Assigning Static Address to eth0 in VyOS AWS Instance When Config Is Set for DHCP

I am new to VyOS and want to experiment with it a bit in Amazon Web Services before possibly deploying in a home lab. My first goal is to create a VyOS NAT instance in Amazon Web Services to allow instances in a private subnet to access the internet.

The address space for the virtual private cloud is with a public subnet of and a private subnet of

I built a VyOS instance with eth0 in the public subnet at and eth1 in the private subnet at In addition, I assigned an elastic IP address to eth0.

I was able to deploy the instance based on the AMI provided in the AMI marketplace, connected via SSH and started to configure it to suit my needs. I was able to get the repositories as needed to upgrade the image to the VyOS 1.1.6.

I ran into some problems when configuring eth0 and eth1.

Even though eth0 appeared correctly at, the configuration indicated a DHCP address for that interface when I had assigned it a static private address.

I attempted to change this by executing:

delete interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 address ''

When I saved the change, the SSH session hung. I rebooted from the AWS console but was unable to get back into the system.

I redeployed as before but this time edited /config/config.boot to make the change and then rebooted the system.

I was back in the same position as I had been before, namely, I was unable to connect via SSH directly using the public address assigned by AWS to eth0 that had worked successfully before, or by using SSH from another instance in the subnet.

I’m stumped. All I am trying to do is tell VyOS that it’s got a good static address.

Any idea what I’ve run into?

I think it has to do with the way the external EIP is mapped to the internal private IP. At instance launch time, you can define a private IP address. It will be like a “DHCP reservation”, so that every time you boot up that instance, even though DHCP is set on eth0, it should come up with the private IP you assign it in the EC2 console.

That’s certainly what it seems like. I had assumed that assigning the static IP would be as safe as safe could be. But I suppose I won’t get too hung up on this. Now I need to figure out what the configuration settings should be for a NAT instance. I’m not sure what belongs in the firewall and what to put in the security groups for the instance. Is there some prior learning on this that I ought to be focusing on?

Sometimes I’m my own worst enemy.

I just realized that I had made things much more complicated than they needed to be.

There was no reason for me to configure the VyOS instance with two network interfaces. A single interface sitting at 10.0.0.x (i.e., part of the public subnet) on a network will be able to see activity from the private subnet.

The AWS VPC security group will handle the firewall rules that would normally be embedded in the gateway firewall.

The AWS route table just needs a single entry to route non-local traffic coming from instances in the private subnet to the VyOS instance sitting in the public subnet and then the only thing I need to do for VyOS configuration is to configure the NAT. Which I believe means that all I need is:

set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address ''
set nat source rule 100 translation address masquerade

The last part is to turn off source and destination checking in the VyOS AWS instance.

Also, since the AWS Security Group is not aware of connection state tracking, you might have to configure the SG to allow all TCP and UDP ports inward access to your NAT instance for return traffic coming back to the NAT instance. You could limit the range of ports allowed for masquerade NAT; they will probably be high ports (>1024).

Well, my one interface idea won’t work as the DHCP address given by AWS to the VyOS system is on the /24 subnet and not the larger /16 network. Back to the two interface approach. And I will open up the SG as you suggest.

Success! It turns out that I simply didn’t have the route tables and security groups done up correctly in AWS.

I built an Amazon Linux NAT gateway, including the route tables and security groups as specified in the AWS documentation, and then took a look at the iptables command left behind in the working Linux instance. It was, in effect, a variation on what I set forth above, i.e., in VyOS configuration commands,

set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address ''
set nat source rule 100 translation address masquerade

I was surprised to see that the AWS linux variant uses a source network setting of when all that the NAT is intended to do is to handle the private subnet ast

So now I’ve got a very clean and simple VyOS NAT gateway running in my Amazon Web Services virtual private cloud. It may not be as powerful or have the availability of an AWS NAT instance but it’s much less expensive and suits my needs.

Hi! Could you possibly post your VyOS config? I’m experiencing similar problems.


In the end I took the VyOS AWS appliance and added only the configuration lines I listed above. I also was delighted to realize that I only needed a single NIC on the VyOS instance. I posted a longer description here.

Had I wanted to remain with a dual NIC approach I would have stopped fighting with VyOS to force a static assignment on the interface that was set up as receiving a DHCP address because AWS was consistently assigning the desired IP address through its internal DHCP server.

What problems are you having?

I’m having a similar issue to that listed above - I know that my instance will always have the private IP address assigned to it, but when setting up some VPN stuffs it complains (understandably) if eth0 is set to DHCP. Any advice appreciated.

Still having issue with my VyOS instance, not sure why.

Essentially, on a fresh install, I’m attempting to change eth0 from ‘address dhcp’ to a static IP address (set interfaces ethernet eth0 address ‘x.x.x.x/y’).

I run ‘delete interfaces ethernet eth0 address dhcp’ to remove the DHCP config. However, when I commit the config, I am no longer able to log on to the device - I’ve effectively ‘trimmed the branch I’m standing on’. No idea why this is happening - perhaps I’m missing some config? Any advice much appreciated.

EDIT: Nevermind - sorted now

Hi stoz - you mention you sorted it; what was the resolution?

I think this is a fairly common issue worth documenting. You ran into it, I ran into it in March when I was setting up an instance, and I’m running into it again now (but can’t find my own documentation - doh!).

One of the problems is most likely the missing default-route when you change from dhcp to static ip-addressing. Keep in mind you also need to set the system DNS servers most likely.

The other issue about VPN and DHCP binding should be reviewed in a separate topic. Please create your topic describing your use-case with your configuration file anonymized preferably.
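
A pre-commit check for the lockout discussed in this thread, as an added example (not code from any poster or from the VyOS project): it reads a planned list of config-mode commands and warns when DHCP is removed from the management interface without a static address, a default route, or a name server being set. The function names and all sample addresses are constructed for illustration.

```python
import re
import shlex

# Smart quotes pasted from a web page are not valid CLI quoting; normalise them.
_QUOTES = str.maketrans({"‘": "'", "’": "'", "“": '"', "”": '"'})

def parse(commands):
    """Yield (verb, path_tokens) for each set/delete line of a planned session."""
    for line in commands:
        tokens = shlex.split(line.translate(_QUOTES), comments=True)
        if tokens and tokens[0] in ("set", "delete"):
            yield tokens[0], tokens[1:]

def lockout_risks(commands, mgmt_if="eth0"):
    """Return warnings for a DHCP-to-static change on the management interface."""
    dhcp_removed = static_addr = default_route = name_server = False
    addr_path = ["interfaces", "ethernet", mgmt_if, "address"]
    for verb, path in parse(commands):
        if path[:4] == addr_path:
            value = path[4] if len(path) > 4 else ""
            if verb == "delete" and value in ("", "dhcp"):
                dhcp_removed = True
            elif verb == "set" and re.fullmatch(r"\d+(\.\d+){3}/\d+", value):
                static_addr = True  # an empty or elided address does not count
        elif verb == "set" and path[:2] == ["system", "gateway-address"]:
            default_route = True
        elif verb == "set" and path[:4] == ["protocols", "static", "route", "0.0.0.0/0"]:
            default_route = True
        elif verb == "set" and path[:2] == ["system", "name-server"]:
            name_server = True
    warnings = []
    if dhcp_removed and not static_addr:
        warnings.append(f"{mgmt_if}: DHCP removed but no static address set")
    if dhcp_removed and not default_route:
        warnings.append("no default route configured to replace the DHCP one")
    if dhcp_removed and not name_server:
        warnings.append("no system name-server configured to replace the DHCP one")
    return warnings

# Constructed sessions; the addresses are sample values, not taken from the thread.
RISKY = ["delete interfaces ethernet eth0 address dhcp",
         "set interfaces ethernet eth0 address '10.0.0.10/24'"]
SAFE = RISKY + ["set system gateway-address 10.0.0.1",
                "set system name-server 10.0.0.2"]

if __name__ == "__main__":
    for warning in lockout_risks(RISKY):
        print("WARN:", warning)
```
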