Litlle PBR question

rand0m · October 17, 2020, 12:38pm

Hello mates, in my precedent topic: Routing all traffic eth1 through wireguard interface wg0 - V1.3

@Viacheslav help me to configure my VPN with wireguard interface (with PBR rules), now vpn works good but i have another problem.

I can’t access to my IPS router or another device(like my ESX) on the lan “192.168.1.0/24”.

my conf:

set interfaces ethernet eth0 address '192.168.1.254/24'
set interfaces ethernet eth1 address '192.168.3.254/24'
set interfaces ethernet eth1 policy route 'PBR'
set interfaces wireguard wg0 address '10.205.212.10/32'
set interfaces wireguard wg0 description 'VPN-to-wg-PEER01-172.105.244.6'
set interfaces wireguard wg0 peer PEER01 address '172.105.244.6'
set interfaces wireguard wg0 peer PEER01 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer PEER01 port '12345'
set interfaces wireguard wg0 peer PEER01 pubkey 'key='
set interfaces wireguard wg0 port '12345'
set nat source rule 900 outbound-interface 'wg0'
set nat source rule 900 source address '192.168.3.0/24'
set nat source rule 900 translation address 'masquerade'
set nat source rule 999 outbound-interface 'eth0'
set nat source rule 999 translation address 'masquerade'
set policy route PBR rule 10 set table '100'
set policy route PBR rule 10 source address '192.168.3.0/24'
set protocols static interface-route 10.205.212.0/24 next-hop-interface wg0
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set protocols static table 100 route 0.0.0.0/0 next-hop 10.205.212.1 next-hop-interface 'wg0'
set service dhcp-server shared-network-name LAN_192 authoritative
set service dhcp-server shared-network-name LAN_192 subnet 192.168.3.0/24 default-router '192.168.3.254'
set service dhcp-server shared-network-name LAN_192 subnet 192.168.3.0/24 range RANG01 start '192.168.3.100'
set service dhcp-server shared-network-name LAN_192 subnet 192.168.3.0/24 range RANG01 stop '192.168.3.200'
set system host-name 'r2-dhcp-s'

Thanks for your help

ngoehring · October 17, 2020, 2:55pm

You need to have a policy rule for that subnet and set it to use the main table instead of the wg one. So make another rule (let’s say 5) in your PBR policy, with a destination 192.168.1.0/24 and set table main.

rand0m · October 17, 2020, 4:06pm

thank you for your answer but it doesn’t work, I added this :

set policy route PBR rule 5 destination address '192.168.3.0/24'
set policy route PBR rule 5 destination address '192.168.1.0/24'
set policy route PBR rule 5 set table 'main'

I can ping 192.168.1.254 from my client (its working with or without the rule “table main” ), but for example I can’t go out of the 192.168.1.254 to the 192.168.1.1

Example : if from my client i ping the 192.168.1.40 as you can see the packet don’t follow the main rule, he use wg0 instead eth1 to use eth0:

tcpdump -nvv host 192.168.1.40 -i wg0

15:56:13.945634 IP (tos 0x0, ttl 63, id 9747, offset 0, flags [DF], proto ICMP (1), length 84)
    10.205.212.10 > 192.168.1.40: ICMP echo request, id 21181, seq 1, length 64
15:56:14.953498 IP (tos 0x0, ttl 63, id 9762, offset 0, flags [DF], proto ICMP (1), length 84)
    10.205.212.10 > 192.168.1.40: ICMP echo request, id 21181, seq 2, length 64

(sorry i my english was not perfect, thanks from France)

Viacheslav · October 17, 2020, 4:57pm

Try to check dump on 192.168.1.40

rand0m · October 17, 2020, 5:09pm

Nothing, and its logic because ICPM go out from WG0 instead eth0 interface.

192.168.1.40 (ESX)

tcpdump-uw: listening on vmk0, link-type EN10MB (Ethernet), capture size 262144 bytes

0 packets captured
0 packets received by filter
0 packets dropped by kernel

Viacheslav · October 19, 2020, 7:09am

If I undestand correct, you need to exclude source 192.168.3.0/24 to destination 192.168.1.0/24 from nat rules.

set nat source rule 850 outbound-interface 'wg0'
set nat source rule 850 source address '192.168.3.0/24'
set nat source rule 850 destination address '192.168.1.0/24'
set nat source rule 850 exclude

rand0m · October 19, 2020, 8:07am

Hello @Viacheslav thanks for you help, yes I want exclude 192.168.1.0 to go in the wg0 trough the PBR, I have try your command, but still don’t work, i continue to see the packets to go out by wg0, the good interface was eth0.

Results with your command, (tcpdump from VyOS with a ping from my client R1 on diagram)

vyos@vyos# tcpdump -nvv -i wg0
tcpdump: listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
07:57:50.054782 IP (tos 0x0, ttl 63, id 65091, offset 0, flags [DF], proto ICMP (1), length 84)
    10.205.212.10 > 192.168.1.1: ICMP echo request, id 12506, seq 36980, length 64
07:57:50.630832 IP (tos 0x0, ttl 63, id 65211, offset 0, flags [DF], proto ICMP (1), length 84)
    10.205.212.10 > 192.168.1.1: ICMP echo request, id 13459, seq 77, length 64

I have try some modification like this:

conf
set nat source rule 850 outbound-interface 'wg0'
set nat source rule 850 protocol icmp
set nat source rule 850 exclude
commit

but exactly the same result.

Viacheslav · October 19, 2020, 8:24am

Lets try to modify these rule

set policy route PBR rule 10 set table '100'
set policy route PBR rule 10 source address '192.168.3.0/24'
set policy route PBR rule 10 destination address !192.168.1.0/24

rand0m · October 19, 2020, 8:35am

Ok now the packets don’t go to wg0 but they are stuck in the eth1 and don’t go to eth0, I think I need to add a little rule and we are good !

EDIT: ok i have add new PRB for this address and now its works! thanks again @Viacheslav !
Send me your address I send you a good wine from france

system · October 21, 2020, 8:36am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.