Routing not working in VyOS VM

spickardau · January 31, 2022, 1:26pm

I’m having issues with my first VyOS config. I’ve been following along with a known working config, but for some reason it’s not working the same.

do a “route”, I get:

Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 20 0 0 eth1
23.1.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

I can ping 192.168.1.1 with no issues, but when pinging 8.8.8.8, I get 100% packet loss.

Config below:

vyos@vyos:~$ show config
interfaces {
    ethernet eth0 {
        address 23.1.2.1/24
        hw-id 00:0c:29:7f:cc:8b
    }
    ethernet eth1 {
        address dhcp
        hw-id 00:0c:29:7f:cc:95
    }
    loopback lo {
    }
}
nat {
    source {
        rule 100 {
            outbound-interface eth1
            source {
                address 23.1.2.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
    }
}
service {
    ssh {
        listen-address 10.23.2.1
        listen-address 192.168.1.43
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}

If anyone has any suggestions, I’d really appreciate it.

fernando · January 31, 2022, 2:49pm

Hi

first ,you should check if it’s possible to reach internet with 192.168.1.x/eth1 ,after you can change the source to 23.1.2.1/eth0 (on VyOS’s instance) ,here’s an example:

vyos@vyos:~$ ping 8.8.8.8 interface eth1

spickardau · January 31, 2022, 10:28pm

Hi Fernando, thank you for the reply. This is what I got:

vyos@vyos:~$ ping 8.8.8.8 interface eth1
PING 8.8.8.8 (8.8.8.8) from 192.168.1.43 eth1: 56(84) bytes of data.
^C
— 8.8.8.8 ping statistics —
5 packets transmitted, 0 received, 100% packet loss, time 102ms

Nikolay · February 1, 2022, 1:30am

I don’t see a suitable default route
Can you show the output of these commands?
sh ip route
sh config comm | match static

spickardau · February 1, 2022, 3:57am

Hi Nikolay,

Details below:

vyos@vyos:~$ sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

S>* 0.0.0.0/0 [210/0] via 192.168.1.1, eth1, weight 1, 00:03:28
C>* 23.1.2.0/24 is directly connected, eth0, 00:03:28
C>* 192.168.1.0/24 is directly connected, eth1, 00:03:28

vyos@vyos:~$ sh config comm | match static
set protocols static

Nikolay · February 1, 2022, 5:08am

Based on the settings - the gateway towards the Internet is 192.168.1.1.
While the public SW address is configured on a different interface
Is it true? It’s usually the opposite
You can delete the blank command just in case
delete protocols static
Also in the VyOS 1.4-rolling-202201260317 there is a bug with DHCP
What version do you have?
sh version

spickardau · February 1, 2022, 5:53am

Hi Nikolay,

I’m running 1.3.0-rc6.

My eth0 is running the network side IP (I’m doing a CBT Nuggets NSE4 Training lab), that’s imitating the public internet, while the eth1 interface is actually connecting to my firewall, which is the true gateway.

The true gateway (a fortigate firewall) has the ip address of 192.168.1.1.

spickardau · February 1, 2022, 5:58am

I’ve also run the delete protocols static commmand, tried a ping and still received no response from 8.8.8.8

vyos@vyos:~$ sh config comm | match static
vyos@vyos:~$

vyos@vyos:~$ ping 8.8.8.8 interface eth1
PING 8.8.8.8 (8.8.8.8) from 192.168.1.43 eth1: 56(84) bytes of data.

— 8.8.8.8 ping statistics —
21 packets transmitted, 0 received, 100% packet loss, time 537ms

Viacheslav · February 1, 2022, 6:14am

If you don’t have access to the internet via eth1 it seems it is not issue with VyOS, check and dump traffic on your gateway.

spickardau · February 1, 2022, 11:02am

What I seem to be able to do is a traceroute. Details below:

vyos@vyos:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.358 ms  0.327 ms  0.298 ms
 2  202.63.66.1 (202.63.66.1)  13.637 ms  13.600 ms  13.532 ms
 3  27.122.114.132 (27.122.114.132)  13.154 ms  13.118 ms  13.061 ms
 4  103.200.13.109 (103.200.13.109)  25.360 ms  25.271 ms  25.304 ms
 5  72.14.197.210 (72.14.197.210)  24.874 ms  19.211 ms  24.835 ms
 6  108.170.247.33 (108.170.247.33)  26.587 ms  25.970 ms 108.170.247.65 (108.170.247.65)  24.500 ms
 7  209.85.247.133 (209.85.247.133)  26.038 ms  25.903 ms 142.250.224.191 (142.250.224.191)  24.542 ms
 8  8.8.8.8 (8.8.8.8)  19.682 ms  23.478 ms  22.990 ms

fernando · February 1, 2022, 12:42pm

I think you may have an ACL/Filter rule , then if you don’t reach internet with dhcp prefix(192.168.1.X) , any setting around it shouldn’t work.

spickardau · February 1, 2022, 10:49pm

I didn’t have any access-list in place, so I created one.

vyos@vyos# show policy access-list
 access-list 1 {
     rule 1 {
         action permit
         source {
             any
         }
     }
 }

This is my firewall summary:

vyos@vyos:~$ show firewall summary

------------------------
Firewall Global Settings
------------------------

------------------------
Firewall Rulesets
------------------------

------------------------
Firewall Groups
------------------------

And finally, this is my ping to google:

vyos@vyos:~$ ping 8.8.8.8 interface eth1
PING 8.8.8.8 (8.8.8.8) from 192.168.1.43 eth1: 56(84) bytes of data.

— 8.8.8.8 ping statistics —
8 packets transmitted, 0 received, 100% packet loss, time 156ms

spickardau · February 2, 2022, 9:51pm

Thank you to all that have helped so far, I really appreciate your input.

Does anyone have any recommendations? I’m totally out of ideas here. I’ve tried messing with my vmware interfaces, but there was no change either. It really stumps me that I can traceroute but can’t ping, and there aren’t any visible firewall rules. Should there be a firewall rule?

Viacheslav · February 3, 2022, 5:33am

VyOS by default don’t use any firewall rules if you don’t configure them manually.
So check configuration on the upstream/hyper visor/switches/etc

spickardau · February 3, 2022, 6:41am

Hi Viacheslav,

The traceroute seems to be getting to the internet, which makes me believe that the vswitch is working, and I’ve got other vms using the same without any hassles.

Viacheslav · February 3, 2022, 7:48am

Try to re-install vm.

16again · February 3, 2022, 10:33pm

I’d use tcpdump on eth1 interface, to verify if ping packets are sent out.
Also, on the VM, test with all hardware acceleration on NIC disabled, or try different NIC type

spickardau · February 14, 2022, 11:26am

Update: This was purely user error, and completely unrelated to the VyOS VM. I forgot to allow the IP from my firewall.

Thanks everyone for your assistance.

system · February 16, 2022, 6:08am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.