Routing issues on my first vyos box

Hello all.
This is my first time using VyOS, so I think my problem is that I'm missing the obvious.
We are working on switching from EdgeOS to VyOS because of the dated hardware that Ubiquiti is putting out. I have VyOS installed on a 6-port fanless system.
Setup went smoothly; the DHCP server and interface config went smoothly. However, I can't seem to ping anything through the router. I can ping the router itself, and I can ping anything I want from the router itself unless I use the lan1 source interface.
I didn't do any NAT config; I'm wondering, do I need to?
My configs are as follows.

vyos@vyos-sh:~$ show firewall

Firewall Global Settings

Firewall state-policy for all IPv4 and IPv6 traffic

state        action  log
invalid      drop    disabled
established  accept  disabled
related      accept  disabled

Rulesets Information

IPv4 Firewall "lan2-internet":

Active on traffic to -
  zone [internet] from zone [lan2]

rule   action  proto  packets  bytes
10000  accept  all    0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

IPv4 Firewall "lan2-local":

Active on traffic to -
  zone [local] from zone [lan2]

rule   action  proto  packets  bytes
10000  drop    all    0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

IPv4 Firewall "lan2-lan1":

Active on traffic to -
  zone [lan1] from zone [lan2]

rule   action  proto  packets  bytes
10000  drop    all    0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

IPv4 Firewall "internet-lan2":

Active on traffic to -
  zone [lan2] from zone [internet]

rule   action  proto  packets  bytes
10000  drop    all    0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

IPv4 Firewall "internet-local":

Active on traffic to -
  zone [local] from zone [internet]

rule   action  proto  packets  bytes
10     accept  icmp   0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
11     accept  tcp    4        240
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 tcp dpt:22
10000  drop    all    3229     349657
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

IPv4 Firewall "internet-lan1":

Active on traffic to -
  zone [lan1] from zone [internet]

rule   action  proto  packets  bytes
100    accept  icmp   0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
10000  drop    all    0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

IPv4 Firewall "local-lan2":

Active on traffic to -
  zone [lan2] from zone [local]

rule   action  proto  packets  bytes
10000  drop    all    0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

IPv4 Firewall "local-internet":

Active on traffic to -
  zone [internet] from zone [local]

rule   action  proto  packets  bytes
10000  accept  all    727      48161
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

IPv4 Firewall "local-lan1":

Active on traffic to -
  zone [lan1] from zone [local]

rule   action  proto  packets  bytes
10000  accept  all    93       7812
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

IPv4 Firewall "lan1-lan2":

Active on traffic to -
  zone [lan2] from zone [lan1]

rule   action  proto  packets  bytes
10000  drop    all    0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

IPv4 Firewall "lan1-internet":

Active on traffic to -
  zone [internet] from zone [lan1]

rule   action  proto  packets  bytes
10000  accept  all    9266     555960
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

IPv4 Firewall "lan1-local":

Active on traffic to -
  zone [local] from zone [lan1]

rule   action  proto  packets  bytes
10000  accept  all    79       16852
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

vyos@vyos-sh# show zone-policy
 zone lan2 {
     default-action drop
     from internet {
         firewall {
             name internet-lan2
         }
     }
     from local {
         firewall {
             name local-lan2
         }
     }
     from lan1 {
         firewall {
             name lan1-lan2
         }
     }
     interface eth2
 }
 zone internet {
     default-action drop
     description Internet
     from lan2 {
         firewall {
             name lan2-internet
         }
     }
     from local {
         firewall {
             name local-internet
         }
     }
     from lan1 {
         firewall {
             name lan1-internet
         }
     }
     interface eth0
 }
 zone local {
     default-action drop
     from lan2 {
         firewall {
             name lan2-local
         }
     }
     from internet {
         firewall {
             name internet-local
         }
     }
     from lan1 {
         firewall {
             name lan1-local
         }
     }
     local-zone
 }
 zone lan1 {
     default-action drop
     from lan2 {
         firewall {
             name lan2-lan1
         }
     }
     from internet {
         firewall {
             name internet-lan1
         }
     }
     from local {
         firewall {
             name local-lan1
         }
     }
     interface eth1
     interface eth3
 }

vyos@vyos-sh# show interfaces
 ethernet eth0 {
     address dhcp
     duplex auto
     hw-id 00:e0:67:0e:6c:5a
     smp-affinity auto
     speed auto
 }
 ethernet eth1 {
     address 10.50.50.1/24
     description signhere.lan
     duplex auto
     hw-id 00:e0:67:0e:6c:5b
     smp-affinity auto
     speed auto
 }
 ethernet eth2 {
     duplex auto
     hw-id 00:e0:67:0e:6c:5c
     smp-affinity auto
     speed auto
 }
 ethernet eth3 {
     address dhcp
     duplex auto
     hw-id 00:e0:67:0e:6c:5d
     smp-affinity auto
     speed auto
 }
 ethernet eth4 {
     duplex auto
     hw-id 00:e0:67:0e:6c:5e
     smp-affinity auto
     speed auto
 }
 ethernet eth5 {
     duplex auto
     hw-id 00:e0:67:0e:6c:5f
     smp-affinity auto
     speed auto
 }
 loopback lo {
 }

Thoughts anyone?

Issue solved.
Like I figured, it was something obvious. I forgot to put in my masquerade rule. :flushed:

You can now start laughing at me for the rookie mistake; that's what I'm doing. :laughing:
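For anyone landing here with the same symptom (LAN hosts cannot reach the Internet, the router itself can, except when it sources from the LAN interface, which is exactly what you see when private addresses leave the WAN untranslated), this is the source NAT rule the poster refers to. It is an added example, not the poster's own config. The interface and subnet come from the configuration shown above (eth0 is the zone "internet" interface with a DHCP address, 10.50.50.0/24 lives on eth1 in zone "lan1"); the rule number 100 and the description are arbitrary choices, and the syntax is the VyOS 1.2/1.3 form matching the `zone-policy` and `smp-affinity` nodes in the posted config.

```vyos
# Added example (not from the original post): source NAT masquerade for the
# lan1 subnet leaving through the Internet-facing interface. eth0 and
# 10.50.50.0/24 are taken from the posted config; rule number 100 is arbitrary.
configure

# Translate only traffic that originates from the LAN subnet and leaves via eth0.
# Limiting the source address keeps the rule from masquerading anything else
# that may later be forwarded out of eth0 (other zones, transit traffic).
set nat source rule 100 description 'masquerade lan1 to internet'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.50.50.0/24'
set nat source rule 100 translation address 'masquerade'

commit
save
exit

# Verification from operational mode:
# 1. The rule exists and its counters climb while a LAN host pings an outside address.
show nat source rules
show nat source statistics
# 2. Active translations show 10.50.50.x mapped to the address eth0 got from DHCP.
show nat source translations
# 3. Confirm the forward path is allowed: the "lan1-internet" ruleset above accepts
#    all, and the global state-policy (established/related accept) admits the
#    replies, so no additional firewall rule is needed for return traffic.
```

Two points worth keeping in mind with a zone-based setup like this one: source NAT is applied after the forward filter, so the zone rulesets keep matching on the untranslated 10.50.50.0/24 addresses and need no change; and because the masquerade uses whatever address eth0 currently holds, it keeps working across DHCP lease changes, which is why `masquerade` rather than a fixed translation address is the right choice for a DHCP-addressed WAN.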

Glad you figured it out! We all make these sorts of mistakes. I spent 24 hours sure I'd found a bug in VyOS, only to realise it was because I'd enabled strict source validation. VyOS was doing exactly as I'd asked.
Anyway, welcome to the VyOS forums! :slight_smile:
