Hey everyone - I’m hoping to get a little help with my vyOS configuration here.
I’m trying to create an isolated network where I can restore my VMs into, and run various tests against them to test recoverability. I want to be able to simply restore them, and not have to mess with networking so I thought vyOS would be a great router to put in between the isolated network and prod. The isolated network would essentially be a clone of my production network. I want to then be able to get into the isolated network using a different subnet, say 192.168.112.0.
Basically, this is my setup
vyOS with 2 nics
- eth1 is my management NIC and IP'd on my MGMT network at 10.8.96.151/24
- eth0 is a NIC connected to an isolated network within vSphere (no uplinks at all). The IP on this NIC is the same as my VM Network production gateway (10.8.112.1). This allows the VMs placed on this network to see their gateway and talk to each other, but not get out to the outside networks.
I have set up a static route on my client machine to route traffic destined for 192.168.112.0 to the eth1 IP of 10.8.96.151.
Basically, the traffic flow I’m looking for is as follows
Client issues ssh request to 192.168.112.101
Route table sends that to vyOS eth1 of 10.8.96.151
vyOS eth1 sees IP of 192.168.112.101, translates it to 10.8.112.101
vyOS forwards request to eth0
vyOS eth0 sends request to VM inside isolated network on its original IP 10.8.112.101
All is well in the world
I did get some rules from another post here looking to do the same, and this is what I’ve done thus far.
set interfaces ethernet eth0 address '10.8.112.1/22'
set interfaces ethernet eth0 description 'ISOLATED'
set interfaces ethernet eth1 address '10.8.96.151/24'
set interfaces ethernet eth1 description 'MANAGEMENT'
set nat destination rule 100 destination address '192.168.112.101'
set nat destination rule 100 inbound-interface 'eth1'
set nat destination rule 100 translation address '10.8.112.101'
set firewall name ISOLATED-IN default-action 'drop'
set firewall name ISOLATED-IN enable-default-log
set firewall name ISOLATED-IN rule 1 action 'accept'
set firewall name ISOLATED-IN rule 1 state established 'enable'
set firewall name ISOLATED-IN rule 1 state related 'enable'
set firewall name ISOLATED-IN rule 2 action 'drop'
set firewall name ISOLATED-IN rule 2 log 'enable'
set firewall name ISOLATED-IN rule 2 state invalid 'enable'
set firewall name ISOLATED-IN rule 2 state new 'enable'
set interfaces ethernet eth0 firewall in name 'ISOLATED-IN'
This doesn't seem to work. The VMs in the isolated network are functioning fine: they can see each other, ping each other and ping their gateway while not being able to ping outside the isolated network, but the access into the network isn't working.
I.e., ssh admin@192.168.112.101 seems to do nothing...
Any thoughts/help?