[solved] Reaching private addresses with default interface-route

Hello,

this is my very first post here, so please be gentle :wink:

I have set up a number of (sub-)interfaces with discrete private subnets on them. Also, there are several OpenVPN interfaces which I want to selectively use for outgoing traffic. Specifically, I want to send out traffic to the internet either through one of the vtunX interfaces or directly through the WAN interface.

This is what the interfaces look like:

```
vyos@vyos:~$ sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.0.66/24                   u/u  WAN
eth1             192.168.1.1/24                    u/u  LAN
eth1.2           192.168.2.1/24                    u/u  untrusted
eth1.3           192.168.3.1/24                    u/u  WiFi_guest
eth1.99          192.168.99.1/24                   u/u  DMZ
lo               127.0.0.1/8                       u/u
                 ::1/128
vtun0            172.21.32.32/23                   u/u  VPN_out_ipvdeffm_40
vtun1            172.21.32.139/23                  u/u  VPN_out_ipvnlams_69
vtun2            172.21.35.79/23                   u/u  VPN_out_ipvsesto_05
vtun3            172.21.37.61/23                   u/u  VPN_out_ipvuakie_02
vtun4            172.21.36.134/23                  u/u  VPN_out_ipvusnyc_07
```

For starters, I have created a policy-based interface-route and bound it to eth1. Thus, traffic originating from 192.168.1.0/24 goes out on vtun0. This works as intended:

```
set policy route vpn-out rule 10 destination address 0.0.0.0/0
set policy route vpn-out rule 10 set table 1
set policy route vpn-out rule 10 source address 192.168.1.0/24
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set interfaces ethernet eth1 policy route vpn-out
```

However, I am now unable to reach hosts in other private subnets, say LAN --> DMZ. To remedy this, I have unsuccessfully tried to add another rule to the PBR table, like so:

```
set policy route vpn-out rule 9 destination address 192.168.0.0/16
set policy route vpn-out rule 9 set table 1
set policy route vpn-out rule 9 source address 192.168.1.0/24
set protocols static table 1 interface-route 192.168.0.0/16 next-hop-interface eth1
```

This did not work. I then tried it this way:

```
set policy route vpn-out rule 9 destination address 192.168.0.0/16
set policy route vpn-out rule 9 set table 1
set policy route vpn-out rule 9 source address 192.168.1.0/24
set protocols static table 1 route 192.168.0.0/16 next-hop 192.168.1.1
```

This did not work either.

So please help me out here: How can I have all traffic to the internet originating from a specific subnet or from a specific interface (both will work for me) routed through OpenVPN and at the same time have the same source net (or interface) reach other private subnets?

Hello!
You can try the following:

  1. Delete all rules in vpn-out policy.
  2. Add network group with local addresses:
    set firewall group network-group local-networks network 192.168.0.0/16
    set firewall group network-group local-networks network X.X.X.X/X (if you need another one)
  3. Create new rule in your vpn-out policy:
    set policy route vpn-out rule 10 destination group network-group !local-networks
    set policy route vpn-out rule 10 set table 1
  4. Commit. :slight_smile:

With this configuration, all traffic, except traffic with a destination in the networks defined in the local-networks group, will be forwarded using the routes in table 1. All other traffic will use the main table.

To insert preformatted text put it between `` symbols.
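The behaviour described in this thread (first-match policy rules selecting a routing table, then a longest-prefix lookup in that table) can be reproduced offline with a small simulator. The following Python is an added example, not VyOS code and not from either poster: it models the router's interfaces and tables from the thread as constructed data, replays the original rule 10, the failed rule 9 attempt with the extra interface-route in table 1, and the `!local-networks` fix, and shows which interface each packet would leave on. The rule-matching and table-lookup functions are my simplification of what VyOS does and are labelled as such in the comments.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network

# Constructed tables mirroring the thread's interfaces. The main table holds
# the connected routes and the WAN default; table 1 only has the VPN default.
MAIN_TABLE = [
    (Net("192.168.0.0/24"), "eth0"),
    (Net("192.168.1.0/24"), "eth1"),
    (Net("192.168.2.0/24"), "eth1.2"),
    (Net("192.168.3.0/24"), "eth1.3"),
    (Net("192.168.99.0/24"), "eth1.99"),
    (Net("0.0.0.0/0"), "eth0"),
]
TABLE_1 = [(Net("0.0.0.0/0"), "vtun0")]
# Table 1 as in the first failed attempt: an interface-route for the whole
# /16 pointing at eth1, which cannot reach the VLAN sub-interfaces.
TABLE_1_ATTEMPT = TABLE_1 + [(Net("192.168.0.0/16"), "eth1")]

LOCAL_NETWORKS = [Net("192.168.0.0/16")]  # the suggested network-group


@dataclass
class Rule:
    """One 'policy route' rule (simplified model, not the VyOS schema)."""
    number: int
    table: str
    source: Optional[Net] = None
    dest_group: Optional[List[Net]] = None
    negate_dest: bool = False  # models 'destination group network-group !name'


def in_group(addr: ipaddress.IPv4Address, group: List[Net]) -> bool:
    return any(addr in n for n in group)


def select_table(rules: List[Rule], src, dst) -> str:
    """Rules are evaluated in ascending number; the first match picks the table.
    Packets matching no rule fall through to the main table."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.source is not None and src not in r.source:
            continue
        if r.dest_group is not None:
            hit = in_group(dst, r.dest_group)
            # With negation the rule matches only when dst is NOT in the group.
            if hit == r.negate_dest:
                continue
        return r.table
    return "main"


def lookup(table, dst) -> Optional[str]:
    """Longest-prefix match over (network, interface) pairs."""
    best = None
    for net, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def egress(rules: List[Rule], tables, src: str, dst: str) -> Optional[str]:
    """Interface a packet from src to dst would leave on under these rules."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return lookup(tables[select_table(rules, s, d)], d)


LAN = Net("192.168.1.0/24")
# Original config: everything from LAN goes to table 1.
ORIGINAL_RULES = [Rule(10, "1", source=LAN, dest_group=[Net("0.0.0.0/0")])]
ORIGINAL_TABLES = {"main": MAIN_TABLE, "1": TABLE_1}
# First failed attempt: rule 9 sends local destinations to table 1 as well.
ATTEMPT_RULES = [Rule(9, "1", source=LAN, dest_group=LOCAL_NETWORKS)] + ORIGINAL_RULES
ATTEMPT_TABLES = {"main": MAIN_TABLE, "1": TABLE_1_ATTEMPT}
# Suggested fix: one rule matching everything except the local group.
FIXED_RULES = [Rule(10, "1", dest_group=LOCAL_NETWORKS, negate_dest=True)]
FIXED_TABLES = {"main": MAIN_TABLE, "1": TABLE_1}

if __name__ == "__main__":
    for name, rules, tables in [("original", ORIGINAL_RULES, ORIGINAL_TABLES),
                                ("attempt", ATTEMPT_RULES, ATTEMPT_TABLES),
                                ("fixed", FIXED_RULES, FIXED_TABLES)]:
        for dst in ("192.168.99.10", "203.0.113.5"):
            print(f"{name:8} 192.168.1.10 -> {dst:14} via {egress(rules, tables, '192.168.1.10', dst)}")
```

Running it shows why the first two attempts fail: with only rule 10, LAN-to-DMZ traffic is pushed into table 1 and leaves via vtun0; with rule 9 plus the /16 interface-route, it leaves on untagged eth1 instead of eth1.99. With the negated group, local destinations never match the policy, so the main table's connected route to eth1.99 is used while internet-bound traffic still goes out vtun0.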

Your solution works like a charm, thank you very much!
