We have a problem with one of our VyOS setups, and it seems to be a bug in how traffic that is supposedly excluded from NAT still gets NATed.

Setup:

Customer devices <> VyOS firewall <IPsec> customer firewall <> customer devices
  10.1.2.0/24          1.2.3.4               5.6.7.8            10.3.4.0/24
So, as you can see, we have a VyOS firewall and another firewall on the customer side, connected via IPsec. The devices on the customer firewall side (10.3.4.0/24 network) can reach (ping etc.) devices on the 10.1.2.0/24 network without issue. But the devices on the 10.1.2.0/24 network cannot reach the devices on the 10.3.4.0/24 network. The firewall rules seem to be OK, since the packets are actually sent out the WAN interface (visible in tcpdump), but the outgoing packets seem to be NATed to the WAN IP (1.2.3.4) and never arrive at the customer's firewall.
There is also a specific NAT rule that excludes that network in source NAT:

rule X {
    destination {
        network 10.3.4.0/24
    }
    exclude
    outbound-interface eth0
}
However, this rule does not seem to work, since we can still see the source address from the 10.1.2.0/24 network being NATed to the WAN IP:

    10.1.2.99 1.2.3.4 icmp 27 0
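As an added example (not taken from the post above), here is the source NAT configuration in `set` form that keeps 10.1.2.0/24 to 10.3.4.0/24 traffic untranslated ahead of the masquerade rule. VyOS evaluates source NAT rules in ascending rule-number order and stops at the first match, so an exclude rule only takes effect if its number is lower than the masquerade rule's; the rule numbers 10 and 100, the added `source address` match, and the masquerade rule itself are assumptions for this example, and the `outbound-interface eth0` form follows the syntax shown in the post.

```text
# Assumed numbering: exclude rule first (10), masquerade rule last (100).
# Source NAT rules are evaluated in ascending order and the first match
# wins, so an exclude rule numbered above the masquerade rule never fires.
configure
set nat source rule 10 description 'Do not NAT traffic to the IPsec peer network'
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.1.2.0/24
set nat source rule 10 destination address 10.3.4.0/24
set nat source rule 10 exclude

set nat source rule 100 description 'Masquerade everything else leaving eth0'
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 10.1.2.0/24
set nat source rule 100 translation address masquerade
commit
save
exit

# Verification in operational mode: the exclude rule must be listed before
# the masquerade rule, and a ping from 10.1.2.99 to a 10.3.4.0/24 host
# should then appear in the conntrack table with its original source
# address rather than 1.2.3.4.
show nat source rules
show conntrack table ipv4
```

If the exclude rule is already ordered first and the translation still shows 1.2.3.4, compare the conntrack entry with the IPsec policy's traffic selectors, since a packet that was already translated before IPsec policy matching will not match a 10.1.2.0/24 selector.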