VPN IPSec IKEv1 - Network Connectivity

Hi,

See schema =

Tunnels are UP:

Issue =

A ping from the OFFICE VyOS router gets an echo reply from the distant LAN at Site-A or Site-B,

but a device in the OFFICE LAN does not.

image

Static routes are configured as below:

image

And a NAT source rule exists to exclude this LAN from translation.

It is difficult to predict what happens without seeing the configurations.

Which VyOS version do you use?

image

# VyOS configuration as pasted by the author. Addresses are redacted to '...' /
# '....', and the firewall groups (VPN-PEER, SWITCH-ACCESS-WAN) and the management
# interface were left out, so zone coverage cannot be fully verified from this page.
firewall GROUP HIDDEN
# Host-level options. ip-src-route 'enable' accepts IPv4 source-routed packets
# while the IPv6 counterpart is disabled; source-validation 'strict' (below)
# enables strict reverse-path checking. NOTE(review): confirm IPv4 source routing
# is really required here, otherwise 'disable' is the safer setting.
set firewall ip-src-route 'enable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
# FROM-INTERNET: used for WAN -> OFFICE and WAN -> MGMT-SW (see zone policy).
# Admits only established/related tcp_udp and icmp, plus anything sourced from
# the VPN-PEER group with no protocol restriction (presumably the tunnel
# endpoints; limiting rule 3 to IKE udp/500, udp/4500, esp and udp/51820 would be
# narrower). Everything else hits the logged default drop.
set firewall name FROM-INTERNET default-action 'drop'
set firewall name FROM-INTERNET description 'FROM-INTERNET-FW-to-PAT-OR-NAT-Get-IA'
set firewall name FROM-INTERNET enable-default-log
set firewall name FROM-INTERNET rule 1 action 'accept'
set firewall name FROM-INTERNET rule 1 protocol 'tcp_udp'
set firewall name FROM-INTERNET rule 1 state established 'enable'
set firewall name FROM-INTERNET rule 1 state related 'enable'
set firewall name FROM-INTERNET rule 2 action 'accept'
set firewall name FROM-INTERNET rule 2 protocol 'icmp'
set firewall name FROM-INTERNET rule 2 state established 'enable'
set firewall name FROM-INTERNET rule 2 state related 'enable'
set firewall name FROM-INTERNET rule 3 action 'accept'
set firewall name FROM-INTERNET rule 3 source group network-group 'VPN-PEER'
# FROM-ROUTING: ROUTING -> OFFICE and ROUTING <-> ROUTING-INT. Rule 999999
# repeats rule 999998 line for line (same source/destination ...56.0/24, port
# 51820, tcp_udp); one of the two is redundant and can be deleted.
set firewall name FROM-ROUTING default-action 'drop'
set firewall name FROM-ROUTING rule 1 action 'accept'
set firewall name FROM-ROUTING rule 1 protocol 'tcp_udp'
set firewall name FROM-ROUTING rule 1 state established 'enable'
set firewall name FROM-ROUTING rule 1 state related 'enable'
set firewall name FROM-ROUTING rule 999998 action 'accept'
set firewall name FROM-ROUTING rule 999998 description 'Tunnel-Wireguard_Site-to-Site'
set firewall name FROM-ROUTING rule 999998 destination address '...56.0/24'
set firewall name FROM-ROUTING rule 999998 destination port '51820'
set firewall name FROM-ROUTING rule 999998 protocol 'tcp_udp'
set firewall name FROM-ROUTING rule 999998 source address '...56.0/24'
set firewall name FROM-ROUTING rule 999999 action 'accept'
set firewall name FROM-ROUTING rule 999999 description 'Tunnel-Wireguard_Site-to-Site'
set firewall name FROM-ROUTING rule 999999 destination address '...56.0/24'
set firewall name FROM-ROUTING rule 999999 destination port '51820'
set firewall name FROM-ROUTING rule 999999 protocol 'tcp_udp'
set firewall name FROM-ROUTING rule 999999 source address '...56.0/24'
# INTERNAL-ROUTING: applied in both directions between OFFICE and every
# management zone. Rule 1 lets ...50.0/24 reach ports 22,23,443; rule 2 is meant
# as the return path but matches on *source* port 22,23,443 instead of connection
# state, so a session initiated from a management zone towards ...50.0/24 with
# one of those source ports is accepted as well. FROM-INTERNET rule 1 already
# shows the stateful form (state established/related 'enable'); using it here
# would close that gap. Port 23 (conventionally telnet, cleartext) is on the list.
set firewall name INTERNAL-ROUTING default-action 'drop'
set firewall name INTERNAL-ROUTING rule 1 action 'accept'
set firewall name INTERNAL-ROUTING rule 1 destination port '22,23,443'
set firewall name INTERNAL-ROUTING rule 1 protocol 'tcp_udp'
set firewall name INTERNAL-ROUTING rule 1 source address '...50.0/24'
set firewall name INTERNAL-ROUTING rule 2 action 'accept'
set firewall name INTERNAL-ROUTING rule 2 destination address '...50.0/24'
set firewall name INTERNAL-ROUTING rule 2 protocol 'tcp_udp'
set firewall name INTERNAL-ROUTING rule 2 source port '22,23,443'
set firewall name INTERNAL-ROUTING rule 3 action 'accept'
set firewall name INTERNAL-ROUTING rule 3 protocol 'icmp'
# LAN: applied OFFICE -> TUN/ROUTING/ROUTING-INT/WAN and MGMT-SW -> WAN, but
# also TUN -> OFFICE (zone OFFICE 'from TUN' below). Every rule matches sources
# in ...50.0/24 or ...24.0.0/19 and there is no established/related rule, so
# replies coming back from the remote IPsec prefixes (10.1.0.0/24,
# 172.24.219.0/24) into OFFICE match nothing and take the logged default drop.
# That fits the reported symptom (the router's own pings work because no local
# zone is defined, LAN-sourced pings fail) and the VPN-IN-OUT ruleset the author
# added as the fix.
set firewall name LAN default-action 'drop'
set firewall name LAN description 'For-ALL-LAN-OUT-to-FROM-INTERNET'
set firewall name LAN enable-default-log
set firewall name LAN rule 1 action 'accept'
set firewall name LAN rule 1 protocol 'tcp_udp'
set firewall name LAN rule 1 source address '...50.0/24'
set firewall name LAN rule 2 action 'accept'
set firewall name LAN rule 2 protocol 'icmp'
set firewall name LAN rule 2 source address '...50.0/24'
set firewall name LAN rule 3 action 'accept'
set firewall name LAN rule 3 destination group network-group 'SWITCH-ACCESS-WAN'
set firewall name LAN rule 3 protocol 'tcp_udp'
set firewall name LAN rule 3 source address '...24.0.0/19'
set firewall name LAN rule 4 action 'accept'
set firewall name LAN rule 4 destination group network-group 'SWITCH-ACCESS-WAN'
set firewall name LAN rule 4 protocol 'icmp'
set firewall name LAN rule 4 source address '...24.0.0/19'
set firewall receive-redirects 'disable'
set firewall source-validation 'strict'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'enable'
# Zone policy: every zone defaults to drop and intra-zone filtering drops. No
# local zone appears here, so traffic to/from the router itself is not covered by
# these pairs. TUN (vti0) only has the OFFICE <-> TUN pair; the WireGuard transit
# is split into ROUTING (wg0) and ROUTING-INT (eth3).
set firewall zone Cisco-CAPWAP default-action 'drop'
set firewall zone Cisco-CAPWAP from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone Cisco-CAPWAP interface 'eth1.9'
set firewall zone Cisco-CAPWAP intra-zone-filtering action 'drop'
set firewall zone Cisco-WIFI default-action 'drop'
set firewall zone Cisco-WIFI from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone Cisco-WIFI interface 'eth1.6'
set firewall zone Cisco-WIFI intra-zone-filtering action 'drop'
set firewall zone DSLAM default-action 'drop'
set firewall zone DSLAM from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone DSLAM interface 'eth1.17'
set firewall zone DSLAM intra-zone-filtering action 'drop'
set firewall zone MGMT-100 default-action 'drop'
set firewall zone MGMT-100 from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone MGMT-100 interface 'eth1.100'
set firewall zone MGMT-100 intra-zone-filtering action 'drop'
set firewall zone MGMT-AMFAR default-action 'drop'
set firewall zone MGMT-AMFAR from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone MGMT-AMFAR interface 'eth1.887'
set firewall zone MGMT-AMFAR intra-zone-filtering action 'drop'
set firewall zone MGMT-ESX default-action 'drop'
set firewall zone MGMT-ESX from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone MGMT-ESX interface 'eth1.16'
set firewall zone MGMT-ESX intra-zone-filtering action 'drop'
set firewall zone MGMT-Mikrotik default-action 'drop'
set firewall zone MGMT-Mikrotik from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone MGMT-Mikrotik interface 'eth1.807'
set firewall zone MGMT-Mikrotik intra-zone-filtering action 'drop'
set firewall zone MGMT-SW default-action 'drop'
set firewall zone MGMT-SW from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone MGMT-SW from WAN firewall name 'FROM-INTERNET'
set firewall zone MGMT-SW interface 'eth1'
set firewall zone MGMT-SW intra-zone-filtering action 'drop'
set firewall zone OFFICE default-action 'drop'
set firewall zone OFFICE from Cisco-CAPWAP firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from Cisco-WIFI firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from DSLAM firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from MGMT-100 firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from MGMT-AMFAR firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from MGMT-ESX firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from MGMT-Mikrotik firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from MGMT-SW firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from ROUTING firewall name 'FROM-ROUTING'
# Traffic arriving from the IPsec VTI into the office LAN is filtered by 'LAN',
# whose rules only match office-side sources (see the note on that ruleset).
set firewall zone OFFICE from TUN firewall name 'LAN'
set firewall zone OFFICE from WAN firewall name 'FROM-INTERNET'
set firewall zone OFFICE from WIFI6 firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE interface 'eth2'
set firewall zone OFFICE intra-zone-filtering action 'drop'
set firewall zone ROUTING default-action 'drop'
set firewall zone ROUTING from OFFICE firewall name 'LAN'
set firewall zone ROUTING from ROUTING-INT firewall name 'FROM-ROUTING'
set firewall zone ROUTING interface 'wg0'
set firewall zone ROUTING intra-zone-filtering action 'drop'
set firewall zone ROUTING-INT default-action 'drop'
set firewall zone ROUTING-INT from OFFICE firewall name 'LAN'
set firewall zone ROUTING-INT from ROUTING firewall name 'FROM-ROUTING'
set firewall zone ROUTING-INT interface 'eth3'
set firewall zone ROUTING-INT intra-zone-filtering action 'drop'
set firewall zone TUN default-action 'drop'
set firewall zone TUN from OFFICE firewall name 'LAN'
set firewall zone TUN interface 'vti0'
set firewall zone TUN intra-zone-filtering action 'drop'
set firewall zone WAN default-action 'drop'
set firewall zone WAN from MGMT-SW firewall name 'LAN'
set firewall zone WAN from OFFICE firewall name 'LAN'
set firewall zone WAN interface 'eth0'
set firewall zone WAN intra-zone-filtering action 'drop'
set firewall zone WIFI6 default-action 'drop'
set firewall zone WIFI6 from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone WIFI6 interface 'eth1.18'
set firewall zone WIFI6 intra-zone-filtering action 'drop'
# WAN: three addresses on eth0; ...11 is also the SNAT translation address
# (nat source rule 100 below).
set interfaces ethernet eth0 address '...11/24'
set interfaces ethernet eth0 address '...0.28/24'
set interfaces ethernet eth0 address '...0.7/24'
set interfaces ethernet eth0 description 'WAN'
# INTERFACE MANAGEMENT HIDDEN
set interfaces ethernet eth2 address '....50.1/24'
set interfaces ethernet eth2 description 'OFFICE'
set interfaces ethernet eth2 hw-id '40:62:31:06:e7:ac'
# eth3 and wg0 share the ...56.4/24 transit address (wired and WireGuard paths
# to the other sites).
set interfaces ethernet eth3 address '....56.4/24'
set interfaces ethernet eth3 description 'Routing-VyOS-InterSite'
set interfaces ethernet eth3 hw-id '40:62:31:06:e7:ad'
set interfaces loopback lo
# vti0 is the route-based IPsec interface both peers bind to; per the author's
# closing note its address sits in the same subnet as the OFFICE LAN on eth2.
set interfaces vti vti0 address '...50.254/24'
set interfaces vti vti0 description 'Tunnel-Int_Site-to-Site'
# WireGuard hub (wg0) with four peers.
# NOTE(review): the wg0 private-key, the peers' preshared-key and the IPsec PSK
# secrets further down are reproduced in clear on a public page; treat them as
# compromised and rotate them on every site. All four peers share one
# preshared-key, so a single leak affects every tunnel at once.
# Each peer's allowed-ips also lists ...50.0/24 (the OFFICE LAN) and ...56.0/24
# (the transit /24). allowed-ips is WireGuard's cryptokey routing table: a
# prefix belongs to one peer at a time (in practice the last one applied keeps
# it), and it also defines which source addresses are accepted from that peer.
# Confirm that accepting OFFICE-sourced packets from remote peers is intended;
# the per-site static routes below are what actually select the next-hop.
set interfaces wireguard wg0 address '...56.4/24'
set interfaces wireguard wg0 description 'Wireguard-VyOS-Intersite'
set interfaces wireguard wg0 peer CANNES address '....56.1'
set interfaces wireguard wg0 peer CANNES allowed-ips '....53.0/24'
set interfaces wireguard wg0 peer CANNES allowed-ips '...65.0/24'
set interfaces wireguard wg0 peer CANNES allowed-ips '...56.0/24'
set interfaces wireguard wg0 peer CANNES allowed-ips '...50.0/24'
set interfaces wireguard wg0 peer CANNES persistent-keepalive '10'
set interfaces wireguard wg0 peer CANNES port '51820'
set interfaces wireguard wg0 peer CANNES preshared-key 'Q/Cq0+wxYBnqT4MTzdFwgFecl7l0gwD6KDMaYbbkNTE='
set interfaces wireguard wg0 peer CANNES public-key '2IpOP06h6+uein4AGcFvT9GVXeWtM157yT2NGtH96TQ='
set interfaces wireguard wg0 peer EUCLYDE address '....56.2'
set interfaces wireguard wg0 peer EUCLYDE allowed-ips '....54.0/24'
set interfaces wireguard wg0 peer EUCLYDE allowed-ips '....66.0/24'
set interfaces wireguard wg0 peer EUCLYDE allowed-ips '....50.0/24'
set interfaces wireguard wg0 peer EUCLYDE allowed-ips '....56.0/24'
set interfaces wireguard wg0 peer EUCLYDE port '51820'
set interfaces wireguard wg0 peer EUCLYDE preshared-key 'Q/Cq0+wxYBnqT4MTzdFwgFecl7l0gwD6KDMaYbbkNTE='
set interfaces wireguard wg0 peer EUCLYDE public-key 'hta8QB/BL+tIk0f2HtSQC8y2luu1GQ+IokTKaPPJ8xY='
set interfaces wireguard wg0 peer PARIS address '....56.3'
set interfaces wireguard wg0 peer PARIS allowed-ips '....50.0/24'
set interfaces wireguard wg0 peer PARIS allowed-ips '....55.0/24'
set interfaces wireguard wg0 peer PARIS allowed-ips '....67.0/24'
set interfaces wireguard wg0 peer PARIS allowed-ips '....56.0/24'
set interfaces wireguard wg0 peer PARIS port '51820'
set interfaces wireguard wg0 peer PARIS preshared-key 'Q/Cq0+wxYBnqT4MTzdFwgFecl7l0gwD6KDMaYbbkNTE='
set interfaces wireguard wg0 peer PARIS public-key 'nNplzcI1QEI0j/2EBY6UFlRVQRIV4WiEz5NGt4vv0iM='
set interfaces wireguard wg0 peer XPRESS address '....56.5'
set interfaces wireguard wg0 peer XPRESS allowed-ips '....32/28'
set interfaces wireguard wg0 peer XPRESS allowed-ips '....50.0/24'
set interfaces wireguard wg0 peer XPRESS allowed-ips '....56.0/24'
set interfaces wireguard wg0 peer XPRESS port '51820'
set interfaces wireguard wg0 peer XPRESS preshared-key 'Q/Cq0+wxYBnqT4MTzdFwgFecl7l0gwD6KDMaYbbkNTE='
set interfaces wireguard wg0 peer XPRESS public-key 'uFvm/rS3wl24W6qkTp53OcAor4ApfEneGTPt5eRc0Sc='
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key 'sMana+QzKo35IPrFS/tkYaLzlWqx8CyKjpGul1s18VY='
# Source NAT. Rules 10 and 11 exclude OFFICE -> 172.24.219.0/24 and OFFICE ->
# 10.1.0.0/24 from translation; rule 100 translates the rest of ...50.0/24
# leaving eth0 to ...11. Rule 11 is keyed on outbound-interface eth0 while the
# static route for 10.1.0.0/24 points into vti0, so it likely never matches;
# rule 100 is eth0-only too, so nothing is translated by accident, but rule 11
# should read 'vti0' like rule 10 to say what it means.
set nat source rule 10 destination address '172.24.219.0/24'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'vti0'
set nat source rule 10 source address '....50.0/24'
set nat source rule 11 destination address '10.1.0.0/24'
set nat source rule 11 exclude
set nat source rule 11 outbound-interface 'eth0'
set nat source rule 11 source address '....50.0/24'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '....50.0/24'
set nat source rule 100 translation address '...11'
# Default route via ...1; both IPsec remote prefixes are interface routes into
# vti0; the WireGuard site prefixes go to the per-site transit next-hop on wg0.
set protocols static route 0.0.0.0/0 next-hop ...1 distance '1'
set protocols static route 10.1.0.0/24 interface vti0
set protocols static route ....53.0/24 next-hop ....56.1 interface 'wg0'
set protocols static route ....54.0/24 next-hop ....56.2 interface 'wg0'
set protocols static route ....55.0/24 next-hop ....56.3 interface 'wg0'
set protocols static route ....65.0/24 next-hop ....56.1 interface 'wg0'
set protocols static route ....66.0/24 next-hop ....56.2 interface 'wg0'
set protocols static route ....67.0/24 next-hop ....56.3 interface 'wg0'
set protocols static route 172.24.219.0/24 interface vti0
set protocols static route 192.168.211.32/28 next-hop ....56.5 interface 'wg0'
# DHCP, DNS forwarding and SSH all listen only on the OFFICE address ....50.1;
# DNS forwarding answers ....50.0/24 only; SSH is on the non-default port 666.
set service dhcp-server listen-address '....50.1'
set service dhcp-server shared-network-name OFFICE authoritative
set service dhcp-server shared-network-name OFFICE description 'DHCP-Office-LAN'
set service dhcp-server shared-network-name OFFICE domain-name 'viapass.com'
set service dhcp-server shared-network-name OFFICE domain-search 'viapass.com'
set service dhcp-server shared-network-name OFFICE name-server '....50.1'
set service dhcp-server shared-network-name OFFICE subnet ....50.0/24 default-router '....50.1'
set service dhcp-server shared-network-name OFFICE subnet ....50.0/24 lease '14400'
set service dhcp-server shared-network-name OFFICE subnet ....50.0/24 range 0 start '....50.130'
set service dhcp-server shared-network-name OFFICE subnet ....50.0/24 range 0 stop '....50.200'
set service dns forwarding allow-from '....50.0/24'
set service dns forwarding ignore-hosts-file
set service dns forwarding listen-address '....50.1'
set service dns forwarding name-server ...162
set service dns forwarding name-server ...80
set service ssh listen-address '....50.1'
set service ssh port '666'
set system time-zone 'Europe/Paris'
# IPsec (IKEv1, pre-shared secrets). NOTE(review): both the IKE and the ESP
# proposal are 3des + md5 and no dh-group is set although pfs is enabled;
# these are legacy algorithms — move to AES and SHA-2 (and IKEv2) wherever the
# remote peers allow it. The PSK 'id' for MADRID is given twice and its
# local-id, remote-id, local-address and remote-address all read '...7' after
# redaction — probably an artefact of the redaction, but worth checking that the
# real values differ. Both peers bind the same vti0 and the same esp-group.
set vpn ipsec authentication psk AC-AMBASSADEUR id '...7'
set vpn ipsec authentication psk AC-AMBASSADEUR id '...219'
set vpn ipsec authentication psk AC-AMBASSADEUR secret 'Amba55adeurAC'
set vpn ipsec authentication psk MADRID id '...7'
set vpn ipsec authentication psk MADRID id '...7'
set vpn ipsec authentication psk MADRID secret 'Mad1C@nnes'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption '3des'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'md5'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption '3des'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'md5'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer AC-AMBASSADEUR authentication local-id '...7'
set vpn ipsec site-to-site peer AC-AMBASSADEUR authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer AC-AMBASSADEUR authentication remote-id '...219'
set vpn ipsec site-to-site peer AC-AMBASSADEUR ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer AC-AMBASSADEUR local-address '...7'
set vpn ipsec site-to-site peer AC-AMBASSADEUR remote-address '...219'
set vpn ipsec site-to-site peer AC-AMBASSADEUR tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer AC-AMBASSADEUR tunnel 0 local prefix '....50.0/24'
set vpn ipsec site-to-site peer AC-AMBASSADEUR tunnel 0 remote prefix '...0/24'
set vpn ipsec site-to-site peer AC-AMBASSADEUR vti bind 'vti0'
set vpn ipsec site-to-site peer AC-AMBASSADEUR vti esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer MADRID authentication local-id '...7'
set vpn ipsec site-to-site peer MADRID authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer MADRID authentication remote-id '...7'
set vpn ipsec site-to-site peer MADRID ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer MADRID local-address '...7'
set vpn ipsec site-to-site peer MADRID remote-address '...7'
set vpn ipsec site-to-site peer MADRID tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer MADRID tunnel 0 local prefix '....50.0/24'
set vpn ipsec site-to-site peer MADRID tunnel 0 remote prefix '10.1.0.0/24'
set vpn ipsec site-to-site peer MADRID vti bind 'vti0'
set vpn ipsec site-to-site peer MADRID vti esp-group 'office-srv-esp'

Resolved with:

New Firewall name

# Ruleset added as the fix. Which zone pair it is attached to is not shown; the
# closing note says vti0 sits in the OFFICE subnet with a static route to the
# VPN-LAN group (group definition not shown). Rule 1 covers icmp between
# ...50.0/24 and itself (office LAN and the vti address); rule 3 is what the
# original 'LAN' ruleset lacked — icmp arriving from VPN-LAN towards OFFICE.
# NOTE(review): rule 4 admits return traffic by *source* port 22,23,443 rather
# than connection state, like INTERNAL-ROUTING rule 2, so a connection initiated
# from VPN-LAN with one of those source ports is accepted as well; 'state
# established enable' / 'state related enable' (as in FROM-INTERNET rule 1) is
# the tighter form. Port 23 (conventionally telnet, cleartext) is on the list.
set firewall name VPN-IN-OUT default-action 'drop'
set firewall name VPN-IN-OUT rule 1 action 'accept'
set firewall name VPN-IN-OUT rule 1 destination address '...50.0/24'
set firewall name VPN-IN-OUT rule 1 protocol 'icmp'
set firewall name VPN-IN-OUT rule 1 source address '...50.0/24'
set firewall name VPN-IN-OUT rule 2 action 'accept'
set firewall name VPN-IN-OUT rule 2 destination group network-group 'VPN-LAN'
set firewall name VPN-IN-OUT rule 2 destination port '22,23,443'
set firewall name VPN-IN-OUT rule 2 protocol 'tcp_udp'
set firewall name VPN-IN-OUT rule 2 source address '...50.0/24'
set firewall name VPN-IN-OUT rule 3 action 'accept'
set firewall name VPN-IN-OUT rule 3 destination address '...50.0/24'
set firewall name VPN-IN-OUT rule 3 protocol 'icmp'
set firewall name VPN-IN-OUT rule 3 source group network-group 'VPN-LAN'
set firewall name VPN-IN-OUT rule 4 action 'accept'
set firewall name VPN-IN-OUT rule 4 destination address '...50.0/24'
set firewall name VPN-IN-OUT rule 4 protocol 'tcp_udp'
set firewall name VPN-IN-OUT rule 4 source group network-group 'VPN-LAN'
set firewall name VPN-IN-OUT rule 4 source port '22,23,443'
  • vti interface placed in the same subnet as OFFICE, plus a static route to VPN-LAN via vti0
