Override source address of local (VyOS-originated) traffic

This is a rehash of a similar question I asked last year:

The original scenario was a router speaking BGP and announcing IPv4/IPv6 prefixes, but the upstream interface only had an IPv6 address assigned (no v4 address, announcing v4 routes over a BGPv6 session). In this case, VyOS defaults to my unrouted local network for the source IP on all router-originated traffic exiting towards the internet, which obviously does not work.

I have a separate environment that is now suffering from a similar issue with a different configuration: the underlying physical ISP connection is used exclusively to establish an IPsec tunnel. IPsec is configured with a VTI, and the VTI interface has an address assigned from RFC 6598 space. There is a dummy interface dum0 with a publicly routed IPv4 address assigned as a /32. The far end is configured to route traffic to dum0's /32 over the VTI interface. SNAT rules are configured with `outbound-interface vti0` / `address <addr-of-dum0>`.

This configuration works as expected for clients behind VyOS, but all traffic originated from VyOS itself still attempts to use the upstream WAN IPv4 as source address.

In both cases, any locally originated traffic from VyOS must manually specify the correct source address, which is annoying at best and not possible with some services. This type of local traffic rewrite is totally possible with nftables and postrouting SNAT, but I don’t see any way to do it in VyOS - are there any plans to support SNAT for locally originated traffic? I seem to recall Vyatta and maybe early VyOS supported such configurations. Perhaps I am just approaching the problem incorrectly?

I tried SNAT with the VTI local address as source and… surprisingly, it actually works as expected. I also tried it in my other environment: assign a throwaway /32 to the upstream interface (which had no existing v4 address), create a SNAT rule to rewrite that throwaway address, and it also works as expected.

Not entirely sure why I didn't expect it to work; I recall locally originated traffic being treated distinctly from forwarded traffic in older Vyatta/VyOS revisions, so perhaps it was a mistaken idea all along. It doesn't solve the actual problem of choosing a single loopback address for a router, which would be a very nice feature to have, but it solves the immediate problem of having to specify `source-address` whenever running commands, or having to download upgrade images with curl and then install them in separate steps instead of using `add system image https://...` directly.

1 Like
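The configuration the two posts above describe, written out as an added example (not a configuration posted by anyone in the thread): one SNAT rule for clients behind the router, plus a second rule that matches only the router's own packets, which leave vti0 with the VTI local address as source. Interface names are taken from the thread; the LAN prefix 192.168.10.0/24, the VTI local address 100.64.0.1/30 (RFC 6598) and the dum0 address 203.0.113.10/32 are constructed placeholders. The command syntax assumed is the VyOS 1.3 form (`outbound-interface 'vti0'`); VyOS 1.4 and later spell the same option `outbound-interface name 'vti0'`.

```text
# Added example, not from the original thread. Addresses are constructed placeholders.

# Publicly routed /32 on a dummy interface; the far end routes this /32 over the VTI.
set interfaces dummy dum0 address '203.0.113.10/32'

# VTI carrying the IPsec tunnel, addressed from RFC 6598 space.
set interfaces vti vti0 address '100.64.0.1/30'

# Rule 100: forwarded traffic from LAN clients, as already working in the thread.
set nat source rule 100 description 'LAN clients out via tunnel'
set nat source rule 100 outbound-interface 'vti0'
set nat source rule 100 source address '192.168.10.0/24'
set nat source rule 100 translation address '203.0.113.10'

# Rule 110: the router's own traffic. Only packets sourced from the VTI local
# address match, so client traffic handled by rule 100 is never touched.
set nat source rule 110 description 'VyOS-originated traffic out via tunnel'
set nat source rule 110 outbound-interface 'vti0'
set nat source rule 110 source address '100.64.0.1/32'
set nat source rule 110 translation address '203.0.113.10'

commit
save
```

After committing, `show nat source rules` lists both rules, and `show nat source translations` should start showing the router's own connections (for instance an `add system image https://...` download) rewritten to 203.0.113.10 rather than the WAN or VTI address. Keeping the `/32` source match on rule 110 is the important part: it restricts the rewrite to locally originated packets without relying on any special local-traffic handling in the NAT configuration.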

I might have to try this for WAN load balancing, as I've been having issues where, if the allow local networks option is enabled, local networking is broken, and containers don't seem to follow it anyway.
