Hello, first time VyOS user here!
I have a basic home network setup consisting of a fiber connection, a modem, and a 2-port box running VyOS as a router. I managed to get the following things working:
- working LAN with DHCP and DNS forwarding and
- a working PPPoE connection on the router.
However, I seem to be missing some configuration so that clients connected to LAN (`eth2`) see/use the internet connection (`eth1`) provided by the router. Already tried or present in some form (=taken straight from the docs) are:
- NAT rule for outbound traffic
- Basic firewall rules for `eth1`
- Missing default route setting:

```
ojdo@vyos:~$ ip route
default nhid 18 dev pppoe1 proto static metric 20
80.146.136.13 dev pppoe1 proto kernel scope link src xxx.xxx.xxx.xxx
192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.1
```
I am mostly unsure because I have VLAN tagging active and am now unsure for which settings I might need to refer to `eth1.7` instead of `eth1`.
Fun fact: DNS forwarding works fine for clients, so `nslookup google.com` works, but `ping 8.8.8.8` does not (except on the router itself).
So in short: what do I need to add to/remove from the following configuration so that clients on `eth2` can benefit from the internet connection provided on `eth1`?
`show configuration | strip-private`:

```
firewall {
    interface eth1 {
        in {
            name OUTSIDE-IN
        }
        local {
            name OUTSIDE-LOCAL
        }
    }
    name OUTSIDE-IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    name OUTSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
    }
}
interfaces {
    ethernet eth1 {
        address dhcp
        description OUTSIDE
        hw-id xx:xx:xx:xx:xx:c1
        vif 7 {
            description "needed for ISP"
        }
    }
    ethernet eth2 {
        address xxx.xxx.0.1/24
        description INSIDE
        hw-id xx:xx:xx:xx:xx:c2
    }
    loopback lo {
    }
    pppoe pppoe1 {
        authentication {
            password xxxxxx
            user xxxxxx
        }
        description "fiber internet FTW"
        ip {
            adjust-mss 1452
        }
        mtu 1492
        source-interface eth1.7
    }
    wireless wlan0 {
        disable
        hw-id xx:xx:xx:xx:xx:ad
        physical-device phy0
    }
}
nat {
    source {
        rule 100 {
            outbound-interface eth1
            source {
                address xxx.xxx.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        hostfile-update
        host-decl-name
        shared-network-name xxxxxx {
            authoritative
            subnet xxx.xxx.0.0/24 {
                default-router xxx.xxx.0.1
                domain-name xxxxxx
                lease 86400
                name-server xxx.xxx.0.1
                range 0 {
                    start xxx.xxx.0.9
                    stop xxx.xxx.0.254
                }
            }
        }
    }
    dns {
        forwarding {
            allow-from xxx.xxx.0.0/24
            cache-size 0
            listen-address xxx.xxx.0.1
        }
    }
    ssh {
        access-control {
            deny {
                user vyos
            }
        }
        disable-password-authentication
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name xxxxxx
    login { /* snip */ }
    ntp { /* snip */ }
    syslog { /* snip */ }
}
```
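The following is an added example, not part of the original post and not taken from the VyOS project, showing the change that the routing table above points to. The `ip route` output has the default route on `pppoe1`, so forwarded LAN traffic leaves the router on the PPP session interface, not on `eth1` or `eth1.7` (those only carry the encapsulated PPPoE frames). A source-NAT rule with `outbound-interface eth1` therefore never matches the LAN packets, which go out untranslated and get no replies; the router's own DNS forwarder is unaffected because its queries already originate from the `pppoe1` address, which matches the symptom of working `nslookup` but failing `ping 8.8.8.8`. The same interface mismatch applies to the `firewall interface eth1` bindings. The commands below are written in configure-mode form using the same syntax as the posted configuration (assumed to be the same VyOS release); the LAN prefix `192.168.0.0/24` is taken from the `ip route` output.

```vyos
# Added example, not from the original post. Assumes the same VyOS release and
# configuration syntax as the posted "show configuration" output.

# Source NAT must match the interface the packets actually egress on, which the
# routing table shows is pppoe1, not the underlying eth1 / eth1.7.
set nat source rule 100 outbound-interface pppoe1
set nat source rule 100 source address 192.168.0.0/24
set nat source rule 100 translation address masquerade

# Move the existing OUTSIDE-IN / OUTSIDE-LOCAL rule sets from eth1 to pppoe1 so
# they see the routed IP traffic of the PPP session instead of raw PPPoE frames.
delete firewall interface eth1
set firewall interface pppoe1 in name OUTSIDE-IN
set firewall interface pppoe1 local name OUTSIDE-LOCAL

commit
save
```

Nothing else in the posted configuration needs to change for basic connectivity: `adjust-mss 1452` is already set on `pppoe1`, and the default route is already installed by the PPPoE session. After committing, `show nat source statistics` should show rule 100's packet counter increasing when a LAN host pings an external address.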