Incomming Traffic from Firewall over Vyos to the Client Network


#1

Hi Gents,

my vyos config confuse me

ive set the following on the vyos:


br0 10.0.0.254/22 u/u
172.16.0.100/24
eth0 192.168.0.101/24 u/u MNGT-LINK (Management NIC)
eth1 - u/u TEST-OUTBOUND-INT (Interface to Gateway)

eth2 - u/D SPN-UPLNK (not used at the moment)

eth3 - u/u SPN-BRIDGE
eth4 - u/u SPN-BRIDGE
eth5 - u/u SPN-BRIDGE

eth6 - u/u DMZ-BRIDGE
eth7 - u/u DMZ-BRIDGE
eth8 - u/u DMZ-BRIDGE

eth9 - u/D DMZ-UPLNK (not used at the moment)


the “SPN-BRIDGE” Ports represent the local internal Network where the Clients with IPs 10.0.0.x are connected.

the “DMZ-BRIDGE” Ports represent the local DMZ Network where an Authentication Gateway is present with IP Address 172.16.0.XXX for User Authentication from the Internet over HTTPS.

Booth Networks are bridged in BR0 with the IP Addresses 10.0.0.254/22 and 172.16.0.100/24

The outbound Interface is eth2 at the moment.

NAT is set to:

nat {
source {
rule 110 {
destination {
}
outbound-interface eth1
source {
address 10.0.0.0/22
}
translation {
address masquerade
}

DNS is set to:

service {
dns {
forwarding {
cache-size 0
listen-on br0
name-server 8.8.8.8
name-server 8.8.4.4
system
}
}

and the Gateway Adress is:

gateway-address 172.16.0.254

which is the Firewall connected to the Internet.


Traffic which is comming from outside to inside is working fine.

The Problem is that the Clients with IP 10.0.0.X cannot connect (surf) to the internet, also its not possible to ping the Firewall / Gateway on IP 172.16.0.254

a Ping on Vyos to Client IP Addresses an to the Authentication Server in the DMZ is possible.

does anybody know where the issue can be?

thanks in advice!


#2

Gateway has to be in the same subnet. Your clients gateway would be 10.0.0.254. Nexthop would be your default route IP, then your ISP …


#3

the Windows Clients in the 10.0.0.x Network have the 10.0.0.254/22 Gateway IP Address from the Vyos NIC. The Vyos have the default Gateway Address from the Firewall 172.16.0.254/16

The Firewall is in the same subnet like the Authentication Server in the DMZ, but another subnet as the clients.

its not clear how should i configure what exactly in this config…

iam also open for another / better config in that scenario

thanks for your help!!!


#4

Sorry i can’t really follow.
For my understanding you have clients in 10.0.0.0/22, 10.0.0.254 is supposed to be their gateway.
So far so good. What interface has network 172.16.00/24?
Next is you would need also an interface which point to the internet and your ISP’s default gateway will take care of all packages with are not RFC1918 addresses. Also you should set blackholes for RFC1918 addresses, otherwise you send it to your ISP and he has to blackhole it for you.
If you can please share your config (sh conf comm).


#5

Hi Hagbard,

the Interface br0 has the IP Address 172.16.0.100…


but here is the config for better understanding:

interfaces {
bridge br0 {
address 10.0.0.254/22
address 172.16.0.100/24
aging 300
hello-time 2
max-age 20
priority 0
stp false
}
bridge br1 {
aging 300
hello-time 2
max-age 20
priority 0
stp false
}
ethernet eth0 {
address 192.168.0.101/24
description MNGT-LINK
duplex auto
hw-id 00:25:90:a2:f5:af
smp_affinity auto
speed auto
}
ethernet eth1 {
bridge-group {
bridge br0
}
description TEST-OUTBOUND-INT
duplex auto
hw-id 00:25:90:a2:f5:ae
smp_affinity auto
speed auto
}
ethernet eth2 {
bridge-group {
bridge br0
}
description SPN-UPLNK
duplex auto
hw-id 00:1c:c4:47:77:e1
smp_affinity auto
speed auto
}
ethernet eth3 {
bridge-group {
bridge br0
}
description SPN-BRIDGE
duplex auto
hw-id 00:1c:c4:47:77:e0
smp_affinity auto
speed auto
}
ethernet eth4 {
bridge-group {
bridge br0
:
interfaces {
bridge br0 {
address 10.0.0.254/22
address 172.16.0.100/24
aging 300
hello-time 2
max-age 20
priority 0
stp false
}
bridge br1 {
aging 300
hello-time 2
max-age 20
priority 0
stp false
}
ethernet eth0 {
address 192.168.0.101/24
description MNGT-LINK
duplex auto
hw-id 00:25:90:a2:f5:af
smp_affinity auto
speed auto
}
ethernet eth1 {
bridge-group {
bridge br0
}
description TEST-OUTBOUND-INT
duplex auto
hw-id 00:25:90:a2:f5:ae
smp_affinity auto
speed auto
}
ethernet eth2 {
bridge-group {
bridge br0
}
description SPN-UPLNK
duplex auto
hw-id 00:1c:c4:47:77:e1
smp_affinity auto
speed auto
}
ethernet eth3 {
bridge-group {
bridge br0
}
description SPN-BRIDGE
duplex auto
hw-id 00:1c:c4:47:77:e0
smp_affinity auto
speed auto
}
ethernet eth4 {
bridge-group {
bridge br0
}
description SPN-BRIDGE
duplex auto
hw-id 00:1c:c4:47:77:e3
smp_affinity auto
speed auto
}
ethernet eth5 {
bridge-group {
bridge br0
}
description SPN-BRIDGE
duplex auto
hw-id 00:1c:c4:47:77:e2
smp_affinity auto
speed auto
}
ethernet eth6 {
bridge-group {
bridge br0
}
description DMZ-BRIDGE
duplex auto
hw-id ac:16:2d:9d:d6:d4
smp_affinity auto
speed auto
}
ethernet eth7 {
bridge-group {
bridge br0
}
description DMZ-BRIDGE
duplex auto
hw-id ac:16:2d:9d:d6:d5
smp_affinity auto
speed auto
}
ethernet eth8 {
bridge-group {
bridge br0
}
description DMZ-BRIDGE
duplex auto
hw-id ac:16:2d:9d:d6:d6
smp_affinity auto
speed auto
}
ethernet eth9 {
bridge-group {
bridge br0
}
description DMZ-UPLNK
duplex auto
hw-id ac:16:2d:9d:d6:d7
smp_affinity auto
speed auto
}
loopback lo {
}
}
nat {
source {
rule 110 {
destination {
}
outbound-interface eth1
source {
address 10.0.0.0/22
}
translation {
address masquerade
}
}
}
}
protocols {
static {
}
}
service {
dns {
forwarding {
cache-size 0
listen-on br0
name-server 8.8.8.8
name-server 8.8.4.4
system
}
}
ssh {
listen-address 192.168.0.101
listen-address 10.0.0.254
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
gateway-address 172.16.0.254
host-name TX1
login {
user vyos {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
password ****************
url http://packages.vyos.net/vyos
username “”
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
[edit]


#6

Your router is 172.16.0.100 and 10.0.0.254. Is that supposed to be like that?
Should be 172.16.0.254/16 on the router? Also your networks masks are quite large, is that on purpose? (broadcasts in ipv4 can suck a bit of performance if you have large nets)


#7

You also have no default route set.


#8

the bridge have these booth address. ive gave the bridge these addresses to have the connectivity from the 10.0.0.x clients for the bridged ports to act as a router.

is that wrong?

the Firewall in front of the vyos have the 172.16.0.254 address.


the routes are:

S>* 0.0.0.0/0 [1/0] via 172.16.0.254, br0
C>* 10.0.0.0/22 is directly connected, br0
C>* 127.0.0.0/8 is directly connected, lo
C>* 172.16.0.0/24 is directly connected, br0
C>* 192.168.0.0/24 is directly connected, eth0


#9

Did you change your config?
The one you posted has:
protocols {
static {
}
}


#10

Also your networks masks differ now.


#11

i deleted a static rule because ive two entries like 172.16.0.0/16 and 172.16.0.0/24


#12

I would use a bonding interface for upstream, let’s say eth1,2 if possible LACP on your switch (etherchannel), since this is going to be upstream. That would be then in 172.16.0.0.24. Default gateway would be 172.16.0.254. Your clients than on bond2 (eth3,4) with 10.0.0.254/24. Then do your NAT on your firewall (172.16.0.100), that way you can still handle internal traffic on the firewall.
Does that make sense?


#13

that makes sense, like i remember i used a Bond for that in my old Config and it was working.

but the point is why i also tried to change the config to this one, that the two bonded nics to the outside world (internet) was connected to a single Bridge (another vyos whichs acts like a Bridge) - so a had a single point of failure …


#14

If you run bond in active/active mode you don’t have any spof. As long as you have a t least 2 interfaces connected. Bridged interfaces are being used if you need multiple different networks on the same interface and you don’t run vifs (vlans).


#15

“Bridged interfaces are being used if you need multiple different networks on the same interface and you don’t run vifs (vlans)” -> yes that is the Point on my config


#16

But you only have 2 networks. 172.16.0.0/24 and the 10.0.0.0/22, at least that’s what I see above.


#17

here is a little bit more background config …

ive running three xenserver each with two network cards in active passive bond, one NIC is connected to the first vyos router and the other one to the second vyos router

if one vyos router failes the another one should take the work - for this i need vrrp in the next config step.

you wrote:

But you only have 2 networks. 172.16.0.0/24 and the 10.0.0.0/22, at least that’s what I see above

yes because the 10.0.0.x network with the IP 10.0.0.254 is nessesary for the Windows Clients to have the GW IP 10.0.0.254 - this is the IP on the Vyos. All traffic on that interface should the router forward to the outgoing gateway address 172.16.0.254 which is not work at the moment.

tried to use monitor traffic one eth1 which is the outgoing interface to the firewall but i didnt seen packages that the vyos did forward to the firewall O_o


#18

Ok, that would be the way it would work from what I proposed. You won’t need bridges. If your default gw is set to 172.16.0.254, all your traffic which is not for 10.0.0./22 would pass that unless you filter it out. You don’t need nat on this config, you will have then 10.0.0.0/24 visible on your upstream router and can NAT it there. I personally would NAT on the system which has the feed into the internet.


#19

ok i understood and wil try to handle the NAT on the FW himself.

i will give you tomorrow feedback regarding that!

Thanks for your help and you time!


#20

If you stay for a few minutes, I’m about to make you an example config.