Advertised Static Route of VPN tunnel via BGP, but cannot reach via ping


I feel like I am missing something simple, but am not sure. I have a UniFi router and two VyOS machines that I am connecting in the pattern below:

UniFi ( <--------VPN mode = tunnel ----------> VyOS-1 ( <—DMVPN-----> VyOS-2 (

I advertised the as a static route in BGP and see it on the VyOS-1 and VyOS-2 instances.

I can ping from UniFi → VyOS-1, VyOS-1 → UniFi, VyOS-1 → VyOS-2, and VyOS-2 → VyOS-1. I am not sure why I can’t reach VyOS-2 → UniFi. The UniFi uses a trap-based policy by default, so I’ve added the subnet of VyOS-2.

Could it be a NAT rule issue or traffic coming across with the incorrect address?


I think you should start by checking your firewall and NAT settings.
If I understand correctly, you are getting a BGP route from UniFi on VyOS-2, so basic connectivity works.

Also, using tcpdump on the VyOS interfaces, you can see whether ICMP requests/replies are going in/out on every desired interface.
For example, when pinging from UniFi, try (replace interface_name in each case):

# On VyOS-1 check icmp packets on interface facing Unifi router
sudo tcpdump -i <interface_name> icmp
# On VyOS-1 check icmp packets on interface facing VyOS-2
sudo tcpdump -i <interface_name> icmp

The same test can be done on VyOS-2.

With these tests you can tell whether ICMP requests are going as expected from one side to the other, and also evaluate ICMP reply behavior.

I don’t have BGP on the UniFi setup. Since I am using the “interface” to set it up, it only supports a trap-based IPSEC tunnel. I just manually published the static route from VyOS-1.

I can see the ping destined for UniFi from VyOS-2 show up on VyOS-1 (I didn’t know about tcpdump!!). I have no firewall rules right now, for testing. My only NAT rule is to exclude any packets going from VyOS-1 to UniFi.

destination {
outbound-interface eth0

I assume that since it is a trap-based VPN, either the source of the packet needs to show up as 10.112.0.x (is there a way I can find out if it is? - tcpdump records it as coming from the tunnel IP) or I need to NAT the address of those pings as coming from 10.4.96.x.

Does that sound right?