Internet bound traffic gets natted pre-routing or post-routing?

Hi Folks,

I have the scenario below, where I am setting up VyOS in front of my firewall. VyOS will have 2 ISP links:
100.1.1.30
200.1.1.30

Plus I have a VPN tunnel between VyOS and R1, which is a dynamic VTI tunnel with R1. Now traffic destined to the Internet from 192.168.40.x and 192.168.47.x will not be NATed on the firewall but will be load balanced by VyOS.

However, I may need to exclude traffic from source 192.168.47.x and 192.168.4.x to 10.10.11.x since it's tunnel traffic.

Am I doing anything wrong here? Will my scenario work in this case?
How do I exclude such traffic then?
I believe I don't need to exclude the LAN traffic since it will be routed by the firewall, and I am not NATing it on the firewall since it's a plain forward.
And last but most important: traffic leaving from v1 or v3, going out from v2 and part of WAN load balancing, gets NATed/masqueraded on v2, v5 or v8?

Please advise

In this case, how do I exclude traffic from 192.168.40.x to 10.10.11.x? Since I have a tunnel between VyOS and R1 and traffic is load balanced for 192.168.47.x, even my traffic from 192.168.40.x is getting load balanced as well.

Shall I add rule 2 to exclude 192.168.40.x and rule 5 for the other load balancing, so that 2 will be checked first?

Hello @blason

Please send a sample configuration of your scenario.

Sending it to you in 10 mins. I am really facing this weird issue and not sure how to exclude this traffic for certain networks.

Ahh, I was doing a lot of R&D, hence changed the entire config. Let me create the scenario again and will revert.

@RyVolodya It was the same issue as in my earlier thread: no default gateway present, and I was using policy-based VPN.

It worked perfectly.
Here is my VyOS config:

set interfaces ethernet eth0 address '10.10.20.14/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:fd:4d:e9'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '100.1.1.30/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:0c:29:fd:4d:f3'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 address '200.1.1.30/24'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id '00:0c:29:fd:4d:fd'
set interfaces ethernet eth2 smp-affinity 'auto'
set interfaces ethernet eth2 speed 'auto'
set interfaces loopback lo
set load-balancing wan interface-health eth1 failure-count '1'
set load-balancing wan interface-health eth1 nexthop '100.1.1.40'
set load-balancing wan interface-health eth1 success-count '1'
set load-balancing wan interface-health eth2 failure-count '1'
set load-balancing wan interface-health eth2 nexthop '200.1.1.40'
set load-balancing wan interface-health eth2 success-count '1'
set load-balancing wan rule 2 destination address '10.10.11.0/24'
set load-balancing wan rule 2 exclude
set load-balancing wan rule 2 inbound-interface 'eth+'
set load-balancing wan rule 2 source address '192.168.40.0/24'
set load-balancing wan rule 10 inbound-interface 'eth0'
set load-balancing wan rule 10 interface eth1 weight '3'
set load-balancing wan rule 10 interface eth2 weight '1'
set load-balancing wan rule 10 protocol 'all'
set protocols static route 0.0.0.0/0 next-hop 100.1.1.40
set protocols static route 192.168.40.0/24 next-hop 10.10.20.12
set protocols static route 192.168.47.0/24 next-hop 10.10.20.12
set vpn ipsec esp-group ESPG compression 'disable'
set vpn ipsec esp-group ESPG lifetime '3600'
set vpn ipsec esp-group ESPG mode 'tunnel'
set vpn ipsec esp-group ESPG pfs 'enable'
set vpn ipsec esp-group ESPG proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPG proposal 1 hash 'sha256'
set vpn ipsec ike-group IKEG close-action 'none'
set vpn ipsec ike-group IKEG ikev2-reauth 'no'
set vpn ipsec ike-group IKEG key-exchange 'ikev1'
set vpn ipsec ike-group IKEG lifetime '28800'
set vpn ipsec ike-group IKEG proposal 1 dh-group '2'
set vpn ipsec ike-group IKEG proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKEG proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 100.1.1.40 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 100.1.1.40 authentication pre-shared-secret 'admin@123'
set vpn ipsec site-to-site peer 100.1.1.40 connection-type 'initiate'
set vpn ipsec site-to-site peer 100.1.1.40 ike-group 'IKEG'
set vpn ipsec site-to-site peer 100.1.1.40 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 100.1.1.40 local-address '100.1.1.30'
set vpn ipsec site-to-site peer 100.1.1.40 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 100.1.1.40 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 100.1.1.40 tunnel 1 esp-group 'ESPG'
set vpn ipsec site-to-site peer 100.1.1.40 tunnel 1 local prefix '192.168.40.0/24'
set vpn ipsec site-to-site peer 100.1.1.40 tunnel 1 remote prefix '10.10.11.0/24'

I am still wondering, what does the regex eth+ do? I understand + means anything after eth, but does that mean it applies to all interfaces, or to whatever the inbound-interface is?
set load-balancing wan rule 2 inbound-interface 'eth+'

Source NAT (masquerade) happens at post-routing.
Destination NAT at pre-routing: we must change the destination address before we take the routing decision, which is based on the destination address.

eth+ means: match on all eth interfaces.
In your LB rule 2, it makes no sense to use eth+. Packets from 192.168.40.0/24 destined to 10.10.11.0/24 always enter on eth0.

To make SNAT not kick in for the VPN destination: start the source-nat ruleset with an exclude rule having destination 10.10.11.0/24.
Alternatively, block the specific destination on the masquerade rule:
set nat source rule 1 destination address !10.10.11.0/24

Note your LB exclude rules only make a packet use the main route table. For policy-based VPN, make sure the main route table has a route for 10.10.11.0/24.
Also it won't hurt to have a route towards the IPsec peer, so the correct WAN is used (in your test setup, the connected route for 100.1.1.40 takes care of this).
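The configuration below is an added example and not something posted in this thread; it puts the advice above into one VyOS 1.2 config in the same `set` syntax as the OP's config. It keeps the LB exclude rule ahead of the balancing rule, narrows its inbound-interface from `eth+` to `eth0`, adds the main-table route for 10.10.11.0/24 via the IPsec peer, and shows how an explicit source-NAT ruleset would exclude the tunnel destination before masquerading. The rule numbers, the choice of 100.1.1.40 as next-hop for the remote prefix, and the op-mode checks at the end are assumptions; the interfaces, prefixes and peer come from the config posted earlier. The explicit `nat source` rules are only needed if someone adds their own SNAT on top of the load balancer's built-in masquerade.

```vyos
# Added example (not from this thread): policy-based VPN to R1 kept out of
# WAN load balancing and out of source NAT. Rule numbers, the 100.1.1.40
# next-hop for the VPN destination and the eth0 inbound interface are
# assumptions based on the config posted above.

configure

# WAN load balancing: exclude rule first (lower number wins), matching the
# real inbound interface instead of 'eth+' (VPN traffic always enters on eth0).
set load-balancing wan rule 2 inbound-interface 'eth0'
set load-balancing wan rule 2 source address '192.168.40.0/24'
set load-balancing wan rule 2 destination address '10.10.11.0/24'
set load-balancing wan rule 2 exclude

# Excluded packets fall back to the main route table, so the main table needs
# a route for the remote prefix that leaves on the same WAN as the IPsec peer.
set protocols static route 10.10.11.0/24 next-hop 100.1.1.40

# Only if explicit source NAT is added: the exclude must sit ahead of the
# masquerade rule, since POSTROUTING evaluates rules in rule-number order.
set nat source rule 5 outbound-interface 'eth1'
set nat source rule 5 destination address '10.10.11.0/24'
set nat source rule 5 exclude
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '192.168.40.0/24'
set nat source rule 10 translation address 'masquerade'

commit
save
exit

# Checks (op mode): the exclude rule should count packets for tunnel traffic,
# the masquerade rule should not, and the SA for 192.168.40.0/24 <-> 10.10.11.0/24
# should be up.
show wan-load-balance
show nat source statistics
show vpn ipsec sa

# Underlying netfilter view: source NAT lives in the nat table's POSTROUTING
# chain, the load balancer's packet marking in mangle PREROUTING.
sudo iptables -t nat -vnL POSTROUTING
sudo iptables -t mangle -vnL PREROUTING
```

The `iptables` listings are the quickest way to confirm the ordering point made above: a masquerade target will only ever appear in POSTROUTING, after the routing decision, while the marks that steer packets into the load balancer's per-WAN route tables are applied in PREROUTING, which is why an exclude is needed there rather than in the NAT rules alone.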

Hi @16again

I have not put in explicit SNAT rules and instead have used the WAN load-balancing option, which by default mangles the packet with the egress interface, and hence wanted to exclude those.

I agree with @16again. This scenario will not do without a route. Load balancing on the VyOS router creates an SNAT and converts the 192.168.40.0/24 network to 100.1.1.30 or 200.1.1.30. Traffic will not pass through the tunnel. Create tun or vti interfaces, give them IP addresses and configure a static route.
Question: two lines are connected from VyOS to R1; can you try connecting via the bonding interface?
Documentation for VyOS v.1.2.x:
https://docs.vyos.io/en/crux/configuration/interfaces/bonding.html?highlight=bonding
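As an added example (not from this thread or from RyVolodya), the VTI variant suggested above in VyOS 1.2 syntax: the policy tunnel on the peer is replaced by a VTI binding, the remote prefix is routed into the VTI from the main table, and the load-balancer exclude is kept because the balancer marks packets in PREROUTING, before the VTI route would be consulted. The vti0 name and its 10.255.0.1/30 address are assumptions (R1 would carry the matching 10.255.0.2/30 and a mirror route for 192.168.40.0/24); the peer, ESP group and prefixes come from the posted config.

```vyos
# Added example (not from this thread): route-based IPsec with a VTI so the
# tunnel is chosen by the routing table rather than by policy selectors.
# vti0 and its address are assumptions; peer, group and prefixes are from
# the config posted earlier in the thread.

configure

# Replace the policy tunnel with a VTI binding on the same peer.
delete vpn ipsec site-to-site peer 100.1.1.40 tunnel 1
set interfaces vti vti0 address '10.255.0.1/30'
set interfaces vti vti0 description 'to R1'
set vpn ipsec site-to-site peer 100.1.1.40 vti bind 'vti0'
set vpn ipsec site-to-site peer 100.1.1.40 vti esp-group 'ESPG'

# Main table sends the remote prefix into the tunnel interface; nothing that
# leaves via vti0 is touched by the load balancer's masquerade on eth1/eth2.
set protocols static interface-route 10.10.11.0/24 next-hop-interface vti0

# The WAN load balancer still marks packets in PREROUTING, before routing, so
# without this exclude the VTI route is never consulted for 10.10.11.0/24.
set load-balancing wan rule 2 inbound-interface 'eth0'
set load-balancing wan rule 2 destination address '10.10.11.0/24'
set load-balancing wan rule 2 exclude

commit
save
exit

# Checks: vti0 up, the remote prefix resolved via vti0, and the SA established.
show interfaces vti
show ip route 10.10.11.0/24
show vpn ipsec sa
```

With the route-based setup, the question in the thread title answers itself for tunnel traffic: the packet is routed into vti0 first, and since the masquerade rules match the physical WAN as outbound interface in POSTROUTING, they never see it.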

