VyOS Port Address Translation for HTTPS
- 
 I am trying to get HTTPS forwarded through a VyOS router. Here is where I am...

 Firewall Settings for Port 443:

     rule 40 {
         action drop
         destination {
             port 443
         }
         protocol tcp
         recent {
             count 4
             time 60
         }
         state {
             new enable
         }
     }
     rule 41 {
         action accept
         destination {
             port 443
         }
         protocol tcp
         state {
             new enable
         }
     }

 And here are the NAT rules...

     nat {
         destination {
             rule 100 {
                 description "Port Forward: HTTPS to 192.168.1.31"
                 destination {
                     port 443
                 }
                 inbound-interface eth0
                 protocol tcp
                 translation {
                     address 192.168.1.31
                 }
             }
         }
         source {
             rule 100 {
                 outbound-interface eth0
                 source {
                     address 192.168.0.0/22
                 }
                 translation {
                     address masquerade
                 }
             }
         }
     }

 I can ping 192.168.1.31 and if I use curl I can see the contents of the web page. So I know that things are working up until that point.
- 
 @scottalanmiller said in VyOS Port Address Translation for HTTPS: I am trying to get HTTPS forwarded through a VyOS router. Here is where I am... VyOS or EdgeOS? They are not the same thing. Most likely nothing has changed here, but EdgeOS is not the same fork as VyOS. 
- 
 @JaredBusch said in VyOS Port Address Translation for HTTPS: @scottalanmiller said in VyOS Port Address Translation for HTTPS: I am trying to get HTTPS forwarded through a VyOS router. Here is where I am... VyOS or EdgeOS? They are not the same thing. Most likely nothing has changed here, but EdgeOS is not the same fork as VyOS. Actual VyOS. 
- 
 I had the firewall rule wrong so I cleaned that up. But still not working...

     rule 40 {
         action accept
         destination {
             address 192.168.1.31
             port 443
         }
         protocol tcp
         state {
             new enable
         }
     }
- 
 Here are my EdgeOS Firewall rules for WAN_IN at one client.

     rule 1 {
         action accept
         description "Accept Established and Related"
         log disable
         state {
             established enable
             related enable
         }
     }
     rule 2 {
         action drop
         description "Drop Invalid"
         log enable
         state {
             invalid enable
         }
     }
     rule 6 {
         action accept
         description "Allow New to NginX Proxy"
         destination {
             address 10.202.1.16
             group {
                 port-group HTTP_HTTPS
             }
         }
         log disable
         protocol tcp_udp
         state {
             new enable
         }
     }
     rule 8 {
         action accept
         description "Accept New for PBX"
         destination {
             group {
                 port-group PBX_Ports
             }
         }
         log disable
         protocol udp
         source {
             group {
                 address-group PBX_Addresses
             }
         }
         state {
             established disable
             invalid disable
             new enable
             related disable
         }
     }
     rule 9 {
         action accept
         description "Accept new for RDS"
         destination {
             address 10.202.1.13
             group {
                 port-group RDS_Ports
             }
         }
         log disable
         protocol tcp
         state {
             established disable
             invalid disable
             new enable
             related disable
         }
     }
     rule 10 {
         action accept
         description "Accept New RDP"
         destination {
             address 10.202.1.13
             port 3389
         }
         log disable
         protocol tcp
         source {
             group {
                 address-group RDP_Allowed_IP
             }
         }
         state {
             established disable
             invalid disable
             new enable
             related disable
         }
     }
- 
 And here is the current NAT file...

     nat {
         destination {
             rule 10 {
                 description "Port Forward: HTTPS to 192.168.1.31"
                 destination {
                     port 443
                 }
                 inbound-interface eth0
                 protocol tcp
                 translation {
                     address 192.168.1.31
                 }
             }
         }
- 
 Here are the NAT rules.

     rule 1 {
         description "NginX Proxy"
         destination {
             address XXX.XXX.XXX.43
             group {
                 port-group HTTP_HTTPS
             }
         }
         inbound-interface eth0
         inside-address {
             address 10.202.1.16
         }
         log disable
         protocol tcp_udp
         type destination
     }
     rule 3 {
         description "RDS HTTPS"
         destination {
             address XXX.XXX.XXX.44
             port 443
         }
         inbound-interface eth0
         inside-address {
             address 10.202.1.13
             port 443
         }
         log disable
         protocol tcp
         type destination
     }
     rule 4 {
         description "RDS RDP"
         destination {
             address XXX.XXX.XXX.44
             port 3389
         }
         inbound-interface eth0
         inside-address {
             address 10.202.1.13
             port 3389
         }
         log disable
         protocol tcp
         source {
             group {
                 address-group RDP_Allowed_IP
             }
         }
         type destination
     }
     rule 5 {
         description "PBX Restricted Port Forward"
         destination {
             address XXX.XXX.XXX.42
             group {
                 port-group PBX_Ports
             }
         }
         inbound-interface eth0
         inside-address {
             address 10.202.1.9
         }
         log disable
         protocol udp
         type destination
     }
     rule 5000 {
         description "Nginx Proxy"
         destination {
         }
         log disable
         outbound-interface eth0
         outside-address {
             address XXX.XXX.XXX.43
         }
         protocol all
         source {
             address 10.202.1.16
             group {
             }
         }
         type source
     }
     rule 5002 {
         description "RDS HTTPS"
         log disable
         outbound-interface eth0
         outside-address {
             address XXX.XXX.XXX.44
             port 443
         }
         protocol tcp
         source {
             address 10.202.1.13
             port 443
         }
         type source
     }
     rule 5003 {
         description "RDS RDP"
         destination {
             group {
                 address-group RDP_Allowed_IP
             }
         }
         log disable
         outbound-interface eth0
         outside-address {
             address XXX.XXX.XXX.44
             port 3389
         }
         protocol tcp
         source {
             address 10.202.1.13
             port 3389
         }
         type source
     }
     rule 5005 {
         description "Default NAT Masquerade"
         log disable
         outbound-interface eth0
         protocol all
         type masquerade
     }
- 
 I'm working from the examples here... 
- 
 Just comparing my Nginx rules to yours, it all looks laid out right. 
- 
 Did you apply the firewall rule to the interface? 
- 
 @JaredBusch said in VyOS Port Address Translation for HTTPS: Did you apply the firewall rule to the interface? I've even rebooted! 
- 
 Do you have a source rule to match this? Or does the source rule work on the default masquerade? i.e. you only have a single static IP involved here. 
- 
 You can see in my RDP rules that I have a source rule setup because it is a different IP than the default IP of the router. 
- 
 @JaredBusch said in VyOS Port Address Translation for HTTPS: Do you have a source rule to match this? or does the source rule work on the default masquerade? i.e. you only have a single static IP involved here. I just removed the source rule to test. There is only one static IP at the moment. 
- 
 Got it working. The firewall rule was in the wrong section of the firewall. 
- 
 @scottalanmiller said in VyOS Port Address Translation for HTTPS: Got it working. The firewall rule was in the wrong section of the firewall. You had it on eth0 local instead of eth0 in? 
- 
 @JaredBusch said in VyOS Port Address Translation for HTTPS: @scottalanmiller said in VyOS Port Address Translation for HTTPS: Got it working. The firewall rule was in the wrong section of the firewall. You had it on eth0 local instead of eth0 in? Yuppers. 
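The root cause the thread ends on is that the port-443 accept rule sat in the ruleset bound to `eth0 local` (traffic addressed to the router itself) instead of `eth0 in` (traffic forwarded through the router). Because destination NAT is applied before the `in` ruleset is evaluated, the `in` rule has to match the translated inside address, which is why `destination { address 192.168.1.31 port 443 }` is the right shape there. The following is an added example, not code from VyOS or from anyone in this thread: a small Python audit that parses VyOS-style config text (it accepts the run-together one-line form pasted in these posts as well as normal `show configuration` output) and reports every DNAT port-forward on an interface that the `in` ruleset would not accept, noting when the only matching rule lives in the `local` ruleset. The ruleset names WAN_IN/WAN_LOCAL and the sample config text are constructed for the example.

```python
"""Audit a VyOS/EdgeOS config: each DNAT port-forward arriving on an interface
needs an accept rule in the firewall set bound to that interface's 'in'
direction (forwarded traffic). A set bound to 'local' only filters traffic
addressed to the router itself. Added example: parser, checks and sample
config text are constructed, not code from VyOS or from this thread."""
import re


def parse_vyos(text):
    """Parse brace-style VyOS config text into nested dicts. Works on the
    one-line form pasted in forum posts as well as on 'show configuration'
    output. 'rule 40 {' becomes the key 'rule 40'; the leaf 'port 443'
    becomes {'port': '443'}. Assumes every leaf carries exactly one value."""
    toks = re.findall(r'"[^"]*"|\{|\}|[^\s{}]+', text)
    root, stack, i = {}, [], 0
    cur = root
    while i < len(toks):
        tok = toks[i]
        if tok == "}":
            cur = stack.pop() if stack else root
            i += 1
        elif i + 1 < len(toks) and toks[i + 1] == "{":      # node: 'in {'
            stack.append(cur)
            cur = cur.setdefault(tok, {})
            i += 2
        elif i + 2 < len(toks) and toks[i + 2] == "{":      # node: 'rule 40 {'
            stack.append(cur)
            cur = cur.setdefault(tok + " " + toks[i + 1], {})
            i += 3
        else:                                               # leaf: 'port 443'
            cur[tok] = toks[i + 1].strip('"') if i + 1 < len(toks) else ""
            i += 2
    return root


def bound_ruleset(cfg, iface, direction):
    """Name of the firewall set attached to <iface> for <direction> ('in' or 'local')."""
    eth = cfg.get("interfaces", {}).get("ethernet " + iface, {})
    return eth.get("firewall", {}).get(direction, {}).get("name")


def accepting_rule(cfg, ruleset, proto, port, addr):
    """First rule in <ruleset> that accepts <proto>/<port> to <addr>. 'in' rules
    see the post-DNAT destination, so an address match, if present, must be the
    translated (inside) address rather than the router's public address."""
    for key, rule in cfg.get("firewall", {}).get("name " + ruleset, {}).items():
        if not key.startswith("rule ") or rule.get("action") != "accept":
            continue
        dst = rule.get("destination", {})
        if dst.get("port") != port or dst.get("address") not in (None, addr):
            continue
        if rule.get("protocol", "all") in ("all", "tcp_udp", proto):
            return key
    return None


def audit_forwards(text, iface="eth0"):
    """Return one finding per DNAT forward on <iface> that the 'in' set would not accept."""
    cfg = parse_vyos(text)
    in_set = bound_ruleset(cfg, iface, "in")
    local_set = bound_ruleset(cfg, iface, "local")
    findings = []
    for key, rule in cfg.get("nat", {}).get("destination", {}).items():
        if not key.startswith("rule ") or rule.get("inbound-interface") != iface:
            continue
        proto = rule.get("protocol", "all")
        port = rule.get("destination", {}).get("port")
        addr = rule.get("translation", {}).get("address")
        if in_set and accepting_rule(cfg, in_set, proto, port, addr):
            continue
        msg = f"nat {key}: {proto}/{port} -> {addr} is not accepted on '{iface} in'"
        if local_set and accepting_rule(cfg, local_set, proto, port, addr):
            msg += f" (matching rule is in {local_set}, which is bound to '{iface} local')"
        findings.append(msg)
    return findings


# Constructed sample modelled on the thread: the same port-443 accept rule is
# placed either in WAN_IN (bound to 'eth0 in') or in WAN_LOCAL ('eth0 local').
RULE_40 = ("rule 40 { action accept destination { address 192.168.1.31 port 443 } "
           "protocol tcp state { new enable } }")
TEMPLATE = (
    "firewall {{ name WAN_IN {{ default-action drop {in_rules} }} "
    "name WAN_LOCAL {{ default-action drop {local_rules} }} }} "
    "interfaces {{ ethernet eth0 {{ firewall {{ in {{ name WAN_IN }} "
    "local {{ name WAN_LOCAL }} }} }} }} "
    'nat {{ destination {{ rule 10 {{ description "Port Forward: HTTPS to 192.168.1.31" '
    "destination {{ port 443 }} inbound-interface eth0 protocol tcp "
    "translation {{ address 192.168.1.31 }} }} }} }}"
)
WRONG_CFG = TEMPLATE.format(in_rules="", local_rules=RULE_40)  # rule in the wrong section
FIXED_CFG = TEMPLATE.format(in_rules=RULE_40, local_rules="")  # rule where forwards are filtered

if __name__ == "__main__":
    for name, cfg in (("wrong", WRONG_CFG), ("fixed", FIXED_CFG)):
        print(name, audit_forwards(cfg) or "ok")
```

Running the audit on the "wrong" sample produces one finding that names WAN_LOCAL as the ruleset holding the only matching accept; the "fixed" sample produces none. The parser deliberately keys nodes by their full header (`rule 40`, `name WAN_IN`, `ethernet eth0`) so lookups mirror the `set` path you would type on the router.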

