VPN Traffic is NATed even though it is in an exclude

We have a problem with one of our VyOS setups, and it seems to be a bug in how traffic is NATed that is supposedly excluded from NAT.

Setup:

Customer Devices <> vyos Firewall <IPSEC> customer Firewall <> customer devices
10.1.2.0/24         1.2.3.4               5.6.7.8              10.3.4.0/24

So as you can see, we have a VyOS firewall and another firewall on the customer side connected via IPsec. The devices on the customer firewall side (10.3.4.0/24 network) can reach (ping etc.) devices on the 10.1.2.0/24 network without issue. But the devices on the 10.1.2.0/24 network cannot reach the devices on the 10.3.4.0/24 network. The firewall rules seem to be OK, since the packets actually are sent out the WAN interface (in tcpdump), but the outgoing packets seem to be NATed to the WAN IP (1.2.3.4) and never arrive at the customer's firewall.

There is also a specific NAT rule that excludes that network in source NAT:

 rule X {
     destination {
         network 10.3.4.0/24
     }
     exclude
     outbound-interface eth0
 }

However, this rule does not seem to work, since we can still see the source address from the 10.1.2.0/24 network being NATed to the WAN IP:

10.1.2.99         1.2.3.4        icmp     27         0

Can you share full nat and vpn settings?
If using vti, you may need to change out-bound interface eth0 to vtiX

This is all the source NAT configuration relevant for this tunnel/network (sanitized for privacy reasons):

 source {
     rule 1 {
         description "Exclusion Test rule"
         destination {
             network 10.3.4.0/24
         }
         exclude
         outbound-interface eth0
     }
     rule 2 {
         description "Exclude Firewall Traffic"
         destination {
             address 1.2.3.4/32
         }
         exclude
         outbound-interface eth0
     }
     rule 3 {
         outbound-interface eth0
         source {
             address 10.1.2.0
         }
         translation {
             address 1.2.3.4
         }
     }
 }

Since the interface in the “vpn ipsec” configuration is set to eth0 I don’t think I need to use vti:

 interface eth0
 options {
     interface eth0
 }
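
The rule order in the source NAT listing above, modelled as an added example (not code from the thread or from VyOS). It assumes rules are checked in ascending number order with the first match deciding; the destination 10.3.4.10, the interface name vti0 and the address 203.0.113.10 are constructed values.

```python
import ipaddress

# Constructed model of the three source NAT rules posted in the thread.
# Assumption: rules are checked in ascending rule-number order, the first
# match decides, and "exclude" means the packet leaves untranslated.
RULES = [
    {"id": 1, "out": "eth0", "dst": "10.3.4.0/24", "exclude": True},
    {"id": 2, "out": "eth0", "dst": "1.2.3.4/32", "exclude": True},
    {"id": 3, "out": "eth0", "src": "10.1.2.0", "translate": "1.2.3.4"},
]


def matches(rule, src, dst, out_if):
    """True when every criterion present in the rule matches the packet."""
    if rule["out"] != out_if:
        return False
    for key, addr in (("src", src), ("dst", dst)):
        # ip_network() reads an address without a prefix length as a /32 host.
        if key in rule and ipaddress.ip_address(addr) not in ipaddress.ip_network(rule[key]):
            return False
    return True


def evaluate(src, dst, out_if, rules=RULES):
    """Return (matching rule id or None, source address seen on the wire)."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        if matches(rule, src, dst, out_if):
            return rule["id"], src if rule.get("exclude") else rule["translate"]
    return None, src


def explain(src, dst, out_if, rules=RULES):
    rule_id, wire_src = evaluate(src, dst, out_if, rules)
    hit = f"rule {rule_id}" if rule_id is not None else "no rule"
    verdict = "untranslated" if wire_src == src else f"translated to {wire_src}"
    return f"{src} -> {dst} via {out_if}: {hit}, {verdict}"


if __name__ == "__main__":
    # Tunnel-bound packet leaving eth0: rule 1 should win before rule 3 is read.
    print(explain("10.1.2.99", "10.3.4.10", "eth0"))
    # Same packet routed out a VTI (vti0 is a hypothetical name): eth0 rules never apply.
    print(explain("10.1.2.99", "10.3.4.10", "vti0"))
    # Internet-bound packet: rule 3 as posted names the single address 10.1.2.0.
    print(explain("10.1.2.99", "203.0.113.10", "eth0"))
    print(explain("10.1.2.0", "203.0.113.10", "eth0"))
```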