New VyOS user here, and I am not seeing the default route being used as expected.
Utilizing a UniFi access layer, VyOS as the core, and then a Palo Alto firewall.
This network utilizes VRFs to land zones as an aggregated ethernet subinterface on the firewall. The firewall is then supposed to take care of switching between the VLANs and zones/VRFs.
My current issue:
From a PC connected on a UniFi access port VLAN68 I can ping the IP of the local gateway 192.168.1.1/24
I can also ping the IP of the subinterface on the firewall of 10.10.10.4/29
My DNS/DHCP are in a different subnet/VRF, let's say 192.168.50.0/24
I would expect a ping to 192.168.50.50 from the 192.168.1.0/24 network to be forwarded up to 10.10.10.4/29
I do not see any entries coming into the firewall when I ping to 192.168.50.50 – I’d expect to see an inter-zone default deny
When using 'monitor traffic bond0.68' I can see the request from the PC reach VyOS, but it never makes it to the firewall using the default route
Thanks for taking a look!
VRF and Default Route
set vrf name HelloWorld table '110'
set protocols static route 0.0.0.0/0 next-hop 10.10.10.4 vrf 'HelloWorld'
eth0 Trunk to UniFi Access Layer
set interfaces bonding bond0 hash-policy 'layer2+3'
set interfaces bonding bond0 member interface 'eth0'
set interfaces bonding bond0 mode '802.3ad'
set interfaces bonding bond0 vif 68 address '192.168.1.1/24'
set interfaces bonding bond0 vif 68 description 'VLAN68-Wired'
set interfaces bonding bond0 vif 68 vrf 'HelloWorld'
eth3 Trunk to Palo Alto Firewall
set interfaces bonding bond3 hash-policy 'layer3+4'
set interfaces bonding bond3 lacp-rate 'fast'
set interfaces bonding bond3 member interface 'eth3'
set interfaces bonding bond3 mode '802.3ad'
set interfaces bonding bond3 vif 10 address '10.10.10.1/29'
set interfaces bonding bond3 vif 10 description 'Transit-HelloWorld'
set interfaces bonding bond3 vif 10 vrf 'HelloWorld'
Thanks! It’s been fun so far. For context, I am building this all from scratch as this is to replace my current network which is a full UniFi setup.
I installed the VyOS version below recently and from the base config I added these types of bonds, VLANs, VRFs, and default routes only.
On the PAN firewall, yes, I would anticipate this to hit either the policy I created allowing this VRF/Zone to talk to the other VRF/Zone (any subnets, any communication type to 10.10.50.60)
OR
the default policy that says you can't go in between zones, and I have it set to capture on packet start and end.
vyos@CORE:~$ sh ver | match Version
Version: VyOS 1.5-rolling-202406280020
vyos@CORE:~$ sh arp
Address Interface Link layer address State
------------ ----------- -------------------- ---------
10.10.10.4 bond3.10 3c:fa:30:ce:7f:30 STALE
10.10.50.60 bond0.50 b8:27:eb:c4:bb:ef STALE
192.168.1.100 bond0.68 60:7d:09:37:5b:ea STALE
10.10.10.4 transit IP on firewall
10.10.50.60 is the DNS/DHCP server
192.168.1.100 is the client PC
10.10.10.1 (the /29 IP on the bond3 vif 10 interface) is replying back to 192.168.1.100 that 10.10.50.60 is unreachable
I can see the same from the PC terminal
Stephen ~ $ ping 10.10.50.60
PING 10.10.50.60 (10.10.50.60): 56 data bytes
92 bytes from 10.10.10.1: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 d35b 0 0000 40 01 24b9 192.168.1.100 10.10.50.60
Hey @talmakion you are correct! I can now see the traffic hitting the firewall and this is resolved! Thank you for noticing that.
I think my issue was that I learned how to do VIFs first (and didn’t read the documents closely enough) and you tagged the VRF after the command issuance so I just kept going with that. I even mentioned this regarding the KEA DHCP not being VRF aware but now understand why the original syntax that was suggested in there is correct.
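Worked example of the fix the thread arrived at, added here and not the poster's own config: the static route is defined under the VRF node instead of being tagged with 'vrf' after the next-hop. The table number and interface names come from the posted configuration; the 'delete' of the old route and the verification command are assumptions about how one would apply and check it.

```vyos
# Original placement (as posted in the thread): this installs the route in the
# default table and only tells routing to resolve the next-hop inside
# HelloWorld, so VRF HelloWorld itself ends up with no default route and
# bond3.10 answers with "Destination Net Unreachable".
#   set protocols static route 0.0.0.0/0 next-hop 10.10.10.4 vrf 'HelloWorld'
#
# Remove the misplaced route (assumed step).
delete protocols static route 0.0.0.0/0

# Corrected placement: the route lives under the VRF node, so it lands in
# table 110, the same table that bond0.68 and bond3.10 belong to.
set vrf name HelloWorld table '110'
set vrf name HelloWorld protocols static route 0.0.0.0/0 next-hop 10.10.10.4
commit
save
exit

# Verification (operational mode, assumed check): the default route should now
# appear in the VRF's own table with 10.10.10.4 via bond3.10 as the next-hop.
show ip route vrf HelloWorld
```

Once the route shows up there, a ping from 192.168.1.100 to 10.10.50.60 should leave via bond3.10 and be logged by the firewall's inter-zone policy rather than being rejected by VyOS.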