Litlle PBR question

Hello mates, in my precedent topic: Routing all traffic eth1 through wireguard interface wg0 - V1.3

@Viacheslav help me to configure my VPN with wireguard interface (with PBR rules), now vpn works good but i have another problem. wireguard

I can’t access to my IPS router or another device(like my ESX) on the lan “192.168.1.0/24”.

my conf:

set interfaces ethernet eth0 address '192.168.1.254/24'
set interfaces ethernet eth1 address '192.168.3.254/24'
set interfaces ethernet eth1 policy route 'PBR'
set interfaces wireguard wg0 address '10.205.212.10/32'
set interfaces wireguard wg0 description 'VPN-to-wg-PEER01-172.105.244.6'
set interfaces wireguard wg0 peer PEER01 address '172.105.244.6'
set interfaces wireguard wg0 peer PEER01 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer PEER01 port '12345'
set interfaces wireguard wg0 peer PEER01 pubkey 'key='
set interfaces wireguard wg0 port '12345'
set nat source rule 900 outbound-interface 'wg0'
set nat source rule 900 source address '192.168.3.0/24'
set nat source rule 900 translation address 'masquerade'
set nat source rule 999 outbound-interface 'eth0'
set nat source rule 999 translation address 'masquerade'
set policy route PBR rule 10 set table '100'
set policy route PBR rule 10 source address '192.168.3.0/24'
set protocols static interface-route 10.205.212.0/24 next-hop-interface wg0
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set protocols static table 100 route 0.0.0.0/0 next-hop 10.205.212.1 next-hop-interface 'wg0'
set service dhcp-server shared-network-name LAN_192 authoritative
set service dhcp-server shared-network-name LAN_192 subnet 192.168.3.0/24 default-router '192.168.3.254'
set service dhcp-server shared-network-name LAN_192 subnet 192.168.3.0/24 range RANG01 start '192.168.3.100'
set service dhcp-server shared-network-name LAN_192 subnet 192.168.3.0/24 range RANG01 stop '192.168.3.200'
set system host-name 'r2-dhcp-s'

Thanks for your help :slight_smile:

You need to have a policy rule for that subnet and set it to use the main table instead of the wg one. So make another rule (let’s say 5) in your PBR policy, with a destination 192.168.1.0/24 and set table main.

thank you for your answer but it doesn’t work, I added this :

set policy route PBR rule 5 destination address '192.168.3.0/24'
set policy route PBR rule 5 destination address '192.168.1.0/24'
set policy route PBR rule 5 set table 'main'

I can ping 192.168.1.254 from my client (its working with or without the rule “table main” ), but for example I can’t go out of the 192.168.1.254 to the 192.168.1.1

Example : if from my client i ping the 192.168.1.40 as you can see the packet don’t follow the main rule, he use wg0 instead eth1 to use eth0:

tcpdump -nvv host 192.168.1.40 -i wg0

15:56:13.945634 IP (tos 0x0, ttl 63, id 9747, offset 0, flags [DF], proto ICMP (1), length 84)
    10.205.212.10 > 192.168.1.40: ICMP echo request, id 21181, seq 1, length 64
15:56:14.953498 IP (tos 0x0, ttl 63, id 9762, offset 0, flags [DF], proto ICMP (1), length 84)
    10.205.212.10 > 192.168.1.40: ICMP echo request, id 21181, seq 2, length 64

(sorry i my english was not perfect, thanks from France)

Try to check dump on 192.168.1.40

Nothing, and its logic because ICPM go out from WG0 instead eth0 interface.

192.168.1.40 (ESX)

tcpdump-uw: listening on vmk0, link-type EN10MB (Ethernet), capture size 262144 bytes

0 packets captured
0 packets received by filter
0 packets dropped by kernel

If I undestand correct, you need to exclude source 192.168.3.0/24 to destination 192.168.1.0/24 from nat rules.

set nat source rule 850 outbound-interface 'wg0'
set nat source rule 850 source address '192.168.3.0/24'
set nat source rule 850 destination address '192.168.1.0/24'
set nat source rule 850 exclude

Hello @Viacheslav thanks for you help, yes I want exclude 192.168.1.0 to go in the wg0 trough the PBR, I have try your command, but still don’t work, i continue to see the packets to go out by wg0, the good interface was eth0.

Results with your command, (tcpdump from VyOS with a ping from my client R1 on diagram)

vyos@vyos# tcpdump -nvv -i wg0
tcpdump: listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
07:57:50.054782 IP (tos 0x0, ttl 63, id 65091, offset 0, flags [DF], proto ICMP (1), length 84)
    10.205.212.10 > 192.168.1.1: ICMP echo request, id 12506, seq 36980, length 64
07:57:50.630832 IP (tos 0x0, ttl 63, id 65211, offset 0, flags [DF], proto ICMP (1), length 84)
    10.205.212.10 > 192.168.1.1: ICMP echo request, id 13459, seq 77, length 64

I have try some modification like this:

conf
set nat source rule 850 outbound-interface 'wg0'
set nat source rule 850 protocol icmp
set nat source rule 850 exclude
commit

but exactly the same result.

Lets try to modify these rule

set policy route PBR rule 10 set table '100'
set policy route PBR rule 10 source address '192.168.3.0/24'
set policy route PBR rule 10 destination address !192.168.1.0/24
1 Like

Ok now the packets don’t go to wg0 but they are stuck in the eth1 and don’t go to eth0, I think I need to add a little rule and we are good !

EDIT: ok i have add new PRB for this address and now its works! thanks again @Viacheslav !
Send me your address I send you a good wine from france :stuck_out_tongue:

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.