Access Isolated Network

Hi

I want to create a clone of our production servers to test upgrades etc, but I need some help figuring out how to provide network access to the isolated network.

I have a dedicated Hyper-V host where I am going to restore a full copy of the servers and connect the VMs to a “Private Network”.

The servers need to retain their IPs from the production network (10.47.2.0/24).

I have created a VyOS VM with two NICs; eth0 is connected to the Private Network with an interface address of 10.47.2.1 to simulate the production gateway.

I want to be able to remote desktop to the cloned virtual servers through the eth1 NIC in the VyOS VM using a masquerade IP.

Example:
The client wants to connect to the cloned server with the real IP 10.47.2.10 using the masquerade IP 172.47.2.10.
On the client, a static route will be added pointing to the IP of VyOS eth1: ROUTE ADD 172.47.2.0 MASK 255.255.255.0 IP_ADDRESS_OF_VYOS_ETH1

Client [10.47.20.105] —> Eth1_VYOS —> VYOS_Eth0 [10.47.2.1] —> Server1 [10.47.2.10]

The cloned servers in the isolated network are not allowed to initiate traffic out from the isolated network to avoid conflicts with production servers.

Basically I want the same functionality as the Veeam Virtual Lab described here, but this virtual lab is not permanent, meaning changes are destroyed once the lab is shut down.

Hello,
Yes, it's possible.
You don't need to have a route to 10.47.2.10 on the client.
You will have VyOS eth0 with, let's say, 10.47.20.251.
You will configure a source NAT rule for 10.47.2.0/24 to masquerade it with 10.47.20.251,
then you configure a destination NAT rule which forwards port 3389 from 10.47.20.251 to port 3389 on 10.47.2.10.
You can find how to configure rules in the VyOS User Guide — VyOS 1.3.x (equuleus) documentation.
Thanks

Wouldn't that allow the cloned servers to initiate traffic out of the isolated network? Also, I need to access every isolated server on any port.

Hello,
Yes, it will.
If you need an isolated environment, just don't add the SNAT rule then.

I didn't really understand what you mean.

For isolation: on the eth0 IN firewall ruleset (= server side): default action = block; rule 1 = allow established/related. This way your test environment is contained.

Add a destination NAT rule on eth1, translating the entire /24 range:
set nat destination rule 5 inbound-interface eth1
set nat destination rule 5 translation address 10.47.2.0/24
set nat destination rule 5 destination address 172.47.2.0/24

Add a masquerade rule on eth0:
set nat source rule 5000 description masquerade
set nat source rule 5000 outbound-interface eth0
set nat source rule 5000 source
set nat source rule 5000 translation address masquerade

And indeed, if the client PC has a different default gateway, a static route needs to be added.
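To make the mechanism in the reply above concrete, here is an added example (my own code, not VyOS code and not from any poster): a small model of the router's packet path with the destination NAT applied on the PROD-side interface and the stateful ruleset applied inbound on the LAB-side interface. The addresses, interface names and port numbers are the ones used in this thread; the conntrack model (a set of 4-tuples, no timeouts) and the function names are my own simplification.

```python
"""Toy model of the VyOS packet path described in the thread: DNAT on eth1
(PROD side) and a stateful LAB-IN ruleset inbound on eth0 (LAB side).
Added example, not VyOS code; conntrack is approximated by a set of 4-tuples."""
from dataclasses import dataclass, replace

LAB_IF, PROD_IF = "eth0", "eth1"

# Destination NAT as in the thread: masquerade address -> real LAB address.
DNAT = {"172.31.2.11": "10.47.2.11", "172.31.2.12": "10.47.2.12"}
UNDNAT = {real: fake for fake, real in DNAT.items()}


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet arrives on


class Router:
    """Forwards packets between eth1 (PROD) and eth0 (LAB).

    isolate=True applies the LAB-IN ruleset from the post (default drop,
    accept only established/related). isolate=False is the same router
    with no ruleset on eth0, which is what the thread warns against."""

    def __init__(self, isolate=True):
        self.isolate = isolate
        self.flows = set()  # conntrack: post-NAT (src, sport, dst, dport) of accepted flows

    def forward(self, p):
        """Return (verdict, packet as it would leave the router)."""
        if p.iface == PROD_IF:
            # nat destination rule: rewrite the masquerade address, then forward.
            if p.dst in DNAT:
                p = replace(p, dst=DNAT[p.dst])
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "accept", p
        if p.iface == LAB_IF:
            is_reply = (p.dst, p.dport, p.src, p.sport) in self.flows
            if not is_reply and self.isolate:
                # rule 2 / default-action: a new (or invalid) flow from LAB is dropped
                return "drop", p
            if not is_reply:
                # no ruleset: a cloned server can open connections towards production
                self.flows.add((p.src, p.sport, p.dst, p.dport))
                return "accept", p
            # rule 1: established/related; conntrack reverses the DNAT on the reply
            if p.src in UNDNAT:
                p = replace(p, src=UNDNAT[p.src])
            return "accept", p
        raise ValueError(f"unknown interface {p.iface}")


def rdp_session(router, client="10.47.20.105", fake="172.31.2.11"):
    """Client opens RDP to the masquerade address; the LAB server answers."""
    v1, syn = router.forward(Pkt(client, 50000, fake, 3389, PROD_IF))
    v2, synack = router.forward(Pkt(syn.dst, 3389, client, 50000, LAB_IF))
    return v1, syn.dst, v2, synack.src


def lab_initiated(router, server="10.47.2.11", target="10.47.20.105"):
    """A cloned server tries to open a new connection out of the LAB."""
    verdict, _ = router.forward(Pkt(server, 49152, target, 445, LAB_IF))
    return verdict


if __name__ == "__main__":
    print(rdp_session(Router()))                 # ('accept', '10.47.2.11', 'accept', '172.31.2.11')
    print(lab_initiated(Router()))               # drop
    print(lab_initiated(Router(isolate=False)))  # accept
```

The point the model makes is that the source NAT rule is irrelevant to isolation: with only a destination NAT rule, a client-initiated RDP session still works in both directions because the reply matches an existing conntrack entry, while a connection initiated from a cloned server has no entry and hits the default drop. Without the ruleset on eth0 the same packet is forwarded, which is the production-conflict scenario the thread is trying to avoid.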

Let's say I have 3 cloned servers inside the isolated network.

Server1: 10.47.2.11
Server2: 10.47.2.12
Server3: 10.47.2.13

From my client, I need to access those 3 servers, but I can't just connect to those IP addresses because that would connect me to the real production servers.

I need to access Server1 using 172.31.2.11, Server2 using 172.31.2.12, and Server3 using 172.31.2.13.

The VyOS router has an IP address of 10.47.2.1 in the isolated network and an IP address of 10.47.100.10 in the production network.

I would then create a static route on my PC: ROUTE ADD 172.31.2.0 MASK 255.255.255.0 10.47.100.10

Now I just need to figure out how to configure VyOS to translate 172.31.2.11 to 10.47.2.11, 172.31.2.12 to 10.47.2.12, and 172.31.2.13 to 10.47.2.13.

At least that's the idea.

It seems that what I needed was a destination NAT rule.

This is what I have done.

nat {
    destination {
        rule 100 {
            destination {
                address 172.31.2.249
            }
            inbound-interface eth1
            translation {
                address 10.47.2.249
            }
        }
    }
}

For some reason I can’t ping, but RDP works fine.

I think that right now the isolated server can reach production networks but will never get a reply back, because my Cisco routers are not sending the packets back to the VyOS router. I guess I can stop this traffic by using firewall rules on the eth0 interface?

For anyone else who might come across this, this is what I ended up doing.

set interfaces ethernet eth0 address '10.47.2.1/24'
set interfaces ethernet eth0 description 'LAB'

set interfaces ethernet eth1 address '10.47.100.10/24'
set interfaces ethernet eth1 description 'PROD'

set nat destination rule 100 destination address '172.31.2.249'
set nat destination rule 100 inbound-interface 'eth1'
set nat destination rule 100 translation address '10.47.2.249'

set firewall name LAB-IN default-action 'drop'
set firewall name LAB-IN enable-default-log

set firewall name LAB-IN rule 1 action 'accept'
set firewall name LAB-IN rule 1 state established 'enable'
set firewall name LAB-IN rule 1 state related 'enable'

set firewall name LAB-IN rule 2 action 'drop'
set firewall name LAB-IN rule 2 log 'enable'
set firewall name LAB-IN rule 2 state invalid 'enable'
set firewall name LAB-IN rule 2 state new 'enable'

set interfaces ethernet eth0 firewall in name 'LAB-IN'

Cool!
Glad that you found the way!

Is there something missing from here? I've set it up exactly as you have laid out and still don't have access into the isolated (LAB) network…

Here are my rules…

set interfaces ethernet eth0 address '10.8.112.1/22'
set interfaces ethernet eth0 description 'ISOLATED'

set interfaces ethernet eth1 address '10.8.96.151/24'
set interfaces ethernet eth1 description 'MANAGEMENT'

set nat destination rule 100 destination address '192.168.112.101'
set nat destination rule 100 inbound-interface 'eth1'
set nat destination rule 100 translation address '10.8.112.101'

set firewall name ISOLATED-IN default-action 'drop'
set firewall name ISOLATED-IN enable-default-log

set firewall name ISOLATED-IN rule 1 action 'accept'
set firewall name ISOLATED-IN rule 1 state established 'enable'
set firewall name ISOLATED-IN rule 1 state related 'enable'

set firewall name ISOLATED-IN rule 2 action 'drop'
set firewall name ISOLATED-IN rule 2 log 'enable'
set firewall name ISOLATED-IN rule 2 state invalid 'enable'
set firewall name ISOLATED-IN rule 2 state new 'enable'

set interfaces ethernet eth0 firewall in name 'ISOLATED-IN'