I am trying to run a container based on cloudflare/gortr and it appeared to break my policy based routes. I’m running VyOS 1.4-rolling-202306190317.
My container configuration:

set container network dn42-roa prefix 172.19.0.0/16
set container name dn42-roa image fransking/vyos-gortr
set container name dn42-roa network dn42-roa
set container name dn42-roa port roa source 38082
set container name dn42-roa port roa destination 8082
set container name dn42-roa port roa protocol tcp
set container name dn42-roa environment 'CACHE' value 'https://dn42.burble.com/roa/dn42_roa_46.json'
set container name dn42-roa environment 'VERIFY' value 'false'
set container name dn42-roa environment 'CHECKTIME' value 'false'
and an example policy based route directing DNS traffic over a VPN:

set protocols static table 60 route 0.0.0.0/0 interface wg60
set policy route VPN_ROUTE rule 60 destination port 53
set policy route VPN_ROUTE rule 60 set table 60
set policy route VPN_ROUTE rule 60 protocol tcp_udp
set policy route VPN_ROUTE interface eth1 # LAN
Once committed, DNS appears to be blocked from the LAN, i.e.

host google.com 220.127.116.11

times out from any computer on the LAN network.
Removing the container does not fix the problem until VyOS is rebooted. I noticed that NETAVARK_FORWARD was still referenced in iptables (although the chain was now empty) until the reboot when it disappeared and PBR started working again.
Chain FORWARD (policy ACCEPT)
target            prot opt source    destination
NETAVARK_FORWARD  all  --  anywhere  anywhere     /* netavark firewall plugin rules */
Running the container with host networking + PBR is fine so I am using that as a workaround for now.
Before I dig further with a lab router I wanted to check if anyone else has experienced this.
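For anyone reproducing this on a lab router, the following is an added helper (not part of the post above, and not VyOS or netavark code) that turns the `iptables -S` listing into the exact `iptables -D` / `-X` commands needed to clear a leftover jump into a NETAVARK_ chain and then drop the orphaned chain itself, so the state can be inspected and cleaned without a reboot. It only prints a plan and never executes anything; the rule listing embedded below is constructed to mirror the FORWARD chain shown in the post, and the precise `-S` output on a given box is an assumption to be checked before running the printed commands.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output on a VyOS host after the
# container was removed: the NETAVARK_FORWARD chain is empty, but the
# FORWARD chain still jumps into it (the situation described in the post).
SAMPLE_RULES='-P FORWARD ACCEPT
-N NETAVARK_FORWARD
-A FORWARD -m comment --comment "netavark firewall plugin rules" -j NETAVARK_FORWARD'

# Read an `iptables -S` listing on stdin and print, in safe order, the
# commands that would remove every leftover reference to a netavark chain:
#   1. delete the rules in built-in chains that jump into NETAVARK_* chains
#   2. flush and delete the now-unreferenced NETAVARK_* chains
# Prints nothing when the listing contains no netavark state.
netavark_cleanup_plan() {
  rules=$(cat)
  # Step 1: "-A FORWARD ... -j NETAVARK_FORWARD" becomes "iptables -D FORWARD ..."
  printf '%s\n' "$rules" | grep -- '-j NETAVARK_' | sed 's/^-A /iptables -D /'
  # Step 2: "-N NETAVARK_FORWARD" becomes flush + delete of that chain
  printf '%s\n' "$rules" | grep -- '^-N NETAVARK_' \
    | sed 's/^-N \(.*\)/iptables -F \1; iptables -X \1/'
}

# On a real router: sudo iptables -S | netavark_cleanup_plan
# Here we run it against the constructed sample listing.
printf '%s\n' "$SAMPLE_RULES" | netavark_cleanup_plan
```

The plan deletes the jump rules before the chains because iptables refuses to remove a chain that is still referenced; review the printed lines against the live listing before pasting them back into a shell.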