Multiple WAN interfaces / different subnets

Hello all,

Quick and easy question -
I have 2 /29 subnets and have them on eth0 and eth1
Let’s say subnet 1 is

10.10.10.2/29
and subnet 2 is
100.100.100.2/29

When I have both subnets configured, and 2 static routes set up to 0.0.0.0/0, both with the default distance of 1, traffic breaks. I have translation addresses set up for internal networks, so, for example,

172.16.1.1/24 has a translation address of 10.10.10.3
and
192.168.1.1/24 has a translation address of 10.10.10.4
I don’t have anything behind the second subnet yet. (100.100.100.2/29)

Half the time traffic won’t leave the network.

I figured this was because it was trying to load balance, so I set the distance on the 10.10.10.2/29 default route to 1, and the 100.100.100.2/29 to 10
This fixed the problem of traffic not leaving the 10.10.10.2/29 subnet.

My worry is that once I get something trying to use one of the second subnet's IPs as a translation address, it's going to try to go out the shorter distance. Or, is VyOS smart enough to route over the gateway that's within the /29 subnet?

Can you attach your configuration? Your question is not clear. What exactly doesn't work?
Add descriptions of which interfaces are in the LAN network and which are in the WAN.
Send ping, traceroute, and other additional info.

Traffic from subnet 1 doesn't leave the VyOS box when the default routes for both /29 WAN subnets have a default distance of 1. Well, sometimes it does, sometimes it doesn't. When I changed the distance on WAN subnet 2 to 10, everything was able to leave the VyOS box on WAN subnet 1 without issue.

My basic question is -
Is VyOS smart enough to use the 0.0.0.0/0 gateway that is within the /29 subnet on WAN subnet 2 without trying to use the shorter distance 0.0.0.0/0 gateway with the distance set to 1, even though it's on a different subnet?

I’ll post the requested info shortly.

Thanks!

Here’s a link to the pastebin since it was very ugly posted here –

A quick look over your config looks good. You are on the right track that you need to use different distance metrics on your router to address the connectivity issue. To answer your question about the Source NAT, your NAT rules specify outbound interface, source address, and translation address; so yes, VyOS will know which WAN IP goes to which subnet when you switch between ISPs.

I would suggest configuring WAN Load-Balance to give your system better management options for load balancing (with health tests). Then the static routes will only be used by the local router. I ran into a similar issue when trying to address inbound traffic issues with Load Balanced ISPs. See my thread here for some notes and ideas.

I need to look over your config more, but I would also suggest if you’re going to go to the effort of setting up network and/or port groups, use them in your firewall instead of re-entering the same ports. And this is a personal choice, but if you don’t need to have separate firewalls for specific interfaces, use single firewalls like WAN-LOCAL and WAN-LAN instead of creating the same rules on multiple firewalls because you have more than 1 ISP. Then you can simplify and 1 change will help when the ISPs failover.
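To make the advice in this thread concrete, here is an added VyOS (1.2/1.3-style) configuration that is not from the original poster's pastebin or from anyone in the thread. It reuses the addresses given above (WAN1 10.10.10.2/29 on eth0, WAN2 100.100.100.2/29 on eth1, LANs 172.16.1.0/24 and 192.168.1.0/24, translation address 10.10.10.3) and assumes the rest: the ISP gateways are .1 of each /29, the LANs sit on eth2 and eth3, the WAN2 translation address is 100.100.100.3, and 198.51.100.1 / 203.0.113.0/24 are placeholders for a health-check target and an admin network. Comment lines are ignored when pasted into configure mode.

```vyos
# Added example, not the thread's own config. Assumed values are marked below.

set interfaces ethernet eth0 address 10.10.10.2/29
set interfaces ethernet eth0 description 'WAN1'
set interfaces ethernet eth1 address 100.100.100.2/29
set interfaces ethernet eth1 description 'WAN2'
set interfaces ethernet eth2 address 172.16.1.1/24          # assumed LAN interface
set interfaces ethernet eth2 description 'LAN1'
set interfaces ethernet eth3 address 192.168.1.1/24         # assumed LAN interface
set interfaces ethernet eth3 description 'LAN2'

# Two default routes with different distances. Only the distance-1 route is in
# the forwarding table while its next-hop is usable, so the router's own traffic
# (and, without load-balancing, all LAN traffic) leaves via eth0.
set protocols static route 0.0.0.0/0 next-hop 10.10.10.1 distance 1      # assumed gateway
set protocols static route 0.0.0.0/0 next-hop 100.100.100.1 distance 10  # assumed gateway

# Source NAT keyed on the outbound interface. Translation happens after the
# routing decision, so each rule can only ever pick an address from the /29
# that belongs to the interface the packet actually leaves on.
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.1.0/24
set nat source rule 10 translation address 10.10.10.3
set nat source rule 20 outbound-interface eth1
set nat source rule 20 source address 172.16.1.0/24
set nat source rule 20 translation address 100.100.100.3   # assumed WAN2 address

# WAN load-balancing with health tests decides which WAN the LAN traffic uses;
# with 'failover' the higher-weight interface is used until its test fails.
set load-balancing wan interface-health eth0 nexthop 10.10.10.1
set load-balancing wan interface-health eth0 failure-count 3
set load-balancing wan interface-health eth0 success-count 2
set load-balancing wan interface-health eth0 test 10 type ping
set load-balancing wan interface-health eth0 test 10 target 198.51.100.1   # placeholder target
set load-balancing wan interface-health eth1 nexthop 100.100.100.1
set load-balancing wan interface-health eth1 failure-count 3
set load-balancing wan interface-health eth1 success-count 2
set load-balancing wan interface-health eth1 test 10 type ping
set load-balancing wan interface-health eth1 test 10 target 198.51.100.1   # placeholder target
# Let the explicit nat source rules above do the translation instead of the
# load-balancer's automatic masquerade, and keep replies on the same WAN.
set load-balancing wan disable-source-nat
set load-balancing wan sticky-connections inbound
set load-balancing wan rule 10 inbound-interface eth2
set load-balancing wan rule 10 failover
set load-balancing wan rule 10 interface eth0 weight 10
set load-balancing wan rule 10 interface eth1 weight 1
set load-balancing wan rule 20 inbound-interface eth3
set load-balancing wan rule 20 failover
set load-balancing wan rule 20 interface eth0 weight 10
set load-balancing wan rule 20 interface eth1 weight 1

# One port-group, one network-group and one WAN-LOCAL ruleset attached to both
# WAN interfaces: a single change covers either ISP.
set firewall group port-group MGMT-PORTS port 22
set firewall group port-group MGMT-PORTS port 443
set firewall group network-group ADMIN-NETS network 203.0.113.0/24   # placeholder admin network
set firewall name WAN-LOCAL default-action drop
set firewall name WAN-LOCAL rule 10 action accept
set firewall name WAN-LOCAL rule 10 state established enable
set firewall name WAN-LOCAL rule 10 state related enable
set firewall name WAN-LOCAL rule 20 action accept
set firewall name WAN-LOCAL rule 20 protocol tcp
set firewall name WAN-LOCAL rule 20 source group network-group ADMIN-NETS
set firewall name WAN-LOCAL rule 20 destination group port-group MGMT-PORTS
set interfaces ethernet eth0 firewall local name WAN-LOCAL
set interfaces ethernet eth1 firewall local name WAN-LOCAL
```

The answer to the original question falls out of the ordering: routing picks the interface first, then the `outbound-interface` on the NAT rule selects the matching translation address, so a rule tied to eth1 can never send traffic out with a 10.10.10.x address. The flip side is that with only static routes and different distances, rule 20 never matches at all until WAN1's route drops; the load-balancing rules are what actually steer LAN traffic (and hence the NAT choice) per ISP, while the router's own traffic keeps following the static routes.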