How to configure default routing

Dear Team

Our upstream ISP gave us the 104.223.67.177/28 subnet and asked me to configure gateway 107.174.198.62 to reach the internet, which is outside the public IP /28 range.

When I configure it on a Windows or Linux machine I get internet on it without any issue, but when I configure the same on VyOS version 1.4.3 I don’t get internet on VyOS. They said that VyOS does not reliably install the default route, resulting in loss of internet connectivity, because this version does not support configuring a default gateway that lies outside the assigned subnet, since the upstream gateway (107.174.198.62) is outside the public /28 range.

Is there any solution for this to get internet on VyOS 1.4.3?

Sounds like you have to use an interface route.

This might work for you when the next hop of 0.0.0.0/0 is not an address but your upstream interface instead.

This is also not working.

I am using the command below:

set protocols static route 0.0.0.0/0 interface eth1

eth1 is my interface, where I configured IP 104.223.67.177/28 to get internet.

Looks good so far.

To continue with troubleshooting:

  • Have you any firewall rules active?
  • Can you also check your route table (`show ip route`) for any routes which could interfere?
  • Please use tcpdump on a second connection to see if any packets are sent out via this interface while you try to ping something on the internet, like 1.1.1.1

I would wager they are routing that /28 to you over a point to point link of 107.174.198.62/31, which your IP would be 107.174.198.63/31, then you set your default gateway to 107.174.198.62. Otherwise it may be a /30, so you would be 107.174.198.61/30 and they would be 107.174.198.62/30

This allows you to use the full /28 as you wish

Can you share how you have configured it on a working Linux machine?
VyOS is a Linux kernel so it shouldn’t be hard to figure out how to get it working if you can share the config you put on your other Linux device to get it working.

As far as I know, the gateway address MUST be within the same subnet as the interface through which traffic is routed to that gateway. It’s not possible to configure a gateway if the host doesn’t have an interface in that same subnet, except if a point-to-point interface like PPPoE is used. However, an Ethernet interface cannot be used to redirect traffic to the gateway unless that interface isn’t also point-to-point.

The process of routing traffic to a gateway requires resolving the gateway’s MAC address using ARP, and ARP cannot be used if the gateway’s IP address is not on the same network.

This applies to VyOS, but also to Linux and Windows. On a Windows PC, you CANNOT configure a gateway that is not on the same subnet as the interface.

Can you provide the `ipconfig /all` output showing the Windows configuration for the interface on the 104.223.67.177/28 network and the gateway 107.174.198.62?

You say the ISP gave you 104.223.67.177/28 as a public subnet, but that’s NOT a network address; it’s a valid host IP address on that subnet. The subnet should be 104.223.64.176/28.

Are you sure the information provided in this case is correct?

I don’t think it’s a VyOS bug.

You can 100% have a gateway outside of the subnet on the interface. All that is required is an on-link route to force VyOS to ARP.

This is a (somewhat) common approach to IP conservation by smaller providers. The idea being if you had say 128 customers, and each had a /31 for connectivity, that is a full 256 addresses (/24) that could otherwise be sold as blocks to customers. That could be valued anywhere from $500-$2000 USD depending on the market.

You can have all 128 customers have a shared gateway (like the 107.174.198.62 address in this example), so only a single IP is burned for all of them.

Okay, VyOS has that configuration option, but for it to work, you need a static route to the gateway IP address through a valid gateway on an interface.

That is, to reach IP address 107.174.198.62, you need a route like this:
set protocols static route 107.174.198.62/32 next-hop x.x.x.x
and also:
set protocols static route 0.0.0.0/0 next-hop 107.174.198.62

And that gateway IP address, x.x.x.x, must belong to the subnet of one of the interfaces, because otherwise, it’s not possible to determine the outgoing interface and resolve the routes recursively.

On the other hand, the IP address savings you mentioned aren’t usually associated with connections to ISPs that assign a public /28 subnet, right? If you’re assigned a /28 address, there are already enough IP addresses available to reserve one as a gateway, the one assigned by the ISP on its connection to your router, right?

What you’re describing is normal in point-to-point internet connections like PPPoE, where the gateway assigned to the connection is shared by many clients and is usually an RFC1918 IP address, because the actual routing is done by interface or PVC.

Furthermore, this configuration might work for VyOS with recursive routing, but I don’t see how you can make it work on a Windows PC.

You don’t need a static route to a next hop like that for this to work, you just need an on-link route. ARP does not care at all about belonging to a subnet on the interface, you just need a route that will trigger ARP (e.g. a connected route).

Some providers will only provide a floating subnet. The idea there is if you give someone a /30 or /31 as an interconnect, you’re only selling them 1 address (since the provider needs to home one of those addresses). But if it’s floating, you’re selling them either 2 or 4 addresses, which they can charge more for.

This works the same way on Windows as well; the gateway behaves as an on-link route. You can see here that ARP is being requested for a gateway outside of the interface’s subnet.

Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 10.1.2.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1

Ethernet II, Src: ASRockIncorp_a8:8d:40 (70:85:c2:a8:8d:40), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IPv4 (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    Sender MAC address: ASRockIncorp_a8:8d:40 (70:85:c2:a8:8d:40)
    Sender IP address: 10.1.2.3
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 192.168.2.1

I’ve been avoiding responding to this thread because the OP has posted a number of times and is not marking solutions or providing updates, which is the only way community support works. But here is a quick way to achieve what I mentioned, since maybe this will provide help to people that find this thread later (or are just generally interested in how to implement this):

set interfaces ethernet eth1 address 104.223.67.176/32
set protocols static route 0.0.0.0/0 next-hop 107.174.198.62
set protocols static route 107.174.198.62/32 interface eth1

The `set protocols static route 107.174.198.62/32 interface eth1` specifically is what creates a connected route which will trigger ARP. The ARP request would use 104.223.67.176 as the source for the request.

To use additional IPs from the /28, you’d use either proxy-arp, or add additional /32s to the interface.

2 Likes
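
Added example (not part of the thread, and not VyOS or FRR code): a simplified Python model of next-hop resolution, showing why the default route via 107.174.198.62 stays inactive until an interface route for 107.174.198.62/32 exists, and which address is ARPed for in each configuration posted above. The function names and the resolution rule (a next hop must match a connected or interface route, never the default route) are assumptions of this model.

```python
import ipaddress as ip

def lookup(routes, dst, skip_default=False):
    """Longest-prefix match over the table; returns the route dict or None."""
    dst = ip.ip_address(dst)
    best = None
    for r in routes:
        if skip_default and r["net"].prefixlen == 0:
            continue
        if dst in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best

def build_table(addresses, statics):
    """addresses: [(iface, 'a.b.c.d/len')]; statics: [(prefix, next_hop, iface)]."""
    table = [{"net": ip.ip_interface(a).network, "via": None, "dev": i}
             for i, a in addresses]
    # Interface (on-link) routes go in first so next-hop routes can resolve through them.
    for prefix, nh, iface in statics:
        if nh is None:
            table.append({"net": ip.ip_network(prefix), "via": None, "dev": iface})
    for prefix, nh, iface in statics:
        if nh is not None:
            onlink = lookup(table, nh, skip_default=True)
            # Model assumption: the route is active only if its next hop is on-link.
            if onlink is not None and onlink["via"] is None:
                table.append({"net": ip.ip_network(prefix), "via": nh, "dev": onlink["dev"]})
    return table

def egress(table, dst):
    """Return (interface, address to ARP for), or None when no active route matches."""
    r = lookup(table, dst)
    if r is None:
        return None
    return (r["dev"], r["via"] or dst)

# Constructed scenarios using the addresses quoted in the thread.
# 1. /28 on eth1 plus a default route via the out-of-subnet gateway only.
ORIGINAL = build_table([("eth1", "104.223.67.177/28")],
                       [("0.0.0.0/0", "107.174.198.62", None)])
# 2. The /32 address plus an interface route to the gateway, as in the last config.
FIXED = build_table([("eth1", "104.223.67.176/32")],
                    [("0.0.0.0/0", "107.174.198.62", None),
                     ("107.174.198.62/32", None, "eth1")])
# 3. Default route pointing at the interface: every destination is treated as on-link.
IFACE_DEFAULT = build_table([("eth1", "104.223.67.177/28")],
                            [("0.0.0.0/0", None, "eth1")])
```

In the third scenario the model ARPs for the remote destination itself rather than for the gateway, so that configuration only passes traffic if the upstream device answers ARP on behalf of remote addresses.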

Why is this topic in the bug? This is a general question.