I think I already have the answer…
Routing happens first…
set interfaces ethernet eth5 vif 42 policy route 'GWv4_HVDN'
set interfaces ethernet eth5 vif 515 policy route 'GWv4_HVDN'
set policy route GWv4_HVDN rule 9 destination group network-group 'LOCAL_NETs'
set policy route GWv4_HVDN rule 9 set table 'main'
set policy route GWv4_HVDN rule 10 description 'Route to HVDN'
set policy route GWv4_HVDN rule 10 set table '10'
vif 42 is a network that requires NAT to reach the rest of the network… (192.168.48.0/24)
vif 515 is a network with copiers on it… (10.120.51.0/24)
When someone on the eth5.42 network tries to access the eth5.515 network, no NAT happens…
tcpdump -i eth5 -qlp -vv dst host 10.120.51.102 and not arp
tcpdump: listening on eth5, link-type EN10MB (Ethernet), capture size 262144 bytes
12:08:10.227853 IP (tos 0x0, ttl 128, id 52186, offset 0, flags [DF], proto TCP (6), length 48)
192.168.48.128.9847 > 10.120.51.102.http: tcp 0
12:08:12.242950 IP (tos 0x0, ttl 128, id 52187, offset 0, flags [DF], proto TCP (6), length 48)
192.168.48.128.9847 > 10.120.51.102.http: tcp 0
12:08:21.620320 IP (tos 0x0, ttl 128, id 52188, offset 0, flags [none], proto ICMP (1), length 60)
192.168.48.128 > 10.120.51.102: ICMP echo request, id 1, seq 52, length 40
12:08:24.721269 IP (tos 0x0, ttl 128, id 52189, offset 0, flags [none], proto ICMP (1), length 60)
192.168.48.128 > 10.120.51.102: ICMP echo request, id 1, seq 53, length 40
^C
4 packets captured
307 packets received by filter
42 packets dropped by kernel
curl -v -I http://10.120.51.102
then a ping
I do have NAT source rules… but I think the policy routing is kicking in first…
set nat source rule 100 outbound-interface 'eth3.2004'
set nat source rule 100 source address '192.168.48.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 110 outbound-interface 'eth6'
set nat source rule 110 source address '192.168.48.0/24'
set nat source rule 110 translation address 'masquerade'
(this works… but I didn't think I should have to do this…)
set nat source rule 120 outbound-interface 'eth5.515'
set nat source rule 120 source address '192.168.48.0/24'
set nat source rule 120 translation address 'masquerade'
When 192.168.48.0/24 goes anywhere, out any interface except eth5.42, it should be with NAT…
or
When 192.168.48.0/24 goes to 10.20/16, 10.120/16, 10.121/16, 172.16/16, it should be with NAT…
Thank you in advance…
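A small model of the order the post is about (policy route picks the table, the route picks the outbound interface, and only then is a source-NAT rule matched on that interface), added here as an example and not code from the post or from VyOS. The membership of LOCAL_NETs, the connected-network map and the name of the interface table 10 routes through are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed: the connected network behind each interface (what table main knows).
CONNECTED = {
    "eth5.42":  ip_network("192.168.48.0/24"),
    "eth5.515": ip_network("10.120.51.0/24"),
}
# Assumed membership of the LOCAL_NETs network-group; the post does not list it.
LOCAL_NETS = [ip_network("10.120.51.0/24")]
HVDN_IFACE = "hvdn-uplink"   # placeholder for whatever table 10 routes through

# Policy route GWv4_HVDN in rule order: the first matching rule decides the table.
POLICY_ROUTE = [
    (9,  lambda dst: any(dst in n for n in LOCAL_NETS), "main"),
    (10, lambda dst: True,                               "10"),
]

# Source NAT rules as posted: (rule, outbound interface, source network).
NAT_WITHOUT_120 = [(100, "eth3.2004", ip_network("192.168.48.0/24")),
                   (110, "eth6",      ip_network("192.168.48.0/24"))]
NAT_WITH_120 = NAT_WITHOUT_120 + [(120, "eth5.515", ip_network("192.168.48.0/24"))]

def select_table(dst):
    """Policy routing runs first: return the first matching rule and its table."""
    for rule, match, table in POLICY_ROUTE:
        if match(dst):
            return rule, table
    raise RuntimeError("unreachable: rule 10 matches every destination")

def route(dst, table):
    """Pick the outbound interface from the chosen table (connected routes in main)."""
    if table == "main":
        for iface, net in CONNECTED.items():
            if dst in net:
                return iface
    return HVDN_IFACE

def forward(src, dst, nat_rules):
    """Return (policy rule, table, outbound interface, matching NAT rule or None)."""
    src, dst = ip_address(src), ip_address(dst)
    rule, table = select_table(dst)
    iface = route(dst, table)
    # Source NAT is matched only after routing has fixed the outbound interface,
    # so a 192.168.48.0/24 source leaving via eth5.515 is untranslated unless a
    # rule names that interface (rule 120 in the post).
    nat = next((n for n, out, net in nat_rules if out == iface and src in net), None)
    return rule, table, iface, nat

if __name__ == "__main__":
    print(forward("192.168.48.128", "10.120.51.102", NAT_WITHOUT_120))  # (9, 'main', 'eth5.515', None)
    print(forward("192.168.48.128", "10.120.51.102", NAT_WITH_120))     # (9, 'main', 'eth5.515', 120)
```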