Page MenuHomeVyOS Platform
Create Task
Maniphest T4

NAT rule applies to networks behind ipsec
Closed, InvalidPublicBUG
Actions

Description

Hello,
Daniil we had issue described in subject on vyos installation

  • VyOS with public network, internal network, ipsec network(far end)
  • several DNAT rules from public ip to internal network hosts(like FTP and WEB)

When host from ipsec network(far end) try to access any port which is used in DNAT it will be always forwarded to DNAT destination host, even if explicitly used ip address from internal network range

Details

Difficulty level
Hard (possibly days)
Version
1.1.8
Why the issue appeared?
Will be filled on close

Event Timeline

syncer created this task.Feb 21 2016, 12:37 AM
syncer created this object with edit policy "Subscribers".
syncer assigned this task to dmbaturin.Mar 2 2016, 12:59 AM
syncer triaged this task as Normal priority.
EwaldvanGeffen added a subscriber: EwaldvanGeffen.Apr 9 2016, 10:08 AM

recap from irc: one fix would be to negate the vpn-subnet in the source part of your dnat rule.

syncer added a comment.Apr 9 2016, 10:49 AM

@EwaldvanGeffen real setup now inactive, i will try to recreate similar setup

syncer reassigned this task from dmbaturin to EwaldvanGeffen.Aug 21 2017, 12:59 AM
syncer edited projects, added VyOS 1.2 Crux; removed VyOS 1.1.x.

Moved this to 1.2 series

syncer removed EwaldvanGeffen as the assignee of this task.Jun 10 2018, 4:20 AM
syncer edited subscribers, added: c-po, Active contributors, Maintainers; removed: EwaldvanGeffen, dmbaturin, syncer.Sep 3 2018, 3:42 PM

@c-po @dmbaturin this one is old

pasik added a subscriber: pasik.Oct 1 2018, 9:53 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux.Oct 13 2018, 10:09 AM
syncer changed the subtype of this task from "Task" to "Bug".Oct 18 2018, 5:52 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc5); removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).Oct 24 2018, 4:40 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM
dmbaturin added a comment.Nov 3 2018, 11:37 PM

It's a classic issue. You need to create rules with "exclude" option for such networks.

The question is where is the line between sensible defaults and trying to outsmart the user. Some people want their traffic to be NATed before IPsec kicks in, for example to fix subnet conflicts, or make a fixup for double NAT.

dmbaturin edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux (VyOS 1.2.0-rc6).Nov 3 2018, 11:37 PM
dmbaturin set Version to 1.1.8.
dmbaturin set Why the issue appeared? to Will be filled on close.
syncer closed this task as Invalid.Nov 8 2018, 11:24 PM
syncer edited projects, added Invalid; removed VyOS 1.3 Equuleus.