Network design questions about OSPF regarding firewalling

Hi there,

I have some questions about network design regarding OSPF and firewalling. I have created a map with my current setup for a better understanding.

All router (RT1-x) and VPN (VPN1-x) devices on SITE1 are VMs running VyOS 1.4. Routing/OSPF is working fine so far, I can reach all resources on both sites. There are two devices/VMs of each type for redundancy. If one VM goes down traffic flow will continue undisturbed.

In the next step I want to enable zone-based firewalling mainly on the RT1-x devices, as these are the core routers for SITE1, and with a basic ruleset on the VPN1-x devices as well.
I had set up two “interconnect links” (IC) between the devices for redundancy. I thought it was important for the VPN1-x devices in case a tunnel goes down. I am not sure if I really need this IC links as they make setting up the firewall rules more complicated. I think I can remove the RT1-IC link as both RT1-x routers have the transfer network for OSPF communication (broadcast mode).
I am not sure if I need the VPN1-IC link as well. I had created this link in case a tunnel goes down so that the VPN1-x devices on SITE1 can still see each other.

Getting rid of both interconnect (IC) links would make the setup of zone-based firewall rules much easier and less complicated. I could use the very same rulesets on both partner devices (e.g. on RT1-1 and RT1-2) and I would not have to take care of traffic being routed through the IC link.

As I am new to OSPF, any suggestions and recommendations are appreciated.

Thanks a lot.

Lars

I have a couple of questions if possible. #1 I’m guessing that the “transfer” device is a switch and that the four connections between RT1-1, RT1-2, VPN1-1, VPN1-2 and the “transfer” switch are all on the same subnet? #2 I’m also guessing that “internal” is also a switch and only its two connections to RT1-1 and RT1-2 will use the VRRP protocol so that one router is “active” and one router is “backup”? #3 Why so many firewalls? Do you really need a firewall on each router?

Just looking at this from a broad view, I don’t think you need the VPN1-IC connection but you may need the RT1-IC connection for an up/down health check between routers. I’ve never used VRRP before but from what I’ve read I think you might need that connection. Just not sure why you need four firewalls. I can understand the two on the VPN edgerouters but why are they also on RT1-1 and RT2-2? Last but not least, you don’t show any WAN or public connections, is that what is between VPN1-1, VPN1-2, and VPN2-1 (tunnels 1&2)?

Y-ASK

Yes, you are right with your assumptions:

#1: “transfer” is a vlan on the switches and all four VyOS devices (RT1-1, RT1-2, VPN1-1, VPN1-2) have a sub-interface in this vlan

#2: “internal” are a couple of vlans as well on the switches which have VRRP configured on the routers (RT1-1 and RT1-2) for redundancy (active/backup); the “internal” vlans connect the end devices (e.g. PCs, access points, …) to the network

#3: as RT1-1 and RT1-2 are my core routers (connecting the “internal” networks and the internet), I have at least set up zone-based firewalling on both devices; I am not really sure if I will set up firewalling on the VPN1-1 and VPN1-2 devices as well - maybe only some basic rulesets when I will terminate VPNs of mobile devices here as well

As to your question about the internet connection … the ISP router is connected to routers RT1-1 and RT1-2. I wanted the core routers (RT1-1 and RT1-2) to handle all routing of this site (SITE1). VPN1-1 and VPN1-2 only handle VPN connections to the other site (SITE2) and soon also VPN connections of mobile devices (e.g. mobile phones).
I have omitted the internet connection in my drawing so it doesn’t get too complicated. It just represents the logical view regarding what is configured in OSPF.

I did some researching the last couple of days and changed the setup regarding routing/OSPF. I kept the IC-links between each pair but I removed them from OSPF by using networks that I don’t advertise. RT1-1 and RT1-2 use this link for connection synchronization.

I did a couple of tests with my new setup by rebooting some of the devices and by disabling links. Everything went fine so far.

RT1-1/VPN1-1 are running on one ESXi host and RT1-2/VPN1-2 on a different host. In case one host fails or is being updated, the VMs on the other host will guarantee network connectivity.
This network is what I use at home, even if it looks more complicated/oversized compared to what the average person uses. This way I get to know the VyOS OS and other network techniques, e.g. OSPF, better.

Thank you for the info. It sounds like you’ve pretty much figured out what you were asking about. I totally agree with your solution in regards to the RT1-IC and VPN1-IC connections. It would be interesting to see exactly what you have here. Any way you could provide the configuration output for RT1-1 and VPN1-1 without including any private data? Is the ISP router something that was provided by the ISP or are you using Vyos for that connection too?

Thanks,
Y-ASK

Hi,

My ISP router is my own Fritz!Box (VDSL) over which I have full control. I can add the port forwardings needed for my setup.
As to my setup … of course I’m happy to share my configuration. I will send you a PM after this weekend when I have reviewed the configurations and removed any private data.

Best,

Lars

Thank you for allowing me to see your configuration. In addition to RT1-1 and VPN1-1, maybe you could add VPN2-1 so that I can see the full path from end to end? I set up something similar but used only one OSPF area.

Thanks,
Y-ASK

Beware of triangular routing:
VRRP sends data received from clients, make sure it is also the preferred OSPF return path.
If data is returned via the VRRP slave, stateful firewall rules won’t function properly.

Thanks, I’m using a VRRP transition script to set the OSPF default-metric globally so the VRRP master will be the preferred router.
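A constructed illustration of the approach described in the two posts above (the VRRP master must also be the preferred OSPF return path, otherwise the stateful firewall only sees one direction of a flow): a VRRP transition script that changes the OSPF default-metric with the VRRP state. This is added example code, not the poster's script; it assumes the script is registered for both the master and backup transitions, receives the new state as its first argument, and uses the vyatta-cfg-cmd-wrapper helper to commit the change.

```shell
#!/bin/bash
# Constructed VyOS 1.4 VRRP transition script (not from the original post).
# Assumptions: keepalived/VyOS calls it with the new VRRP state as $1
# ("master" or "backup"), and /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper is
# available to enter configure mode, set a value and commit.

METRIC_MASTER=10     # constructed value: master advertises the cheaper path
METRIC_BACKUP=100    # constructed value: backup advertises the same prefixes, but less attractive

# Map a VRRP state to the OSPF default-metric this router should advertise.
metric_for_state() {
    case "$1" in
        master|MASTER)              echo "$METRIC_MASTER" ;;
        backup|BACKUP|fault|FAULT)  echo "$METRIC_BACKUP" ;;
        *)                          return 1 ;;
    esac
}

# Render the VyOS configuration command for a given VRRP state.
set_command_for_state() {
    local m
    m=$(metric_for_state "$1") || return 1
    echo "set protocols ospf default-metric $m"
}

# On a VyOS box, commit the command; elsewhere print it as a dry run so the
# script can be checked off-box before it is wired into VRRP.
apply_state() {
    local cmd wrapper
    cmd=$(set_command_for_state "$1") || { echo "unknown VRRP state: $1" >&2; return 1; }
    wrapper=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
    if [ -x "$wrapper" ]; then
        "$wrapper" begin
        # word-splitting is intended: the wrapper takes the command as separate arguments
        "$wrapper" $cmd
        "$wrapper" commit
        "$wrapper" end
    else
        echo "dry run: $cmd"
    fi
}

# Only act when a VRRP state was actually supplied on the command line.
if [ "$#" -gt 0 ]; then
    apply_state "$1"
fi
```

After a failover, "show ip ospf database" on a neighbour should show the former backup's prefixes with the lower metric, which confirms return traffic follows the new VRRP master.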

Thanks Indy for the config files! What you are doing is very interesting and much more complicated than the original block diagram implies. I think it’s very cool that you’ve implemented this many Vyos options. I think I might try to mimic what you have here in my test environment so that I may learn more about the router software. Thanks again for taking the time to provide the files.

Y-ASK