How to make lan as the default gateway and make static routing for wan works

Hi, All
I met an issue that I need LAN as the gateway ,but wan was not working. Here is my configuration:

vpn# run show configuration | strip-private
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disablessh
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address xxx.xxx.74.61/29
        duplex auto
        smp-affinity auto
        speed auto
    }
    ethernet eth1 {
        address xxx.xxx.0.121/22
        duplex auto
        smp-affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    source {
        rule 120 {
            outbound-interface eth1
            source {
                address xxx.xxx.255.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route xxx.xxx.0.0/0 {
            next-hop xxx.xxx.0.252 {
            }
        }
        route xxx.xxx.74.56/29 {
            next-hop xxx.xxx.74.57 {
            }
        }
    }
}
service {
    ssh {
        port 22
    }
}
system {
    acceleration {
    }
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    domain-name xxxxxx
    host-name xxxxxx
    login {
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ssh-rsa
                }
            }
            level admin
        }
    }
    name-server xxx.xxx.0.8
    ntp {
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }

}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network xxx.xxx.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                mode radius
                radius {
                    server xxxxx.tld {
                        key xxxxxx
                    }
                }
            }
            client-ip-pool {
                start xxx.xxx.255.2
                stop xxx.xxx.255.254
            }
            dns-servers {
                server-1 xxx.xxx.0.8
            }
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret xxxxxx
                }
                ike-lifetime 3600
                lifetime 3600
            }
            outside-address xxx.xxx.74.61
            outside-nexthop xxx.xxx.0.121
        }
    }
}

Hi @echowings .
eth0 - WAN
eth1 - LAN
That correct?
If you have a route on the interface (eth0 address xxx.xxx.74.61/29) as connected, then you don’t need to create an additional static route. Directly connected routes will be preferable then static or dynamic routes.

route xxx.xxx.74.56/29 {
            next-hop xxx.xxx.74.57

Example xxx.xxx.74.57 - your default gw for WAN network.
Without vpn, example if you need to connect from PC 5.5.5.5 to host xxx.xxx.74.61.
You need create route to PC host 5.5.5.5 via WAN interface.

set protocols static route 5.5.5.5/32 next-hop xxx.xxx.74.57

@viacheslav I tried but failed ,since vyos make the directly connected routing mertic is 0. so this routing policy will be never work.

.

xxx.xxx.74.57 it’s your WAN gw? Which routing policy? I don’t see it in your configuration.
Do you have access to internet via this gw without LAN ?

This policy is not working , it is inactived. after follow your suggestion. it is actived. but vyos has a highest priority policy for xxx.xxxx.74.56/29 routing to wan interface with C flag . So we will never make the manually routing policy works.

        route xxx.xxx.74.56/29 {
            next-hop xxx.xxx.74.57 {
            }

You don’t need this route as static, because it directly connected route to eth0.
You need some route via WAN, correct?
Which route should be routed through the WAN interface?
And provide routing information
show ip route

Please check my topology on the first post. I need manually setup wan address and gateway to make it can connect ISP A network. but i switch the default gateway to lan xxx.xxx.0.252 that make WAN disconnected since the wan network can not find the next-hop. At the same time vyos just make the interface as the default routing for wan network.

Hello @echowings, I reproduced this schema in our laboratory, and I think I have workaround.
06
On GW2 needs to add static route to l2tp client

set protocols static route 192.168.255.0/24 next-hop 10.0.0.2

And in VyOS-l2tp node add ip rule (not VyOS CLI command)

sudo ip rule add from 192.168.255.0/24 table 100

#and
set protocols static table 100 route 0.0.0.0/0 next-hop 10.0.0.1

ps:// Thanks @Viacheslav for idea

1 Like