 53 dnat to 127.0.0.1:7874

I haven't found any other way to achieve this.

I plan to add an entry like this:

nat/
    output/
        rule xxx/
            destionation ...
            outbound-interface ...
            protocol ...
            translation/
                address ...
                port ...

Maybe I can copy config tree from nat/destination.

Additionally, I plan to add chain OUTPUT in nftables-nat.j2.

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

sskaje created this task.Fri, Mar 14, 11:32 AM
sskaje created this object in space S1 VyOS Public.
sskaje added a comment.EditedFri, Mar 14, 1:51 PM

Case 1: Forward 127.0.0.1:53 to 127.0.0.1:7874

127.0.0.1 was not listened by any service, 127.0.0.1:7874 is listened by clash DNS.

set nat output rule 100 destination address '127.0.0.1'
set nat output rule 100 destination port '53'
set nat output rule 100 protocol 'tcp_udp'
set nat output rule 100 translation address '127.0.0.1'
set nat output rule 100 translation port '7874'

Case 2: Forward 192.168.10.3:53 to 192.168.10.1:7874

192.168.10.3 is not up, just test for external ips. 192.168.10.1:7874 is clash on another vyos

set nat output rule 110 destination address '192.168.10.3'
set nat output rule 110 destination port '53'
set nat output rule 110 protocol 'tcp_udp'
set nat output rule 110 translation address '192.168.10.1'
set nat output rule 110 translation port '7874'

Case 3: forward 127.0.0.200:53 to 127.0.0.1:7874

forward among lookback ips

set nat output rule 120 destination address '127.0.0.200'
set nat output rule 120 destination port '53'
set nat output rule 120 protocol 'tcp_udp'
set nat output rule 120 translation address '127.0.0.1'
set nat output rule 120 translation port '7874'

Case 4: forward 127.0.0.1:53 to 192.168.10.1:7874
OUTPUT + SNAT not working.

pasik subscribed.Fri, Mar 14, 11:00 PM
sskaje updated the task description. (Show Details)Sat, Mar 15, 2:58 PM