Pbr in 1.3 - is this just how it is?

I’m open to criticism; the rules may not be right…

vyos@vyos:~$ show configuration commands | grep policy
set interfaces ethernet eth5 vif 42 policy route 'GWv4_HVDN'
set policy route GWv4_HVDN rule 10 description 'Route to HVDN'
set policy route GWv4_HVDN rule 10 destination address '!10.20.0.0/16'
set policy route GWv4_HVDN rule 10 set table '10'
set policy route GWv4_HVDN rule 10 source

vyos@vyos:~$ show configuration commands | grep 'table 10'
set protocols static table 10 route 0.0.0.0/0 next-hop 10.20.245.74

vyos@vyos:~$ show configuration commands | grep 'nat source rule 110'
set nat source rule 110 outbound-interface 'eth6'
set nat source rule 110 source address '192.168.128.0/24'
set nat source rule 110 translation address 'masquerade'

128.0/24 is the network on vif 42 and needs to be masq’d as 10.20.245.73 before leaving…

when 192.168.128.x has a destination of ! 10.20/16 it goes out the next hop of the 10.20.245.74 inet host.

when host 192.168.128.x has a destination of 10.20/16 it goes out the gw of 192.168.128.1 and routes via the wan to the intended network…

(this is good)

But I have other networks that I want to route locally…

(I am replacing pfsense boxes…)


(sorry for the blurring)

… if the DEST is ! LOCAL_NETs set the gw to next hop device…

Where LOCAL_NETs is a group of lan networks defined…

In vyos 1.3 I cannot seem to make a group of networks AND negate them

OR

In vyos 1.3 I cannot seem to add multiple destination addresses as it seems to overwrite the previous entry and you are left with what you entered last…

Is this just a 1.3 limitation?

OR OR

Should I rewrite my rules like this:

https://docs.vyos.io/en/equuleus/configuration/policy/index.html#local-route

and put my local routes in table ‘main’?

Am I missing something simple?

(I have been at this longer than I would like to admit; and made several typos which caused me much chaos and confusion…)

Thank you for your time…

I’m open to criticism;

Challenge accepted! :wink:

No, but from your config I assume you missed something when copy-pasting this line?

set policy route GWv4_HVDN rule 10 source

Also if you wish to remove potential sensitive information from posts you can use this:

show configuration commands | strip-private

Given your example I assume that the nexthop 10.20.245.74 is reachable through eth6?

If not (lets say eth7) you would need a second snat-rule such as:

set nat source rule 120 outbound-interface 'eth7'
set nat source rule 120 source address '192.168.128.0/24'
set nat source rule 120 translation address 'masquerade'

It's optional to define source address, but often recommended (not needed if EVERYTHING egressing this interface should be source NATed to whatever IP eth7 is configured with).

There was a commit not long ago regarding negating matches, and I think network-groups might have been part of it.

Generally speaking, if something doesn't work out in 1.3 I would recommend trying 1.4 (will be released as stable any month now) or even 1.5 and seeing if it's resolved there, because all new features end up in the current rolling release while the current stable only receives critical fixes and, generally speaking, no new features.


I think you should make a post for basic simple firewall rules for version 1.5 with 1 wan and one lan network

(just wanted to quick reply…)

I need 1.3 because of the Intel 553 driver issue…

(10G SFP+ trouble with linking (Intel X553))

Whoa on the strip-private

I missed this:

(Syslog — VyOS 1.3.x (equuleus) documentation)

will digest what you said and come back when time permits…

Thank you for the response/information

(strip-private: set firewall group network-group LOCAL_NETs network 'xxx.xxx.0.0/16'set firewa - Pastebin.com)

With just the vyos 1.3 as the wan router… I have an opnsense (protectli vp2420) sitting as the ids and outbound inet router…

The other pfsense buildings cannot max out the connection like this can… this is why I’m replacing pfsense+ with vyos…

aside from the nightmare xml config and and and…

anyway, thanks for listening…

This might work…

will confirm in the AM

vyos@vyos:~$ show configuration commands | grep policy
set interfaces ethernet eth5 vif 42 policy route 'GWv4_HVDN'
set policy route GWv4_HVDN rule 9 destination group network-group 'LOCAL_NETs'
set policy route GWv4_HVDN rule 9 set table 'main'
set policy route GWv4_HVDN rule 10 description 'Route to HVDN'
set policy route GWv4_HVDN rule 10 set table '10'

vyos@vyos:~$ show configuration commands | grep table
set policy route GWv4_HVDN rule 9 set table 'main'
set policy route GWv4_HVDN rule 10 set table '10'
set protocols static table 10 route 0.0.0.0/0 next-hop 10.20.245.74

vyos@vyos:~$ show configuration commands | grep group
set firewall group network-group LOCAL_NETs network '10.20.0.0/16'
set firewall group network-group LOCAL_NETs network '172.16.0.0/16'
set firewall group network-group LOCAL_NETs network '10.120.0.0/16'
set firewall group network-group LOCAL_NETs network '10.121.0.0/16'

set policy route GWv4_HVDN rule 9 destination group network-group 'LOCAL_NETs'
set policy route GWv4_HVDN rule 10 destination group

firewall group was the only thing I could get a group of networks/addresses into

the docs for 1.3 look like you can add multiple lines… but doesn’t seem to work anymore; you get one source and destination… and you cannot negate a group

but this pushing to table main looks like it will work… and what’s left over will hit the next rule and change the next-hop

this also looks generic enough that you could apply the GWv4_HVDN to other vifs, which would be great…

vyos@vyos:~$ show policy route

-----------------------------
Rulesets Information
-----------------------------
--------------------------------------------------------------------------------
IPv4 Policy Route "GWv4_HVDN":

 Active on (eth5.42,ROUTE)

rule      action   proto     packets  bytes
----      ------   -----     -------  -----
9         set      all       5        322
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-NTWRK-GROUP LOCAL_NETs

10        set      all       40       2389
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

1000000   drop     all       9184     919505
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

At least something is matching…

vyos@vyos:~$ show policy route

-----------------------------
Rulesets Information
-----------------------------
--------------------------------------------------------------------------------
IPv4 Policy Route "GWv4_HVDN":

 Active on (eth5.42,ROUTE) (eth5.1024,ROUTE)

rule      action   proto     packets  bytes
----      ------   -----     -------  -----
9         set      all       318564   46678973
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-NTWRK-GROUP LOCAL_NETs

10        set      all       36069    5745781
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

1000000   drop     all       9184     919505
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

added another interface to the policy and it’s working as intended; just awesome

vyos@vyos:~$ show configuration commands | strip-private | grep 'policy\|"table 10"\|group'
set firewall group network-group LOCAL_NETs network 'xxx.xxx.0.0/16'
set firewall group network-group LOCAL_NETs network 'xxx.xxx.0.0/16'
set firewall group network-group LOCAL_NETs network 'xxx.xxx.0.0/16'
set firewall group network-group LOCAL_NETs network 'xxx.xxx.0.0/16'

set interfaces ethernet eth5 vif 42 policy route 'GWv4_HVDN'
set interfaces ethernet eth5 vif 1024 policy route 'GWv4_HVDN'

set policy route GWv4_HVDN rule 5 destination group network-group 'LOCAL_NETs'
set policy route GWv4_HVDN rule 5 set table 'main'
set policy route GWv4_HVDN rule 10 description 'Route to HVDN'
set policy route GWv4_HVDN rule 10 set table '10'

It is just so succinct…
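To make the ordering argument in the thread explicit, here is an added example (not VyOS code and not any poster's config) that models first-match policy-route evaluation with Python's ipaddress module. It uses the four LOCAL_NETs prefixes posted above and compares three rulesets: the original single rule that negated only 10.20.0.0/16, the two-rule construction that finally worked (group → main, fallthrough → table 10), and the single negated-group rule that 1.3 would not accept. The probe destinations are constructed for the test and are not from the original post; the real router evaluates these rules in the kernel's mangle chain, and this script only reproduces the table-selection logic.

```python
"""Model of first-match policy-route evaluation for the thread's ruleset.

Added example, not VyOS code: it reproduces the table-selection semantics of
`set policy route GWv4_HVDN` with the ipaddress module so that the two-rule
construction (group -> main, everything else -> table 10) can be compared with
the single negated rule that VyOS 1.3 would not accept, and with the original
rule that negated only 10.20.0.0/16.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Callable, List

# Prefixes as posted in the thread (firewall group network-group LOCAL_NETs).
LOCAL_NETS = [ip_network(n) for n in (
    "10.20.0.0/16", "172.16.0.0/16", "10.120.0.0/16", "10.121.0.0/16")]
HVDN_ONLY = [ip_network("10.20.0.0/16")]   # the one prefix the original rule negated


def in_group(addr: IPv4Address, group) -> bool:
    """True if addr falls inside any prefix of the network group."""
    return any(addr in net for net in group)


@dataclass
class Rule:
    number: int                              # rule ordering, as in the CLI
    match: Callable[[IPv4Address], bool]     # destination predicate
    table: str                               # routing table selected on match


def evaluate(rules: List[Rule], dst: str) -> str:
    """Return the routing table a packet to dst would be looked up in.

    Rules are tried in ascending number order and the first match wins, which
    is what the per-rule counters in `show policy route` reflect.  If nothing
    matches, the packet gets an ordinary lookup in the main table.
    """
    addr = ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.match(addr):
            return rule.table
    return "main"


# Ruleset A: the original rule 10 with destination address '!10.20.0.0/16'.
ORIGINAL = [
    Rule(10, lambda a: not in_group(a, HVDN_ONLY), "10"),
]

# Ruleset B: what the poster ended up with (rule 5 -> main, rule 10 -> table 10).
TWO_RULE = [
    Rule(5, lambda a: in_group(a, LOCAL_NETS), "main"),
    Rule(10, lambda a: True, "10"),
]

# Ruleset C: the single negated-group rule that 1.3 would not let them write.
NEGATED_GROUP = [
    Rule(10, lambda a: not in_group(a, LOCAL_NETS), "10"),
]

# Constructed probe destinations (not from the thread): one per local prefix,
# one just outside a local prefix, and two arbitrary Internet hosts.
PROBES = [
    "10.20.1.1", "172.16.5.5", "10.120.9.9", "10.121.0.254",
    "10.122.0.1", "203.0.113.7", "198.51.100.42",
]


def equivalent(rules_x: List[Rule], rules_y: List[Rule], dests=PROBES) -> bool:
    """True if both rulesets pick the same table for every probe destination."""
    return all(evaluate(rules_x, d) == evaluate(rules_y, d) for d in dests)


def misrouted_by_original(dests=PROBES) -> List[str]:
    """Local destinations that the original rule would have sent to table 10."""
    return [d for d in dests
            if in_group(ip_address(d), LOCAL_NETS)
            and evaluate(ORIGINAL, d) == "10"]


if __name__ == "__main__":
    for d in PROBES:
        print(f"{d:>16}  original={evaluate(ORIGINAL, d):>4}  "
              f"two-rule={evaluate(TWO_RULE, d):>4}  "
              f"negated-group={evaluate(NEGATED_GROUP, d):>4}")
    print("two-rule == negated-group:", equivalent(TWO_RULE, NEGATED_GROUP))
    print("local nets the original rule sent to table 10:", misrouted_by_original())
```

The point the script makes is that "match the group and select main, then let the remainder fall through to table 10" is exactly the negated-group rule, so nothing is lost by writing it as two rules; it also shows that the original `!10.20.0.0/16` rule pushed 172.16/16, 10.120/16 and 10.121/16 traffic out via the 10.20.245.74 next hop, which is the behaviour the thread set out to fix.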
