Specifying outbound interface on destination/translation nat

Hopefully I can explain this correctly. Basically, I’m looking to isolate my management network behind an interface on VyOS to perform backup testing, etc. I’ve set up the router with an IP on my management network, and another interface on my isolated network (built in VMware). The interface address on my management network is 10.8.96.151 - and the interface on my isolated network is 10.8.96.1 (my default gateway) - that way, when I spawn VMs in the isolated network they can see the gateway and talk to each other!

This part is working - however, what I’m trying to do is masquerade a network on the management interface so I can set up static routes and allow access into the isolated network. What I have set up so far is as follows:

set nat destination rule 100 inbound-interface eth0 ← the management network
set nat destination rule 100 destination address 192.168.96.0/24 ← my masquerade range
set nat destination rule 100 translation address 10.8.96.0/24

set firewall name management-isolated rule 1 action accept
set firewall name management-isolated rule 1 state established enable
set firewall name management-isolated rule 1 state related enable
set firewall name management-isolated rule 2 action drop
set firewall name management-isolated rule 2 log enable
set firewall name management-isolated rule 2 state invalid enable
set firewall name management-isolated rule 2 state new enable
set interfaces ethernet eth1 firewall in name management-isolated

Basically, what is happening is the request for 192.168.96.0 is coming in on eth0, it’s translating to 10.8.96.0, and then sending it right back out eth0. How can I force this to go through eth1? Remember, I still want my default gateway for eth0 to be 10.8.96.1 so it can talk to the outside world. Basically, just anything coming in on eth0 bound for 192.168.96.0 I want to translate and send through eth1…

This whole setup works when I use another network for the isolated network (say 10.8.112.0), but when it’s the same network as the management network it fails…

Any takers???

If I remove my default route of 10.8.96.0 0.0.0.0 eth0, leaving only 10.8.96.0 0.0.0.0 eth1, then I’m able to get access into the isolated network (only from the VyOS VM). That said, obviously when I do that I have no access into the VyOS VM from the rest of the network as it has no real gateway…

So confused lol :slight_smile: Not a network guru! :slight_smile:

Hi @mwpr3ston. I don’t get exactly what you have configured, and what you are trying to achieve.
Please lay out clearly the IP addresses and interfaces of the VyOS router, and the desired traffic direction.
If I didn’t get it wrong, you have:

interface eth0 --> IP address 10.8.96.151, netmask /24?
interface eth1 --> IP address and netmask? Is it 10.8.91.1?

Hi @n.fort

Let me try and clarify it - you are pretty much right…

interface eth0 → IP 10.8.96.151/24 GW 10.8.96.1 (connected to prod network, real prod gateway)
interface eth1 → IP 10.8.96.1/24 (No GW, acts as gateway for isolated prod network)

To help illustrate traffic flow let’s say I have a server inside the isolated network, IP of 10.8.96.30, GW 10.8.96.1 (gateway is eth1 of vyOS).

From an outside client on the real production gateway I have a route set up to direct all traffic for 192.168.96.0/24 to 10.8.96.151 (VyOS eth0).

  1. Request to 192.168.96.30
  2. VyOS receives this on eth0, translates the address to 10.8.96.30
  3. vyOS sends this out eth1 to isolated network

Currently, with my setup above it’s translating the address on eth0 and sending it right back out eth0 to the real prod network. Somehow I need to translate and forward all traffic bound for 192.168.96.0/24 to eth1… I’ve attached a horrible diagram :slight_smile:

The whole scenario works when I isolate a different network than the one the VyOS router lives on, say 10.8.112.0/24 - but trying to do it with the same network the router’s management interface is on causes problems…

You can’t have multiple addresses in the same subnet on different interfaces.
Maybe you can do some pseudo-bridging using proxy-ARP:
Keep the .151 address on eth0, and add some dummy IP on another subnet on eth1.
Enable proxy-ARP on both eth interfaces.
On eth1, add a next-hop-interface route for 10.8.96.1/32 onto interface eth1.
Then a client on eth0 should be able to access 10.8.96.30, no NAT required.

Other alternative:
Use 2 interconnected VRF instances, each with its own 10.8.96.x/24 interface. Then use NAT so each VRF instance isn’t aware the other VRF has the same 10.8.96.x/24 subnet.

1 Like
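Added illustration, not code from anyone in the thread: a toy longest-prefix-match lookup using the thread's addresses shows why the DNAT'd packet leaves eth0 when both interfaces carry 10.8.96.0/24. The /32 host route and the 10.8.112.0/24 variant are constructed here to show that only a more specific route (or a distinct subnet behind eth1) can steer the translated destination to eth1.

```python
import ipaddress
from dataclasses import dataclass

N = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def lookup(fib, dst):
    """Longest-prefix match. On a tie (the same /24 connected on two
    interfaces) the route installed first wins, so the duplicate
    10.8.96.0/24 on eth1 is never chosen over eth0's."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for idx, route in enumerate(fib):
        if addr in route.prefix:
            key = (-route.prefix.prefixlen, idx)
            if best is None or key < best[0]:
                best = (key, route.interface)
    return best[1] if best else None


def netmap(dst, outside, inside):
    """1:1 network translation like the poster's destination NAT rule:
    swap the network bits, keep the host bits (192.168.96.30 -> 10.8.96.30)."""
    host_bits = int(ipaddress.IPv4Address(dst)) & int(outside.hostmask)
    return str(ipaddress.IPv4Address(int(inside.network_address) | host_bits))


def egress_interface(fib, dst, inside):
    """Interface the router picks for dst after DNAT into `inside`."""
    return lookup(fib, netmap(dst, N("192.168.96.0/24"), inside))


# Constructed FIBs. AS_POSTED: same /24 on eth0 and eth1, default via eth0.
AS_POSTED = [Route(N("10.8.96.0/24"), "eth0"),
             Route(N("10.8.96.0/24"), "eth1"),
             Route(N("0.0.0.0/0"), "eth0")]
# Hypothetical /32 host route on eth1: more specific than either /24.
WITH_HOST_ROUTE = [Route(N("10.8.96.30/32"), "eth1")] + AS_POSTED
# The variant the poster says works: a different subnet behind eth1.
DISTINCT_SUBNET = [Route(N("10.8.96.0/24"), "eth0"),
                   Route(N("10.8.112.0/24"), "eth1"),
                   Route(N("0.0.0.0/0"), "eth0")]

if __name__ == "__main__":
    print(egress_interface(AS_POSTED, "192.168.96.30", N("10.8.96.0/24")))  # eth0
```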