    VyOS Port Address Translation for HTTPS

    IT Discussion. Tags: vyos, vyatta, router, nat, pat, networking. 17 Posts, 2 Posters, 7.5k Views
      scottalanmiller @JaredBusch

      @JaredBusch said in VyOS Port Address Translation for HTTPS:

      @scottalanmiller said in VyOS Port Address Translation for HTTPS:

      I am trying to get HTTPS forwarded through a VyOS router. Here is where I am...

      VyOS or EdgeOS? They are not the same thing. Most likely nothing has changed here, but EdgeOS is not the same fork as VyOS.

      Actual VyOS.

        scottalanmiller

        I had the firewall rule wrong so I cleaned that up. But still not working...

                rule 40 {
                    action accept
                    destination {
                        address 192.168.1.31
                        port 443
                    }
                    protocol tcp
                    state {
                        new enable
                    }
                }
        
          JaredBusch

          Here are my EdgeOS Firewall rules for WAN_IN at one client.

           rule 1 {
               action accept
               description "Accept Established and Related"
               log disable
               state {
                   established enable
                   related enable
               }
           }
           rule 2 {
               action drop
               description "Drop Invalid"
               log enable
               state {
                   invalid enable
               }
           }
           rule 6 {
               action accept
               description "Allow New to NginX Proxy"
               destination {
                   address 10.202.1.16
                   group {
                       port-group HTTP_HTTPS
                   }
               }
               log disable
               protocol tcp_udp
               state {
                   new enable
               }
           }
           rule 8 {
               action accept
               description "Accept New for PBX"
               destination {
                   group {
                       port-group PBX_Ports
                   }
               }
               log disable
               protocol udp
               source {
                   group {
                       address-group PBX_Addresses
                   }
               }
               state {
                   established disable
                   invalid disable
                   new enable
                   related disable
               }
           }
           rule 9 {
               action accept
               description "Accept new for RDS"
               destination {
                   address 10.202.1.13
                   group {
                       port-group RDS_Ports
                   }
               }
               log disable
               protocol tcp
               state {
                   established disable
                   invalid disable
                   new enable
                   related disable
               }
           }
           rule 10 {
               action accept
               description "Accept New RDP"
               destination {
                   address 10.202.1.13
                   port 3389
               }
               log disable
               protocol tcp
               source {
                   group {
                       address-group RDP_Allowed_IP
                   }
               }
               state {
                   established disable
                   invalid disable
                   new enable
                   related disable
               }
           }
          
            scottalanmiller

            And here is the current NAT file...

            nat {
                destination {
                    rule 10 {
                        description "Port Forward: HTTPS to 192.168.1.31"
                        destination {
                            port 443
                        }
                        inbound-interface eth0
                        protocol tcp
                        translation {
                            address 192.168.1.31
                        }
                    }
                }
            }

              JaredBusch

              Here are the NAT rules.

               rule 1 {
                   description "NginX Proxy"
                   destination {
                       address XXX.XXX.XXX.43
                       group {
                           port-group HTTP_HTTPS
                       }
                   }
                   inbound-interface eth0
                   inside-address {
                       address 10.202.1.16
                   }
                   log disable
                   protocol tcp_udp
                   type destination
               }
               rule 3 {
                   description "RDS HTTPS"
                   destination {
                       address XXX.XXX.XXX.44
                       port 443
                   }
                   inbound-interface eth0
                   inside-address {
                       address 10.202.1.13
                       port 443
                   }
                   log disable
                   protocol tcp
                   type destination
               }
               rule 4 {
                   description "RDS RDP"
                   destination {
                       address XXX.XXX.XXX.44
                       port 3389
                   }
                   inbound-interface eth0
                   inside-address {
                       address 10.202.1.13
                       port 3389
                   }
                   log disable
                   protocol tcp
                   source {
                       group {
                           address-group RDP_Allowed_IP
                       }
                   }
                   type destination
               }
               rule 5 {
                   description "PBX Restricted Port Forward"
                   destination {
                       address XXX.XXX.XXX.42
                       group {
                           port-group PBX_Ports
                       }
                   }
                   inbound-interface eth0
                   inside-address {
                       address 10.202.1.9
                   }
                   log disable
                   protocol udp
                   type destination
               }
               rule 5000 {
                   description "Nginx Proxy"
                   destination {
                   }
                   log disable
                   outbound-interface eth0
                   outside-address {
                       address XXX.XXX.XXX.43
                   }
                   protocol all
                   source {
                       address 10.202.1.16
                       group {
                       }
                   }
                   type source
               }
               rule 5002 {
                   description "RDS HTTPS"
                   log disable
                   outbound-interface eth0
                   outside-address {
                       address XXX.XXX.XXX.44
                       port 443
                   }
                   protocol tcp
                   source {
                       address 10.202.1.13
                       port 443
                   }
                   type source
               }
               rule 5003 {
                   description "RDS RDP"
                   destination {
                       group {
                           address-group RDP_Allowed_IP
                       }
                   }
                   log disable
                   outbound-interface eth0
                   outside-address {
                       address XXX.XXX.XXX.44
                       port 3389
                   }
                   protocol tcp
                   source {
                       address 10.202.1.13
                       port 3389
                   }
                   type source
               }
               rule 5005 {
                   description "Default NAT Masquerade"
                   log disable
                   outbound-interface eth0
                   protocol all
                   type masquerade
               }
              
                scottalanmiller

                I'm working from the examples here...

                http://vyos.net/wiki/User_Guide

                  JaredBusch

                  Just comparing my Nginx rules to yours, it all looks laid out right.

                    JaredBusch

                    Did you apply the firewall rule to the interface?

                      scottalanmiller @JaredBusch

                      @JaredBusch said in VyOS Port Address Translation for HTTPS:

                      Did you apply the firewall rule to the interface?

                      I've even rebooted!

                        JaredBusch

                        Do you have a source rule to match this? Or does the source rule work on the default masquerade? I.e. you only have a single static IP involved here.

                          JaredBusch

                          You can see in my RDP rules that I have a source rule set up because it is a different IP than the default IP of the router.

                            scottalanmiller @JaredBusch

                            @JaredBusch said in VyOS Port Address Translation for HTTPS:

                            Do you have a source rule to match this? Or does the source rule work on the default masquerade? I.e. you only have a single static IP involved here.

                            I just removed the source rule to test. There is only one static IP at the moment.

                              scottalanmiller

                              Got it working. The firewall rule was in the wrong section of the firewall.

                                JaredBusch @scottalanmiller

                                @scottalanmiller said in VyOS Port Address Translation for HTTPS:

                                Got it working. The firewall rule was in the wrong section of the firewall.

                                You had it on eth0 local instead of eth0 in?

                                  scottalanmiller @JaredBusch

                                  @JaredBusch said in VyOS Port Address Translation for HTTPS:

                                  @scottalanmiller said in VyOS Port Address Translation for HTTPS:

                                  Got it working. The firewall rule was in the wrong section of the firewall.

                                  You had it on eth0 local instead of eth0 in?

                                  Yuppers.

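The fix in this thread was binding the WAN ruleset to the interface's "in" hook instead of "local". As an added example that is not from the thread or from VyOS, here is a small Python check that parses VyOS/EdgeOS brace-style config and reports any destination-NAT rule whose target is not accepted by the ruleset bound to the inbound interface's "in" hook; the parse/accepts/check_dnat functions and the config strings are my own, constructed from the addresses used in the thread.

```python
def parse(text):
    """Parse VyOS/EdgeOS brace-style config into nested dicts ("rule 40" -> {...})."""
    toks = text.replace("{", " { ").replace("}", " } ").split()
    root = cur = {}
    stack, i = [], 0
    while i < len(toks):
        if toks[i] == "}":                                  # close the current node
            cur, i = stack.pop(), i + 1
        elif toks[i + 1] == "{":                            # one-word node: "destination {"
            stack.append(cur)
            cur, i = cur.setdefault(toks[i], {}), i + 2
        elif i + 2 < len(toks) and toks[i + 2] == "{":      # two-word node: "rule 40 {"
            stack.append(cur)
            cur, i = cur.setdefault(toks[i] + " " + toks[i + 1], {}), i + 3
        else:                                               # leaf: "port 443"
            cur[toks[i]], i = toks[i + 1], i + 2
    return root

def accepts(cfg, ruleset, addr, port):
    """True if the named firewall ruleset holds a tcp accept rule for addr:port."""
    for key, rule in cfg.get("firewall", {}).get(f"name {ruleset}", {}).items():
        if not key.startswith("rule ") or rule.get("action") != "accept":
            continue
        dst = rule.get("destination", {})
        if rule.get("protocol") == "tcp" and dst.get("address") == addr and dst.get("port") == port:
            return True
    return False

def check_dnat(cfg):
    """One finding per DNAT rule whose target is not accepted by the inbound interface's 'in' ruleset."""
    findings = []
    for name, rule in cfg.get("nat", {}).get("destination", {}).items():
        iface = rule["inbound-interface"]
        addr, port = rule["translation"]["address"], rule["destination"]["port"]
        hooks = cfg["interfaces"][f"ethernet {iface}"].get("firewall", {})
        if not accepts(cfg, hooks.get("in", {}).get("name"), addr, port):   # 'in' filters forwarded traffic
            hook = "local" if accepts(cfg, hooks.get("local", {}).get("name"), addr, port) else "nowhere"
            findings.append(f"{name}: {addr}:{port} accepted on {iface} {hook}, needs 'in'")
    return findings

# Constructed config (thread's addresses): DNAT is right, but WAN_IN is bound to eth0 'local', which only filters traffic addressed to the router itself.
BROKEN = """
firewall { name WAN_IN { rule 40 { action accept protocol tcp
    destination { address 192.168.1.31 port 443 } state { new enable } } } }
interfaces { ethernet eth0 { firewall { local { name WAN_IN } } } }
nat { destination { rule 10 { inbound-interface eth0 protocol tcp
    destination { port 443 } translation { address 192.168.1.31 } } } }
"""
FIXED = BROKEN.replace("local { name WAN_IN }", "in { name WAN_IN }")   # the fix from the thread
```

`check_dnat(parse(BROKEN))` returns one finding naming the "local" hook, and `check_dnat(parse(FIXED))` returns an empty list.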