
    VyOS Port Address Translation for HTTPS

    IT Discussion
    vyos vyatta router nat pat networking
    • scottalanmiller

      I am trying to get HTTPS forwarded through a VyOS router. Here is where I am...

      Firewall Settings for Port 443:

      rule 40 {
          action drop
          destination {
              port 443
          }
          protocol tcp
          recent {
              count 4
              time 60
          }
          state {
              new enable
          }
      }
      rule 41 {
          action accept
          destination {
              port 443
          }
          protocol tcp
          state {
              new enable
          }
      }
      

      And here are the NAT rules...

      nat {
          destination {
              rule 100 {
                  description "Port Forward: HTTPS to 192.168.1.31"
                  destination {
                      port 443
                  }
                  inbound-interface eth0
                  protocol tcp
                  translation {
                      address 192.168.1.31
                  }
              }
          }
          source {
              rule 100 {
                  outbound-interface eth0
                  source {
                      address 192.168.0.0/22
                  }
                  translation {
                      address masquerade
                  }
              }
          }
      }
      

      I can ping 192.168.1.31 and if I use curl I can see the contents of the web page. So I know that things are working up until that point.

      • JaredBusch @scottalanmiller

        @scottalanmiller said in VyOS Port Address Translation for HTTPS:

        I am trying to get HTTPS forwarded through a VyOS router. Here is where I am...

        VyOS or EdgeOS? They are not the same thing. Most likely nothing has changed here, but EdgeOS is not the same fork as VyOS.

        • scottalanmiller @JaredBusch

          @JaredBusch said in VyOS Port Address Translation for HTTPS:

          @scottalanmiller said in VyOS Port Address Translation for HTTPS:

          I am trying to get HTTPS forwarded through a VyOS router. Here is where I am...

          VyOS or EdgeOS? They are not the same thing. Most likely nothing has changed here, but EdgeOS is not the same fork as VyOS.

          Actual VyOS.

          • scottalanmiller

            I had the firewall rule wrong so I cleaned that up. But still not working...

                    rule 40 {
                        action accept
                        destination {
                            address 192.168.1.31
                            port 443
                        }
                        protocol tcp
                        state {
                            new enable
                        }
                    }
            
            • JaredBusch

              Here are my EdgeOS Firewall rules for WAN_IN at one client.

               rule 1 {
                   action accept
                   description "Accept Established and Related"
                   log disable
                   state {
                       established enable
                       related enable
                   }
               }
               rule 2 {
                   action drop
                   description "Drop Invalid"
                   log enable
                   state {
                       invalid enable
                   }
               }
               rule 6 {
                   action accept
                   description "Allow New to NginX Proxy"
                   destination {
                       address 10.202.1.16
                       group {
                           port-group HTTP_HTTPS
                       }
                   }
                   log disable
                   protocol tcp_udp
                   state {
                       new enable
                   }
               }
               rule 8 {
                   action accept
                   description "Accept New for PBX"
                   destination {
                       group {
                           port-group PBX_Ports
                       }
                   }
                   log disable
                   protocol udp
                   source {
                       group {
                           address-group PBX_Addresses
                       }
                   }
                   state {
                       established disable
                       invalid disable
                       new enable
                       related disable
                   }
               }
               rule 9 {
                   action accept
                   description "Accept new for RDS"
                   destination {
                       address 10.202.1.13
                       group {
                           port-group RDS_Ports
                       }
                   }
                   log disable
                   protocol tcp
                   state {
                       established disable
                       invalid disable
                       new enable
                       related disable
                   }
               }
               rule 10 {
                   action accept
                   description "Accept New RDP"
                   destination {
                       address 10.202.1.13
                       port 3389
                   }
                   log disable
                   protocol tcp
                   source {
                       group {
                           address-group RDP_Allowed_IP
                       }
                   }
                   state {
                       established disable
                       invalid disable
                       new enable
                       related disable
                   }
               }
              
              • scottalanmiller

                And here is the current NAT file...

                nat {
                    destination {
                        rule 10 {
                            description "Port Forward: HTTPS to 192.168.1.31"
                            destination {
                                port 443
                            }
                            inbound-interface eth0
                            protocol tcp
                            translation {
                                address 192.168.1.31
                            }
                        }
                    }
                }
                
                • JaredBusch

                  Here are the NAT rules.

                   rule 1 {
                       description "NginX Proxy"
                       destination {
                           address XXX.XXX.XXX.43
                           group {
                               port-group HTTP_HTTPS
                           }
                       }
                       inbound-interface eth0
                       inside-address {
                           address 10.202.1.16
                       }
                       log disable
                       protocol tcp_udp
                       type destination
                   }
                   rule 3 {
                       description "RDS HTTPS"
                       destination {
                           address XXX.XXX.XXX.44
                           port 443
                       }
                       inbound-interface eth0
                       inside-address {
                           address 10.202.1.13
                           port 443
                       }
                       log disable
                       protocol tcp
                       type destination
                   }
                   rule 4 {
                       description "RDS RDP"
                       destination {
                           address XXX.XXX.XXX.44
                           port 3389
                       }
                       inbound-interface eth0
                       inside-address {
                           address 10.202.1.13
                           port 3389
                       }
                       log disable
                       protocol tcp
                       source {
                           group {
                               address-group RDP_Allowed_IP
                           }
                       }
                       type destination
                   }
                   rule 5 {
                       description "PBX Restricted Port Forward"
                       destination {
                           address XXX.XXX.XXX.42
                           group {
                               port-group PBX_Ports
                           }
                       }
                       inbound-interface eth0
                       inside-address {
                           address 10.202.1.9
                       }
                       log disable
                       protocol udp
                       type destination
                   }
                   rule 5000 {
                       description "Nginx Proxy"
                       destination {
                       }
                       log disable
                       outbound-interface eth0
                       outside-address {
                           address XXX.XXX.XXX.43
                       }
                       protocol all
                       source {
                           address 10.202.1.16
                           group {
                           }
                       }
                       type source
                   }
                   rule 5002 {
                       description "RDS HTTPS"
                       log disable
                       outbound-interface eth0
                       outside-address {
                           address XXX.XXX.XXX.44
                           port 443
                       }
                       protocol tcp
                       source {
                           address 10.202.1.13
                           port 443
                       }
                       type source
                   }
                   rule 5003 {
                       description "RDS RDP"
                       destination {
                           group {
                               address-group RDP_Allowed_IP
                           }
                       }
                       log disable
                       outbound-interface eth0
                       outside-address {
                           address XXX.XXX.XXX.44
                           port 3389
                       }
                       protocol tcp
                       source {
                           address 10.202.1.13
                           port 3389
                       }
                       type source
                   }
                   rule 5005 {
                       description "Default NAT Masquerade"
                       log disable
                       outbound-interface eth0
                       protocol all
                       type masquerade
                   }
                  
                  • scottalanmiller

                    I'm working from the examples here...

                    http://vyos.net/wiki/User_Guide

                    • JaredBusch

                      Just comparing my Nginx rules to yours, it all looks laid out right.

                      • JaredBusch

                        Did you apply the firewall rule to the interface?

                        • scottalanmiller @JaredBusch

                          @JaredBusch said in VyOS Port Address Translation for HTTPS:

                          Did you apply the firewall rule to the interface?

                          I've even rebooted!

                          • JaredBusch

                            Do you have a source rule to match this? Or does the source rule work on the default masquerade, i.e. you only have a single static IP involved here?

                            • JaredBusch

                              You can see in my RDP rules that I have a source rule set up because it is a different IP than the default IP of the router.

                              • scottalanmiller @JaredBusch

                                @JaredBusch said in VyOS Port Address Translation for HTTPS:

                                Do you have a source rule to match this? Or does the source rule work on the default masquerade, i.e. you only have a single static IP involved here?

                                I just removed the source rule to test. There is only one static IP at the moment.

                                • scottalanmiller

                                  Got it working. The firewall rule was in the wrong section of the firewall.

                                  • JaredBusch @scottalanmiller

                                    @scottalanmiller said in VyOS Port Address Translation for HTTPS:

                                    Got it working. The firewall rule was in the wrong section of the firewall.

                                    You had it on eth0 local instead of eth0 in?

                                    • scottalanmiller @JaredBusch

                                      @JaredBusch said in VyOS Port Address Translation for HTTPS:

                                      @scottalanmiller said in VyOS Port Address Translation for HTTPS:

                                      Got it working. The firewall rule was in the wrong section of the firewall.

                                      You had it on eth0 local instead of eth0 in?

                                      Yuppers.

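The mistake the thread ends on (the accept rule living in the rule set attached to eth0 local, which only sees traffic addressed to the router itself, instead of the one on eth0 in, which filters forwarded traffic) is easy to catch mechanically. The following is an added example, not code from VyOS or from either poster. It parses the "show configuration commands" form of a VyOS config (flat set ... lines rather than the brace layout quoted in the posts) and checks that every destination-NAT target is accepted by the rule set on the inbound interface's in hook. It assumes the pre-1.4 syntax "interfaces ethernet eth0 firewall in|local name RULESET", that every set line ends in a value, and that a destination NAT rule without a translation port keeps the matched destination port; the sample configuration inside it is constructed, not taken from any real router.

```python
# Added example (not VyOS code, not the posters' code): lint a VyOS config (pre-1.4 firewall
# syntax) so that every destination-NAT target is accepted by the rule set attached to the
# inbound interface's "in" hook, which filters forwarded traffic. A rule set on "local" only
# sees traffic addressed to the router itself, which is the mistake this thread ends on.
import shlex


def parse_set_commands(text):
    """'show configuration commands' output -> nested dicts. Each line is
    'set <path...> <value>': the path becomes nested keys and the last token the
    leaf value. Assumes every line ends in a value (valueless nodes are not handled)."""
    root = {}
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps a quoted description as one token
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        node = root
        for key in tokens[1:-2]:
            node = node.setdefault(key, {})
        node[tokens[-2]] = tokens[-1]
    return root


def dnat_targets(cfg):
    """Yield (inbound interface, translated address, port) for each destination NAT rule."""
    for rule in cfg.get("nat", {}).get("destination", {}).get("rule", {}).values():
        trans = rule.get("translation", {})
        # Without 'translation port' the matched destination port is kept (assumption).
        port = trans.get("port") or rule.get("destination", {}).get("port")
        yield rule.get("inbound-interface"), trans.get("address"), port


def ruleset_accepts(ruleset, addr, port):
    """First-match evaluation of one rule set for a *new* TCP connection to addr:port."""
    for _, rule in sorted(ruleset.get("rule", {}).items(), key=lambda kv: int(kv[0])):
        state = rule.get("state", {})
        if state and state.get("new") != "enable":
            continue  # established/related/invalid-only rules never see the first packet
        if "recent" in rule:
            continue  # rate-limit rule: matches a burst, not an ordinary new connection
        if rule.get("protocol", "all") not in ("tcp", "tcp_udp", "all"):
            continue
        dst = rule.get("destination", {})
        if dst.get("address", addr) != addr or dst.get("port", port) != port:
            continue
        return rule.get("action") == "accept"
    return ruleset.get("default-action") == "accept"


def check_forwarding(cfg):
    """Verdict per DNAT target: 'ok', 'unfiltered' (nothing on the in hook) or 'blocked: ...'."""
    eth = cfg.get("interfaces", {}).get("ethernet", {})
    names = cfg.get("firewall", {}).get("name", {})
    verdicts = {}
    for iface, addr, port in dnat_targets(cfg):
        hooks = eth.get(iface, {}).get("firewall", {})
        in_name = hooks.get("in", {}).get("name")
        local_name = hooks.get("local", {}).get("name")
        if in_name is None:
            verdict = "unfiltered"
        elif ruleset_accepts(names.get(in_name, {}), addr, port):
            verdict = "ok"
        elif local_name and ruleset_accepts(names.get(local_name, {}), addr, port):
            # The thread's mistake: the accept rule sits in the set on the wrong hook.
            verdict = (f"blocked: accept rule is in {local_name} ({iface} local); "
                       f"forwarded traffic is filtered by {in_name} ({iface} in)")
        else:
            verdict = f"blocked: {in_name} ({iface} in) has no accept rule for the target"
        verdicts[f"{iface} {addr}:{port}"] = verdict
    return verdicts


def sample_config(ruleset_for_443):
    """Constructed config (not from any real router): WAN_IN on eth0 in, WAN_LOCAL on
    eth0 local, both default-drop; the HTTPS accept rule goes into `ruleset_for_443`."""
    return f"""
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 1 action accept
set firewall name WAN_IN rule 1 state established enable
set firewall name WAN_IN rule 1 state related enable
set firewall name WAN_LOCAL default-action drop
set firewall name {ruleset_for_443} rule 40 action accept
set firewall name {ruleset_for_443} rule 40 destination address 192.168.1.31
set firewall name {ruleset_for_443} rule 40 destination port 443
set firewall name {ruleset_for_443} rule 40 protocol tcp
set firewall name {ruleset_for_443} rule 40 state new enable
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set nat destination rule 10 description 'Port Forward: HTTPS to 192.168.1.31'
set nat destination rule 10 destination port 443
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 192.168.1.31
"""


if __name__ == "__main__":
    for placement in ("WAN_LOCAL", "WAN_IN"):
        print(placement, check_forwarding(parse_set_commands(sample_config(placement))))
```

Run against a real router, replace sample_config with the output of "show configuration commands" and the checker reports, per forwarded target, whether the in-hook rule set accepts it; the WAN_LOCAL placement reproduces the thread's symptom (NAT correct, curl from the LAN works, nothing arrives from outside) and the WAN_IN placement reports ok.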