Send all traffic to next-hop

Hi,

  • I have a NIC that carries 2 IPs, one of them is 195.201.13.8/26.
  • All traffic must go via 195.201.13.1.
  • What I see is that:
    • kernel creates the following route: 195.201.13.0/26 dev eth0 proto kernel scope link src 195.201.13.8
    • Attempt 1: my static route 195.201.13.0/26 via 195.201.13.1 does not show up at all
    • Attempt 2: a more specific route 195.201.13.0/27 via 195.201.13.1 does not show up at all
    • Attempt 3: a more specific route 195.201.13.32/27 via 195.201.13.1 is working fine.

How do I convince the kernel to send all traffic to the next-hop?

sru@gate-02:~$ show version | head -1
Version:          VyOS 1.2.7-epa1

sru@gate-02:~$ ip address show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:01:01:c3 brd ff:ff:ff:ff:ff:ff

    inet 195.201.13.8/26 brd 195.201.13.63 scope global eth0
       valid_lft forever preferred_lft forever

    inet x.x.x.x
       ...

sru@gate-02# ip r | grep 195
default via 195.201.13.1 dev eth0 proto static metric 20
195.201.13.0/26 dev eth0 proto kernel scope link src 195.201.13.8
# line above causes traffic to *not* reach the gateway.
195.201.13.32/27 via 195.201.13.1 dev eth0 proto static metric 20
[edit]

sru@gate-02# sh inter ethernet eth0
 address 195.201.13.8/26
 address x.x.x.x/26
 duplex auto
 firewall {
     in {
         name WAN_IN
     }
     local {
         name WAN_LOCAL
     }
     out {
         name WAN_OUT
     }
 }
 hw-id 00:xx:xx:xx:xx:xx
 smp-affinity auto
 speed auto
[edit]

sru@gate-02# sh proto | grep -B1 -A2 195
     route 0.0.0.0/0 {
         next-hop 195.201.13.1 {
         }
     }
     # lower half of the range
     route 195.201.13.0/27 {
         next-hop 195.201.13.1 {
         }
     }
     # upper half of the range
     route 195.201.13.32/27 {
         next-hop 195.201.13.1 {
         }
     }
[edit]

Hello,

Can you please send us the firewall settings?
Run the following commands:

sru@gate-02# run show firewall
sru@gate-02# run show firewall summary

Thanks!

@RyVolodya ,

Here is a minimum config that shows the problem.
I must reach 192.168.200.18 via 192.168.200.1 because our ISP forces us to; they control the switch the VyOS is plugged into.

Hope that helps.

Last login: Wed May 19 01:10:12 2021 from 192.168.200.6
vyos@vyos:~$ show firewall

-----------------------------
Rulesets Information
-----------------------------
vyos@vyos:~$ show firewall summary

------------------------
Firewall Global Settings
------------------------

------------------------
Firewall Rulesets
------------------------

------------------------
Firewall Groups
------------------------
vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 address '192.168.200.8/26'
set interfaces ethernet eth0 address '192.168.201.8/26'
set interfaces ethernet eth0 description 'outside'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '08:00:27:6f:b8:54'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '192.168.100.8/24'
set interfaces ethernet eth1 description 'inside'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '08:00:27:33:88:47'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback lo
set protocols static route 0.0.0.0/0 next-hop 192.168.200.1
set protocols static route 192.168.200.0/26 next-hop 192.168.200.1
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$NmTcAUVB$mUuz2RVxyLQa4vvx1zkB8D44sIbHtYilD3vyrEuLYeYfBmX3b6JzxYwJiStlpVyvPddhVdG2o2LOgBJyRFXyC0'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'UTC'
vyos@vyos:~$
vyos@vyos:~$ ip r
default via 192.168.200.1 dev eth0 proto static metric 20
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.8
192.168.200.0/26 dev eth0 proto kernel scope link src 192.168.200.8
192.168.201.0/26 dev eth0 proto kernel scope link src 192.168.201.8
vyos@vyos:~$
vyos@vyos:~$ traceroute 192.168.200.18
traceroute to 192.168.200.18 (192.168.200.18), 30 hops max, 60 byte packets
 1  192.168.200.18 (192.168.200.18)  48.611 ms  49.361 ms  49.359 ms
# This is wrong. Must go via 192.168.200.1

vyos@vyos:~$ traceroute 192.168.200.101
traceroute to 192.168.200.101 (192.168.200.101), 30 hops max, 60 byte packets
 1  192.168.200.1 (192.168.200.1)  5.282 ms  7.642 ms  7.646 ms
 2  192.168.200.101 (192.168.200.101)  8.170 ms  8.711 ms  8.714 ms
# this is fine but outside the subnet in question

The following modifications result in the desired behaviour:

vyos@vyos# set protocols static interface-route 192.168.200.1/32 next-hop-interface eth0
commit
sudo ip route del 192.168.200.0/26 dev eth0

vyos@vyos# ip r
default via 192.168.200.1 dev eth0 proto static metric 20 onlink
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.8
192.168.200.1 dev eth0 proto static metric 20
192.168.201.0/26 dev eth0 proto kernel scope link src 192.168.201.8

vyos@vyos# traceroute 192.168.200.18
traceroute to 192.168.200.18 (192.168.200.18), 30 hops max, 60 byte packets
 1  192.168.200.1 (192.168.200.1)  4.230 ms  7.168 ms  7.156 ms
 2  192.168.200.18 (192.168.200.18)  86.616 ms  86.644 ms  95.472 ms
[edit]

vyos@vyos# traceroute 192.168.200.101
traceroute to 192.168.200.101 (192.168.200.101), 30 hops max, 60 byte packets
 1  192.168.200.1 (192.168.200.1)  5.369 ms  9.345 ms  9.328 ms
 2  192.168.200.101 (192.168.200.101)  9.273 ms  9.267 ms  9.257 ms
[edit]

How do I achieve that using VyOS commands?

Directly connected routes will always be preferred over static or any dynamic routes. It is standard for any vendor/router.
Use more-specific prefixes, but they shouldn't be directly connected.
For example, prefix 195.201.13.32/27 will work with static routes.
The prefix 195.201.13.0/27 will be treated as directly connected.

If you want source routing, you need to use PBR.

@Viacheslav
Thanks, but policy based routing seems not to be what we need, as we do not want to define different routes based on the source of the traffic, at best based on the destination of a packet.

We just want to shove out everything via 192.168.200.1.

For the more specific prefixes, my example already mentions more specific routes but shows that we miss exactly the range that starts at the bottom of the block.

Servers in the subnet in question are configured this way in /etc/network/interfaces:

auto enp198s0
iface enp198s0 inet static
  address 192.168.200.23
  netmask 255.255.255.192
  gateway 192.168.200.1
  up route add -net 192.168.200.0 netmask 255.255.255.192 gw 192.168.200.1 dev enp198s0

ip r
default via 192.168.200.1 dev enp198s0 onlink
192.168.200.0/26 via 192.168.200.1 dev enp198s0
192.168.200.0/26 dev enp198s0 proto kernel scope link src 192.168.200.23

Is there really no way to achieve this?

I’m not sure if I’m missing something here or not, but isn’t this what source NAT is for?

@nktech1135 thanks for taking care.
No, source NAT basically means: “hide multiple internal IPs behind one external IP”.
This might or might not be needed in this scenario at a more advanced step.
Currently we are discussing how to send out all packets via the ISP’s gateway, even those packets whose destination is in the same subnet as their source.
These packets normally are not routed in any way; they are just placed on the wire, which is not desired here.

Hello.

You can send these addresses through the provider’s gateway.
Example:

vyos@vyos# set protocols static route 192.168.200.18/32 next-hop 192.168.200.1

Result:

vyos@vyos# traceroute 192.168.200.18
traceroute to 192.168.200.18 (192.168.200.18), 30 hops max, 60 byte packets
 1  192.168.200.1 (192.168.200.1)  13.713 ms  11.623 ms  11.274 ms
 2  192.168.200.18 (192.168.200.18)  11.157 ms  11.039 ms  10.955 ms
[edit]

vyos@vyos# ip r
default via 192.168.200.1 dev eth0 proto static metric 20 
192.168.100.0/26 dev eth1 proto kernel scope link src 192.168.100.8 
192.168.200.0/26 dev eth0 proto kernel scope link src 192.168.200.8 
192.168.200.18 via 192.168.200.1 dev eth0 proto static metric 20 
192.168.201.0/26 dev eth0 proto kernel scope link src 192.168.201.8 
[edit]

@RyVolodya this is what we are doing right now:
create a route for each known host.
I was hoping for a more efficient way but this is a solution to the problem.

Thanks all for the efforts !

The below covers the /26 Range with 5 routes:

# 5 additional routes cover the IPs 1-62; 63 is forbidden
set protocols static route 192.168.200.2/31 next-hop 192.168.200.1 
set protocols static route 192.168.200.4/30 next-hop 192.168.200.1
set protocols static route 192.168.200.8/29 next-hop 192.168.200.1
set protocols static route 192.168.200.16/28 next-hop 192.168.200.1
set protocols static route 192.168.200.32/27 next-hop 192.168.200.1
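The five-route workaround above is a binary decomposition of the connected /26 with the gateway's own address left out, so that every static route is longer than the kernel's connected route and wins longest-prefix match. The following is an added example (not from this thread or from VyOS) that computes that decomposition for any connected prefix and gateway and emits the matching `set protocols static route` commands; the function names are mine.

```python
"""Cover a directly connected prefix with more-specific static routes that send
every host via the ISP gateway, while the gateway itself stays reachable through
the kernel's connected route.  Longest-prefix match then prefers the static
routes over the 'proto kernel' route for the whole prefix.  Added example."""
import ipaddress


def forced_gateway_prefixes(connected: str, gateway: str):
    """Prefixes covering all hosts of `connected` except `gateway` itself.

    Each result is strictly longer than `connected`, so a static route for it
    beats the connected route.  Single-address prefixes that hold only the
    network or broadcast address are dropped: no host can live there.
    """
    net = ipaddress.ip_network(connected, strict=True)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    # The gateway must keep resolving over the link; a route to it via itself
    # would never resolve, so carve its /32 out of the covering set.
    gw_net = ipaddress.ip_network(f"{gw}/{net.max_prefixlen}")
    prefixes = []
    for p in net.address_exclude(gw_net):
        if p.num_addresses == 1 and p.network_address in (
                net.network_address, net.broadcast_address):
            continue
        prefixes.append(p)
    return sorted(prefixes)


def vyos_static_route_commands(connected: str, gateway: str):
    """VyOS config lines, one per covering prefix."""
    return [f"set protocols static route {p.with_prefixlen} next-hop {gateway}"
            for p in forced_gateway_prefixes(connected, gateway)]


def covers_all_hosts(connected: str, gateway: str) -> bool:
    """Sanity check: every host except the gateway is matched by exactly one
    prefix, and every prefix is more specific than the connected route."""
    net = ipaddress.ip_network(connected)
    gw = ipaddress.ip_address(gateway)
    prefixes = forced_gateway_prefixes(connected, gateway)
    for host in net.hosts():
        if host == gw:
            continue
        if sum(1 for p in prefixes if host in p) != 1:
            return False
    return all(p.prefixlen > net.prefixlen for p in prefixes)


if __name__ == "__main__":
    for cmd in vyos_static_route_commands("192.168.200.0/26", "192.168.200.1"):
        print(cmd)
```

For the thread's 192.168.200.0/26 with gateway .1 this yields exactly the five routes in the post; the same function handles a gateway anywhere in the prefix, for example at the top of a /25.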
