Routing between two VyOS Routers


#1

Hello, please can you assist me in configuring my lab setup.

I have a lab environment with a VyOS router setup on my desktop PC using VMware workstation and I have now added a second VyOS router to a separate lab environment on my laptop. Both internal LAN interfaces are using different subnets, 192.168.0.0/24 and 192.168.20.0/24.

From each router I can ping the WAN interface of the other, but from the internal LAN I cannot access the internal LAN of the other router. I have tried adding a static route using the command:

set protocols static route 192.168.0.0/24 next-hop 192.168.50.208

192.168.50.208 is the IP address assigned to the WAN interface by DHCP on the other router. But this doesn’t work.

Can someone please advise on the best way to configure routing between the two routers?

Thanks,


#2

Can you copy here the config of your 2 VyOS routers (the interfaces and protocols part)?
There’s too little information in your post to allow us to respond.

Also don’t forget that you always need the routes properly configured in both directions to have communication.

For example if you have

192.168.0.0/24 - VYOS1 - 192.168.50.208/24 – 192.168.50.210/24 - VyOS2 - 192.168.1.0/24

you need:

  • on VyOS1 a route : 192.168.1.0/24 next-hop 192.168.50.210
  • on VyOS2 a route : 192.168.0.0/24 next-hop 192.168.50.208

and it should work


#3

This is the configuration of Router02 in one of my lab environments, I will post the other one shortly.

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.50.212/24                 u/u  WAN
eth1             192.168.20.254/24                 u/u  LAN
lo               127.0.0.1/8                       u/u
                 ::1/128

[edit]

vyos@vyos# show interfaces
ethernet eth0 {
address dhcp
description WAN
hw-id 00:0c:29:8c:bb:eb
}
ethernet eth1 {
address 192.168.20.254/24
description LAN
hw-id 00:0c:29:8c:bb:f5
}
loopback lo {
}

vyos@vyos# show protocols static route
route 0.0.0.0/0 {
next-hop 192.168.50.1 {
distance 1
}
}
route 192.168.0.0/24 {
next-hop 192.168.50.208 {
}
}


Below is the configuration of my other router

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.50.208/24                 u/u  WAN
eth1             192.168.0.254/24                  u/u  Site1-LAN
eth2             192.168.10.254/24                 u/u  Site2-LAN
lo               127.0.0.1/8                       u/u
                 ::1/128

[edit]
vyos@Router01# show interfaces
ethernet eth0 {
address dhcp
description WAN
duplex auto
hw-id 00:0c:29:44:66:50
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.0.254/24
description Site1-LAN
duplex auto
hw-id 00:0c:29:44:66:5a
smp_affinity auto
speed auto
}
ethernet eth2 {
address 192.168.10.254/24
description Site2-LAN
duplex auto
hw-id 00:0c:29:44:66:64
smp_affinity auto
speed auto
}

vyos@Router01# show protocols static route
route 0.0.0.0/0 {
next-hop 192.168.50.1 {
}
}
route 192.168.20.0/24 {
next-hop 192.168.50.212 {
}
}


192.168.50.1 is the IP address of my broadband router


#4

With this config, the hosts in the 192.168.20.0/24 network should be able to communicate with the hosts in site 1 - 192.168.0.0/24
(but not with hosts in site 2 - 192.168.10.254/24, since there’s no route to this network on router vyos).

Does it work?

You can test from the “vyos” router in configure mode with “ping -I 192.168.20.254 192.168.0.254”
or from “router01” with “ping -I 192.168.0.254 192.168.20.254”.


#5

Unfortunately no it does not work. Any other ideas?


#6

Hm, curious. I assume that in VMware Workstation the interfaces are bridged to your physical NICs.

A local firewall on your desktop and / or laptop may block the traffic.
I had the case with BitDefender running on Windows 7 with VMware Workstation.

Try disabling any firewall.

Also try traceroute from each router to the remote networks.


#7

My WAN interfaces Eth0 are bridged to the physical NICs on both routers. Eth1 are both set to VMNET1 on both routers.

Traceroute just times out, but I can ping the WAN interfaces of each router from the other side. I just cannot get to the LAN interfaces.

I do have Bitdefender running on both computers, but just the AV; no firewall component is installed. However, I’ve just tried disabling it completely, as well as turning off Windows Firewall, but still nothing.


When adding the static route, I’m specifying the next-hop as the WAN interface on the other router. Is this correct?

Is there anything I have to do on each WAN interface to accept traffic from an unknown network?


#8

Yes, the next-hop must be the WAN interface of the other router.

Nothing special to do, if you don’t have firewall rules (there are none by default).

Did you configure some NAT on the routers?

Also, if you can ping the other router’s WAN interface, the traceroute should at least respond with the other router’s WAN interface as first hop, so it’s curious.

To debug this I would use tcpdump on each router’s WAN interface to see what’s going out / in.


#9

I have configured the following NAT rules:

vyos@Router01# show nat
source {
rule 100 {
outbound-interface eth0
source {
address 192.168.0.0/24
}
translation {
address masquerade
}
}
rule 101 {
outbound-interface eth0
source {
address 192.168.10.0/24
}
translation {
address masquerade
}
}
}

vyos@Router02# show nat
source {
rule 100 {
outbound-interface eth0
source {
address 192.168.20.0/24
}
translation {
address masquerade
}
}
}

I’ll look into tcpdump


#10

OK, so it’s normal that you don’t have communication, because of NAT.

Either remove your NAT to test routing or set an exclusion rule, for example:

router01
nat source rule 10
exclude
source address 192.168.0.0/24
destination address 192.168.20.0/24
outbound-interface eth0

router02
nat source rule 10
exclude
source address 192.168.20.0/24
destination address 192.168.0.0/24
outbound-interface eth0

(note that the exclude rule must be set with a lower rule number than your generic rule 100)


#11

Ok, my config for both Routers is below. It looks like a fairly basic setup. I’ve removed all NAT rules.

My WAN interfaces are bridged to the physical NICs and I can still Ping the WAN interfaces of each router from the other router. But a traceroute and ping to the LAN interface of the other side just times out.

Router01 Config

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.50.208/24                 u/u  WAN
eth1             192.168.0.254/24                  u/u  Site1
eth2             192.168.10.254/24                 u/u  Site2
lo               127.0.0.1/8                       u/u
                 ::1/128

vyos@Router01# show
interfaces {
ethernet eth0 {
address dhcp
description WAN
duplex auto
hw-id 00:0c:29:44:66:50
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.0.254/24
description Site1
duplex auto
hw-id 00:0c:29:44:66:5a
smp_affinity auto
speed auto
}
ethernet eth2 {
address 192.168.10.254/24
description Site2
duplex auto
hw-id 00:0c:29:44:66:64
smp_affinity auto
speed auto
}
loopback lo {
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 192.168.50.1 {
distance 1
}
}
route 192.168.20.0/24 {
next-hop 192.168.50.212 {
distance 1
}
}
}
}
service {
ssh {
listen-address 0.0.0.0
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
host-name Router01
login {
user vyos {
authentication {
encrypted-password $1$2MLB7Sgt$FDses2bWJLkEdlIE47Z0U/
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
name-server 208.67.222.222
name-server 208.67.220.220
ntp {
server uk.pool.ntp.org {
prefer
}
}
package {
auto-sync 1
repository community {
components main
distribution hydrogen
password ""
url http://packages.vyos.net/vyos
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Europe/London

Router02 Config

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.50.212/24                 u/u  WAN
eth1             192.168.20.254/24                 u/u  LAN
lo               127.0.0.1/8                       u/u
                 ::1/128

vyos@Router02# show
interfaces {
ethernet eth0 {
address dhcp
description WAN
duplex auto
hw-id 00:0c:29:8c:bb:eb
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.20.254/24
description LAN
duplex auto
hw-id 00:0c:29:8c:bb:f5
smp_affinity auto
speed auto
}
loopback lo {
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 192.168.50.1 {
distance 1
}
}
route 192.168.0.0/24 {
next-hop 192.168.50.208 {
distance 1
}
}
route 192.168.10.0/24 {
next-hop 192.168.50.208 {
distance 1
}
}
}
}
service {
ssh {
listen-address 0.0.0.0
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
host-name Router02
login {
user vyos {
authentication {
encrypted-password $1$xoQZPJfp$iQ5eA7LhFqsCgK/Eby/N41
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
name-server 208.67.222.222
name-server 208.67.220.220
ntp {
server uk.pool.ntp.org {
prefer
}
}
package {
auto-sync 1
repository community {
components main
distribution hydrogen
password ""
url http://packages.vyos.net/vyos
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Europe/London

Traceroute from Router01 to WAN interface of Router02

vyos@Router01# traceroute 192.168.50.212
traceroute to 192.168.50.212 (192.168.50.212), 30 hops max, 60 byte packets
1 192.168.50.212 (192.168.50.212) 7.712 ms 8.290 ms 9.432 ms

Traceroute from Router01 to LAN interface of Router02

vyos@Router01# traceroute 192.168.20.254
traceroute to 192.168.20.254 (192.168.20.254), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *


#12

Hi JFL,

Many thanks for your assistance in trying to resolve this issue. I now have two working routers that are able to route between each other. I think in the end it was the fact that my Outbound interface was configured as DHCP. When I changed it to static, routing began to work.

Below is my working config from Router02 which also allows internet access from the 192.168.20.x subnet.

vyos@Router02# show
interfaces {
ethernet eth0 {
address 192.168.50.201/24
description WAN
duplex auto
hw-id 00:0c:29:8c:bb:eb
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.20.254/24
description LAN
duplex auto
hw-id 00:0c:29:8c:bb:f5
smp_affinity auto
speed auto
}
loopback lo {
}
}
nat {
source {
rule 100 {
outbound-interface eth0
source {
address 192.168.20.0/24
}
translation {
address masquerade
}
}
}
}
protocols {
static {
route 192.168.0.0/24 {
next-hop 192.168.50.200 {
distance 1
}
}
route 192.168.10.0/24 {
next-hop 192.168.50.200 {
distance 1
}
}
}
}
service {
ssh {
listen-address 0.0.0.0
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
gateway-address 192.168.50.1
host-name Router02
login {
user vyos {
authentication {
encrypted-password $1$xoQZPJfp$iQ5eA7LhFqsCgK/Eby/N41
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
name-server 208.67.222.222
name-server 208.67.220.220
ntp {
server uk.pool.ntp.org {
prefer
}
}
package {
auto-sync 1
repository community {
components main
distribution hydrogen
password ""
url http://packages.vyos.net/vyos
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Europe/London
}