Expose public IP to DMZ host instead of NAT

ACiD_GRiM · April 8, 2021, 3:54am

I have a pair of routers that serve an IP on the lan using high availability as well as the ISP network. I have several ips assigned to me out of a /24 public network

I would like to be able to assign the public address directly to DMZ hosts, is this possible? I know I cant typically create a station, /32 route to a private address in the dmz

My only specific need is to maintain the current highavailability functionality between the two Routers

I has tried bridging ETH0 with the DMZ network, bur that predictibly caused a loop between the ISP and my network

CiscoNCS · April 10, 2021, 10:53pm

Assign it to a dummy interface

set interfaces dummy address

ACiD_GRiM · April 11, 2021, 7:21pm

Thank you, Can you clarify this?

set interfaces dummy dum0 address 123.4.5.6/32

And then I can assign 123.4.5.6/32 to a VM in the DMZ?

CiscoNCS · April 11, 2021, 7:33pm

in theory yes it’s the way i redistribute via BGP, the way mine is setup i have DMVPN to the hub BGP inside have it distribute /24 route to the spoke assign a IP to an interface where public facing hosts will sit that’s all set the GW as the VyOS interface you should be able to use the IP’s

ACiD_GRiM · April 12, 2021, 11:08am

I think I understand what you’re suggesting and maybe not applicable to my situation.
I have a router with eth0 connected to the ISP. I’ve been assigned 5 ip’s from a /24 public network, and I want to assign one to a device on eth1. Is that a similar situation to what you are using?\

I just want to be sure that the dummy if will work in this way before I spin my tires.

Viacheslav · April 13, 2021, 9:38am

Try to figure out why do you get a loop.

ACiD_GRiM · April 13, 2021, 3:42pm

I know why because I have another router so if I bridge ETH 0 and ETH 3 on both there an l2 loop created. If I use STP then one router is blocked

I know I could use vrrp scripts to remove/add a bridge to ETH 3 on the inactive router, but im hoping there’s a less invasive method

ACiD_GRiM · April 16, 2021, 8:04am

Any other ideas? It seems this functionality is cose to what some CPE call IP Passthrough or “routed IP Lan”. I just can’t even find a method to recreate this using raw cli regardless if it’s a vyos supported function.

Viacheslav · April 16, 2021, 9:18am

You need exclude loop from topology.
Or use nat 1:1 from vyos to lan host

ACiD_GRiM · April 16, 2021, 4:59pm

Ok thanks for confirming those are the only options.

Abrams17 · May 12, 2021, 10:25am

I’m currently trying to set up a network with a DMZ containing a web server and an e-mail server separated from the Internet by a network address translating firewall!