I have a vyos install on an ESXi 6.7 host. My vyos install has 4 WAN ports, and 1 LAN port on a switch trunk port.
The inside VMs can ping their gateway and ping the outside address, but for some reason traffic only goes out of eth2. If I ping out of specific interfaces, I can only get out, and get a reply from my next hop (the gateway I’ve been assigned), on eth2. The others all time out. Is there some specific config I need to use that will allow me to have multiple WAN interfaces/addresses?
These aren’t for failover, they all just have different services and some duplicate services behind them.
Edit for clarity -
I have 4 vlans inside
all 4 vlans have a snat rule that is telling them to go out eth0, eth1, eth2, eth3 respectively.
Everything seems to be configured correctly, but only eth2 can talk to the outside world (even the gateway)
OK, I’ve assigned all WAN IPs to a single interface, and set the nat source rules to push the traffic out the correct IP for the internal subnet, but now I’m stuck on how to assign a firewall to an IP vs an interface. Is that even possible? If not, how can I have a separate ruleset for each WAN IP?
Edit again for clarity -
I need to have a separate ruleset for each IP because each is providing different services, and some duplicate services.
So, the goal is to have separate firewall and dnat rules for each ip.
A little more reading and it appears that zone-based firewalls are the way to go. If I’m wrong there, and it won’t accomplish what I need, then the question still stands.
Firewall rules are related to an interface or zone, please look here or here.
If I understand your case correctly, you can do the following.
set firewall group address-group WANIPs address <IP-Address 1>
set firewall group address-group WANIPs address <IP-Address 2>
set firewall name INSIDE-OUT default-action drop
set firewall name INSIDE-OUT rule 10 action accept
set firewall name INSIDE-OUT rule 10 destination port 443
set firewall name INSIDE-OUT rule 10 destination address <IP-Address 1>
set firewall name INSIDE-OUT rule 20 action accept
set firewall name INSIDE-OUT rule 20 destination port 8080
set firewall name INSIDE-OUT rule 20 destination address <IP-Address 2>
set firewall name INSIDE-OUT rule 30 action accept
set firewall name INSIDE-OUT rule 30 destination port 25
set firewall name INSIDE-OUT rule 30 destination group address-group WANIPs
Rule 10 only matches on IP 1.
Rule 20 only matches on IP 2.
Rule 30 matches on both.
Thanks so much for your reply -
That’s basically what I’m looking at, but instead of inside > out it’s for managing outside > in, but if the same thing applies and I can do -
set firewall group address-group WANIP1 address
and then attach a firewall to that address group, that would be ideal.
If you can’t tell, I’m still pretty new to this network stuff, so I’m floundering pretty badly trying to get where I want to be, and help is much appreciated.
I looked at zone based firewalls, and that doesn’t seem to do what I need, or maybe it does and it’s going over my head (the latter is more likely).
I’ve looked around for an example of exactly what I want to do, and the example you provided (again, I may just not understand it) seems to be backwards to what I want to do.
Just to make it clear from my side -
I have
2 web servers (same ports)
2 game servers (same ports on both)
The destination wan IP will be different for each server (1 web server and 1 game server on each WAN IP)
So, for example, let’s say WAN IP 1 is 10.10.10.1 and WAN IP 2 is 10.10.10.2.
The internal IP for server 1 is 172.16.1.10 and server 2 is 172.16.2.10.
The internal interface (internal gateway for lan > internet) on the vyos box are assigned to vifs, and are .1 respectively
Both servers need ports 80,443 and 7777,27015 accessible from the outside world, on WAN IP 1 and WAN IP 2. Both WAN IPs are assigned to the same interface (eth0) and the vifs for the internal are assigned to eth1.
Again, maybe you told me exactly how to do it, but I just don’t understand how it functions. The vyos user guide on this seems to be a little vague for this particular type of config.
set nat destination rule 10 description '1-to-1 NAT SRV1'
set nat destination rule 10 destination address '10.10.10.1'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 translation address '172.16.1.10'
set nat destination rule 20 description '1-to-1 NAT SRV2'
set nat destination rule 20 destination address '10.10.10.2'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 translation address '172.16.2.10'
then do the firewall setup.
In the example below you only limit the access from the WAN side; SRV1 and SRV2 have no firewall between them.
# DNAT runs before the forward firewall, so the ruleset on eth0 sees the
# translated (internal) server addresses, not the public WAN IPs
set firewall group address-group SRVIPS address 172.16.1.10
set firewall group address-group SRVIPS address 172.16.2.10
set firewall group port-group MYSRVPORTS port 80
set firewall group port-group MYSRVPORTS port 443
set firewall group port-group MYSRVPORTS port 7777
set firewall group port-group MYSRVPORTS port 27015
set firewall name WAN default-action drop
set firewall name WAN rule 10 action accept
set firewall name WAN rule 10 protocol tcp_udp
set firewall name WAN rule 10 destination group port-group MYSRVPORTS
set firewall name WAN rule 10 destination group address-group SRVIPS
bind the firewall ruleset on your interface:
# 'in' filters forwarded traffic entering eth0; 'local' only covers traffic addressed to the router itself
set interfaces ethernet eth0 firewall in name WAN
80 and 443 are TCP ports, but I don’t know the other services. So you have to check which protocol they use and alter this command to your needs: set firewall name WAN rule 10 protocol tcp_udp
@rob Thanks so much! I was close, but I wasn’t adding the destination IP along with the translation IP. That made it all come together. I appreciate you writing that up.