Source NAT and VRRP - Traffic is being NATed to the original source

Hi,

I’m trying to set up a simple scenario where 2 vyos routers are running VRRP and are routing traffic from an internal network to the internet.
eth1 is the external interface, eth2 is the internal interface and eth4 is the link connecting both routers (bridged interface).
When an internal device pings an IP on the internet using the VRRP IP as its default gateway, the traffic shows up in the NAT source translations but is translated to the same IP (which means no translation happens).

vyos@vyos# run show nat source translations
Pre-NAT       Post-NAT      Prot  Timeout
10.150.0.1    10.150.0.1    icmp  11

vyos@vyos# run monitor traffic interface eth1 filter 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:22:28.135826 IP 10.150.0.1 > 8.8.8.8: ICMP echo request, id 4096, seq 0, length 64
12:22:29.136024 IP 10.150.0.1 > 8.8.8.8: ICMP echo request, id 4096, seq 1, length 64

If I point the internal device to the IP of one of the routers, then everything works:

vyos@vyos# run monitor traffic interface eth1 filter 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:24:27.292617 IP 10.200.0.252 > 8.8.8.8: ICMP echo request, id 4352, seq 0, length 64
12:24:27.310403 IP 8.8.8.8 > 10.200.0.252: ICMP echo reply, id 4352, seq 0, length 64
12:24:28.292889 IP 10.200.0.252 > 8.8.8.8: ICMP echo request, id 4352, seq 1, length 64
12:24:28.310436 IP 8.8.8.8 > 10.200.0.252: ICMP echo reply, id 4352, seq 1, length 64

And I can see the correct entry in the NAT translations table:
vyos@vyos# run show nat source translations
Pre-NAT       Post-NAT        Prot  Timeout
10.150.0.1    10.200.0.252    icmp  25

Is VRRP supported in this case? Or am I doing something wrong?
Here’s the relevant part of my config:

vyos@vyos# show nat
 source {
     rule 10 {
         destination {
             address 0.0.0.0/0
         }
         outbound-interface eth1
         protocol all
         source {
             address 10.150.0.0/24
         }
         translation {
             address masquerade
         }
     }
 }

vyos@vyos# show interfaces
 bridge br0 {
     address 10.150.0.252/24
     aging 300
     hello-time 2
     max-age 20
     priority 32768
     stp false
 }
 ethernet eth0 {
     bridge-group {
         bridge br0
     }
     duplex auto
     hw-id 02:09:70:14:04:01
     smp-affinity auto
     speed auto
 }
 ethernet eth1 {
     address 10.200.0.252/24
     duplex auto
     hw-id 02:09:70:14:02:03
     smp-affinity auto
     speed auto
 }
 ethernet eth2 {
     bridge-group {
         bridge br0
     }
     duplex auto
     hw-id 02:09:70:14:05:01
     smp-affinity auto
     speed auto
 }
 ethernet eth3 {
     address 10.0.0.2/24
     duplex auto
     hw-id 02:09:70:14:06:01
     smp-affinity auto
     speed auto
 }
 loopback lo {
 }

vyos@vyos# ip route show
default via 10.200.0.254 dev eth1 proto static metric 20
10.0.0.0/24 dev eth3 proto kernel scope link src 10.0.0.2
10.150.0.0/24 dev br0 proto kernel scope link src 10.150.0.252
10.150.0.0/24 dev br0v20 proto kernel scope link src 10.150.0.254
10.200.0.0/24 dev eth1 proto kernel scope link src 10.200.0.252

vyos@vyos# run sh ver
Version: VyOS 1.2.6
Release Train: crux

Thanks in advance for any help you can provide.

Hi @sec7
First of all, you may want to upgrade to a newer VyOS version.
Now, searching old labs, here’s a demo working on crux 1.2.7, where:

  • eth1 → WAN interface, connected to “ISP”
  • eth3 → LAN, connected to switch.

Configurations:

# Interfaces configs
set interfaces ethernet eth1 address '4.4.4.2/24'
set interfaces ethernet eth3 address '10.0.0.253/24'

# NAT source configs:
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 translation address 'masquerade'

# VRRP Config
set high-availability vrrp group Test interface 'eth3'
set high-availability vrrp group Test priority '254'
set high-availability vrrp group Test virtual-address '10.0.0.1/24'
set high-availability vrrp group Test vrid '10'

Status while router is master, and host is pinging 8.8.8.8:

# VRRP Status:
vyos@R02Slave:~$ show vrrp
Name    Interface      VRID  State    Last Transition
------  -----------  ------  -------  -----------------
Test    eth3             10  MASTER   8m20s

# Interfaces IP addresses
vyos@R02Slave:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             -                                 u/u   
eth1             4.4.4.2/24                        u/u  To R04 
eth2             -                                 u/D  
eth3             10.0.0.253/24                     u/u  LAN 
                 10.0.0.1/24

# NAT source translations
vyos@R02Slave:~$ show nat source translations 
Pre-NAT              Post-NAT             Prot  Timeout 
10.0.0.126           4.4.4.2              icmp  21      
10.0.0.126           4.4.4.2              icmp  24      

# tcpdump on eth1, to see outgoing ICMP with the NATed source address
vyos@R02Slave:~$ sudo tcpdump -n -i eth1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
10:40:10.468192 IP 4.4.4.2 > 8.8.8.8: ICMP echo request, id 47799, seq 1, length 64
10:40:10.494171 IP 8.8.8.8 > 4.4.4.2: ICMP echo reply, id 47799, seq 1, length 64
10:40:11.495789 IP 4.4.4.2 > 8.8.8.8: ICMP echo request, id 48055, seq 2, length 64
10:40:11.521202 IP 8.8.8.8 > 4.4.4.2: ICMP echo reply, id 48055, seq 2, length 64

And the host used for the test has IP 10.0.0.1 as its default gateway:

PC2> show ip

NAME        : PC2[1]
IP/MASK     : 10.0.0.126/24
GATEWAY     : 10.0.0.1
DNS         : 8.8.8.8  
DHCP SERVER : 10.0.0.253

Thank you @n.fort
My config is quite similar to yours.
I’ll try upgrading and see if that solves it.
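The identity translation in the first post (Pre-NAT equal to Post-NAT) is something you can catch mechanically rather than by eye. The following is an added example, not code from this thread or from VyOS: it parses `show nat source translations` output and `set nat source rule` lines and flags flows that a masquerade rule matched but did not rewrite. The sample tables and rules are constructed from the outputs quoted above, and the per-interface WAN address map is an assumption you would fill in from `show interfaces` on a real router.

```python
"""Added example, not code from the forum thread or from VyOS itself.

Cross-checks the `show nat source translations` table against the
`set nat source rule ...` lines to flag connections that a masquerade rule
should have rewritten but whose conntrack entry shows Pre-NAT == Post-NAT
(the symptom in the first post).  Sample inputs are constructed from the
outputs quoted in the thread; the WAN address maps are assumptions you
would fill from `show interfaces`.
"""
import ipaddress
import re

# Constructed sample: the first post's table, where nothing was rewritten.
OP_TRANSLATIONS = """\
Pre-NAT Post-NAT Prot Timeout
10.150.0.1 10.150.0.1 icmp 11
"""

# Constructed sample: the first post's rule 10, written in `set` form.
OP_RULES = """\
set nat source rule 10 destination address '0.0.0.0/0'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 protocol 'all'
set nat source rule 10 source address '10.150.0.0/24'
set nat source rule 10 translation address 'masquerade'
"""
OP_WAN = {"eth1": ipaddress.ip_address("10.200.0.252")}  # assumed from show interfaces

# Constructed sample: the working lab from the reply.
LAB_TRANSLATIONS = """\
Pre-NAT              Post-NAT             Prot  Timeout
10.0.0.126           4.4.4.2              icmp  21
10.0.0.126           4.4.4.2              icmp  24
"""
LAB_RULES = """\
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 translation address 'masquerade'
"""
LAB_WAN = {"eth1": ipaddress.ip_address("4.4.4.2")}  # assumed from show interfaces

_SET_RE = re.compile(r"^set nat source rule (\d+) (.+?) '([^']*)'$")


def parse_snat_rules(config_text):
    """Map rule number -> {config path: value} from `set nat source rule` lines."""
    rules = {}
    for line in config_text.splitlines():
        m = _SET_RE.match(line.strip())
        if m:
            number, path, value = m.groups()
            rules.setdefault(int(number), {})[path] = value
    return rules


def parse_translations(output):
    """Parse the `show nat source translations` table; header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0][0].isdigit():
            continue
        pre, post, proto, timeout = parts[:4]
        rows.append({
            "pre": ipaddress.ip_address(pre),
            "post": ipaddress.ip_address(post),
            "proto": proto,
            "timeout": int(timeout),
        })
    return rows


def find_untranslated(rows, rules, wan_addresses):
    """Return [(rule_number, row)] for entries a masquerade rule should have rewritten.

    A row is flagged when its pre-NAT address falls in the rule's source prefix
    (default 0.0.0.0/0) but the post-NAT address is unchanged, or differs from
    the outbound interface's address when that address is known.  Rules are
    tried in number order and the first match decides, as in the NAT chain.
    """
    findings = []
    for row in rows:
        for number, rule in sorted(rules.items()):
            if rule.get("translation address") != "masquerade":
                continue
            prefix = ipaddress.ip_network(rule.get("source address", "0.0.0.0/0"))
            if row["pre"] not in prefix:
                continue
            expected = wan_addresses.get(rule.get("outbound-interface"))
            if row["post"] == row["pre"] or (expected is not None and row["post"] != expected):
                findings.append((number, row))
            break
    return findings


if __name__ == "__main__":
    for label, table, cfg, wan in (
        ("first post", OP_TRANSLATIONS, OP_RULES, OP_WAN),
        ("lab reply", LAB_TRANSLATIONS, LAB_RULES, LAB_WAN),
    ):
        hits = find_untranslated(parse_translations(table), parse_snat_rules(cfg), wan)
        for number, row in hits:
            print(f"{label}: rule {number} matched {row['pre']} but post-NAT is {row['post']}")
        if not hits:
            print(f"{label}: all matching flows were masqueraded")
```

On a live router the two inputs are the output of `show nat source translations` and the `nat source` lines from `show configuration commands`; a flagged row tells you the packet did traverse the SNAT chain and matched the rule, so the next thing to look at is which ingress device (here `br0` versus `br0v20`) the flow arrived on rather than the rule itself.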