Hello,
In the past I have created a new VLAN on my old router and have been able to lab when setting up a new router behind it. However, with VyOS I can't get it to work.
Router 1 networks
192.168.1.0/24
192.168.11.0/24
VyOS (1.4)
WAN eth0 is given an IP on router1's 192.168.11.0/24 network
Masquerade is set up on outbound WAN for 192.168.0.0/16 nets
eth1 is set up to have LAN network 192.168.1.0/24
When I configure the network on eth1 in VyOS I lose all network access from the router1 network 192.168.1.0/24 to the VyOS box on IP 192.168.11.103.
TBH, I do not really understand why it has worked in the past with different router OSes which come with default settings (OPNsense/UniFi). So I'm trying to understand what's going on.
Your masquerading (192.168.0.0/16) also includes your WAN uplink prefix 192.168.11.0/24.
Have you tried whether it's working when you have a NAT exclude rule before your masq rule?
Well, this is all the config I am testing atm, and I believe default actions are accept on all basic rules.
But I am wondering if this is really a NAT issue and not a routing issue. How does VyOS know return traffic should go back through the WAN interface when the source IP is on the 192.168.1.0/24 net, which is the same as the LAN net in VyOS?
When I think of it, in my old labs I never started new connections from outside-in; I think all my tests have been from inside-out. Will have to do some more testing.
Unless you do PBR (Policy Based Routing, aka routing based on source IP or some other parameter), the routing will look at the destination IP and match which interface it will egress at.
Then a few things happen, such as DNAT and SNAT, but at various stages.
Here you can see what happens when, aka in which order:
So, for example, SNAT (aka masquerade) is applied in the postrouting hook just before the packet is sent out on the interface (aka the egress interface, aka the interface which the routing table says the packet should be sent out through based on the packet's destination IP).
“Normally” you have a default route pointing at a next hop reachable through the WAN interface. So if there isn't any more specific route (longest prefix match, that is, a route defined as /24 will win over a route defined as /16), then the default of 0.0.0.0/0 will be used.
So what a NAT rule which acts on inbound-interface and outbound-interface will trigger on is that the routing has decided that the packet will egress (be sent out) at the WAN interface. And then, if it matches that it arrived at the LAN interface, the masquerade action tells the NAT engine to translate the source IP to whatever source IP the WAN interface is using.
Then when the answer returns to the WAN interface from whatever your client at LAN was speaking to at WAN, that packet will be matched (normally) in the conntrack table (normally you have defined to let through packets that match established or related flows; established is for example TCP/UDP, while related is for example an ICMP echo-reply arriving after an ICMP echo-request was sent in the other direction moments ago).
The conntrack table will tell the NAT engine how to translate this answering packet so it finds its way back to the LAN client and whatever source port it was using for its original request.
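Putting the two replies above together, here is an added example (written for this thread, not code from anyone posting in it and not VyOS's own implementation) that models the forwarding path they describe: a longest-prefix route lookup, a source NAT rule list evaluated in the postrouting hook with an exclude rule ahead of the masquerade rule, and a conntrack table that reverses the translation on the reply. The addresses are the ones the OP posted; the eth1 address 192.168.1.1, the rule numbers, the exclude rule's source match, and the client/server addresses and ports are constructed assumptions. Running it shows that once eth1 holds 192.168.1.0/24, a reply towards a 192.168.1.x host on the router1 side matches that connected route and leaves via eth1 rather than via the default route on eth0, which is the routing-side question the OP raised.

```python
"""Model of routing, postrouting SNAT and conntrack as described in the
thread. Constructed example: thread addresses, assumed rule contents."""
import ipaddress
from dataclasses import dataclass, field

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str


@dataclass(frozen=True)
class NatRule:
    number: int            # source NAT rules are evaluated in ascending order
    outbound: str          # outbound interface the rule is tied to
    source: IPv4Network    # source address match
    exclude: bool = False  # exclude: matched traffic is left untranslated


def route(prefix, interface):
    return Route(IPv4Network(prefix), interface)


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins,
    so a connected /24 beats the 0.0.0.0/0 default."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen).interface


def postrouting_snat(rules, src, egress, if_addrs):
    """Runs after the routing decision: the first rule whose outbound
    interface and source match wins. An exclude rule ends evaluation
    without translating; masquerade rewrites src to the egress address."""
    src_ip = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.outbound != egress or src_ip not in rule.source:
            continue
        return src if rule.exclude else if_addrs[egress]
    return src


@dataclass
class Router:
    routes: list
    nat_rules: list
    if_addrs: dict
    conntrack: dict = field(default_factory=dict)

    def forward(self, src, sport, dst, dport):
        """Outbound packet: route, then SNAT, then record the mapping."""
        egress = lookup(self.routes, dst)
        new_src = postrouting_snat(self.nat_rules, src, egress, self.if_addrs)
        # conntrack keys the expected reply tuple to the pre-NAT source
        self.conntrack[(dst, dport, new_src, sport)] = (src, sport)
        return egress, new_src

    def reply(self, src, sport, dst, dport):
        """Inbound reply: conntrack restores the LAN client's address, then
        routing picks the interface towards that original address.
        A tuple not in conntrack is a new inbound flow (KeyError here)."""
        orig_dst, _orig_dport = self.conntrack[(src, sport, dst, dport)]
        return lookup(self.routes, orig_dst), orig_dst


# eth0 address from the thread; eth1 address is an assumption
IF_ADDRS = {"eth0": "192.168.11.103", "eth1": "192.168.1.1"}

# Before eth1 is configured: only the uplink prefix and a default via eth0.
ROUTES_BEFORE = [route("192.168.11.0/24", "eth0"), route("0.0.0.0/0", "eth0")]
# After eth1 gets 192.168.1.0/24, the same prefix router1 uses on its side.
ROUTES_AFTER = ROUTES_BEFORE + [route("192.168.1.0/24", "eth1")]

NAT_RULES = [
    # assumed exclude rule for the uplink prefix, placed before the masquerade
    NatRule(10, "eth0", IPv4Network("192.168.11.0/24"), exclude=True),
    # masquerade of 192.168.0.0/16 out of the WAN interface, as in the thread
    NatRule(20, "eth0", IPv4Network("192.168.0.0/16")),
]


def reply_interface_to_router1_host(routes, host="192.168.1.50"):
    """Egress interface for a reply from VyOS to a host on router1's side."""
    return lookup(routes, host)


def lan_client_to_internet():
    """LAN client (constructed) to an internet host (RFC 5737 address) and back."""
    r = Router(ROUTES_AFTER, NAT_RULES, IF_ADDRS)
    egress, new_src = r.forward("192.168.1.20", 40000, "203.0.113.10", 443)
    back = r.reply("203.0.113.10", 443, new_src, 40000)
    return egress, new_src, back


if __name__ == "__main__":
    print("reply to 192.168.1.50 before eth1:", reply_interface_to_router1_host(ROUTES_BEFORE))
    print("reply to 192.168.1.50 after eth1: ", reply_interface_to_router1_host(ROUTES_AFTER))
    print("LAN client out and back:", lan_client_to_internet())
```

The model keeps the order the reply describes: `lookup` decides the egress interface from the destination only, `postrouting_snat` is consulted afterwards with that egress interface, and the reply direction never re-evaluates the NAT rules but is rewritten from the conntrack entry. The exclude rule only affects translation; it does not change where a packet is routed.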