Looking through the output of "sudo nft -s list ruleset" in VyOS 1.5-rolling-202310110022 the following can be observed:
table ip vyos_conntrack {
    ...
    chain VYOS_CT_IGNORE {
        return
    }
    chain VYOS_CT_TIMEOUT {
        return
    }
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        counter jump VYOS_CT_HELPER
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump FW_CONNTRACK
        counter jump NAT_CONNTRACK
        counter jump WLB_CONNTRACK
        notrack
    }
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        counter jump VYOS_CT_HELPER
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump FW_CONNTRACK
        counter jump NAT_CONNTRACK
        notrack
    }
    chain VYOS_CT_HELPER {
        return
    }
    chain FW_CONNTRACK {
        accept
    }
    chain NAT_CONNTRACK {
        return
    }
    chain WLB_CONNTRACK {
        return
    }
}
table ip6 vyos_conntrack {
    ...
    chain VYOS_CT_IGNORE {
        return
    }
    chain VYOS_CT_TIMEOUT {
        return
    }
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        counter jump VYOS_CT_HELPER
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump FW_CONNTRACK
        counter jump NAT_CONNTRACK
        notrack
    }
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        counter jump VYOS_CT_HELPER
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump FW_CONNTRACK
        counter jump NAT_CONNTRACK
        notrack
    }
    chain VYOS_CT_HELPER {
        return
    }
    chain FW_CONNTRACK {
        accept
    }
    chain NAT_CONNTRACK {
        return
    }
}
My interpretation of the above is that when "jump FW_CONNTRACK" occurs the action is "accept", which means that the chains that come after FW_CONNTRACK (in chains PREROUTING and OUTPUT) are never evaluated:
counter jump NAT_CONNTRACK counter jump WLB_CONNTRACK
Suggested fix:
chain FW_CONNTRACK { return }
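To check the reasoning without a router at hand, here is an added example (my own toy model, not VyOS or nftables code) that replays the IPv4 PREROUTING chain from the listing above under the standard nft verdict rules: `jump` enters a chain, `return` goes back to the caller, `accept` terminates evaluation of the whole hook, and `notrack` is a non-terminal statement. Counters are dropped, and the verdict inside FW_CONNTRACK is the only thing that varies. The assumed semantics are those documented for nft verdicts; the chain names and rule order are taken from the report.

```python
# Added example (not VyOS code): a toy model of nftables verdict semantics,
# used to replay the PREROUTING chain from the report with FW_CONNTRACK ending
# in `accept` versus `return`. Counters are dropped; only verdicts matter here.

ACCEPT = "accept"
RETURN = "return"
NOTRACK = "notrack"


def vyos_conntrack_ruleset(fw_conntrack_verdict):
    """The `table ip vyos_conntrack` PREROUTING chain as listed in the report.
    Only the verdict inside FW_CONNTRACK is parameterised."""
    return {
        "PREROUTING": [
            ("jump", "VYOS_CT_HELPER"),
            ("jump", "VYOS_CT_IGNORE"),
            ("jump", "VYOS_CT_TIMEOUT"),
            ("jump", "FW_CONNTRACK"),
            ("jump", "NAT_CONNTRACK"),
            ("jump", "WLB_CONNTRACK"),
            (NOTRACK,),
        ],
        "VYOS_CT_HELPER": [(RETURN,)],
        "VYOS_CT_IGNORE": [(RETURN,)],
        "VYOS_CT_TIMEOUT": [(RETURN,)],
        "FW_CONNTRACK": [(fw_conntrack_verdict,)],
        "NAT_CONNTRACK": [(RETURN,)],
        "WLB_CONNTRACK": [(RETURN,)],
    }


def evaluate(chains, base):
    """Walk `base` the way nft does: `jump` descends into a chain, `return`
    goes back to the caller, `accept` is terminal for the whole hook, and
    `notrack` is a non-terminal statement that evaluation simply passes.

    Returns (chains visited in order, terminal verdict or None, notrack hit)."""
    visited = []
    state = {"notrack": False}

    def run(name):
        visited.append(name)
        for rule in chains[name]:
            kind = rule[0]
            if kind == "jump":
                verdict = run(rule[1])
                if verdict is not None:
                    return verdict          # terminal verdict unwinds every jump
            elif kind == RETURN:
                return None                 # resume after the jump in the caller
            elif kind == ACCEPT:
                return ACCEPT               # ends evaluation of this hook
            elif kind == NOTRACK:
                state["notrack"] = True     # packet marked untracked; continue
        return None                         # fell off the end: chain policy applies

    verdict = run(base)
    return visited, verdict, state["notrack"]


def skipped_chains(fw_conntrack_verdict):
    """Chains of PREROUTING that are never entered for the given FW_CONNTRACK verdict."""
    chains = vyos_conntrack_ruleset(fw_conntrack_verdict)
    visited, _, _ = evaluate(chains, "PREROUTING")
    return [name for name in chains if name not in visited]


if __name__ == "__main__":
    for verdict in (ACCEPT, RETURN):
        visited, final, untracked = evaluate(vyos_conntrack_ruleset(verdict), "PREROUTING")
        print(f"FW_CONNTRACK {{ {verdict} }}: visited={visited} "
              f"final={final} notrack={untracked} skipped={skipped_chains(verdict)}")
```

With `accept` in FW_CONNTRACK the walk stops there, so NAT_CONNTRACK and WLB_CONNTRACK are never entered and the trailing `notrack` rule is not reached either; with `return` every chain is entered and the packet falls through to `notrack`. On a live system the same thing can be read off the per-rule counters in "sudo nft -s list ruleset": the `counter jump NAT_CONNTRACK` rule stays at zero while `counter jump FW_CONNTRACK` keeps climbing.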