Accessing internet while exposing the host IP

The_Sky_Heart · May 11, 2015, 2:53pm

Hi Guys,

I wish if I can get some help with my poor setup of VyOS,

I have 3 interfaces

eth0= internet
eth1= connected to hosts
eth2= Management only

the main purpose of the setup is to assign some public IP’s to hosts,

i have a bunch of public subnets, that is already routed through a Juniper router,
eth0 is directly connected to the router and it has 185.x.x.x/29
default gateway is the juniper router IP

eth1, added those public subnets to it and I can assign public IP’s that is connected to this interface.

my problem now is when the host connect to internet it shows the eth0 IP address not the host IP address which i guess is a NAT masquerade

how can i make those public ip’s connect to internet and use their own IP’s?

thanks

JFL · May 11, 2015, 2:58pm

It’s curious because by default there’s no NAT configured.

you can easily check this with “show nat” in configuration mode.

if you have a nat source rule , you can delete it or, for testing purpose, just disable it with the command

set nat source rule XX disable

cgb · May 11, 2015, 3:32pm

Another possibility is ‘The Sky Heart’ has enabled the webproxy service, which by default transparently redirects HTTP. That might be affecting their ‘whatismyip’ type check.

The_Sky_Heart · May 11, 2015, 4:26pm

thanks a lot for the help guys

disabling the NAT did worked now i can see the host real IP instead of the eth0 IP,

sorry but what is the command to enable it back, i didn’t find the way to enable it.

I have one more question, as i mentioned the VyOS router is used to manage public subnet’s and route between those subnet’s so everything connected to the eth1 should have a public IP,

my question is I want to separate each subnet with different VLAN, I can do that but my problem is the hosts that is connected might have many IP’s form different subnets, so is there a way that i can use one IP as a gateway for all the subnets, since the host will only have one default gateway.

here is my poor configuration i didn’t enable any firewall or anything else so any recommendation is also appreciated.

firewall {
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
receive-redirects disable
send-redirects enable
source-validation disable
state-policy {
established {
action accept
}
invalid {
action drop
log {
enable
}
}
related {
action accept
}
}
syn-cookies enable
twa-hazards-protection disable
}
interfaces {
ethernet eth0 {
address 185.x.x.x/29
duplex auto
hw-id 00:50:56:b3:60:40
smp_affinity auto
speed auto
}
ethernet eth1 {
address 185.32.x.1/24
address 185.41.x.1/24
address 185.39.x.1/24
address 185.51.x.1/24
address 94.46.x.1/24
address 94.47x.1/24
duplex auto
hw-id 00:50:56:b3:09:bf
smp_affinity auto
speed auto
}
ethernet eth2 {
address 172.16.160.20/24
duplex auto
hw-id 00:50:56:b3:0f:a0
smp_affinity auto
speed auto
}
loopback lo {
}
}
nat {
source {
rule 100 {
disable
outbound-interface eth0
translation {
address masquerade
}
}
}
}
protocols {
static {
}
}
service {
https {
http-redirect enable
}
ssh {
allow-root
port 19422
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
gateway-address 185.x.x.26
host-name vyosrouter
login {
user vyos {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
password ****************
url http://packages.vyos.net/vyos
username “”
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
vpn {
ipsec {
ipsec-interfaces {
interface eth0
}
}
}

JFL · May 11, 2015, 5:46pm

to re-enable the nat rule , delete the disable statement

ie :

delete nat source rule xx disable

if you want to multi-home a host, you can. But in any case, it’s better to have a single default gateway, and you need to set routes on the host. It can be done easily on any OS.

The_Sky_Heart · May 11, 2015, 6:10pm

Thanks again,

with this configuration i don’t need to add any routes on the host it just works, but i just need more protection for the firewall and the subnets, and adding routes to the host might be too much since some times each host can have 100 of ip’s and each ip from different subnet.