Policy Route not working in VyOS 1.4 while using gateway as source interface for ping

somsinha · June 2, 2023, 5:19am

I have a simple topology:

topo
R1 has a “public” interface on a VRF, INET. The problem is packets from R2 can’t reach the main routing table of R1, despite a route policy asking it to do that.

vyos@vyos:~$ sh ip route 192.168.0.1
Routing entry for 0.0.0.0/0
  Known via "static", distance 1, metric 0, best
  Last update 00:15:25 ago
  * 1.1.1.2, via eth0, weight 1

vyos@R2:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1002ms

UPDATE: the PBR works fine when a host is pinging the destination instead of an interface on the router R1!

PC1> 
PC1> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=63 time=4.357 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=63 time=2.438 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=63 time=2.652 ms

PC1> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
 1   192.168.0.1   1.186 ms  1.056 ms  0.866 ms
 2   *8.8.8.8   1.910 ms (ICMP type:3, code:3, Destination port unreachable)

Here’s the config:
PC1:

PC1> sh ip

NAME        : PC1[1]
IP/MASK     : 192.168.0.2/24
GATEWAY     : 192.168.0.1
DNS         : 
MAC         : 00:50:79:66:68:00
LPORT       : 10001
RHOST:PORT  : 127.0.0.1:10002
MTU:        : 1500

R1 config:

vyos@R1:~$ sh conf comm
set interfaces ethernet eth0 address '1.1.1.2/30'
set interfaces ethernet eth0 hw-id '0c:c6:a2:08:00:00'
set interfaces ethernet eth0 vrf 'INET'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 hw-id '0c:c6:a2:08:00:01'
set interfaces ethernet eth2 hw-id '0c:c6:a2:08:00:02'
set interfaces loopback lo

set policy route PR-LAN-RTN interface 'eth0'
set policy route PR-LAN-RTN rule 10 destination address '192.168.0.0/24'
set policy route PR-LAN-RTN rule 10 set table 'main'

set protocols static route 0.0.0.0/0 next-hop 1.1.1.1 vrf 'INET'
set protocols static route 0.0.0.0/0 next-hop 1.1.1.2

set system config-management commit-revisions '100'
set system host-name 'R1'
set system login banner post-login ''
set system login user vyos authentication encrypted-password '$6$QxPS.uk6mfo$9QBSo8u1FkH16gMyAVhus6fU3LOzvLR9Z9.82m3tiHFAxTtIkhaZSWssSgzt4v4dGAL8rhVQxTg0oAG9/q11h/'
set system login user vyos authentication plaintext-password ''
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'

set vrf name INET protocols static route 0.0.0.0/0 next-hop 1.1.1.1
set vrf name INET table '100'

R2 Config:

set interfaces dummy dum0 address '8.8.8.8/32'
set interfaces ethernet eth0 address '1.1.1.1/30'
set interfaces ethernet eth0 hw-id '0c:8e:68:24:00:00'
set interfaces ethernet eth1 hw-id '0c:8e:68:24:00:01'
set interfaces ethernet eth2 hw-id '0c:8e:68:24:00:02'
set interfaces loopback lo

set protocols static route 0.0.0.0/0 next-hop 1.1.1.2

set system config-management commit-revisions '100'
set system host-name 'R2'
set system login user vyos authentication encrypted-password '$6$QxPS.uk6mfo$9QBSo8u1FkH16gMyAVhus6fU3LOzvLR9Z9.82m3tiHFAxTtIkhaZSWssSgzt4v4dGAL8rhVQxTg0oAG9/q11h/'
set system login user vyos authentication plaintext-password ''
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'

TCPDump reveals that the interface eth0 actively drops packets instead of sending them to the correct routing table (Output captured on R1 while R2’s 1.1.1.1 was pinging 192.168.0.1 on R1):

vyos@R1:~$ sudo tcpdump -i eth0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
05:06:57.515711 IP 1.1.1.1 > 192.168.0.1: ICMP echo request, id 23697, seq 1, length 64
05:06:58.548014 IP 1.1.1.1 > 192.168.0.1: ICMP echo request, id 23697, seq 2, length 64
05:06:59.572708 IP 1.1.1.1 > 192.168.0.1: ICMP echo request, id 23697, seq 3, length 64
05:07:00.608865 IP 1.1.1.2 > 1.1.1.1: ICMP host 192.168.0.1 unreachable, length 92
05:07:00.609032 IP 1.1.1.2 > 1.1.1.1: ICMP host 192.168.0.1 unreachable, length 92
05:07:00.609109 IP 1.1.1.2 > 1.1.1.1: ICMP host 192.168.0.1 unreachable, length 92
05:07:02.644076 ARP, Request who-has 1.1.1.2 tell 1.1.1.1, length 46
05:07:02.644104 ARP, Reply 1.1.1.2 is-at 0c:c6:a2:08:00:00 (oui Unknown), length 28
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

j.landicho · June 4, 2023, 3:36am

Hi, please check this link for a similar issue. This seems a limitation in Linux implementation of VRFs wherein you cannot use ICMP to access the local IPs.