Masquerading outbound traffic that has passed twice over Vyos policy based router



I would like to be able to use VyOS in a lab to help simulate a special network flow.

VyOS has been installed with 4 NICs: 1. Client network, 2. Pre-processing network, 3. Post-processing network, 4. External network.
There are a few policy routes defined: if arriving on the Client network, all packets should be redirected to the processing node via the Pre-processing network. The packet will be processed and then, using the same src IP and port, be sent back to VyOS via the Post-processing network.
Then VyOS should route the packet to the External network and NAT the src to its own external IP (masquerade).

The problem I have is that the masquerade on these specific packets fails and they leave VyOS with their original src IP (which is unroutable).

NAT works for all subnets (including the client) if I only hit VyOS once, e.g. if I change the client policy to route directly to External, the NAT works.

Is there something I'm missing? Is there a possible kernel param that needs to be changed? I thought maybe rp_filter, as the client subnet is not routable via Post-processing, but it's disabled in VyOS (and that makes sense, as it should be dropped otherwise…).
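One way to confirm, flow by flow, whether the masquerade was actually recorded for a connection is to read the router's conntrack table: each `conntrack -L` entry lists the original tuple followed by the reply tuple, and when source NAT has been applied the reply tuple's destination is the router's external address rather than the client's original source. The script below is an added example, not part of the original post or of VyOS itself; it parses constructed sample lines in `conntrack -L` format and flags flows from an assumed client subnet (10.10.1.0/24) whose reply destination still equals the original source, i.e. flows for which no SNAT mapping exists. The addresses and the sample entries are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample of `conntrack -L` output (assumed, not captured from the lab above).
# Assumed layout: 10.10.1.0/24 is the client network, 203.0.113.2 is the router's
# external address. Entry 2 is a flow that left without source NAT being recorded.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.10.1.5 dst=198.51.100.10 sport=40000 dport=443 src=198.51.100.10 dst=203.0.113.2 sport=443 dport=40000 [ASSURED] mark=0 use=1
tcp      6 119 SYN_SENT src=10.10.1.6 dst=198.51.100.20 sport=40001 dport=80 [UNREPLIED] src=198.51.100.20 dst=10.10.1.6 sport=80 dport=40001 mark=0 use=1
udp      17 29 src=10.10.1.7 dst=198.51.100.30 sport=5000 dport=53 src=198.51.100.30 dst=203.0.113.2 sport=53 dport=5000 mark=0 use=1
"""

# Matches one (src, dst, sport, dport) tuple; a conntrack line carries two of them.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack_line(line):
    """Return (proto, original_tuple, reply_tuple) or None if the line is not a flow entry."""
    fields = line.split()
    if not fields:
        return None
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    original, reply = tuples
    return fields[0], original, reply


def find_unnatted_flows(conntrack_text, internal_net):
    """Return flows originating in internal_net whose reply tuple still targets the
    original internal source, meaning no source NAT mapping was recorded for them."""
    net = ipaddress.ip_network(internal_net)
    flagged = []
    for line in conntrack_text.splitlines():
        parsed = parse_conntrack_line(line)
        if parsed is None:
            continue
        proto, original, reply = parsed
        orig_src, orig_dst, orig_sport, orig_dport = original
        if ipaddress.ip_address(orig_src) not in net:
            continue
        # With masquerade applied, reply dst is the router's external address;
        # if reply dst equals the original src, the packet left with its internal address.
        if reply[1] == orig_src:
            flagged.append((proto, orig_src, orig_dst, int(orig_sport), int(orig_dport)))
    return flagged


if __name__ == "__main__":
    for flow in find_unnatted_flows(SAMPLE_CONNTRACK, "10.10.1.0/24"):
        print("no SNAT recorded for flow:", flow)
```

On a live router, feed it the real table with `conntrack -L` (from the conntrack-tools package) piped into the function; the client subnet argument must match the lab's actual addressing.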