I have a NIC that carries 2 IPs, one of them is 195.201.13.8/26.
All traffic must go via 195.201.13.1.
What I see is that:
the kernel creates the following route: 195.201.13.0/26 dev eth0 proto kernel scope link src 195.201.13.8
Attempt 1: my static route 195.201.13.0/26 via 195.201.13.1 does not show up at all
Attempt 2: a more specific route 195.201.13.0/27 via 195.201.13.1 does not show up at all
Attempt 3: a more specific route 195.201.13.32/27 via 195.201.13.1 is working fine.
How do I convince the kernel to send all traffic to the next-hop?
sru@gate-02:~$ show version | head -1
Version: VyOS 1.2.7-epa1
sru@gate-02:~$ ip address show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:01:01:c3 brd ff:ff:ff:ff:ff:ff
inet 195.201.13.8/26 brd 195.201.13.63 scope global eth0
valid_lft forever preferred_lft forever
inet x.x.x.x
...
sru@gate-02# ip r | grep 195
default via 195.201.13.1 dev eth0 proto static metric 20
195.201.13.0/26 dev eth0 proto kernel scope link src 195.201.13.8
# line above causes traffic to *not* reach the gateway.
195.201.13.32/27 via 195.201.13.1 dev eth0 proto static metric 20
[edit]
sru@gate-02# sh inter ethernet eth0
address 195.201.13.8/26
address x.x.x.x/26
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
out {
name WAN_OUT
}
}
hw-id 00:xx:xx:xx:xx:xx
smp-affinity auto
speed auto
[edit]
sru@gate-02# sh proto | grep -B1 -A2 195
route 0.0.0.0/0 {
next-hop 195.201.13.1 {
}
}
# lower half of the range
route 195.201.13.0/27 {
next-hop 195.201.13.1 {
}
}
# upper half of the range
route 195.201.13.32/27 {
next-hop 195.201.13.1 {
}
}
[edit]
Here is a minimum config that shows the problem.
I must reach 192.168.200.18 via 192.168.200.1 because our ISP forces us to; they control the switch the VyOS is plugged into.
Hope that helps.
Last login: Wed May 19 01:10:12 2021 from 192.168.200.6
vyos@vyos:~$ show firewall
-----------------------------
Rulesets Information
-----------------------------
vyos@vyos:~$ show firewall summary
------------------------
Firewall Global Settings
------------------------
------------------------
Firewall Rulesets
------------------------
------------------------
Firewall Groups
------------------------
vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 address '192.168.200.8/26'
set interfaces ethernet eth0 address '192.168.201.8/26'
set interfaces ethernet eth0 description 'outside'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '08:00:27:6f:b8:54'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '192.168.100.8/24'
set interfaces ethernet eth1 description 'inside'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '08:00:27:33:88:47'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback lo
set protocols static route 0.0.0.0/0 next-hop 192.168.200.1
set protocols static route 192.168.200.0/26 next-hop 192.168.200.1
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$NmTcAUVB$mUuz2RVxyLQa4vvx1zkB8D44sIbHtYilD3vyrEuLYeYfBmX3b6JzxYwJiStlpVyvPddhVdG2o2LOgBJyRFXyC0'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'UTC'
vyos@vyos:~$
vyos@vyos:~$ ip r
default via 192.168.200.1 dev eth0 proto static metric 20
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.8
192.168.200.0/26 dev eth0 proto kernel scope link src 192.168.200.8
192.168.201.0/26 dev eth0 proto kernel scope link src 192.168.201.8
vyos@vyos:~$
vyos@vyos:~$ traceroute 192.168.200.18
traceroute to 192.168.200.18 (192.168.200.18), 30 hops max, 60 byte packets
1 192.168.200.18 (192.168.200.18) 48.611 ms 49.361 ms 49.359 ms
# This is wrong. Must go via 192.168.200.1
vyos@vyos:~$ traceroute 192.168.200.101
traceroute to 192.168.200.101 (192.168.200.101), 30 hops max, 60 byte packets
1 192.168.200.1 (192.168.200.1) 5.282 ms 7.642 ms 7.646 ms
2 192.168.200.101 (192.168.200.101) 8.170 ms 8.711 ms 8.714 ms
# this is fine but outside the subnet in question
The following modifications result in the desired behaviour:
vyos@vyos# set protocols static interface-route 192.168.200.1/32 next-hop-interface eth0
commit
sudo ip route del 192.168.200.0/26 dev eth0
vyos@vyos# ip r
default via 192.168.200.1 dev eth0 proto static metric 20 onlink
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.8
192.168.200.1 dev eth0 proto static metric 20
192.168.201.0/26 dev eth0 proto kernel scope link src 192.168.201.8
vyos@vyos# traceroute 192.168.200.18
traceroute to 192.168.200.18 (192.168.200.18), 30 hops max, 60 byte packets
1 192.168.200.1 (192.168.200.1) 4.230 ms 7.168 ms 7.156 ms
2 192.168.200.18 (192.168.200.18) 86.616 ms 86.644 ms 95.472 ms
[edit]
vyos@vyos# traceroute 192.168.200.101
traceroute to 192.168.200.101 (192.168.200.101), 30 hops max, 60 byte packets
1 192.168.200.1 (192.168.200.1) 5.369 ms 9.345 ms 9.328 ms
2 192.168.200.101 (192.168.200.101) 9.273 ms 9.267 ms 9.257 ms
[edit]
Directly connected routes will always be preferred over static or any dynamic routes. It is a standard for any vendor/router.
Use more-specific prefixes, but they shouldn't be directly connected.
For example, prefix 195.201.13.32/27 will work with static routes.
The prefix 195.201.13.0/27 will be treated as directly connected.
@Viacheslav
Thanks, but policy-based routing seems not to be what we need, as we do not want to define different routes based on the source of the traffic, at best based on the destination of a packet.
We just want to shove out everything via 192.168.200.1.
For the more specific prefixes, my example already mentions more specific rules but shows that we miss exactly the range that starts at the bottom of the block.
Servers in the subnet in question are configured this way in /etc/network/interfaces:
auto enp198s0
iface enp198s0 inet static
address 192.168.200.23
netmask 255.255.255.192
gateway 192.168.200.1
up route add -net 192.168.200.0 netmask 255.255.255.192 gw 192.168.200.1 dev enp198s0
ip r
default via 192.168.200.1 dev enp198s0 onlink
192.168.200.0/26 via 192.168.200.1 dev enp198s0
192.168.200.0/26 dev enp198s0 proto kernel scope link src 192.168.200.23
@nktech1135 thanks for taking care.
No, source NAT basically means: "hide multiple internal IPs behind one external IP".
This might or might not be needed in this scenario at a more advanced step.
Currently we discuss how to send out all packets via the ISP's gateway, even those packets that are seen as having a destination in the same subnet as their source.
These packets normally are not routed in any way; they are just placed on the wire, which is not desired here.
You can send these addresses through the provider's gateway.
Example:
vyos@vyos# set protocols static route 192.168.200.18/32 next-hop 192.168.200.1
Result:
vyos@vyos# traceroute 192.168.200.18
traceroute to 192.168.200.18 (192.168.200.18), 30 hops max, 60 byte packets
1 192.168.200.1 (192.168.200.1) 13.713 ms 11.623 ms 11.274 ms
2 192.168.200.18 (192.168.200.18) 11.157 ms 11.039 ms 10.955 ms
[edit]
vyos@vyos# ip r
default via 192.168.200.1 dev eth0 proto static metric 20
192.168.100.0/26 dev eth1 proto kernel scope link src 192.168.100.8
192.168.200.0/26 dev eth0 proto kernel scope link src 192.168.200.8
192.168.200.18 via 192.168.200.1 dev eth0 proto static metric 20
192.168.201.0/26 dev eth0 proto kernel scope link src 192.168.201.8
[edit]
@RyVolodya this is what we are doing right now:
create a route for each known host.
I was hoping for a more efficient way, but this is a solution to the problem.
Thanks all for the efforts!
The below covers the /26 range with 5 routes:
# 5 additional routes cover the IPs 1-62; 63 is forbidden
set protocols static route 192.168.200.2/31 next-hop 192.168.200.1
set protocols static route 192.168.200.4/30 next-hop 192.168.200.1
set protocols static route 192.168.200.8/29 next-hop 192.168.200.1
set protocols static route 192.168.200.16/28 next-hop 192.168.200.1
set protocols static route 192.168.200.32/27 next-hop 192.168.200.1
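As an added illustration (not part of the thread and not VyOS code) of why the workaround above works and how to derive it for any connected prefix: the script below splits the connected /26 into the largest prefixes that avoid the gateway (and the network address), emits the matching `set protocols static route` lines, and models the kernel's longest-prefix match to show that hosts inside the subnet now resolve to the gateway while the gateway itself stays on-link. The route table it builds is a constructed model of the one shown in the thread.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, Optional[str]]  # (prefix, next-hop); None next-hop = on-link/connected


def covering_routes(connected: str, exclude: List[str]) -> List[ipaddress.IPv4Network]:
    """Largest prefixes that together cover every address of `connected` except
    the hosts in `exclude`. Each is longer than `connected`, so a static route for
    it wins longest-prefix match over the kernel's connected route."""
    remaining = [ipaddress.ip_network(connected)]
    for host in exclude:
        hole = ipaddress.ip_network(f"{host}/32")
        nxt: List[ipaddress.IPv4Network] = []
        for net in remaining:
            # address_exclude() yields the sub-prefixes of net that avoid hole
            nxt.extend(net.address_exclude(hole) if hole.subnet_of(net) else [net])
        remaining = nxt
    return sorted(remaining)


def vyos_commands(connected: str, gateway: str, skip_network_addr: bool = True) -> List[str]:
    """VyOS 'set protocols static route' lines for the covering prefixes. The gateway
    stays on-link; skipping the network address too yields the thread's five routes."""
    exclude = [gateway]
    if skip_network_addr:
        exclude.append(str(ipaddress.ip_network(connected).network_address))
    return [f"set protocols static route {p} next-hop {gateway}"
            for p in covering_routes(connected, exclude)]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the rule the kernel FIB applies to pick a route."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, Optional[str]]] = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (str(best[0]), best[1]) if best else None


def fixed_table(connected: str, gateway: str) -> List[Route]:
    """Constructed model of the thread's table: default route, the kernel's connected
    route, and the more-specific statics that push intra-subnet traffic to the gateway."""
    table: List[Route] = [("0.0.0.0/0", gateway), (connected, None)]
    exclude = [gateway, str(ipaddress.ip_network(connected).network_address)]
    return table + [(str(p), gateway) for p in covering_routes(connected, exclude)]
```

Running `vyos_commands("192.168.200.0/26", "192.168.200.1")` reproduces the five lines above; pass `skip_network_addr=False` to also get a /32 for the network address.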