The VyOS configuration is as follows:
/* Reviewer notes: VyOS 1.1-style configuration (bridge-group, smp-affinity, pppoe under ethernet).
   Comments use the /* ... */ form VyOS itself writes into config.boot. */
firewall {
    all-ping enable
    group {
        /* Covers every bridge subnet below (br1..br6). */
        network-group private {
            network 192.168.0.0/24
            network 192.168.101.0/24
            network 192.168.1.0/24
            network 192.168.2.0/24
            network 192.168.3.0/24
            network 192.168.4.0/24
        }
    }
    /* default-action accept plus a single accept rule: this ruleset never drops anything,
       so it provides no filtering where it is attached. No "in" or "local" ruleset exists
       anywhere in this configuration, so traffic arriving on pppoe0 (the public side)
       towards the router itself is not filtered here. */
    name out-global-rule {
        default-action accept
        rule 1 {
            action accept
            protocol all
            source {
                group {
                    network-group private
                }
            }
        }
    }
}
interfaces {
    /* Six bridges, one per private subnet; each carries the (no-op) out ruleset above. */
    bridge br1 {
        address 192.168.0.1/24
        aging 300
        description "Private switch"
        firewall {
            out {
                name out-global-rule
            }
        }
        hello-time 2
        ip {
            enable-arp-accept
        }
        max-age 20
        priority 0
        stp true
    }
    /* br2 is the only bridge with physical members (eth0, eth2, eth3, eth4) and the only
       subnet served by the DHCP server. Note: no hello-time here, unlike br1/br3/br4/br5. */
    bridge br2 {
        address 192.168.101.1/24
        aging 300
        description "private switch"
        firewall {
            out {
                name out-global-rule
            }
        }
        ip {
            enable-arp-accept
        }
        max-age 20
        priority 0
        stp true
    }
    bridge br3 {
        address 192.168.2.1/24
        aging 300
        description "private switch"
        firewall {
            out {
                name out-global-rule
            }
        }
        hello-time 2
        ip {
            enable-arp-accept
        }
        max-age 20
        priority 32768
        stp true
    }
    bridge br4 {
        address 192.168.3.1/24
        aging 300
        description "private switch"
        firewall {
            out {
                name out-global-rule
            }
        }
        hello-time 2
        ip {
            enable-arp-accept
        }
        max-age 20
        priority 32768
        stp true
    }
    bridge br5 {
        address 192.168.4.1/24
        aging 300
        description "private switch"
        firewall {
            out {
                name out-global-rule
            }
        }
        hello-time 2
        ip {
            enable-arp-accept
        }
        max-age 20
        priority 32768
        stp true
    }
    /* br6 omits aging/hello-time/max-age/priority; it relies on defaults. */
    bridge br6 {
        address 192.168.1.1/24
        description "Private switch"
        firewall {
            out {
                name out-global-rule
            }
        }
        stp true
    }
    ethernet eth0 {
        bridge-group {
            bridge br2
        }
        description private
        duplex auto
        hw-id 00:98:2b:f8:3f:11
        smp-affinity auto
        speed auto
    }
    /* Trunk port: VLANs 1, 2, 1002-1004 map to br6, br1, br3, br4, br5 respectively. */
    ethernet eth1 {
        description private
        duplex auto
        hw-id 00:98:2b:f8:3f:12
        smp-affinity auto
        speed auto
        vif 1 {
            bridge-group {
                bridge br6
            }
            description "private VLAN 1"
        }
        vif 2 {
            bridge-group {
                bridge br1
            }
            description "private VLAN 2"
        }
        vif 1002 {
            bridge-group {
                bridge br3
            }
            description "private VLAN 1002"
        }
        vif 1003 {
            bridge-group {
                bridge br4
            }
            description "private VLAN 1003"
        }
        vif 1004 {
            bridge-group {
                bridge br5
            }
            description "private VLAN 1004"
        }
    }
    ethernet eth2 {
        bridge-group {
            bridge br2
        }
        description private
        duplex auto
        hw-id 00:98:2b:f8:3f:13
        smp-affinity auto
        speed auto
    }
    ethernet eth3 {
        bridge-group {
            bridge br2
        }
        description private
        duplex auto
        hw-id 00:98:2b:f8:3f:14
        smp-affinity auto
        speed auto
    }
    /* eth4 (the port discussed in the question) is a plain br2 member with no per-port
       settings that differ from eth0/eth2/eth3. A host plugged in here gets a
       192.168.101.0/24 lease and exits via pppoe0. */
    ethernet eth4 {
        bridge-group {
            bridge br2
        }
        description private
        duplex auto
        hw-id 00:98:2b:f8:3f:15
        smp-affinity auto
        speed auto
    }
    ethernet eth5 {
        description public
        duplex auto
        hw-id 00:98:2b:f8:3f:16
        /* WAN link. MTU is 1492 and no TCP MSS clamp for pppoe0 appears in this
           configuration. Hosts behind the bridges normally use a 1500-byte MTU, so
           full-size segments (typical of a TLS handshake) can exceed the PPPoE MTU;
           if ICMP fragmentation-needed is lost, the symptom is exactly "HTTP works,
           TLS never completes". Worth checking: an MSS clamp on pppoe0 (VyOS 1.1
           exposes this under "firewall options"), or a lower MTU on the client.
           Hedged: the config alone cannot prove this is the cause. */
        pppoe 0 {
            default-route auto
            firewall {
                out {
                    name out-global-rule
                }
            }
            mtu 1492
            name-server auto
            /* ISP credentials are pasted here in clear text. Treat them as
               disclosed: rotate the PPPoE password with the provider and redact
               before sharing the configuration again. */
            password 27195008
            user-id fsDSL81150434
        }
        smp-affinity auto
        speed auto
    }
    loopback lo {
        address 127.0.0.1/8
        address ::1/128
        description local
    }
}
nat {
    source {
        /* Masquerades the whole 192.168.0.0/16 (a superset of the bridge subnets)
           out of pppoe0. */
        rule 100 {
            description "TO PUBLIC"
            outbound-interface pppoe0
            protocol all
            source {
                address 192.168.0.0/16
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    /* DHCP is only offered on the br2 subnet; the other bridges have no pool here. */
    dhcp-server {
        shared-network-name lan1 {
            subnet 192.168.101.0/24 {
                default-router 192.168.101.1
                dns-server 192.168.101.1
                lease 86400
                range 0 {
                    start 192.168.101.2
                    stop 192.168.101.254
                }
            }
        }
    }
    dns {
        /* listen-address 0.0.0.0 binds the forwarder on every address, including the
           pppoe0 public address. With no "local" firewall ruleset, this is reachable as
           an open resolver from the Internet unless something not shown here blocks it.
           Binding to the bridge addresses (192.168.x.1) only would limit exposure. */
        forwarding {
            cache-size 512
            listen-address 0.0.0.0
            name-server 114.114.114.114
            name-server 8.8.8.8
        }
    }
    /* SNMP v2c-style community (named "v3" but it is a community string, not SNMPv3
       user security) with read-only access, bound to 0.0.0.0:161. Same exposure caveat
       as the DNS forwarder: reachable from the public side absent a "local" ruleset. */
    snmp {
        community v3 {
            authorization ro
        }
        listen-address 0.0.0.0 {
            port 161
        }
    }
    /* SSH on the default port with no listen-address restriction and no "local"
       ruleset, so it is also reachable via pppoe0. */
    ssh {
        port 22
    }
}
system {
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name router
    ip {
        arp {
            table-size 16384
        }
    }
    login {
        user vyos {
            authentication {
                /* The $1$ prefix is md5-crypt; the hash is now public via this paste.
                   Change the password and redact the hash before re-posting. */
                encrypted-password $1$rD6QpxYO$NIq4e2xQ2eQ4k8MOMeupP1
                plaintext-password ""
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            /* "protocols" at debug overrides the global notice level for that facility. */
            facility protocols {
                level debug
            }
        }
    }
    time-zone Asia/Shanghai
}
This configuration seems normal, but there is a strange phenomenon. When a secondary router is connected to the physical interface eth4, HTTPS access works normally; but if I connect eth4 directly to a Linux computer, the TLS negotiation cannot complete. From the thread "Https NAT failure - #5 by eiriknb" I see a problem that seems similar to mine: I cannot access HTTPS sites normally, while HTTP seems fine (curl works, at least), but HTTPS cannot complete the TLS negotiation. I have also tried accessing HTTPS sites with the Firefox browser, with the same result. Can you give me some advice to help me solve this problem?