VRF Default Route Not Being Used as Expected

Hello,

New VyOS user :wave: and I am not seeing the default route being used as expected.

Utilizing a UniFi access layer, VyOS as the core, and then a Palo Alto firewall.

This network utilizes VRFs to land zones as an aggregated ethernet subinterface on the firewall. The firewall is then supposed to take care of switching between the VLANs and zones/VRFs.

My current issue:

  • From a PC connected to a UniFi access port in VLAN68, I can ping the IP of the local gateway, 192.168.1.1/24
  • I can also ping the IP of the subinterface on the firewall, 10.10.10.4/29
  • My DNS/DHCP are in a different subnet/VRF, let's say 192.168.50.0/24
  • I would expect a ping to 192.168.50.50 from the 192.168.1.0/24 network to be forwarded up to 10.10.10.4/29
  • I do not see any entries coming into the firewall when I ping 192.168.50.50; I'd expect to see an inter-zone default deny

When using 'monitor traffic bond0.68' I can see the request from the PC reach VyOS, but it never makes it to the firewall via the default route.

Thanks for taking a look!

VRF and Default Route

set vrf name HelloWorld table '110'
set protocols static route 0.0.0.0/0 next-hop 10.10.10.4 vrf 'HelloWorld'

eth0 Trunk to UniFi Access Layer

set interfaces bonding bond0 hash-policy 'layer2+3'
set interfaces bonding bond0 member interface 'eth0'
set interfaces bonding bond0 mode '802.3ad'
set interfaces bonding bond0 vif 68 address '192.168.1.1/24'
set interfaces bonding bond0 vif 68 description 'VLAN68-Wired'
set interfaces bonding bond0 vif 68 vrf 'HelloWorld'

eth3 Trunk to Palo Alto Firewall

set interfaces bonding bond3 hash-policy 'layer3+4'
set interfaces bonding bond3 lacp-rate 'fast'
set interfaces bonding bond3 member interface 'eth3'
set interfaces bonding bond3 mode '802.3ad'
set interfaces bonding bond3 vif 10 address '10.10.10.1/29'
set interfaces bonding bond3 vif 10 description 'Transit-HelloWorld'
set interfaces bonding bond3 vif 10 vrf 'HelloWorld'

Welcome to the VyOS forums!

Some quick things to check/verify:

  1. What version of VyOS are you using?
  2. Do you have an ARP entry for 10.10.10.4?
  3. Are you sure you don't have any firewall rules blocking your traffic?

Thanks! It’s been fun so far. For context, I am building this all from scratch as this is to replace my current network which is a full UniFi setup.

I installed the VyOS version below recently and from the base config I added these types of bonds, VLANs, VRFs, and default routes only.

On the PAN firewall, yes, I would anticipate this to hit either the policy I created allowing this VRF/zone to talk to the other VRF/zone (any subnets, any communication type to 10.10.50.60)
OR
the default policy that says you can't go between zones, which I have set to capture on packet start and end.

vyos@CORE:~$ sh ver | match Version
Version: VyOS 1.5-rolling-202406280020

vyos@CORE:~$ sh arp

Address        Interface    Link layer address    State
-------------  -----------  --------------------  ---------
10.10.10.4     bond3.10     3c:fa:30:ce:7f:30     STALE
10.10.50.60    bond0.50     b8:27:eb:c4:bb:ef     STALE
192.168.1.100  bond0.68     60:7d:09:37:5b:ea     STALE

10.10.10.4 is the transit IP on the firewall
10.10.50.60 is the DNS/DHCP server
192.168.1.100 is the client PC

I redid the ‘monitor traffic interface bond0.68’

10.10.10.1 (the /29 IP on the bond3 vif 10 interface) is replying to 192.168.1.100 that 10.10.50.60 is unreachable.

I can see the same from the PC terminal:

Stephen ~ $ ping 10.10.50.60

PING 10.10.50.60 (10.10.50.60): 56 data bytes
92 bytes from 10.10.10.1: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 d35b   0 0000  40  01 24b9 192.168.1.100  10.10.50.60

Is the intention here to create a route inside the HelloWorld VRF, or a route leak from global to HelloWorld?

From the setup you’ve described, I assume the former, from the PC in 192.168.1.x to the default gateway in the same VRF.

The syntax you've used is for route leaks between VRFs; for static routes inside a VRF, you want the protocol nodes under the VRF node, e.g.:

set vrf name <name> protocols static ...

Instead of:

set protocols static ... vrf <name>

Looking at the docs for static routing, admittedly this isn't super clear.

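
The fix from the answer above in working form, as an added example that is not part of either poster's configuration: the misplaced global-table route is removed, the default route is created under the VRF node, and the operational commands that confirm the route actually landed in the HelloWorld table follow. Addresses, interface names and the VRF/table numbers reuse the ones posted in the thread; the expected output described in the comments is what the FRR routing table normally shows and is not captured from the poster's box.

```vyos
# Added example (not from the thread). Commands run in the VyOS configuration shell.
configure

# Original form from the first post. This creates a route in the GLOBAL table
# whose next-hop is resolved inside VRF HelloWorld (a route leak). Traffic that
# arrives on bond0.68, which is bound to HelloWorld, never consults the global
# table, so the HelloWorld table has no default route and VyOS answers with
# "Destination Net Unreachable". Remove it (the posted config has no other
# global default route).
delete protocols static route 0.0.0.0/0

# Corrected form: the default route lives INSIDE the HelloWorld routing table
# (table 110), so packets from 192.168.1.0/24 are forwarded to the firewall.
set vrf name HelloWorld table 110
set vrf name HelloWorld protocols static route 0.0.0.0/0 next-hop 10.10.10.4

commit
save
exit

# Verification, in operational mode:

# 1. HelloWorld exists with table 110 and both bond0.68 and bond3.10 assigned to it.
show vrf

# 2. The HelloWorld table should now contain a static default route, shown by
#    FRR as "S>* 0.0.0.0/0 [1/0] via 10.10.10.4, bond3.10". If the route is
#    absent here but present in "show ip route", it was created in the wrong table.
show ip route vrf HelloWorld

# 3. A longest-prefix lookup for the DNS/DHCP server must now resolve via that
#    default route instead of reporting "Network not in table".
show ip route vrf HelloWorld 10.10.50.60

# 4. The next-hop must be resolvable on the transit link (10.10.10.4 on bond3.10),
#    otherwise the route is installed but frames never leave the box.
show arp
```

When the route was created with the original syntax, step 2 is the quickest tell: `show ip route` (global table) lists the 0.0.0.0/0 entry while `show ip route vrf HelloWorld` does not, which matches the symptom of the client receiving ICMP unreachables from the router itself.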

Hey @talmakion you are correct! I can now see the traffic hitting the firewall and this is resolved! Thank you for noticing that.

I think my issue was that I learned how to do VIFs first (and didn't read the documents closely enough), and there you tag the VRF after the command issuance, so I just kept going with that. I even mentioned this regarding Kea DHCP not being VRF-aware, but now I understand why the original syntax that was suggested in there is correct.

