I have a pair of routers that serve an IP on the LAN using high availability, as well as the ISP network. I have several IPs assigned to me out of a /24 public network.
I would like to be able to assign the public address directly to DMZ hosts. Is this possible? I know I can't typically create a static /32 route to a private address in the DMZ.
My only specific need is to maintain the current high-availability functionality between the two routers.
I tried bridging eth0 with the DMZ network, but that predictably caused a loop between the ISP and my network.
Assign it to a dummy interface
set interfaces dummy address
Thank you. Can you clarify this?
set interfaces dummy dum0 address 123.4.5.6/32
And then I can assign 123.4.5.6/32 to a VM in the DMZ?
In theory, yes; it's the way I redistribute via BGP. The way mine is set up, I have DMVPN to the hub, BGP inside, and have it distribute the /24 route to the spoke. Assign an IP to an interface where public-facing hosts will sit, that's all. Set the GW as the VyOS interface and you should be able to use the IPs.
I think I understand what you're suggesting, and maybe it's not applicable to my situation.
I have a router with eth0 connected to the ISP. I've been assigned 5 IPs from a /24 public network, and I want to assign one to a device on eth1. Is that a similar situation to what you are using?
I just want to be sure that the dummy interface will work in this way before I spin my tires.
Try to figure out why you get a loop.
I know why: because I have another router, so if I bridge eth0 and eth3 on both, there is an L2 loop created. If I use STP, then one router is blocked.
I know I could use VRRP scripts to remove/add a bridge to eth3 on the inactive router, but I'm hoping there's a less invasive method.
Any other ideas? It seems this functionality is close to what some CPE call IP Passthrough or "routed IP LAN". I just can't even find a method to recreate this using the raw CLI, regardless of whether it's a VyOS-supported function.
You need to exclude the loop from the topology.
Or use 1:1 NAT from VyOS to the LAN host.
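A VyOS configuration fragment, added here as an illustration (it is not from the thread or from the VyOS project), showing the 1:1 NAT option combined with VRRP so the public address moves with the active router rather than being bridged. It assumes VyOS 1.3 syntax, eth0 toward the ISP, eth3 toward the DMZ, and placeholder addresses: 203.0.113.0/24 as the public block, 203.0.113.10 as the address to pass through, 10.10.10.10 as the DMZ host.

```vyos
# Added example, not from the thread. Assumes VyOS 1.3 syntax; eth0 faces the ISP,
# eth3 faces the DMZ. 203.0.113.x and 10.10.10.x are placeholder addresses.
# Apply on both routers; only the interface addresses and VRRP priority differ.

# DMZ side: this router's own address, plus a VRRP address the DMZ host uses as gateway
set interfaces ethernet eth3 address '10.10.10.2/24'
set high-availability vrrp group DMZ vrid '20'
set high-availability vrrp group DMZ interface 'eth3'
set high-availability vrrp group DMZ virtual-address '10.10.10.1/24'
set high-availability vrrp group DMZ priority '200'

# ISP side: the public address is a VRRP address, so only the active router answers ARP for it
set interfaces ethernet eth0 address '203.0.113.2/24'
set high-availability vrrp group WAN vrid '10'
set high-availability vrrp group WAN interface 'eth0'
set high-availability vrrp group WAN virtual-address '203.0.113.10/24'
set high-availability vrrp group WAN priority '200'

# Fail the WAN and DMZ groups over together, never one without the other
set high-availability vrrp sync-group HA member 'WAN'
set high-availability vrrp sync-group HA member 'DMZ'

# 1:1 NAT: inbound traffic to the public address is delivered to the DMZ host ...
set nat destination rule 10 description 'public 203.0.113.10 -> DMZ host'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 destination address '203.0.113.10'
set nat destination rule 10 translation address '10.10.10.10'
# ... and the host's outbound traffic leaves with that same public address
set nat source rule 10 description 'DMZ host -> public 203.0.113.10'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.10.10.10'
set nat source rule 10 translation address '203.0.113.10'

# Destination NAT is not a filter: without this, every port on the DMZ host is exposed.
# The firewall sees the post-NAT private address, so match on 10.10.10.10.
set firewall name WAN_IN default-action 'drop'
set firewall name WAN_IN rule 5 action 'accept'
set firewall name WAN_IN rule 5 state established 'enable'
set firewall name WAN_IN rule 5 state related 'enable'
set firewall name WAN_IN rule 10 action 'accept'
set firewall name WAN_IN rule 10 protocol 'tcp'
set firewall name WAN_IN rule 10 destination address '10.10.10.10'
set firewall name WAN_IN rule 10 destination port '80,443'
set interfaces ethernet eth0 firewall in name 'WAN_IN'
```

On the second router use its own eth0/eth3 addresses and a lower VRRP priority; existing connections will still drop on failover unless conntrack-sync is also configured between the pair.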
Ok thanks for confirming those are the only options.
I’m currently trying to set up a network with a DMZ containing a web server and an e-mail server separated from the Internet by a network address translating firewall!