I expected a NAT rule with action dst-nat not to catch any connection from my local network unless it is changed to src-nat. So I guess connections going outside go through both src-nat and then dst-nat?
SRC-NAT and DST-NAT are very distinct operations; they happen at very different times (dst-nat is pretty early in packet processing, before the firewall, and src-nat happens pretty late, after the firewall) and both can affect the same packet/connection ... if there are src-nat and dst-nat rules which match against the same packet/connection. Which means that one has to be careful when constructing rules: one needs to add appropriate matching criteria so that rules only apply to packets needing it.
Which means that a connection going outside should only hit src-nat, and if it's not, then dst-nat is "too greedy". OTOH a connection being directed at an internal server should hit only dst-nat and a specific src-nat (see below); it should not hit the default "masquerade traffic going out" rule ...
When looking at your diagram, I'm guessing you'll need hairpin NAT for those SSH connections (so both dst-nat and src-nat for eligible connections).
Statistics: Posted by mkx — Sun Jan 12, 2025 10:57 am
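A worked RouterOS configuration illustrating the points in the reply above: a dst-nat rule that is "too greedy" versus one restricted to the router's public address, a hairpin src-nat rule for LAN clients reaching the internal SSH server through the public address, and a default masquerade limited to traffic actually leaving via WAN. This is an added example, not configuration from the original thread or from mkx; the interface names (ether1, bridge), the public address 203.0.113.5, the LAN subnet 192.168.88.0/24, the server address 192.168.88.10 and the use of port 22 are all assumptions made for illustration.

```routeros
# Added example, not from the original thread. Assumed topology:
#   ether1         = WAN, static public address 203.0.113.5
#   bridge         = LAN, 192.168.88.0/24 (router is 192.168.88.1)
#   192.168.88.10  = internal SSH server
# All names, addresses and the port are assumptions for illustration.

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

/ip firewall nat

# --- Too greedy (kept commented out): matches EVERY TCP/22 connection that
# enters the router, including a LAN host trying to SSH to a server on the
# Internet. dst-nat runs in prerouting, before the filter chains, so that
# outbound connection would be redirected to 192.168.88.10 instead.
# add chain=dstnat protocol=tcp dst-port=22 \
#     action=dst-nat to-addresses=192.168.88.10

# --- Restricted dst-nat: only connections whose destination is the router's
# public address are redirected. Deliberately no in-interface match, so a
# LAN host connecting to 203.0.113.5:22 is redirected as well (hairpin).
add chain=dstnat dst-address=203.0.113.5 protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=22 \
    comment="SSH to public IP -> internal server"

# --- Hairpin src-nat: LAN client -> LAN server via the public address.
# Without it the server replies directly to the client's LAN address; the
# client then sees a reply from 192.168.88.10 instead of 203.0.113.5 and
# drops it. Must be placed BEFORE the general masquerade rule.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=22 out-interface-list=LAN \
    action=masquerade comment="hairpin NAT for LAN clients"

# --- Default masquerade, restricted to traffic leaving via WAN so it does
# not catch dst-nat'ed connections arriving from the Internet.
add chain=srcnat out-interface-list=WAN action=masquerade \
    comment="masquerade traffic going out"

# Because dst-nat is applied before the filter chains, a forward rule that
# allows the port forward must match the TRANSLATED destination address:
/ip firewall filter
add chain=forward connection-nat-state=dstnat connection-state=new \
    dst-address=192.168.88.10 protocol=tcp dst-port=22 action=accept \
    comment="allow dst-nat'ed SSH to internal server"

# Checks: rule counters show which connections each NAT rule catches;
# connection tracking shows the translation applied to a live session
# (dst-address is the original destination, reply-src-address the server).
/ip firewall nat print stats
/ip firewall connection print where protocol=tcp dst-address~"203.0.113.5:22"
```

Rules within a NAT chain are evaluated top down and the first match wins, so the hairpin rule has to sit above the general masquerade rule, and the greedy variant (if it were enabled) would shadow the restricted one. If the WAN address is dynamic, dst-address-type=local is the usual substitute for a fixed dst-address, but it also matches the router's LAN address (192.168.88.1 here), so pair it with an address list or an in-interface-list match and accept that hairpin then needs a separate rule.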