VRF dns forwarding

Board,

Working with VRFs, it seems the DNS forwarding function does not work when the source LAN making the request is in a VRF.

Config:
ethernet eth2 {
    hw-id 52:55:00:d1:55:03
    vif 5 {
        address 192.168.5.1/24
        vrf hs
    }
}

service {
    dns {
        forwarding {
            allow-from 192.168.5.0/24
            dhcp eth2.5
            listen-address 192.168.5.1
            name-server 199.244.86.2
        }
    }
}

tcpdump on the vy interface:

vbash-4.1# tcpdump -i eth2.5 port 53 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2.5, link-type EN10MB (Ethernet), capture size 262144 bytes
13:55:24.725861 IP 192.168.5.100.61736 > 192.168.5.1.53: 42102+ A? dell dot com. (26)(modified to post)
13:55:29.730015 IP 192.168.5.100.61736 > 192.168.5.1.53: 42102+ A? dell dot com (26)(modified to post)
13:55:34.735016 IP 192.168.5.100.61736 > 192.168.5.1.53: 42102+ A? dell dot com (26)(modified to post)

Request from pc on LAN:

ITMBP2009:Desktop$ nslookup dell dot com 192.168.5.1 (modified to post)

;; connection timed out; no servers could be reached

ITMBP2009:Desktop$

I am assuming this is just part of the development of VRF and all the services that tie into it.

Thanks in advance!

db

FYI,

I just moved to 1.3-rolling-202011200217 and this issue is still present.

Thanks,

db

Board,

I am still trying to track this down. Diving in deeper, it seems that with VRF enabled, the NAT inside LAN address is not actually getting NAT’d correctly. When I try to ping from the LAN address of 192.168.5.1 to 8.8.8.8, I see traffic on the outside interface coming from 192.168.5.1 when it should be NAT’d to my WAN address.

Ping to 8.8.8.8 from a PC on the LAN. This tcpdump is on the WAN interface:
18:29:59.833730 IP 10.83.119.66 > 8.8.8.8: ICMP echo request, id 38920, seq 0, length 64
18:30:00.432213 IP 8.8.8.8 > 10.83.119.66: ICMP echo reply, id 38920, seq 0, length 64
18:30:00.834117 IP 10.83.119.66 > 8.8.8.8: ICMP echo request, id 38920, seq 1, length 64
18:30:01.432335 IP 8.8.8.8 > 10.83.119.66: ICMP echo reply, id 38920, seq 1, length 64

Ping to 8.8.8.8 from the VY CLI using the LAN ethernet as a source address. This tcpdump is on the WAN interface:
18:31:30.488486 IP 192.168.5.1 > 8.8.8.8: ICMP echo request, id 15479, seq 1, length 64
18:31:31.491263 IP 192.168.5.1 > 8.8.8.8: ICMP echo request, id 15479, seq 2, length 64
18:31:32.515267 IP 192.168.5.1 > 8.8.8.8: ICMP echo request, id 15479, seq 3, length 64
18:31:33.539393 IP 192.168.5.1 > 8.8.8.8: ICMP echo request, id 15479, seq 4, length 64

Output from my VY CLI command:
vyos@user-vr:~$ ping 8.8.8.8 vrf hs interface 192.168.5.1
PING 8.8.8.8 (8.8.8.8) from 192.168.5.1 : 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 279ms

Thanks in advance,

db
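
Added example, not part of the original posts: a small Python check that reads `tcpdump -nn` ICMP lines taken on the WAN interface and reports echo requests that left without source NAT, plus requests that never got a reply. The function name is hypothetical, the sample lines are copied from the two captures above, and treating 10.83.119.66 as the WAN address is an assumption based on the first capture.

```python
import re

# Matches tcpdump -nn ICMP echo lines such as:
# 18:31:30.488486 IP 192.168.5.1 > 8.8.8.8: ICMP echo request, id 15479, seq 1, length 64
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def audit_wan_capture(lines, wan_addr):
    """Return (untranslated, unanswered) for a WAN-side capture.

    untranslated: source addresses of echo requests that are not wan_addr
    unanswered:   sorted (src, id, seq) of requests with no matching reply
    """
    requests, replied, untranslated = {}, set(), set()
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an ICMP echo line
        ident = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            requests[(m["dst"],) + ident] = m["src"]
            if m["src"] != wan_addr:
                untranslated.add(m["src"])  # left the WAN without source NAT
        else:
            replied.add((m["src"],) + ident)  # reply comes from the request's dst
    unanswered = sorted(
        (src, key[1], key[2]) for key, src in requests.items() if key not in replied
    )
    return untranslated, unanswered

# Sample lines copied from the two WAN captures in the post above.
SAMPLE = """\
18:29:59.833730 IP 10.83.119.66 > 8.8.8.8: ICMP echo request, id 38920, seq 0, length 64
18:30:00.432213 IP 8.8.8.8 > 10.83.119.66: ICMP echo reply, id 38920, seq 0, length 64
18:30:00.834117 IP 10.83.119.66 > 8.8.8.8: ICMP echo request, id 38920, seq 1, length 64
18:30:01.432335 IP 8.8.8.8 > 10.83.119.66: ICMP echo reply, id 38920, seq 1, length 64
18:31:30.488486 IP 192.168.5.1 > 8.8.8.8: ICMP echo request, id 15479, seq 1, length 64
18:31:31.491263 IP 192.168.5.1 > 8.8.8.8: ICMP echo request, id 15479, seq 2, length 64
18:31:32.515267 IP 192.168.5.1 > 8.8.8.8: ICMP echo request, id 15479, seq 3, length 64
18:31:33.539393 IP 192.168.5.1 > 8.8.8.8: ICMP echo request, id 15479, seq 4, length 64
""".splitlines()

if __name__ == "__main__":
    leaked, lost = audit_wan_capture(SAMPLE, wan_addr="10.83.119.66")  # WAN address assumed
    print("untranslated sources:", sorted(leaked))
    print("unanswered requests:", lost)
```

Against the sample, only the router-sourced pings from 192.168.5.1 are flagged; the LAN PC's pings show the translated source and matching replies.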