Can't ping external ip from one client?

This is probably something simple, but not sure what the issue is. I can’t ping the secondary external IP of VyOS1 from the client. The UniFi router has an IPSEC + BGP session to VyOS1 (VTI)

I have three routers connected in the topology below:

Client -->> UniFi (also running a VyOS spin-off) <----BGP—> VyOS1 <—BGP—> VyOS2

  1. No firewalls on VyOS1 or VyOS2
  2. UniFi/client can ping the external IP of VyOS2 just fine, and VyOS2 is an exact clone of VyOS1 except for the external IPs
  3. I can ping the external IPs of VyOS1 if I move to a different internet connection from the Client's (e.g. my uncle's Wi-Fi)
  4. Each router has two IPs (the 2nd IP is a floating IP)

NAT rules on VyOS1 and VyOS2 translate to the 2nd IP. I've had no issues with this.

Update: this happens when the VPN is connected and online, not when it is offline.

Hello @keneshhagard

Make sure you advertise all the necessary networks in BGP.
If you have NAT, check whether you have set exceptions for the internal addresses that go through the VPN (if I understand correctly).
You can provide your configuration (with private values stripped) so that it can be reproduced in a network lab:
vyos@vyos:~$ show configuration commands | strip-private

Thank you!

//VRRP
set high-availability vrrp group eth0 advertise-interval '1'
set high-availability vrrp group eth0 authentication password xxxxxx
set high-availability vrrp group eth0 authentication type 'plaintext-password'
set high-availability vrrp group eth0 interface 'eth0'
set high-availability vrrp group eth0 no-preempt
set high-availability vrrp group eth0 priority '200'
set high-availability vrrp group eth0 rfc3768-compatibility
set high-availability vrrp group eth0 virtual-address 'xxx.xxx.159.199/23'
set high-availability vrrp group eth0 vrid '10'
set high-availability vrrp group eth1 advertise-interval '1'
set high-availability vrrp group eth1 authentication password xxxxxx
set high-availability vrrp group eth1 authentication type 'plaintext-password'
set high-availability vrrp group eth1 interface 'eth1'
set high-availability vrrp group eth1 no-preempt
set high-availability vrrp group eth1 priority '200'
set high-availability vrrp group eth1 rfc3768-compatibility
set high-availability vrrp group eth1 virtual-address 'xxx.xxx.96.101/20'
set high-availability vrrp group eth1 vrid '11'
set high-availability vrrp sync-group MAIN member 'eth0'
set high-availability vrrp sync-group MAIN member 'eth1'
set high-availability vrrp sync-group MAIN transition-script backup '/config/scripts/vrrp_backup.sh'
set high-availability vrrp sync-group MAIN transition-script master '/config/scripts/vrrp_master.sh'

//interfaces
set interfaces ethernet eth0 address 'xxx.xxx.83.248/22'
set interfaces ethernet eth0 address 'xxx.xxx.159.199/23'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address 'xxx.xxx.96.5/20'
set interfaces ethernet eth1 description 'LAN'
set interfaces loopback lo
set interfaces tunnel tun0 address 'xxx.xxx.1.2/20'
set interfaces tunnel tun0 description 'ORD-HUB'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key xxxxxx
set interfaces tunnel tun0 source-address 'xxx.xxx.0.0'
set interfaces tunnel tun1 address 'xxx.xxx.17.1/20'
set interfaces tunnel tun1 description 'AMS-HUB'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 multicast 'enable'
set interfaces tunnel tun1 parameters ip key xxxxxx
set interfaces tunnel tun1 source-address 'xxx.xxx.0.0'
set interfaces tunnel tun100 address 'xxx.xxx.10.22/30'
set interfaces tunnel tun100 description 'SEA-PDX'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 multicast 'enable'
set interfaces tunnel tun100 remote 'xxx.xxx.197.250'
set interfaces tunnel tun100 source-address 'xxx.xxx.159.199'

//NAT rules
set nat source rule 1 description 'Exclude IPSEC traffic for local LAN from NAT on WAN eth0 interface'
set nat source rule 1 destination address 'xxx.xxx.4.96/20'
set nat source rule 1 exclude
set nat source rule 1 outbound-interface 'eth0'
set nat source rule 100 description 'Show traffic from any LAN source as originating from the WAN eth0 interface'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address 'xxx.xxx.96.0/20'
set nat source rule 100 translation address 'xxx.xxx.159.199'

//BFD
set protocols bfd peer xxxxx.tld interval multiplier '3'
set protocols bfd peer xxxxx.tld interval receive '300'
set protocols bfd peer xxxxx.tld interval transmit '300'
set protocols bfd peer xxxxx.tld multihop
set protocols bfd peer xxxxx.tld source address 'xxx.xxx.1.2'
set protocols bfd peer xxxxx.tld interval multiplier '3'
set protocols bfd peer xxxxx.tld interval receive '300'
set protocols bfd peer xxxxx.tld interval transmit '300'
set protocols bfd peer xxxxx.tld multihop
set protocols bfd peer xxxxx.tld source address 'xxx.xxx.1.2'
set protocols bfd peer xxxxx.tld interval multiplier '3'
set protocols bfd peer xxxxx.tld interval receive '300'
set protocols bfd peer xxxxx.tld interval transmit '300'
set protocols bfd peer xxxxx.tld multihop
set protocols bfd peer xxxxx.tld source address 'xxx.xxx.17.1'

//BGP
set protocols bgp XXXXXX address-family ipv4-unicast network xxx.xxx.96.0/20
set protocols bgp XXXXXX neighbor xxx.xxx.10.21 peer-group 'DMVPN'
set protocols bgp XXXXXX neighbor xxx.xxx.10.21 remote-as '70000'
set protocols bgp XXXXXX neighbor xxx.xxx.0.1 peer-group 'DMVPN'
set protocols bgp XXXXXX neighbor xxx.xxx.0.1 remote-as '65000'
set protocols bgp XXXXXX neighbor xxx.xxx.0.2 peer-group 'DMVPN'
set protocols bgp XXXXXX neighbor xxx.xxx.0.2 remote-as '65001'
set protocols bgp XXXXXX neighbor xxx.xxx.16.1 peer-group 'DMVPN'
set protocols bgp XXXXXX neighbor xxx.xxx.16.1 remote-as '65001'
set protocols bgp XXXXXX parameters default no-ipv4-unicast
set protocols bgp XXXXXX parameters log-neighbor-changes
set protocols bgp XXXXXX peer-group DMVPN address-family ipv4-unicast
set protocols bgp XXXXXX timers holdtime '30'
set protocols bgp XXXXXX timers keepalive '10'

//NHRP
set protocols nhrp tunnel tun0 cisco-authentication xxxxxx
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 map xxx.xxx.0.1/20 nbma-address 'xxx.xxx.112.72'
set protocols nhrp tunnel tun0 map xxx.xxx.0.1/20 register
set protocols nhrp tunnel tun0 multicast 'nhs'
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut
set protocols nhrp tunnel tun1 cisco-authentication xxxxxx
set protocols nhrp tunnel tun1 holding-time '300'
set protocols nhrp tunnel tun1 map xxx.xxx.16.1/20 nbma-address 'xxx.xxx.129.82'
set protocols nhrp tunnel tun1 map xxx.xxx.16.1/20 register
set protocols nhrp tunnel tun1 multicast 'nhs'
set protocols nhrp tunnel tun1 redirect
set protocols nhrp tunnel tun1 shortcut

//static route for external and BGP blackhole
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.82.1
set protocols static route xxx.xxx.96.0/20 blackhole distance '200'

//Other
set service dns forwarding allow-from 'xxx.xxx.96.0/20'
set service dns forwarding listen-address 'xxx.xxx.96.101'
set service dns forwarding system
set service snmp community routers authorization 'ro'
set service snmp location xxxxxx
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system domain-name xxxxxx
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system name-server 'xxx.xxx.8.8'
set system name-server 'xxx.xxx.4.4'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'America/Los_Angeles'

//VPN
set vpn ipsec esp-group ESP-SPOKE compression 'disable'
set vpn ipsec esp-group ESP-SPOKE lifetime '3600'
set vpn ipsec esp-group ESP-SPOKE mode 'tunnel'
set vpn ipsec esp-group ESP-SPOKE pfs 'dh-group21'
set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-SPOKE proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP-SPOKE proposal 2 hash 'sha256'
set vpn ipsec esp-group ESP-SSN compression 'disable'
set vpn ipsec esp-group ESP-SSN lifetime '3600'
set vpn ipsec esp-group ESP-SSN mode 'tunnel'
set vpn ipsec esp-group ESP-SSN pfs 'dh-group21'
set vpn ipsec esp-group ESP-SSN proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-SSN proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP-SSN proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP-SSN proposal 2 hash 'sha256'
set vpn ipsec ike-group IKE-SPOKE close-action 'none'
set vpn ipsec ike-group IKE-SPOKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE-SPOKE key-exchange 'ikev2'
set vpn ipsec ike-group IKE-SPOKE lifetime '28800'
set vpn ipsec ike-group IKE-SPOKE proposal 1 dh-group '21'
set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-SPOKE proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-SPOKE proposal 2 dh-group '21'
set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE-SPOKE proposal 2 hash 'sha256'
set vpn ipsec ike-group IKE-SSN close-action 'none'
set vpn ipsec ike-group IKE-SSN ikev2-reauth 'no'
set vpn ipsec ike-group IKE-SSN key-exchange 'ikev2'
set vpn ipsec ike-group IKE-SSN lifetime '28800'
set vpn ipsec ike-group IKE-SSN proposal 1 dh-group '21'
set vpn ipsec ike-group IKE-SSN proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-SSN proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-SSN proposal 2 dh-group '21'
set vpn ipsec ike-group IKE-SSN proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE-SSN proposal 2 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'dmn'
set vpn ipsec logging log-modes 'mgr'
set vpn ipsec logging log-modes 'knl'
set vpn ipsec logging log-modes 'net'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret xxxxxx
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN bind tunnel 'tun1'
set vpn ipsec profile NHRPVPN esp-group 'ESP-SPOKE'
set vpn ipsec profile NHRPVPN ike-group 'IKE-SPOKE'
set vpn ipsec site-to-site peer xxxxx.tld authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld connection-type 'respond'
set vpn ipsec site-to-site peer xxxxx.tld default-esp-group 'ESP-SSN'
set vpn ipsec site-to-site peer xxxxx.tld description 's2s SEA -> PDX'
set vpn ipsec site-to-site peer xxxxx.tld ike-group 'IKE-SSN'
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxxxx.tld local-address 'xxx.xxx.159.199'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 100 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 100 allow-public-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 100 protocol 'gre'

The VPN is on the 2nd (floating) IP.

I do have an exception for internal addresses in my NAT.

Hello @keneshhagard
Change the IP address 'xxx.xxx.159.199/23' on the eth0 interface.
You have the same address configured twice, both as the VRRP virtual address and as a static address on eth0:

set high-availability vrrp group eth0 virtual-address 'xxx.xxx.159.199/23'
set interfaces ethernet eth0 address 'xxx.xxx.159.199/23'