AWS VyOS - eth0 only or can we have eth0 & eth1?


#1

Hi,
I’ve set up an AWS instance of VyOS and got a number of site-to-site tunnels set up and running. However, the instance has only one interface, eth0 (EIP attached).

My question: is it possible to set up the VyOS instance to look more like a traditional firewall with outside and inside interfaces, eth0 and eth1 respectively?

I want to be able to add firewall rules (ACLs) on the traffic, but it gets confusing fast with only the one interface, as all traffic goes in/out the same interface.

Any thoughts, suggestions welcome.

Thanks in advance,

Eric


#2

You could add another ENI on another subnet. I’ve seen this done where a NAT instance sits in a “public” (has an internet gateway) subnet and other hosts are in a “private” subnet (with internet gateway pointed to NAT instance). Assume you have your eth0 in subnet A, and are adding eth1 to subnet B. Subnet B could be a private subnet, with hosts pointing all of their traffic to eth1 of your VyOS. Or, Subnet B could be a public subnet with its own internet gateway, and then the hosts in subnet B needing to access the VPN tunnels would need static routes pointing to your VyOS instance. If you have 2 interfaces in 2 different subnets, it will be easy to add some ACL/Firewall filtering.


#3

Figured out what was going on:
When you have only one NIC (ENI) associated to an instance, you can set the ‘Source/Destination Check’ at the instance level. In fact, when you check the ‘source/destination check’ from the instance, it will show you the setting for the primary ENI.
My error was that I did not also disable the ‘source/destination check’ on the second ENI I added. After much going round in circles, I found an article that spoke about this, and as soon as I disabled the ‘source/destination check’ on the second ENI (eth1), the traffic started flowing through the VyOS box.
Thanks JL3128 for making me stick on this one - it’s good to have it finally working like I felt it should be.
E.
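Added example, not from either poster: a small POSIX shell script that audits every ENI attached to the VyOS instance and switches off the EC2 source/destination check on any that still have it enabled, since the two-interface setup from #2 only forwards traffic once the check is off on both eth0 and eth1 (the pitfall in #3). It assumes a configured AWS CLI and uses a placeholder instance id.

```shell
#!/bin/sh
# Audit and fix the EC2 "source/destination check" on all ENIs of one
# instance. A router/firewall instance forwards packets that are neither
# from nor to its own addresses, which EC2 drops while the check is on.
# Assumes: AWS CLI configured with ec2:Describe* and ec2:Modify* rights.

# Print "eni-id<TAB>True|False" for every ENI attached to instance $1.
list_enis() {
  aws ec2 describe-network-interfaces \
    --filters "Name=attachment.instance-id,Values=$1" \
    --query 'NetworkInterfaces[].[NetworkInterfaceId,SourceDestCheck]' \
    --output text
}

# Print only the ENI ids whose source/dest check is still enabled.
enis_needing_fix() {
  list_enis "$1" | awk '$2 == "True" { print $1 }'
}

# Disable the check on each ENI returned by enis_needing_fix.
# This is the per-ENI setting; the instance-level toggle in the console
# only reflects the primary ENI (eth0), as noted in post #3.
fix_enis() {
  for eni in $(enis_needing_fix "$1"); do
    echo "disabling source/dest check on $eni"
    aws ec2 modify-network-interface-attribute \
      --network-interface-id "$eni" --no-source-dest-check
  done
}

# Usage: sh fix-enis.sh i-0123456789abcdef0   (placeholder instance id)
if [ -n "${1:-}" ]; then
  fix_enis "$1"
fi
```

Run it once after attaching eth1, then re-run `list_enis` to confirm both ENIs report False before troubleshooting routing or firewall rules on the VyOS side.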
