This issue was reported by a customer who upgraded a device from 1.3.6 to 1.4.0-epa1 and lost his entire NAT definition.
How to reproduce the issue:
- NAT definition in 1.3.6:
set nat destination rule 2058 destination port '8080'
set nat destination rule 2058 inbound-interface 'eth4'
set nat destination rule 2058 protocol 'tcp'
set nat destination rule 2058 translation address '10.250.1.156'
set nat destination rule 2058 translation port '80'
set nat destination rule 2059 destination port '8999'
set nat destination rule 2059 inbound-interface 'eth4'
set nat destination rule 2059 protocol 'tcp_udp'
set nat destination rule 2059 translation address '10.250.1.2'
set nat destination rule 2059 translation port '8999'
set nat destination rule 2060 destination port '5060,10000-20000'
set nat destination rule 2060 inbound-interface 'eth4'
set nat destination rule 2060 protocol 'udp'
set nat destination rule 2060 source address '192.0.2.226/27'
set nat destination rule 2060 translation address '10.250.1.3'
set nat destination rule 2061 destination port '10000-20000'
set nat destination rule 2061 inbound-interface 'eth4'
set nat destination rule 2061 protocol 'udp'
set nat destination rule 2061 source address '192.0.2.226/27'
set nat destination rule 2061 translation address '10.250.1.3'
set nat source rule 1000 outbound-interface 'eth4'
set nat source rule 1000 source address '10.250.1.0/24'
set nat source rule 1000 translation address 'masquerade'
set nat source rule 1002 outbound-interface 'eth4'
set nat source rule 1002 source address '10.250.2.0/14'
set nat source rule 1002 translation address 'masquerade'
set nat source rule 1250 outbound-interface 'eth4'
set nat source rule 1250 source address '10.250.250.0/24'
set nat source rule 1250 translation address 'masquerade'
- Then upgrade the device to 1.4.0-epa1. You receive a "configuration migration failed" error:
'192.0.2.226/27' and '10.250.2.0/14' are not valid networks.
vyos@vyos:~$ conf
WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config
- If you try to configure the rules directly in 1.4.0-epa1, you receive a validation error:
vyos@vyos# set nat destination rule 2060 source address '192.0.2.226/27'
Error: 192.0.2.226/27 is not a valid IPv4 address range
Error: 192.0.2.226/27 is not a valid IPv4 prefix
Error: 192.0.2.226/27 is not a valid IPv4 address
Invalid value
Value validation failed
Set failed
It seems stricter validation has been added in 1.4.0-epa1. As this configuration was working fine in 1.3.6, there should either be error messages on conversion, OR only the failing NAT rules should fail, not ALL rules.
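
A pre-upgrade check for the failure described above, as an added example (not VyOS code and not part of the original report): it scans `set nat ...` address values for prefixes with host bits set, which is what makes '192.0.2.226/27' and '10.250.2.0/14' invalid networks. Python's strict `ipaddress` parsing is an assumed stand-in for the 1.4 validator, and the function name and `SAMPLE` text are hypothetical.

```python
import ipaddress
import re

# Matches: set nat <destination|source> rule <n> <source|destination> address '<value>'
# 'translation address' lines are deliberately not matched.
ADDR_RE = re.compile(
    r"set nat (destination|source) rule (\d+) (source|destination) address '([^']+)'"
)


def find_non_canonical_prefixes(config_text):
    """Return (nat_type, rule, field, value, suggested) for prefixes with host bits set.

    'suggested' is the enclosing network for the same prefix length, or None
    if the value cannot be parsed as a prefix at all.
    """
    findings = []
    for nat_type, rule, field, value in ADDR_RE.findall(config_text):
        prefix = value.lstrip("!")  # tolerate a negated match such as '!10.0.0.0/8'
        if "/" not in prefix:
            continue  # single address or range, not a prefix
        try:
            ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            try:
                suggested = str(ipaddress.ip_network(prefix, strict=False))
            except ValueError:
                suggested = None
            findings.append((nat_type, int(rule), field, value, suggested))
    return findings


# Sample input: a subset of the 1.3.6 commands from the report above.
SAMPLE = """
set nat destination rule 2060 source address '192.0.2.226/27'
set nat destination rule 2060 translation address '10.250.1.3'
set nat destination rule 2061 source address '192.0.2.226/27'
set nat source rule 1000 source address '10.250.1.0/24'
set nat source rule 1000 translation address 'masquerade'
set nat source rule 1002 source address '10.250.2.0/14'
"""

if __name__ == "__main__":
    for nat_type, rule, field, value, suggested in find_non_canonical_prefixes(SAMPLE):
        print(f"nat {nat_type} rule {rule} {field} address {value}: "
              f"host bits set, enclosing network is {suggested}")
```

The suggested network covers more addresses than the single host that was written, so decide per rule whether the intent was that network or a /32 for the host before changing the 1.3.6 configuration.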