However, everything breaks unless there’s a default route on Vyos, and then it only fixes one of the two if I run a set protocol static 0.0.0.0/0 dhcp-interface eth[0/1] – which is kind of expected.
I’m running out of ideas and my google-fu is running dry.
The “Multiple Uplinks” section is all you need.
In the example “OPTIONAL: Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) from PBR” there is a little error; it should be:
set policy route PBR rule 10 description 'VLAN10 <-> VLAN11 shortcut'
set policy route PBR rule 10 destination address '192.168.188.0/24'
set policy route PBR rule 10 set table 'main'
set policy route PBR rule 11 description 'VLAN10 <-> VLAN11 shortcut'
set policy route PBR rule 11 destination address '192.168.189.0/24'
set policy route PBR rule 11 set table 'main'
or
set firewall group network-group local-nets network '192.168.188.0/24'
set firewall group network-group local-nets network '192.168.189.0/24'
set policy route PBR rule 10 description 'VLAN10 <-> VLAN11 shortcut'
set policy route PBR rule 10 destination group network-group 'local-nets'
set policy route PBR rule 10 set table 'main'
Create tables and define default gateways for both tables
set protocols static table 10 route 0.0.0.0/0 dhcp-interface eth0
set protocols static table 20 route 0.0.0.0/0 dhcp-interface eth1
Create Policies
set policy route PBR rule 10 set table '10'
set policy route PBR rule 10 description 'Route LAN1 traffic to table 10'
set policy route PBR rule 10 source address '192.168.69.0/24'
set policy route PBR rule 20 set table '20'
set policy route PBR rule 20 description 'Route LAN2 traffic to table 20'
set policy route PBR rule 20 source address '172.16.6.0/24'
# Allow LAN1-LAN2 communication through main table
set policy route PBR rule 30 description 'LAN1 shortcut'
set policy route PBR rule 30 destination address '192.168.69.0/24'
set policy route PBR rule 30 set table 'main'
set policy route PBR rule 40 description 'LAN2 shortcut'
set policy route PBR rule 40 destination address '172.16.6.0/24'
set policy route PBR rule 40 set table 'main'
Assign the policy to the interfaces:
set interfaces ethernet eth4 policy route 'PBR'
set interfaces ethernet eth7 policy route 'PBR'
Also, I guess that NAT rules should be present in your case:
set nat source rule 10 description "Nat to Internet through WAN1"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 translation address masquerade
set nat source rule 20 description "Nat to Internet through WAN2"
set nat source rule 20 outbound-interface eth1
set nat source rule 20 translation address masquerade
Okay, applied… but now I lost inter-lan, wouldn’t the rule 10/20 be executed before the rule 30/40, causing stuff to go out the WAN before it hits the main table?
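The ordering question in the post above, worked through with a small simulator (an added example, not from the thread or from VyOS itself): it assumes VyOS evaluates policy route rules in ascending rule-number order and applies the first match, so the per-LAN rules 10/20 capture inter-LAN traffic before the 'main' shortcuts 30/40 are ever reached; renumbering the shortcuts below 10 (here as rules 1 and 2, an assumed fix) restores inter-LAN reachability while Internet-bound traffic still hits table 10/20.

```python
import ipaddress
import re

# Constructed from the PBR rules quoted in the thread above; only the matchers and
# the target table matter for evaluation, description lines are ignored.
PBR_CONFIG = """
set policy route PBR rule 10 set table '10'
set policy route PBR rule 10 source address '192.168.69.0/24'
set policy route PBR rule 20 set table '20'
set policy route PBR rule 20 source address '172.16.6.0/24'
set policy route PBR rule 30 destination address '192.168.69.0/24'
set policy route PBR rule 30 set table 'main'
set policy route PBR rule 40 destination address '172.16.6.0/24'
set policy route PBR rule 40 set table 'main'
"""
RULE_RE = re.compile(
    r"^set policy route PBR rule (\d+) (source address|destination address|set table) '([^']+)'$"
)

def parse_pbr(config):
    """Build {rule_number: {'src': net, 'dst': net, 'table': name}} from the set commands."""
    rules = {}
    for line in config.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, key, val = int(m.group(1)), m.group(2), m.group(3)
        rule = rules.setdefault(num, {})
        if key == "source address":
            rule["src"] = ipaddress.ip_network(val)
        elif key == "destination address":
            rule["dst"] = ipaddress.ip_network(val)
        else:
            rule["table"] = val
    return rules

def lookup(rules, src, dst):
    """Assumed VyOS semantics: ascending rule number, first match wins, no match -> 'main'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num in sorted(rules):
        r = rules[num]
        if "src" in r and s not in r["src"]:
            continue
        if "dst" in r and d not in r["dst"]:
            continue
        return r["table"]
    return "main"

def renumber_shortcuts(config):
    """Assumed fix: give the 'main' shortcuts lower numbers so they run before rules 10/20."""
    return config.replace("rule 30 ", "rule 1 ").replace("rule 40 ", "rule 2 ")
```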
Well, good news, I’m over that hump, now I’m trying to get some ipsec goodness over to vultr so that I can share my BGP ip space… from what it sounds like is that I need to use vti because of pbr, right?
I have a VULTR vps that’s advertising my V4/24 space. I’ve carved out a /27, BGP announces fine, however, I cannot for the life of me get the inbound traffic to the public IPs to traverse. I’m to the point where I think it’s something, really, really simple that I’m missing because I’m so focused somewhere else.
The only thing I haven’t done is put everything on a NAT, but, if I’m routing the IPs publicly over wireguard, I shouldn’t need to NAT it, right?
I can ping from wireguard to wireguard, so that’s up, so, wireguard config looks good.