How to make LAN the default gateway and make static routing for WAN work

Hi, all
I met an issue: I need LAN as the gateway, but WAN was not working. Here is my configuration:

vpn# run show configuration | strip-private
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disablessh
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address xxx.xxx.74.61/29
        duplex auto
        smp-affinity auto
        speed auto
    }
    ethernet eth1 {
        address xxx.xxx.0.121/22
        duplex auto
        smp-affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    source {
        rule 120 {
            outbound-interface eth1
            source {
                address xxx.xxx.255.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route xxx.xxx.0.0/0 {
            next-hop xxx.xxx.0.252 {
            }
        }
        route xxx.xxx.74.56/29 {
            next-hop xxx.xxx.74.57 {
            }
        }
    }
}
service {
    ssh {
        port 22
    }
}
system {
    acceleration {
    }
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    domain-name xxxxxx
    host-name xxxxxx
    login {
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ssh-rsa
                }
            }
            level admin
        }
    }
    name-server xxx.xxx.0.8
    ntp {
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }

}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network xxx.xxx.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                mode radius
                radius {
                    server xxxxx.tld {
                        key xxxxxx
                    }
                }
            }
            client-ip-pool {
                start xxx.xxx.255.2
                stop xxx.xxx.255.254
            }
            dns-servers {
                server-1 xxx.xxx.0.8
            }
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret xxxxxx
                }
                ike-lifetime 3600
                lifetime 3600
            }
            outside-address xxx.xxx.74.61
            outside-nexthop xxx.xxx.0.121
        }
    }
}

Hi @echowings.
eth0 - WAN
eth1 - LAN
Is that correct?
If you have a route on the interface (eth0 address xxx.xxx.74.61/29) as connected, then you don’t need to create an additional static route. Directly connected routes are preferred over static or dynamic routes.

route xxx.xxx.74.56/29 {
            next-hop xxx.xxx.74.57

For example, xxx.xxx.74.57 is your default gw for the WAN network.
Without VPN, for example, if you need to connect from PC 5.5.5.5 to host xxx.xxx.74.61, you need to create a route to PC host 5.5.5.5 via the WAN interface.

set protocols static route 5.5.5.5/32 next-hop xxx.xxx.74.57

@viacheslav I tried but failed, since VyOS makes the directly connected route’s metric 0, so this routing policy will never work.


Is xxx.xxx.74.57 your WAN gw? Which routing policy? I don’t see it in your configuration.
Do you have access to the internet via this gw without LAN?

This policy is not working; it is inactive. After following your suggestion it is active, but VyOS has a highest-priority policy for xxx.xxx.74.56/29 routing to the WAN interface with the C flag, so we will never make the manual routing policy work.

        route xxx.xxx.74.56/29 {
            next-hop xxx.xxx.74.57 {
            }

You don’t need this route as static, because it is a directly connected route on eth0.
You need some route via WAN, correct?
Which route should be routed through the WAN interface?
And provide the routing information:
show ip route

Please check my topology in the first post. I need to manually set up the WAN address and gateway so it can connect to the ISP A network, but when I switch the default gateway to LAN xxx.xxx.0.252, the WAN gets disconnected since the WAN network cannot find the next-hop. At the same time VyOS just makes the interface the default route for the WAN network.

Hello @echowings, I reproduced this schema in our laboratory, and I think I have a workaround.
On GW2 you need to add a static route to the l2tp clients:

set protocols static route 192.168.255.0/24 next-hop 10.0.0.2

And on the VyOS-l2tp node add an ip rule (not a VyOS CLI command):

sudo ip rule add from 192.168.255.0/24 table 100

# and
set protocols static table 100 route 0.0.0.0/0 next-hop 10.0.0.1

PS: Thanks @Viacheslav for the idea

It works, thanks a ton!


sudo ip rule add from 172.20.0/24 table 100
# Then add the route table 100
set table 100 route 0.0.0.0/0 next-hop x.x.x.252

# To keep the command working after reboot, we need to add a boot script
vi /config/scripts/vyos-postconfig-bootup.script
# add the command in the script
sudo ip rule add from 172.20.0/24 table 100
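As an added example (not code from the thread or from the VyOS project), here is an idempotent version of the boot script described above. It assumes the /config/scripts/vyos-postconfig-bootup.script path used in the thread and the 172.20.0.0/24 source prefix from the last post (written out in full); the table number 100 is the one from the thread. The reason for the extra check: `ip rule add` does not look for duplicates, so a line that is run once by the boot script and once by hand leaves two identical rules behind, and the same is true if the script is re-run. The helper only acts when it is actually installed at that path, so it can be sourced for testing without touching the routing policy database.

```shell
#!/bin/sh
# Idempotent policy-rule setup for the l2tp-client source prefix.
# Added example; not VyOS project code. Assumed values: the prefix
# 172.20.0.0/24, policy table 100 and the post-config boot script path
# /config/scripts/vyos-postconfig-bootup.script, all taken from the thread.

SRC_PREFIX="${SRC_PREFIX:-172.20.0.0/24}"   # l2tp client pool (assumed)
TABLE_ID="${TABLE_ID:-100}"                 # policy table holding the WAN default route
DRY_RUN="${DRY_RUN:-0}"                     # DRY_RUN=1 prints commands instead of running them

# run_cmd CMD...: execute the command, or echo it prefixed with "+ " when DRY_RUN=1
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# rule_present RULES_TEXT PREFIX TABLE
# Returns 0 if RULES_TEXT (the output of `ip rule show`) already contains a
# "from PREFIX lookup TABLE" entry, 1 otherwise. The trailing "( |$)" keeps
# "lookup 100" from matching "lookup 1000".
rule_present() {
    printf '%s\n' "$1" | grep -Eq "from $2 lookup $3"'( |$)'
}

# count_rules RULES_TEXT PREFIX TABLE: number of matching entries, to spot duplicates
count_rules() {
    printf '%s\n' "$1" | grep -Ec "from $2 lookup $3"'( |$)' || true
}

# ensure_rule PREFIX TABLE: add the source-based rule only if it is not there yet
ensure_rule() {
    current=$(ip rule show 2>/dev/null || true)
    if rule_present "$current" "$1" "$2"; then
        echo "rule 'from $1 lookup $2' already present"
    else
        run_cmd ip rule add from "$1" table "$2"
    fi
}

# Only act when running as the installed boot script; sourcing the file
# (for example to test the helpers) changes nothing.
case "$0" in
    */vyos-postconfig-bootup.script) ensure_rule "$SRC_PREFIX" "$TABLE_ID" ;;
esac
```

After a reboot, `ip rule show` should list the entry exactly once, and `show ip route table 100` on the VyOS CLI should still show the default route that the `set protocols static table 100 ...` command installs; the rule itself is not part of the VyOS configuration, which is why it has to be re-created by the boot script.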



Hi Sir,

I’m a new VyOS user. May I ask if this PBR only works with static routes?
Can the PBR routing table use something other than static routes, such as OSPF?

Looking forward to your advice.

One more thing: can we use a route-map to store the access list just like Cisco PBR?

Hi @zakwan, I think you can. Read first: Policy — VyOS 1.5.x (circinus) documentation

Please explain in detail.

Hi @Dmitry,
Currently I am trying to create an environment with 4 VyOS routers with OSPF routing.
And I am trying to change the routing using PBR, but it’s not working, probably because it’s not feasible with OSPF?

Below (Cisco) is the situation that I want to try on Vyos.

Below is the VyOS design in my GNS3:

Do you need PBR to match a protocol or to match some rules in an ACL? Can you describe step by step what you need?