Page MenuHomeVyOS Platform

Ability to set DNAT translation address incorrectly
Open, NormalPublicBUG


This isn't so much a bug-report, as it does not really "break" the router.
More of a change to validation on the router.

When creating DNAT rules you have the ability to set the address to translate to.

dickins@gateway# show nat destination
 rule 5 {
     destination {
         port 24800
     inbound-interface eth1
     protocol tcp
     translation {

In the above example, inbound packets to TCP/24800 going to on Interface eth1 are re-written to a destination of
However, the validation of creating a DNAT rule gives you the following options;

dickins@gateway# set nat destination rule 5 translation address
Possible completions:
   <x.x.x.x>    IPv4 address to match
   <x.x.x.x/x>  IPv4 prefix to match
                IPv4 address range to match


The above examples, when configuring - implies that you may use a subnet prefix or IP range when creating a NAT rule.
When in reality - you're only able to set a single IP Address.
Setting a range does not forward any packets and the router does allow you to set a range.

How I came across this issue?
I wanted to create some kind of load balancing.
Basically I've got three computers which all accept this connection of TCP/24800.
I thought it would be a good config to set a range of IP's of which the PC's are on and perhaps NAT would "round-robin" connections until one connects.
That was not the case ๐Ÿ˜†


Difficulty level
Normal (likely a few hours)
VyOS 1.4-rolling-202101281254
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

Viacheslav changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).

You can use <x.x.x.x>-<x.x.x.x>
Or you need "multi" addresses not in "range"? Something like

set nat destination rule 5 translation member
set nat destination rule 5 translation member
set nat destination rule 5 translation member