[solved] Reaching private addresses with default interface-route

vyos-1-2

#1

Hello,

this is my very first post here, so please be gentle :wink:

I have set up a number of (sub-)interfaces with discrete private subnets on them. Also, there are several OpenVPN interfaces which I want to selectively use for outgoing traffic. Specifically, I want to send out traffic to the internet either through one of the vtunX interfaces or directly through the WAN interface.

This is what the interfaces look like:

```
vyos@vyos:~$ sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.0.66/24                   u/u  WAN
eth1             192.168.1.1/24                    u/u  LAN
eth1.2           192.168.2.1/24                    u/u  untrusted
eth1.3           192.168.3.1/24                    u/u  WiFi_guest
eth1.99          192.168.99.1/24                   u/u  DMZ
lo               127.0.0.1/8                       u/u
                 ::1/128
vtun0            172.21.32.32/23                   u/u  VPN_out_ipvdeffm_40
vtun1            172.21.32.139/23                  u/u  VPN_out_ipvnlams_69
vtun2            172.21.35.79/23                   u/u  VPN_out_ipvsesto_05
vtun3            172.21.37.61/23                   u/u  VPN_out_ipvuakie_02
vtun4            172.21.36.134/23                  u/u  VPN_out_ipvusnyc_07
```

For starters, I have created a policy-based interface-route and bound it to eth1. Thus, traffic originating from 192.168.1.0/24 goes out on vtun0. This works as intended:

```
set policy route vpn-out rule 10 destination address 0.0.0.0/0
set policy route vpn-out rule 10 set table 1
set policy route vpn-out rule 10 source address 192.168.1.0/24
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set interfaces ethernet eth1 policy route vpn-out
```

However, I am now unable to reach hosts in other private subnets, say LAN --> DMZ. To remedy this, I have unsuccessfully tried to add another rule to the PBR table, like so:

```
set policy route vpn-out rule 9 destination address 192.168.0.0/16
set policy route vpn-out rule 9 set table 1
set policy route vpn-out rule 9 source address 192.168.1.0/24
set protocols static table 1 interface-route 192.168.0.0/16 next-hop-interface eth1
```

This did not work. I then tried it this way:

```
set policy route vpn-out rule 9 destination address 192.168.0.0/16
set policy route vpn-out rule 9 set table 1
set policy route vpn-out rule 9 source address 192.168.1.0/24
set protocols static table 1 route 192.168.0.0/16 next-hop 192.168.1.1
```

This did not work either.

So please help me out here: How can I have all traffic to the internet originating from a specific subnet or from a specific interface (both will work for me) routed through OpenVPN and at the same time have the same source net (or interface) reach other private subnets?


#2

Hello!
You can try the following:

  1. Delete all rules in the vpn-out policy.
  2. Add a network group with the local addresses:
    set firewall group network-group local-networks network 192.168.0.0/16
    set firewall group network-group local-networks network X.X.X.X/X (if you need another one)
  3. Create a new rule in your vpn-out policy:
    set policy route vpn-out rule 10 destination group network-group !local-networks
    set policy route vpn-out rule 10 set table 1
  4. Commit. :slight_smile:

With this configuration, all traffic except traffic destined for the networks defined in the local-networks group will be forwarded using the routes in table 1. All other traffic will use the main table.

To insert preformatted text, put it between ``` symbols.
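The four steps above assembled into one complete VyOS 1.2 configuration for the interface layout shown in post #1. This is an added example, not configuration posted by either participant: the group name, rule number and table number follow the reply, the `source address` qualifier is dropped because the policy is bound to eth1 and therefore only sees LAN traffic (an assumption about what should be steered), and the optional second group entry for another internal range is a placeholder.

```vyos
# --- configuration mode ---
configure

# Step 1: remove the earlier rules so that only the new rule remains in the policy
delete policy route vpn-out rule 9
delete policy route vpn-out rule 10

# Step 2: every destination that must stay on the main routing table.
# 192.168.0.0/16 covers eth0 (WAN side), eth1, eth1.2, eth1.3 and eth1.99.
set firewall group network-group local-networks network 192.168.0.0/16
# Assumption: add any other internal range here as well, for example
# set firewall group network-group local-networks network 10.0.0.0/8

# Step 3: anything NOT destined for local-networks is looked up in table 1.
# Destinations inside the group never match, so they fall through to the
# main table and no extra routes for the other private subnets are needed.
set policy route vpn-out rule 10 destination group network-group !local-networks
set policy route vpn-out rule 10 set table 1

# Table 1 holds only a default route through the chosen tunnel
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0

# Bind the policy to the LAN interface; LAN -> DMZ now uses the main table
set interfaces ethernet eth1 policy route vpn-out

# Step 4
commit
save
exit

# --- operational mode checks ---
# Table 1 should contain a single default route via vtun0
show ip route table 1
# The group should list exactly the prefixes that bypass the tunnel
show firewall group local-networks
```

Two points worth checking after the commit. First, the negated group match means every destination outside the listed prefixes, including anything on the tunnel networks themselves, is sent via table 1, so the group must list every internal range that should stay on the main table. Second, this policy only selects a routing table; whether the LAN is permitted to reach the DMZ or the untrusted segment at all is still decided by the firewall rule sets on those interfaces, which this change does not touch.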


#3

Your solution works like a charm, thank you very much!

