DNAT: source address of translated packets is wrong (web server cannot reply to Internet clients)

Hi,

I have a VyOS router in a datacenter with a public IP address:
set interfaces ethernet eth0 address 'x.x.x.x/24'
set interfaces ethernet eth0 description 'WAN'

set interfaces tunnel tun0 address '192.168.0.1/30'
set interfaces tunnel tun0 encapsulation 'ipip'
set interfaces tunnel tun0 local-ip 'x.x.x.X'
set interfaces tunnel tun0 multicast 'disable'
set interfaces tunnel tun0 remote-ip 'y.y.y.y'
set interfaces vti vti0 address '10.0.0.2/31'
set interfaces vti vti0 description 'Tunnel to 192.168.0.2'
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 172.40.40.0/24
set nat source rule 100 translation address masquerade
set nat destination rule 10
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 destination port 80
set nat destination rule 10 translation address 172.40.40.100-172.40.40.103
set nat destination rule 10 log

We have installed four VyOS systems at the company site and created IPsec tunnels from them to the datacenter; the tunnels are up and running. These VyOS systems are connected to a switch, and a web server is connected to the same switch.

If we run `wget 172.40.40.10` (presumably 172.40.40.100, the first DNAT target) on the VyOS in the DC, the web page loads fine.
The packet is 192.168.0.2 -> 172.40.40.100;
the web server sends the reply back to 192.168.0.2, which is one of the VyOS systems at the company,
so the return traffic goes back over the VPN to the DC.

If I load the web page from the Internet, it does not work any more.
I see that the source address in the packet is the public IP address of the client on the Internet.
For the packet 162.59.60.20 -> 172.40.40.100 the web server does not know where to send the reply.

Can you help me please?

Can you provide a simple network diagram?
What is the web server's default route?
Does the web server itself use the VPN connection, or only the VyOS routers? How does the VyOS in the DC know about network 172.40.40.0/24? What happens if you use only one translation address in the DNAT rule?
Which version of VyOS? Do you use any other PBR/load-balancing rules?

VyOS DATACENTER

interfaces {
    ethernet eth0 {
        address u.u.u.u/24
        description WAN
        hw-id 00:0c:29:a5:86:cf
    }
    loopback lo {
    }
    tunnel tun0 {
        address 192.168.0.1/30
        encapsulation ipip
        local-ip u.u.u.u
        multicast disable
        remote-ip x.x.x.x
    }
    tunnel tun1 {
        address 192.168.1.1/30
        encapsulation ipip
        local-ip u.u.u.u
        multicast disable
        remote-ip y.y.y.y
 }
    tunnel tun2 {
        address 192.168.2.1/30
        encapsulation ipip
        local-ip u.u.u.u
        multicast disable
        remote-ip z.z.z.z
    }
    tunnel tun3 {
        address 192.168.3.1/30
        encapsulation ipip
        local-ip u.u.u.u
        multicast disable
        remote-ip w.w.w.w
    }
    vti vti0 {
        address 10.0.0.2/31
        description "Tunnel to 192.168.0.2"
    }
    vti vti1 {
        address 10.1.1.2/31
        description "Tunnel to 192.168.1.2"
    }
    vti vti2 {
        address 10.2.2.2/31
        description "Tunnel to 192.168.2.2"
    }
    vti vti3 {
        address 10.3.3.2/31
        description "Tunnel to 192.168.3.2"
    }
}
nat {
    destination {
        rule 10 {
            destination {
                port 80
            }
            inbound-interface eth0
            log
            protocol tcp
            translation {
                address 172.40.40.100-104
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop u.u.u.u gateway dc {
            }
        }
        route 172.40.40.100/32 {
            interface tun0 {
            }
        }
        route 172.40.40.101/32 {
            interface tun2 {
            }
        }
        route 172.40.40.102/32 {
            interface tun1 {
            }
        }
        route 172.40.40.103/32 {
            interface tun3 {
            }
        }
        route 192.168.11.0/24 {
            next-hop 192.168.111.1 {
            }
        }
    }
}
vpn {
    ipsec {
        esp-group group-ESP {
            compression disable
            lifetime 3600
            mode tunnel
            pfs dh-group19
            proposal 10 {
                encryption aes256gcm128
                hash sha256
            }
        }
        ike-group group-IKE {
            close-action none
            dead-peer-detection {
                action hold
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev2
            lifetime 28000
            mobike disable
            proposal 10 {
                dh-group 19
                encryption aes256gcm128
                hash sha256
            }
        }
        ipsec-interfaces {
            interface tun0
            interface tun1
            interface tun2
            interface tun3
        }
        site-to-site {
            peer 192.168.0.2 {
                authentication {
                    id 192.168.0.1
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 192.168.0.2
                }
                connection-type initiate
                ike-group group-IKE
                ikev2-reauth inherit
                local-address 192.168.0.1
                vti {
                    bind vti0
                    esp-group group-ESP
                }
            }
            peer 192.168.1.2 {
                authentication {
                    id 192.168.1.1
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 192.168.1.2
                }
                connection-type initiate
                ike-group group-IKE
                ikev2-reauth inherit
                local-address 192.168.1.1
                vti {
                    bind vti1
                    esp-group group-ESP
                }
            }
            peer 192.168.2.2 {
                authentication {
                    id 192.168.2.1
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 192.168.2.2
                }
                connection-type initiate
                ike-group group-IKE
                ikev2-reauth inherit
                local-address 192.168.2.1
                vti {
                    bind vti2
                    esp-group group-ESP
                }
            }
            peer 192.168.3.2 {
                authentication {
                    id 192.168.3.1
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 192.168.3.2
                }
                connection-type initiate
                ike-group group-IKE
                ikev2-reauth inherit
                local-address 192.168.3.1
                vti {
                    bind vti3
                    esp-group group-ESP
                }
            }
        }
    }
}

Mod Edit: Made config readable - @tjh

The web server has no default route (0.0.0.0/0) defined.
Routes for 172.40.40.100, .101, .102 and .103 are defined (the /32 routes via tun0–tun3 in the DC config above).
If the packet comes in from the VPN, the web server's specific route back to that VPN peer is used for the reply.

Does the web server use the VPN connection? Yes, there are four VPN connections, used for load balancing.

Or only VyOS? The VyOS in the DC as well (DNAT rule 10 there):
inbound-interface eth0
log
protocol tcp
translation {
address 172.40.40.100-104

How does the VyOS know about network 172.40.40.0/24? The VyOS in the datacenter has the static routes shown above.

What happens if you use only one translation address for DNAT?
Then it works fine: the web server knows where to send the return traffic, via its route over one of the four VPN tunnels.

Which version of VyOS? Version 1.3-rolling-202012141037.

Do you use any other PBR/load-balancing rules? No.

The intention is: at the company we have four slow Internet connections; if we bundle these connections, we get more bandwidth and failover.

Hi,

Can you please upgrade to the latest 1.3 (equuleus) release and check whether the translation works there.

Independently of the version, the symptom looks like an asymmetric return path rather than a DNAT bug: the DNAT rule rewrites only the destination, so the web server sees the Internet client's address as the source and, having no default route, has no path for the reply (it works from the VPN only because the server has a route back to 192.168.x.2). The usual fixes are either to give the web server a default route towards the site routers, or to add a source NAT rule on the DC VyOS with `outbound-interface tun0` (and likewise tun1–tun3) and `translation address masquerade`, so the server replies to the tunnel endpoint and the reply follows the same tunnel back. Also check the range: the config shows translation to 172.40.40.100-104 while /32 routes exist only for .100–.103, so connections mapped to .104 would follow the default route out eth0 — and 172.40.40.0/24 is not an RFC 1918 range, so those packets would be sent towards someone else's public address. Note too that those /32 routes point at the plain ipip tunnels (tun0–tun3) rather than the IPsec VTIs (vti0–vti3), so unless something in the site configs not shown here changes that, the web traffic is not carried inside the IPsec SAs; and rule 10 has no `destination address`, so it catches every TCP/80 packet arriving on eth0, which is fine for a single-address WAN but worth pinning to the public address you intend to expose.
