    VyOS Port Address Translation for HTTPS

    • JaredBusch

      Here are the NAT rules.

       rule 1 {
           description "NginX Proxy"
           destination {
               address XXX.XXX.XXX.43
               group {
                   port-group HTTP_HTTPS
               }
           }
           inbound-interface eth0
           inside-address {
               address 10.202.1.16
           }
           log disable
           protocol tcp_udp
           type destination
       }
       rule 3 {
           description "RDS HTTPS"
           destination {
               address XXX.XXX.XXX.44
               port 443
           }
           inbound-interface eth0
           inside-address {
               address 10.202.1.13
               port 443
           }
           log disable
           protocol tcp
           type destination
       }
       rule 4 {
           description "RDS RDP"
           destination {
               address XXX.XXX.XXX.44
               port 3389
           }
           inbound-interface eth0
           inside-address {
               address 10.202.1.13
               port 3389
           }
           log disable
           protocol tcp
           source {
               group {
                   address-group RDP_Allowed_IP
               }
           }
           type destination
       }
       rule 5 {
           description "PBX Restricted Port Forward"
           destination {
               address XXX.XXX.XXX.42
               group {
                   port-group PBX_Ports
               }
           }
           inbound-interface eth0
           inside-address {
               address 10.202.1.9
           }
           log disable
           protocol udp
           type destination
       }
       rule 5000 {
           description "Nginx Proxy"
           destination {
           }
           log disable
           outbound-interface eth0
           outside-address {
               address XXX.XXX.XXX.43
           }
           protocol all
           source {
               address 10.202.1.16
               group {
               }
           }
           type source
       }
       rule 5002 {
           description "RDS HTTPS"
           log disable
           outbound-interface eth0
           outside-address {
               address XXX.XXX.XXX.44
               port 443
           }
           protocol tcp
           source {
               address 10.202.1.13
               port 443
           }
           type source
       }
       rule 5003 {
           description "RDS RDP"
           destination {
               group {
                   address-group RDP_Allowed_IP
               }
           }
           log disable
           outbound-interface eth0
           outside-address {
               address XXX.XXX.XXX.44
               port 3389
           }
           protocol tcp
           source {
               address 10.202.1.13
               port 3389
           }
           type source
       }
       rule 5005 {
           description "Default NAT Masquerade"
           log disable
           outbound-interface eth0
           protocol all
           type masquerade
       }
      
      • scottalanmiller

        I'm working from the examples here...

        http://vyos.net/wiki/User_Guide

        • JaredBusch

          Just comparing my Nginx rules to yours, it all looks laid out right.

          • JaredBusch

            Did you apply the firewall rule to the interface?

            • scottalanmiller @JaredBusch

              @JaredBusch said in VyOS Port Address Translation for HTTPS:

              Did you apply the firewall rule to the interface?

              I've even rebooted!

              • JaredBusch

                Do you have a source rule to match this? Or does the source rule work on the default masquerade? I.e., you only have a single static IP involved here.

                • JaredBusch

                  You can see in my RDP rules that I have a source rule set up because it is a different IP than the default IP of the router.

                  • scottalanmiller @JaredBusch

                    @JaredBusch said in VyOS Port Address Translation for HTTPS:

                    Do you have a source rule to match this? Or does the source rule work on the default masquerade? I.e., you only have a single static IP involved here.

                    I just removed the source rule to test. There is only one static IP at the moment.

                    • scottalanmiller

                      Got it working. The firewall rule was in the wrong section of the firewall.

                      • JaredBusch @scottalanmiller

                        @scottalanmiller said in VyOS Port Address Translation for HTTPS:

                        Got it working. The firewall rule was in the wrong section of the firewall.

                        You had it on eth0 local instead of eth0 in?

                        • scottalanmiller @JaredBusch

                          @JaredBusch said in VyOS Port Address Translation for HTTPS:

                          @scottalanmiller said in VyOS Port Address Translation for HTTPS:

                          Got it working. The firewall rule was in the wrong section of the firewall.

                          You had it on eth0 local instead of eth0 in?

                          Yuppers.

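The mistake found in the thread (the accept rule sitting in the rule set bound to eth0 `local` instead of eth0 `in`) can be caught with a small audit of the exported configuration. This is an added example, not code from the original posts: the rule-set names `WAN_IN` and `WAN_LOCAL`, the rule numbers, the function name and the sample configuration are constructed, and the check compares only destination address and port (no groups, protocol, source or state matching) and assumes a rule set is attached to `in`.

```python
from collections import defaultdict

# Constructed sample in "show configuration commands" form (VyOS 1.1-era
# syntax). Rule-set names WAN_IN and WAN_LOCAL are hypothetical; the accept
# rule sits in the 'local' rule set, the mistake found in the thread.
BROKEN = """\
set firewall name WAN_IN default-action 'drop'
set firewall name WAN_LOCAL rule 20 action 'accept'
set firewall name WAN_LOCAL rule 20 destination address '10.202.1.13'
set firewall name WAN_LOCAL rule 20 destination port '443'
set interfaces ethernet eth0 firewall in name 'WAN_IN'
set interfaces ethernet eth0 firewall local name 'WAN_LOCAL'
set nat destination rule 3 inbound-interface 'eth0'
set nat destination rule 3 inside-address address '10.202.1.13'
set nat destination rule 3 inside-address port '443'
"""
# Same configuration with the accept rule moved to the 'in' rule set.
FIXED = BROKEN.replace("WAN_LOCAL rule 20", "WAN_IN rule 20")

def unforwarded_dnat(config):
    """Return DNAT rule numbers whose inside address/port has no accept rule
    in the rule set bound to the inbound interface's 'in' direction."""
    fw = defaultdict(dict)   # (rule set, rule number) -> {leaf path: value}
    nat = defaultdict(dict)  # DNAT rule number -> {leaf path: value}
    in_set = {}              # interface -> rule set attached as 'in'
    for line in config.splitlines():
        t = line.replace("'", "").split()
        if t[:3] == ["set", "firewall", "name"] and len(t) > 7 and t[4] == "rule":
            fw[(t[3], t[5])][" ".join(t[6:-1])] = t[-1]
        elif t[:4] == ["set", "nat", "destination", "rule"] and len(t) > 6:
            nat[t[4]][" ".join(t[5:-1])] = t[-1]
        elif (len(t) == 8 and t[1:3] == ["interfaces", "ethernet"]
                and t[4:7] == ["firewall", "in", "name"]):
            in_set[t[3]] = t[7]
    missing = []
    for num, r in sorted(nat.items(), key=lambda kv: int(kv[0])):
        ruleset = in_set.get(r.get("inbound-interface"))
        inside = r.get("inside-address address")
        port = r.get("inside-address port")
        # Destination NAT is applied before the firewall, so the forward
        # ('in') rule must match the inside address, not the public one.
        allowed = any(
            name == ruleset and f.get("action") == "accept"
            and f.get("destination address") in (None, inside)
            and f.get("destination port") in (None, port)
            for (name, _), f in fw.items())
        if not allowed:
            missing.append(num)
    return missing
```

`unforwarded_dnat(BROKEN)` reports DNAT rule 3, while `unforwarded_dnat(FIXED)` returns an empty list.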