NAT with VRRP configuration

I was trying to understand if this is the correct behavior when setting up outbound NAT with VRRP.

When using VRRP and the router is master, additional virtual interfaces will be added:

eth0 → WAN IP
eth0v10 → Additional WAN IP
eth1 → LAN IP
eth1v11 → Additional LAN IP

My NAT rule, which works as of now using the eth0v10 IP, is:

nat {
    source {
        rule 101 {
            outbound-interface eth0
            source {
                address <LAN Subnet>
            }
            translation {
                address <additional WAN IP>
            }
        }
    }
}

Why does the outbound interface eth0v10 not work, but eth0 does? Are virtual interfaces not valid for NAT? The command line gives you the option to use eth0v10. Is this correct behavior?

An SNAT rule should be applied to the interface where the packet is routed out, not onto some internal interface holding the IP address you want to use.

Ok, that makes sense.

I have a site-to-site VPN setup where I can’t ping from the router on Site A (VyOS) to Site B. I think my ping traffic to 192.168.2.0/24 is getting NAT’d when it shouldn’t be, but based on the rule below it shouldn’t be. Maybe a routing issue? Basically I have the IPsec connection set up to a floating IP that moves when VRRP failover happens.

Here is what I’ve tested:

Ping from Site A router → Site B local machine = No
Ping from Site A local machine → Site B local machine = Yes
Ping from Site B local machine → Site A router = Yes

Interfaces:
    eth0 -> WAN IP
    eth0v10 -> Secondary WAN IP created by VRRP

nat {
    source {
        /* prevent IPsec traffic from getting NAT'd */
        rule 1 {
            outbound-interface eth0
            destination {
                /* remote subnet */
                address 192.168.2.0/24
            }
            exclude
        }
        /* NAT regular internet traffic */
        rule 101 {
            outbound-interface eth0
            source {
                /* cloud subnet */
                address 10.4.96.0/20
            }
            translation {
                address <Secondary WAN IP>
            }
        }
    }
}

protocols {
    static route 0.0.0.0/0 {
        next-hop <Secondary WAN IP gateway>
    }
}

What source IP address is used when pinging from Router A to Site B?
(Look into the conntrack session list while pinging.)
This should be an IP address which matches the IPsec policy.

If I ping from a machine behind the VyOS router (Router A), the conntrack table looks correct to me:

10.4.96.4 (machine behind router A) → 192.168.2.6 (Site B) [ICMP]

The ping just won’t work from the VyOS router itself. Going to play around a bit more.

So I had to fix the following things:

  1. Updated my default route to my primary WAN IP instead of the Secondary (pretty sure this wasn’t the issue). Vultr doesn’t provide a default gateway for the Secondary (floating) IP.
  2. My NAT rules use eth0, not the eth0v10 created by VRRP (also don’t think this was the cause).
  3. Added the Secondary WAN IP to eth0 (this was the issue).
  4. Changed the IPsec interface to eth0 from eth0v10.

Basically I was trying to avoid the same IP showing up twice in the “show interfaces” command:

eth0 - Shows my Primary and Secondary IP
eth0v10 - Shows my Secondary IP

All in all, the following have to line up:

  1. Your IP on the WAN needs to have the matching static route gateway IP.
  2. That interface needs to be configured in the IPsec settings.

Instead of adjusting the default route, you could also use a specific route for 192.168.2.0/24, pointing to the GW used on the interface doing IPsec.
The same goes for a /32 route for the remote IPsec peer.
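To show why the conntrack check suggested above matters, here is an added example (not from the thread or from VyOS) that walks a packet through the thread's two source-NAT rules and then against the IPsec policy selector. The WAN addresses are constructed placeholders; the LAN and remote subnets are the ones from the thread.

```python
import ipaddress

# Constructed placeholders for <Secondary WAN IP> and eth0's own address.
SECONDARY_WAN_IP = "203.0.113.20"
PRIMARY_WAN_IP = "203.0.113.10"

# Mirrors the thread's rules: rule 1 excludes traffic to the remote IPsec
# subnet, rule 101 translates LAN traffic leaving eth0. Lower number wins.
SNAT_RULES = [
    {"rule": 1, "out": "eth0", "dst": "192.168.2.0/24", "exclude": True},
    {"rule": 101, "out": "eth0", "src": "10.4.96.0/20",
     "translation": SECONDARY_WAN_IP},
]

# IPsec policy selector for the site-to-site tunnel (local, remote): only
# this pair is protected; anything else leaves eth0 in the clear.
IPSEC_POLICY = ("10.4.96.0/20", "192.168.2.0/24")


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def apply_snat(src, dst, out_iface, rules=SNAT_RULES):
    """Return the post-NAT source address, walking rules in numeric order.
    The first matching rule wins; an 'exclude' rule stops processing with
    the source unchanged, which is what the thread's rule 1 relies on."""
    for r in sorted(rules, key=lambda r: r["rule"]):
        if r["out"] != out_iface:
            continue
        if "src" in r and not _in(src, r["src"]):
            continue
        if "dst" in r and not _in(dst, r["dst"]):
            continue
        return src if r.get("exclude") else r["translation"]
    return src


def enters_tunnel(src, dst, policy=IPSEC_POLICY):
    """True when the (post-NAT) src/dst pair matches the IPsec policy."""
    local, remote = policy
    return _in(src, local) and _in(dst, remote)


def trace(src, dst, out_iface="eth0"):
    """Return (source seen in conntrack, whether the packet is tunnelled)."""
    nat_src = apply_snat(src, dst, out_iface)
    return nat_src, enters_tunnel(nat_src, dst)
```

A LAN host reaching Site B keeps its 10.4.96.x source and matches the policy, while a ping sourced from the router's own WAN address is also left un-NAT'd by rule 1 but never matches the 10.4.96.0/20 selector, so it goes out in the clear.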
