Help with access into an isolated network through masquerading IP

mwpr3ston · October 6, 2021, 3:52pm

Hey everyone - I’m hoping to get a little help with my vyOS configuration here.

I’m trying to create an isolated network where I can restore my VMs into, and run various tests against them to test recoverability. I want to be able to simply restore them, and not have to mess with networking so I thought vyOS would be a great router to put in between the isolated network and prod. The isolated network would essentially be a clone of my production network. I want to then be able to get into the isolated network using a different subnet, say 192.168.112.0.

Basically, this is my setup

vyOS with 2 nics

eth1 is my management NIC and IP’d on my MGMT network, IPd at 10.8.96.151/24
eth0 is a nic connected to an isolated network within vSphere (no uplinks at all). The IP on this nic is the same as my VM Network production gateway (10.8.112.1) This allows the VMs placed on this network to see their gateway, and talk to each other, but not get out to the outside networks.

Have setup a static route on my client machine, to route traffic destined to 192.168.112.0 to the eth1 IP of 10.8.96.151

Basically, the traffic flow I’m looking for is as follows
Client issues ssh request to 192.168.112.101
Route table sends that to vyOS eth1 of 10.8.96.151
vyOS eth1 sees IP of 192.168.112.101, translates it to 10.8.112.101
vyOS forwards request to eth0
vyOS eth0 sends request to VM inside isolated network on it’s original IP 10.8.112.101
All is well in the world

I did get some rules from another post here looking to do the same, and this is what I’ve done thus far.

set interfaces ethernet eth0 address ‘10.8.112.1/22’
set interfaces ethernet eth0 description ‘ISOLATED’

set interfaces ethernet eth1 address ‘10.8.96.151/24’
set interfaces ethernet eth1 description ‘MANAGEMENT’

set nat destination rule 100 destination address ‘192.168.112.101’
set nat destination rule 100 inbound-interface ‘eth1’
set nat destination rule 100 translation address ‘10.8.112.101’

set firewall name ISOLATED-IN default-action ‘drop’
set firewall name ISOLATED-IN ‘enable-default-log’

set firewall name ISOLATED-IN rule 1 action ‘accept’
set firewall name ISOLATED-IN rule 1 state established ‘enable’
set firewall name ISOLATED-IN rule 1 state related ‘enable’

set firewall name ISOLATED-IN rule 2 action ‘drop’
set firewall name ISOLATED-IN rule 2 log ‘enable’
set firewall name ISOLATED-IN rule 2 state invalid ‘enable’
set firewall name ISOLATED-IN rule 2 state new ‘enable’

set interfaces ethernet eth0 firewall in name 'ISOLATED-IN’

This doesn’t seem to work. The VMS in the isolated network are functioning fine, can see each other, ping each other and ping their gateway while not being able to ping outside the isolated network - but the access into the network isn’t working.
IE, ssh admin@192.168.112.101 seems to do nothing…

Any thoughts/help?

Viacheslav · October 6, 2021, 4:03pm

Try to add the next nat rule:

set nat source rule 100 outbound-interface eth1
set nat source rule 100 source address 10.8.112.101
set nat source rule 100 translation address 192.168.112.101

n.fort · October 6, 2021, 4:29pm

Hello @mwpr3ston .
Looks like a routing problem.
If I don’t misunderstand you, VyOS router has 2 networks defined:

eth0: 10.8.112.0/22
eth1: 10.8.96.0/24

You are trying to ssh from a host located in network 10.8.112.0/22 to a host located in network 192.168.112.0/24.
Does VyOS router reach the host? Is there a static route for that network?
If you are trying to connect to a host located in network 192.168.112.0/24, there should be a route entry for that destination. Simple NAT won’t work, because destination nat occurs when destination address (in this case the ssh connection to host 192.168.122.101) is an IP associated to the router itself.

mwpr3ston · October 6, 2021, 4:36pm

Hi,

So, yes, vyOS config is as described by you.

My 10.8.112.0/22 is a production VM network - what I’ve done is attached eth0 to an isolated vSwitch, and assigned it an IP of that networks gateway (10.8.112.1) in hopes of being able to restore virtual machines into that isolated network, giving them a gateway and not have to mess with their IPs.

My thoughts were, what I’d like to do, is be able to access those restored VMs in that network, through the use of another IP subnet (the 192.168.112.0/22), and have vyos translate that to the 10.8.112.0/22 and push it through eth0.

I can ping an isolated VM through eth0 on it’s IP (10.8.112.101), but not the translated one (192.168.112.0).

Basically, I’m trying to achieve what is laid out in this post - Access Isolated Network - #7 by noise

mwpr3ston · October 6, 2021, 4:40pm

Will this inturn allow outbound access from the ISOLATED NETWORK, because I don’t want that…

mwpr3ston · October 6, 2021, 5:02pm

Actually, just confirmed that it is working without these above NAT rules. So as long as I add a static route on my client, and the client is configured on the same network as vyOS eth1 (10.8.96.0) I can ssh into the isolated VM using 192.168.112.101.

My problem now is I would like to actually be able to ssh to this from the vyOS router itself, but that is not working…

n.fort · October 6, 2021, 5:22pm

Yes, mi mistake. Dst Nat is actually done in prerouting, so it works.
Also, if you need to ssh from vyos router itself, you may need to use real IP address of those VMs