How to prevent automatic routing between interfaces?

I have a route table that has connected interfaces, and also static routes.
The interfaces are 10.0.10.0/24 and 10.0.20.0/24 and the routes are a next hop for both.
Traceroute shows that the next-hop is not being used; the interfaces are routing directly between each other. How can I turn off this default forwarding?

Hi @gmaples , you can use VRF or just create Zone-Firewall rules for each Zone Firewall — VyOS 1.3.x (equuleus) documentation


I’m new to this, can you expand a little?

While using zone based Firewall, you define zones and attach interfaces to each zone.
Finally, you design your firewall rules to allow/deny traffic from one zone to another.
Please, refer to the link provided by @Dmitry.
Also, here is an example config in our docs

If you want a better route than a connected route, split it into 2 halves
so the connected route for 10.0.10.0/24 can be overruled by 2 routes, for 10.0.10.0/25 and 10.0.10.128/25.
I still don’t understand why you need it.

I am building a lab proxy environment. The router has four networks hanging off of it, .10. 20. 30. and 40.
Hanging off of 30.1 and 40.1 is a MITM proxy at 30.105 and 40.105. I need a way to ‘transparently’ force the traffic from 10 to 20 and from 20 to 10 through 30 and 40 respectively. I need to be able to traceroute the path.

In that case, sounds like you need policy based routing (PBR).

A simple example of your request, that you may use as a guide: Transparent proxy using PBR.

@Dmitry’s answer worked well for me to get a VRF working for eth1 to eth3 and eth2 to eth4.
Now I need to get an additional routing zone added in and I can’t seem to figure out the right syntax/approach.

What’s working is routing between eastside and westside by forcing it through a proxy box. What I’d like to add for both zones (eastside, westside) is a default route to go to ‘outside’ for both.

Here’s my running config (this is all completely virtualized):

set interfaces ethernet eth0 address '172.16.27.106/24'
set interfaces ethernet eth0 vrf 'outside'
set interfaces ethernet eth1 address '10.0.10.1/24'
set interfaces ethernet eth1 vrf 'eastside'
set interfaces ethernet eth2 address '10.0.20.1/24'
set interfaces ethernet eth2 vrf 'westside'
set interfaces ethernet eth3 address '10.0.30.1/24'
set interfaces ethernet eth3 vrf 'eastside'
set interfaces ethernet eth4 address '10.0.40.1/24'
set interfaces ethernet eth4 vrf 'westside'
set interfaces loopback lo
set protocols static route 0.0.0.0/0 next-hop 172.16.27.1 interface 'eth0'
set service ssh disable-host-validation
set vrf bind-to-all
set vrf name eastside protocols static route 0.0.0.0/0 next-hop 172.16.27.1 interface 'eth0'
set vrf name eastside protocols static route 10.0.20.0/24 next-hop 10.0.30.105 interface 'eth3'
set vrf name eastside table '1000'
set vrf name outside protocols static route 0.0.0.0/0 next-hop 172.16.27.1 interface 'eth0'
set vrf name outside protocols static route 10.0.10.0/24 next-hop 10.0.40.105 interface 'eth4'
set vrf name outside protocols static route 10.0.20.0/24 next-hop 10.0.30.105 interface 'eth3'
set vrf name outside table '3000'
set vrf name westside protocols static route 0.0.0.0/0 next-hop 172.16.27.1 interface 'eth0'
set vrf name westside protocols static route 10.0.10.0/24 next-hop 10.0.40.105 interface 'eth4'
set vrf name westside table '2000'

What might I be missing?

For “outside” routing, you need to leak routes through vrfs in both ways.
For example, for eastside:

set vrf name eastside protocols static route 0.0.0.0/0 next-hop 172.16.27.1 vrf 'outside'
set vrf name outside protocols static route 10.0.10.0/24 interface eth1 vrf 'eastside'

VRF info:
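As an added illustration (not code from the thread or from VyOS), the following Python model of the forwarding lookup shows why the two answers work: a static /24 can never displace the connected /24 in the same table (longest prefix first, then lowest administrative distance), two /25 statics do displace it, and a VRF only reaches ‘outside’ once a default route is leaked into it. The class and function names, and the use of distance 0 for connected and 1 for static, are assumptions made for the model.

```python
import ipaddress

# Added model, not VyOS code: longest prefix wins first; for equal prefixes
# the lower administrative distance wins (connected 0 beats static 1).
CONNECTED, STATIC = 0, 1

class Vrf:
    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, distance, next_hop, vrf the route leaks into)

    def add(self, prefix, distance, next_hop=None, leak_to=None):
        self.routes.append((ipaddress.ip_network(prefix), distance, next_hop, leak_to))

    def lookup(self, dst):
        """Return (next_hop, vrf) for dst, or None when this table has no route."""
        dst = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if dst in r[0]]
        if not hits:
            return None
        _net, _dist, nh, leak_to = min(hits, key=lambda r: (-r[0].prefixlen, r[1]))
        return nh, leak_to or self.name  # next_hop None means "deliver directly"

def single_table():
    """The original question: one table, connected /24s plus a static /24 to the proxy."""
    t = Vrf("default")
    t.add("10.0.10.0/24", CONNECTED)
    t.add("10.0.20.0/24", CONNECTED)
    t.add("10.0.20.0/24", STATIC, "10.0.30.105")  # same prefix: loses to connected
    return t

def split_halves(t):
    """The /25 trick: two more-specific static routes outrank the connected /24."""
    t.add("10.0.20.0/25", STATIC, "10.0.30.105")
    t.add("10.0.20.128/25", STATIC, "10.0.30.105")
    return t

def eastside_vrf(leak=True):
    """The eastside VRF from the posted config, with or without the leaked default."""
    v = Vrf("eastside")
    v.add("10.0.10.0/24", CONNECTED)
    v.add("10.0.30.0/24", CONNECTED)
    v.add("10.0.20.0/24", STATIC, "10.0.30.105")
    if leak:  # 'set vrf name eastside protocols static route 0.0.0.0/0 ... vrf outside'
        v.add("0.0.0.0/0", STATIC, "172.16.27.1", leak_to="outside")
    return v
```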