Hello
I have recently implemented vyos in a service provider environment and I am looking to route traffic matching a certain source address coming on an ingress tunnel to push out to another tunnel. Everything works fine, however I see a lot of drops.
Although I am seeing drops counting up, I am wondering if this count is packets that don't match the policy and are “dropped” back into the general forwarding rules, or the packets are dropped (i.e. null0) altogether?
(from my testing with live connections, it would seem that packets are generally forwarded on)
Example of the counters below:
(there are two policies, one to adjust TCP MSS and the other to route the packets)
$ sh policy
Rulesets Information
IPv4 Policy Route “TUN_0_POLICY”:
Active on (tun0,ROUTE)
rule action proto packets bytes
1 set tcp 5752 346740
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 tcpflags: 0x02/0x02 TCPMSS set 1350
5832 351784 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* TUN_0_POLICY-1 */ tcpflags: 0x02/0x02 TCPMSS set 1350
100 set all 263638 21888051
condition - saddr 10.128.128.0/24 daddr 0.0.0.0/0
10000 drop all 1901194 2609051068
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
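As an added example (not from the post and not VyOS's own code), a small Python parser for the rule/condition layout of the `show policy` counters above; it runs on a constructed, cleaned-up copy of the pasted ruleset, sums the packets counted on drop rules and flags drop rules whose saddr and daddr are both 0.0.0.0/0.

```python
import ipaddress
import re

# Constructed sample: the "show policy" counters pasted in the post, cleaned up.
SHOW_POLICY = """\
rule action proto packets bytes
1 set tcp 5752 346740
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 tcpflags: 0x02/0x02 TCPMSS set 1350
100 set all 263638 21888051
condition - saddr 10.128.128.0/24 daddr 0.0.0.0/0
10000 drop all 1901194 2609051068
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_rules(text):
    """Turn each rule line plus its condition line into one dict."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0].isdigit():                       # rule line
            rules.append({"rule": int(parts[0]), "action": parts[1],
                          "proto": parts[2], "packets": int(parts[3]),
                          "bytes": int(parts[4])})
        elif parts[0] == "condition" and rules:      # belongs to previous rule
            m = re.search(r"saddr (\S+) daddr (\S+)", line)
            rules[-1]["saddr"] = ipaddress.ip_network(m.group(1))
            rules[-1]["daddr"] = ipaddress.ip_network(m.group(2))
    return rules

def summarize(rules):
    """Count packets on drop rules and flag drop rules that match any
    source and any destination. Counters of the MSS-clamp rule overlap
    with the other rules, so the total is only a rough denominator."""
    drops = [r for r in rules if r["action"] == "drop"]
    return {
        "total_packets": sum(r["packets"] for r in rules),
        "drop_packets": sum(r["packets"] for r in drops),
        "catch_all_drops": [r["rule"] for r in drops
                            if r["saddr"] == ANY and r["daddr"] == ANY],
    }

if __name__ == "__main__":
    s = summarize(parse_rules(SHOW_POLICY))
    print(f"{s['drop_packets']}/{s['total_packets']} counted packets hit drop rules")
    print("catch-all drop rules:", s["catch_all_drops"])
```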