[SOLVED] Hyperv + Bridge + NAT + VLAN across multi DC

socket · April 19, 2017, 7:54pm

Hi all,

I have two small hyperv server in two different datacenter.
I was able to set up almost everything but there is still one thing which does not work: accessing internet (or maybe any natted network) from across the bridge.
What is strange is that the destination NAT does work across bridge but not source NAT.
Everything else works just fine, including traffic from/to OpenVPN TUN to/from client across the bridge.

Attached you find a scheme (hope you like it '^_^) and sanitized configs.

Any help would be really appreciated.

socket · April 20, 2017, 9:29am

I think the problem is some NAT rule missing but don’t know if it is config related or vyos related.

Here you are my findings:

In VYOS1 (left side) i created a source NAT rule to NAT a single server (192.168.50.41) on the right side to exit to internet with masquerade.
I put this rule (190) above the source NAT rule that allow my LAN to go out (200).
Here you are the 190 and 200 rule:

rule 190 { log enable outbound-interface eth0 source { address 192.168.50.41/32 } translation { address masquerade } } rule 200 { log enable outbound-interface eth0 source { address 192.168.50.0/24 } translation { address masquerade } }

Then I opened a continuos ping to 8.8.8.8

Then I run show nat source translations address 192.168.50.41 on left side vyos

Pre-NAT src Pre-NAT dst Post-NAT src Post-NAT dst 192.168.50.41 8.8.8.8 192.168.50.41 8.8.8.8 icmp: 192.168.50.41 ==> 192.168.50.41 timeout: 29 use: 1

which means no NAT to me.

Infact if I check nat statistics with show nat source statistics on left side vyos I get:

[code]rule pkts bytes interface

… … … …
190 0 0 eth0
200 17822 1236K eth0
… … … …
[/code]

Please not that there is no firewall rule in left side nor in right side (will add them when NAT works properly)
And there are no NAT rule at all on right side, just one OpenVPN TAP interface and a bridge like described before.

How can I fix this NAT problem?
I think I am missing just a little bit but don’t know which one

socket · April 21, 2017, 8:14am

I think I solved it (at least it is working right now)
I will test if everything works as expected, if it does survive reboots and then post sanitized configs here or in how to.

What I have right now: two servers on two different provider, running HyperV 2016 with replicas working and no need to edit interfaces when migrating VM.
I still don’t know if this solution can scale out or if it would be advisable to run it in production, but I am not running anything too important on it at the moment (just some websites and mail server)
Next I would check if I can improve performance (already acceptable right now) on the bridge link.

I love VYOS!

socket · April 21, 2017, 9:27pm

It works and it survives reboots.

Here you are the sanitezed configurations.
Basically I removed eth2, added eth1.50 to the bridge and moved eth1.50 address to the bridge br0.
Issued this configuration on both side vyos.

Working so far: 2 x HyperV + bridge + NAT + VLAN. No matter where a VM is it can browse internet with “remote” gateway
There is room for improvement for sure (for example VLAN scaling).