Double NAT trouble (lab)

Hello,
in the past I have created a new VLAN on my old router and have been able to lab when setting up a new router behind it. However, with VyOS I can't get it to work.

Router 1 networks
192.168.1.0/24
192.168.11.0/24

VyOS (1.4)
WAN eth0 is given an IP on router1's 192.168.11.0/24 network
masquerade is set up on outbound WAN for the 192.168.0.0/16 nets
eth1 is set up to have the LAN network 192.168.1.0/24

When I configure the network on eth1 in VyOS I lose all network access from router1's 192.168.1.0/24 network to the VyOS box on IP 192.168.11.103.

TBH, I do not really understand why it has worked in the past with different router OSes which come with default settings (OPNsense/UniFi). So I'm trying to understand what's going on.

Hi etnicor,

your masquerading (192.168.0.0/16) also includes your WAN uplink prefix 192.168.11.0/24.
Have you tried whether it works when you have a NAT exclude rule before your masq rule?

/Markus

Hello,
I actually tried setting masquerade for only the 192.168.1.0/24 net but still had the same issue.

Have not looked into NAT exclude rules. Will have a look at that tonight.

You probably have to paste your config, because details often matter.

It's quite minimal; this is the config from Ansible.
Can't find any docs regarding NAT exclude rules.

      - set system host-name vyos
      - set system ipv6 disable-forwarding
      - set service ssh port '22'
      - set system name-server 1.1.1.1

      - set interfaces ethernet "{{ IF_WAN }}" address dhcp
      - set interfaces ethernet "{{ IF_WAN }}" description 'WAN'
      - set interfaces ethernet "{{ IF_LAN }}" address '192.168.1.1/24'
      - set interfaces ethernet "{{ IF_LAN }}" description 'LAN'

      - set nat source rule 100 outbound-interface '{{ IF_WAN }}'
      - set nat source rule 100 source address '192.168.0.0/16'
      - set nat source rule 100 translation address masquerade

Wouldn't it be better, instead of source address (which overlaps in your current setup), to use inbound-interface?

So that everything from, let's say, LAN (whatever IP it got) will be masqueraded to the WAN IP when egressing the WAN interface?

True, didn't think of that; this NAT rule set comes from the VyOS example :slight_smile:

So you mean basically like this. Will try it out.

      - set nat source rule 100 outbound-interface '{{ IF_WAN }}'
      - set nat source rule 100 inbound-interface '{{ IF_LAN }}'
      - set nat source rule 100 translation address masquerade

Yup!

That's the way I would do it; of course it depends on what else you've got on your IF_LAN.

Firewall rules in filter forward are also needed to allow the packets through.

Well, this is all the config I am testing atm, and I believe the default actions are accept on all basic rules.

But I am wondering if this is really a NAT issue and not a routing issue? How does VyOS know that return traffic should go back through the WAN interface when the source IP is on the 192.168.1.0/24 net, which is the same as the LAN net in VyOS?

When I think of it, in my old labs I never started new connections from outside-in; I think all my tests have been from inside-out. Will have to do some more testing.

Unless you do PBR (Policy Based Routing, aka routing based on source IP or some other parameter), the routing will look at the destination IP and match which interface it will egress at.

Then a few things happen, such as DNAT and SNAT, but at various stages.

Here you can see what happens, and in which order:

https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

https://docs.vyos.io/en/latest/configuration/firewall/index.html#netfilter-based

So for example SNAT (aka masquerade) is applied in the postrouting hook, just before the packet is sent out on the interface (aka the egress interface, aka the interface which the routing table says the packet should be sent out through, based on the packet's destination IP).

"Normally" you have a default route pointing at a nexthop reachable through the WAN interface. So if there isn't any more specific route (longest prefix match, that is, a route defined as /24 will win over a route defined as /16), then the default of 0.0.0.0/0 will be used.

So what a NAT rule that acts on inbound-interface and outbound-interface will trigger on is that the routing has decided that the packet will egress (be sent out) at the WAN interface. It then matches if the packet arrived at the LAN interface, and the masquerade action tells the NAT engine to translate the source IP to whatever source IP the WAN interface is using.

Then when the answer returns to the WAN interface from whatever your client at LAN was speaking to at WAN, that packet will be matched (normally) in the conntrack table (normally you have defined rules to let through packets that match established or related flows; established is for example TCP/UDP, while related is for example an ICMP echo-reply arriving after an ICMP echo-request was sent in the other direction moments ago).

The conntrack table will tell the NAT engine how to translate this answering packet so it finds its way back to the LAN client and whatever source port it was using for its original request.
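An added worked model of the two points made in this thread (routing by destination with longest-prefix match first, then the masquerade rule evaluated at postrouting against the already-chosen egress interface) and of the question raised earlier about return traffic when the VyOS LAN prefix equals a prefix on router1's side. This is an editor's illustration in Python, not VyOS or nftables code; the interface names, addresses and routes mirror the lab described in the thread, while the router1-side host 192.168.1.50 and the upstream host 192.168.11.5 are constructed example addresses.

```python
"""Toy model of route lookup followed by SNAT, as discussed in the thread.

Not VyOS code: it only reproduces the decision order (routing by destination,
then masquerade at postrouting) on a routing table copied from the lab.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str


@dataclass(frozen=True)
class SnatRule:
    outbound_interface: str                     # like VyOS "outbound-interface"
    inbound_interface: Optional[str] = None     # like VyOS "inbound-interface"
    source: Optional[IPv4Network] = None        # like VyOS "source address"


# The VyOS box from the thread: WAN eth0 got 192.168.11.103 from router1 via
# DHCP, LAN eth1 is 192.168.1.1/24.  Two connected routes plus a default via WAN.
IFACE_ADDR = {
    "eth0": ip_address("192.168.11.103"),
    "eth1": ip_address("192.168.1.1"),
}
ROUTES = [
    Route(ip_network("192.168.11.0/24"), "eth0"),
    Route(ip_network("192.168.1.0/24"), "eth1"),
    Route(ip_network("0.0.0.0/0"), "eth0"),
]

# Rule shape from the original Ansible config: match on a source prefix.
RULE_PREFIX = SnatRule(outbound_interface="eth0", source=ip_network("192.168.0.0/16"))
# Rule shape suggested later in the thread: match on the inbound interface.
RULE_IFACE = SnatRule(outbound_interface="eth0", inbound_interface="eth1")


def lookup_route(dst, routes=ROUTES) -> Route:
    """Longest-prefix match: the most specific prefix containing dst wins,
    so a connected /24 always beats the 0.0.0.0/0 default."""
    dst = ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def forward(src, dst, in_iface, rule: SnatRule, routes=ROUTES, iface_addr=IFACE_ADDR):
    """Forward one packet: routing decision first, SNAT rule at 'postrouting'.
    Returns (egress_interface, source_address_as_seen_on_the_wire)."""
    src, dst = ip_address(src), ip_address(dst)
    egress = lookup_route(dst, routes).interface        # routing decided the egress
    hit = (
        egress == rule.outbound_interface
        and (rule.inbound_interface is None or in_iface == rule.inbound_interface)
        and (rule.source is None or src in rule.source)
    )
    # masquerade = rewrite the source to the egress interface's own address
    return egress, (iface_addr[egress] if hit else src)


def reply_egress(original_src, routes=ROUTES) -> str:
    """Interface a reply leaves on when a host connected *to* the box itself.
    No NAT is involved; it is purely the destination-based route lookup."""
    return lookup_route(original_src, routes).interface


if __name__ == "__main__":
    # Inside-out: LAN client -> Internet leaves via WAN and is masqueraded.
    print(forward("192.168.1.10", "8.8.8.8", "eth1", RULE_IFACE))
    # Hairpin from the upstream prefix: the /16 rule masquerades it, the
    # inbound-interface rule does not (it did not arrive on eth1).
    print(forward("192.168.11.5", "1.1.1.1", "eth0", RULE_PREFIX))
    print(forward("192.168.11.5", "1.1.1.1", "eth0", RULE_IFACE))
    # Outside-in: a router1-side host on 192.168.1.0/24 connects to the WAN IP.
    # The reply is routed by destination only, and that prefix is the LAN
    # connected route, so it leaves on eth1 instead of going back out eth0.
    print(reply_egress("192.168.1.50"))
```

The last case is the one the thread circles around: with the routing table as configured, any reply to a 192.168.1.x address is sent toward eth1 because the connected /24 outranks the default route, regardless of how the masquerade rule is written. In this model the hairpin case also shows what the remark about the /16 covering the WAN uplink prefix means in practice: the source-prefix rule rewrites traffic that never came from the LAN, while the inbound-interface rule leaves it alone.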