Hello,
I am trying to run a container based on cloudflare/gortr and it appeared to break my policy-based routes. I’m running VyOS 1.4-rolling-202306190317.
My container configuration
set container network dn42-roa prefix 172.19.0.0/16
set container name dn42-roa image fransking/vyos-gortr
set container name dn42-roa network dn42-roa
set container name dn42-roa port roa source 38082
set container name dn42-roa port roa destination 8082
set container name dn42-roa port roa protocol tcp
set container name dn42-roa environment 'CACHE' value 'https://dn42.burble.com/roa/dn42_roa_46.json'
set container name dn42-roa environment 'VERIFY' value 'false'
set container name dn42-roa environment 'CHECKTIME' value 'false'
and an example policy-based route directing DNS traffic over a VPN
set protocols static table 60 route 0.0.0.0/0 interface wg60
set policy route VPN_ROUTE rule 60 destination port 53
set policy route VPN_ROUTE rule 60 set table 60
set policy route VPN_ROUTE rule 60 protocol tcp_udp
set policy route VPN_ROUTE interface eth1 # LAN
Once committed, DNS appears to be blocked from the LAN, i.e.
host google.com 1.1.1.1
times out from any computers on the LAN network.
Removing the container does not fix the problem until VyOS is rebooted. I noticed that NETAVARK_FORWARD was still referenced in iptables (although the chain was now empty) until the reboot when it disappeared and PBR started working again.
Chain FORWARD (policy ACCEPT)
target prot opt source destination
NETAVARK_FORWARD all -- anywhere anywhere /* netavark firewall plugin rules */
Running the container with host networking + PBR is fine so I am using that as a workaround for now.
Before I dig further with a lab router I wanted to check if anyone else has experienced this.
Thanks,
Frans
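The symptom described in the post (a FORWARD chain that still jumps to an empty NETAVARK_FORWARD chain after the container is removed) can be checked for without a reboot. The script below is an added example, not part of the post and not VyOS or netavark code; it parses `iptables -S` style output and classifies the netavark state. The embedded rule text is constructed to mirror the post's description, and the function name `stale_netavark_jump` is an assumption of this example.

```shell
#!/bin/sh
# Constructed sample of `iptables -S FORWARD` plus `iptables -S NETAVARK_FORWARD`
# output, shaped like the state the post describes after removing the
# container: the jump from FORWARD survives, but the chain itself is empty.
# This is sample text, not output captured from the poster's router.
SAMPLE_RULES='-P FORWARD ACCEPT
-N NETAVARK_FORWARD
-A FORWARD -m comment --comment "netavark firewall plugin rules" -j NETAVARK_FORWARD'

# stale_netavark_jump RULES
# Prints one of:
#   clean  - FORWARD does not jump to NETAVARK_FORWARD at all
#   active - FORWARD jumps to NETAVARK_FORWARD and the chain holds rules
#   stale  - FORWARD jumps to NETAVARK_FORWARD but the chain is empty
#            (the leftover state that coincided with PBR breaking in the post)
stale_netavark_jump() {
    rules=$1
    # grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps the
    # count while preventing an exit under set -e.
    jump=$(printf '%s\n' "$rules" | grep -c '^-A FORWARD .*-j NETAVARK_FORWARD' || true)
    body=$(printf '%s\n' "$rules" | grep -c '^-A NETAVARK_FORWARD ' || true)
    if [ "$jump" -eq 0 ]; then
        echo clean
    elif [ "$body" -eq 0 ]; then
        echo stale
    else
        echo active
    fi
}

# check_live_netavark
# Same classification against the running firewall; requires root and
# iptables. The second iptables call fails harmlessly when the chain is gone.
check_live_netavark() {
    stale_netavark_jump "$(iptables -S FORWARD; iptables -S NETAVARK_FORWARD 2>/dev/null)"
}

# Stand-alone run: classify the constructed sample.
stale_netavark_jump "$SAMPLE_RULES"
```

Running `check_live_netavark` on the router before and after deleting the container shows whether the jump rule is being cleaned up; a `stale` result after removal is the condition the post reports as persisting until reboot.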