Can you please confirm which IP you have taken as the public IP and which IP you have taken as the private IP, because as I checked I found 3 IP series in your whole configuration, that is:
2001:1111:1111:1111::20 - Public IPv6 address;
fd00:1111:1111:1111::/64 - don’t pay attention to the address, I tested the exclude in rule 1000 nat 66;
fd00:2222:2222:2222::/64 - Private IPv6 address.
fd00:2222:2222:2222:70b0:1ba6:152f:2a16 - Test computer to which I connect via RDP (3389)
Today I tried to install the latest nightly build 202211120317 version of VyOS, and I found I am not able to verify the ARP table for IPv6, and the below two commands are also not working, whereas in the earlier version they were working.
#set interfaces ethernet eth1 firewall in ipv6-name 'FIREWALL_IN_IPV6'
#set interfaces ethernet eth2 firewall out ipv6-name 'FIREWALL_OUT_IPV6'
Please help me to resolve this issue, and let us know whether it is possible to configure NAT64 in this version of VyOS.
The firewall was rewritten, and now attaching rulesets to interfaces is done under the firewall section, not under the interface section. The doc was already updated: Firewall — VyOS 1.4.x (sagitta) documentation
In your config:
set firewall interface eth1 in ipv6-name FIREWALL_IN_IPV6
set firewall interface eth2 out ipv6-name FIREWALL_OUT_IPV6
Please let us know how to configure port forwarding in IPv6, because I configured the below commands but it's not working. Are there any other commands which I missed? Or please share the exact working configuration.
Public IPv6 address = 2307:e4c0:3::85
Private IPv6 address = fdeb:b39a:29f8:bfd5::41
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 action 'accept'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 description 'wsrv150'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination address 'fdeb:b39a:29f8:bfd5::41'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination port '3389'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 log 'disable'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 protocol 'tcp'
set nat66 destination rule 30 description 'DNAT for wsrv150-ind - One To One'
set nat66 destination rule 30 destination address '2307:e4c0:3::85'
set nat66 destination rule 30 destination port 9296
set nat66 destination rule 30 inbound-interface 'any'
set nat66 destination rule 30 protocol tcp
set nat66 destination rule 30 translation address 'fdeb:b39a:29f8:bfd5::41'
set nat66 destination rule 30 translation port 3389
set nat66 source rule 30 description 'SNAT wsrv150'
set nat66 source rule 30 outbound-interface eth1
set nat66 source rule 30 protocol all
set nat66 source rule 30 source prefix fdeb:b39a:29f8:bfd5::41/128
set nat66 source rule 30 translation address 2307:e4c0:3::85
Actually Mr. Volodya on trail chat gave me the configuration for port forwarding, but that configuration was also not working, and I also shared my configuration with him. Please check once on trail chat.
So how long until we can expect that port forwarding, port translation and NAT64 will come in the newly created version of VyOS?
We have changed the same, but nothing happens. Please help us by providing the working port forwarding configuration for IPv6.
Below is my current configuration.
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 action 'accept'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 description 'wsrv150'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination address 'fdeb:b39a:29f8:bfd5:0:0:0:41'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination port '3389'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 log 'disable'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 protocol 'tcp'
set nat66 destination rule 30 description 'DNAT for wsrv150-ind - One To One'
set nat66 destination rule 30 destination address '2307:e4c0:3::85'
set nat66 destination rule 30 destination port 9296
set nat66 destination rule 30 inbound-interface 'any'
set nat66 destination rule 30 protocol tcp
set nat66 destination rule 30 translation address 'fdeb:b39a:29f8:bfd5:0:0:0:41'
set nat66 destination rule 30 translation port 3389
set nat66 source rule 30 description 'SNAT wsrv150'
set nat66 source rule 30 outbound-interface eth1
set nat66 source rule 30 protocol all
set nat66 source rule 30 source prefix fdeb:b39a:29f8:bfd5::41/128
set nat66 source rule 30 translation address 2307:e4c0:3::85
But I need one more thing in VyOS: can we configure HA?
Actually I configured VRRP on 2 firewalls, one is master and the other is backup.
When one is down the other will take over, but only the interface IPs are synced, not the whole configuration like port forwarding rules, any policy rules or IPsec configuration, etc.
I want the overall configuration to be synced to the secondary firewall when the first firewall goes down.
Do you have the configuration for the same? Please share it with us.
Regarding the NAT issue, in the latest build it should be fixed, and now you should be able to use :: in IPv6 addresses.
Regarding HA: migration of configuration is not supported. For advanced setups, you'll need to work on custom scripts executed during state transitions: High availability — VyOS 1.4.x (sagitta) documentation
set high-availability vrrp group Green_interface interface 'eth2'
set high-availability vrrp group Green_interface priority '100'
set high-availability vrrp group Green_interface rfc3768-compatibility
set high-availability vrrp group Green_interface virtual-address '10.10.0.1/16'
set high-availability vrrp group Green_interface vrid '10'
set high-availability vrrp group Red_interface interface 'eth1'
set high-availability vrrp group Red_interface priority '100'
set high-availability vrrp group Red_interface rfc3768-compatibility
set high-availability vrrp group Red_interface virtual-address '103.110.88.238/24'
set high-availability vrrp group Red_interface vrid '10'
My concern is that if one of my interfaces goes down, then only that interface becomes master on my backup firewall, like below:
vyos@i2k2-nod-az1-fw1-v39:~$ sh vrrp
Name Interface VRID State Last Transition
Now because of this my Red interface, which is the source of internet for the server, is master on the secondary firewall, and my Green interface, which is the gateway address for the server, is master on the primary firewall.
Now due to this I am not able to run internet on my server. Is there any solution for this?
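As an added example (not from the thread and not VyOS's own code), here is a small Python checker over VyOS "set" lines that covers both problems raised above: it compares the firewall rule's destination with the NAT66 translation target as IPv6 objects, so the "fdeb:b39a:29f8:bfd5:0:0:0:41" and "::41" spellings of the same host compare equal rather than differing as strings, and it flags VRRP groups that are not members of a VyOS vrrp sync-group, the feature (assumed here; the thread does not mention it) that makes the Red and Green groups fail over together instead of independently. The sample config is constructed from the values posted in the thread.

```python
import ipaddress

# Constructed sample modelled on the thread's config: one NAT66 port forward,
# its firewall accept rule, and the two VRRP groups (no sync-group yet).
SAMPLE = """
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination address 'fdeb:b39a:29f8:bfd5:0:0:0:41'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination port '3389'
set nat66 destination rule 30 translation address 'fdeb:b39a:29f8:bfd5::41'
set nat66 destination rule 30 translation port 3389
set high-availability vrrp group Green_interface interface 'eth2'
set high-availability vrrp group Red_interface interface 'eth1'
"""

def parse(text):
    """Turn VyOS 'set ...' lines into tuples of tokens, quotes stripped."""
    return [tuple(t.strip("'\"") for t in ln.split()[1:])
            for ln in text.strip().splitlines() if ln.startswith("set ")]

def values(rules, *path):
    """Tokens that follow an exact path prefix inside each matching rule."""
    n = len(path)
    return [r[n:] for r in rules if r[:n] == path]

def check_port_forward(rules, fw_name, fw_rule, nat_rule):
    """The firewall accept rule must match the post-DNAT address and port.
    Addresses are compared as ipaddress objects, so '::' and '0:0:0'
    spellings of the same host are treated as equal."""
    fw = ("firewall", "ipv6-name", fw_name, "rule", fw_rule, "destination")
    nat = ("nat66", "destination", "rule", nat_rule, "translation")
    fw_addr = ipaddress.ip_address(values(rules, *fw, "address")[0][0])
    nat_addr = ipaddress.ip_address(values(rules, *nat, "address")[0][0])
    fw_port = values(rules, *fw, "port")[0][0]
    nat_port = values(rules, *nat, "port")[0][0]
    problems = []
    if fw_addr != nat_addr:
        problems.append(f"address mismatch: {fw_addr} vs {nat_addr}")
    if fw_port != nat_port:
        problems.append(f"port mismatch: {fw_port} vs {nat_port}")
    return problems

def unsynced_vrrp_groups(rules):
    """VRRP groups that are not in any sync-group fail over independently,
    which is the split master/backup state described in the thread."""
    groups = {v[0] for v in values(rules, "high-availability", "vrrp", "group")}
    synced = {v[2] for v in values(rules, "high-availability", "vrrp", "sync-group")
              if len(v) > 2 and v[1] == "member"}
    return sorted(groups - synced)

if __name__ == "__main__":
    r = parse(SAMPLE)
    print(check_port_forward(r, "FIREWALL_IN_IPV6", "30", "30"))  # []
    print(unsynced_vrrp_groups(r))  # ['Green_interface', 'Red_interface']
```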