wan load balancing and openvpn



Hello everyone!

I have a configuration (attached below) with two WAN interfaces configured for failover and several VPNs.
My problem is that over the site-to-site OpenVPN tunnel I can ping hosts on the other side only from the router (VyOS) itself, but I can't ping anything from computers on the local LAN.

If I ping 10.100.1.50 from 192.168.0.200, tcpdump shows the ping request (192.168.0.200 > 10.100.1.50) on eth4 and eth0 instead of on eth4 and vtun0. So the request is routed to the default gateway instead of the tunnel, even though a static route exists that points 10.100.0.0/16 at the tunnel.

Can anyone help?
Thank you!

/* Global firewall options plus the two rule sets that are attached to the WAN interfaces (eth0, pppoe0). */
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* Forward chain ("in" on eth0 and pppoe0): traffic entering a WAN and routed onward.
   Rule 5 is disabled. Rules 20-70 admit SSH, PPTP, IKE/NAT-T, L2TP and OpenVPN ports to any
   forwarded destination; this config has no destination NAT, so check whether the forward
   chain needs these accepts at all. */
name OUTSIDE-ID {
default-action drop
rule 5 {
action accept
disable
}
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 15 {
action accept
protocol esp
}
rule 20 {
action accept
destination {
port 22
}
protocol tcp
}
rule 50 {
action accept
destination {
port 1723
}
protocol tcp
}
rule 60 {
action accept
destination {
port 500,4500
}
protocol udp
}
rule 65 {
action accept
destination {
port 1701
}
ipsec {
match-ipsec
}
protocol udp
}
rule 70 {
action accept
destination {
port 1194
}
protocol tcp_udp
}
}
/* Local chain ("local" on eth0 and pppoe0): traffic addressed to the router itself.
   Rules 25 and 39 open TCP/2222 and TCP/22 to the Internet; the ssh service listens on 22 only,
   so rule 25 looks stale. Limiting SSH to a source address list (or rate-limiting new
   connections) would reduce exposure. Rule 20 accepts every ICMP type, not only echo-request. */
name OUTSIDE-LOCAL {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 20 {
action accept
protocol icmp
}
rule 25 {
action accept
destination {
port 2222
}
protocol tcp
}
rule 39 {
action accept
destination {
port 22
}
protocol tcp
}
/* Rules 50/51 expose PPTP (TCP/1723 + GRE) to the Internet; see vpn pptp remote-access. */
rule 50 {
action accept
destination {
port 1723
}
protocol tcp
}
rule 51 {
action accept
description “Allow PPTP access from the Internet”
protocol gre
}
/* Rules 60-70 admit IPsec (ESP, IKE/NAT-T) and L2TP; rule 67 accepts UDP/1701 even when it is
   not IPsec-protected, which makes rule 70 (match-ipsec) redundant. */
rule 60 {
action accept
protocol esp
}
rule 65 {
action accept
destination {
port 500,4500
}
protocol udp
}
rule 67 {
action accept
destination {
port 1701
}
protocol udp
}
rule 70 {
action accept
destination {
port 1701
}
ipsec {
match-ipsec
}
protocol udp
}
rule 80 {
action accept
destination {
port 1194
}
protocol tcp_udp
}
}
receive-redirects disable
/* The router will emit ICMP redirects; usually harmless on a LAN, but it is a topology hint. */
send-redirects enable
/* Reverse-path filtering is off. Strict RPF can break a two-WAN setup, but "loose" would still
   reject packets whose source no route points to. */
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
/* eth0 and pppoe0 (on eth1) are the WAN uplinks, eth2-eth4 are LANs, vtun0 is the site-to-site tunnel. */
interfaces {
/* Primary WAN, static address. Only the "in" (forward) and "local" chains are attached; no "out" chain. */
ethernet eth0 {
address aa.aa.aa.aa/26
duplex auto
firewall {
in {
name OUTSIDE-ID
}
local {
name OUTSIDE-LOCAL
}
}
hw-id xx:xx:xx:xx:xx:xx
smp_affinity auto
speed auto
}
/* Secondary WAN over PPPoE, same chains as eth0. The PPPOE-IN policy (see policy) clamps TCP MSS on this link. */
ethernet eth1 {
duplex auto
hw-id xx:xx:xx:xx:xx:xx
pppoe 0 {
default-route auto
firewall {
in {
name OUTSIDE-ID
}
local {
name OUTSIDE-LOCAL
}
}
mtu 1492
name-server auto
password xxxxxxxxx
policy {
route PPPOE-IN
}
user-id XXXXXXXXX
}
smp_affinity auto
speed auto
}
/* WORK LAN. No firewall chain is attached to eth2, eth3 or eth4, so traffic between the LANs
   (e.g. GUEST 10.40.0.0/16 to ADMIN 192.168.0.0/24) and from the LANs to the router is unfiltered. */
ethernet eth2 {
address 10.30.0.1/16
duplex auto
hw-id xx:xx:xx:xx:xx:xx
smp_affinity auto
speed auto
}
/* GUEST LAN. */
ethernet eth3 {
address 10.40.0.1/16
duplex auto
hw-id xx:xx:xx:xx:xx:xx
smp_affinity auto
speed auto
}
/* ADMIN LAN. */
ethernet eth4 {
address 192.168.0.1/24
duplex auto
hw-id xx:xx:xx:xx:xx:xx
smp_affinity auto
speed auto
}
loopback lo {
}
/* Site-to-site OpenVPN with certificate-based TLS (tls role active). No firewall chain is
   attached to vtun0, so traffic arriving from the remote site is unfiltered. "comp-lzo" turns on
   compression, which upstream OpenVPN discourages for TLS tunnels; keep it only if the peer needs it. */
openvpn vtun0 {
local-address 10.100.253.52 {
}
mode site-to-site
openvpn-option “comp-lzo yes”
persistent-tunnel
remote-address 10.100.253.1
remote-host ZZZ.ZZZ.ZZZ.ZZZ
tls {
ca-cert-file /config/auth/ca.crt
cert-file /config/auth/zzz.crt
key-file /config/auth/zzz.key
role active
}
}
}
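/* WAN failover for the three LANs. Rules are evaluated in numeric order; the balancer steers
   matched flows to a WAN by policy routing BEFORE the main routing table is consulted, so every
   destination that must follow a static route (other LANs, the tunnel networks) needs an
   "exclude" rule ahead of the failover rules. Router-originated traffic does not pass through
   these inbound-interface rules, which is why pings from the router itself still use vtun0. */
load-balancing {
wan {
/* Source NAT is done by the explicit rules under nat source, not by the balancer. */
disable-source-nat
/* eth0 health check: ICMP to 8.8.8.8, pinned to eth0 by the /32 static route. */
interface-health eth0 {
failure-count 2
nexthop aa.aa.aa.gw
success-count 1
test 10 {
resp-time 5
target 8.8.8.8
ttl-limit 1
type ping
}
}
/* pppoe0 health check: ICMP to 8.8.4.4, pinned to pppoe0 by the /32 static route. */
interface-health pppoe0 {
failure-count 2
nexthop 10.0.0.1
success-count 1
test 10 {
resp-time 5
target 8.8.4.4
ttl-limit 1
type ping
}
}
/* Rules 5-7: inter-LAN traffic stays on the local routing table. */
rule 5 {
destination {
address 10.30.0.0/16
}
exclude
inbound-interface eth+
protocol all
}
rule 6 {
destination {
address 192.168.0.0/24
}
exclude
inbound-interface eth+
protocol all
}
rule 7 {
destination {
address 10.40.0.0/16
}
exclude
inbound-interface eth+
protocol all
}
/* Rules 8-9: the networks reached through vtun0 (same prefixes the nat source excludes use).
   Without these, LAN traffic for the remote site is balanced onto a WAN instead of following
   the static routes to 10.100.253.1. */
rule 8 {
destination {
address 10.100.0.0/16
}
exclude
inbound-interface eth+
protocol all
}
rule 9 {
destination {
address 172.16.67.0/24
}
exclude
inbound-interface eth+
protocol all
}
/* Rules 10-30: everything else from each LAN fails over eth0 -> pppoe0 (weights only matter
   when both are up). */
rule 10 {
failover
inbound-interface eth2
interface eth0 {
weight 10
}
interface pppoe0 {
weight 1
}
protocol all
}
rule 20 {
failover
inbound-interface eth3
interface eth0 {
weight 10
}
interface pppoe0 {
weight 1
}
protocol all
}
rule 30 {
failover
inbound-interface eth4
interface eth0 {
weight 10
}
interface pppoe0 {
weight 1
}
protocol all
}
sticky-connections {
inbound
}
}
}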
/* Source NAT only (no destination NAT anywhere in this config). The balancer's own SNAT is
   disabled, so these rules are the only translation. Pattern per LAN and per WAN: exclude
   traffic for the tunnel networks (10.100.0.0/16, 172.16.67.0/24), then masquerade the rest.
   NOTE(review): 192.168.0.0/24 (ADMIN) gets the excludes (rules 100/110, 200/210) but no
   masquerade rule; the 192.168.100.0/24 that rules 120/220 masquerade is the PPTP client pool.
   Confirm whether ADMIN is meant to reach the Internet at all. */
nat {
source {
/* Rules 100-180: traffic leaving via eth0. */
rule 100 {
destination {
address 10.100.0.0/16
}
exclude
outbound-interface eth0
source {
address 192.168.0.0/24
}
}
rule 110 {
destination {
address 172.16.67.0/24
}
exclude
outbound-interface eth0
source {
address 192.168.0.0/24
}
}
/* PPTP client pool (see vpn pptp remote-access client-ip-pool). */
rule 120 {
outbound-interface eth0
source {
address 192.168.100.0/24
}
translation {
address masquerade
}
}
rule 130 {
destination {
address 10.100.0.0/16
}
exclude
outbound-interface eth0
source {
address 10.30.0.0/16
}
}
rule 140 {
destination {
address 172.16.67.0/24
}
exclude
outbound-interface eth0
source {
address 10.30.0.0/16
}
}
rule 150 {
outbound-interface eth0
source {
address 10.30.0.0/16
}
translation {
address masquerade
}
}
rule 160 {
destination {
address 10.100.0.0/16
}
exclude
outbound-interface eth0
source {
address 10.40.0.0/16
}
}
rule 170 {
destination {
address 172.16.67.0/24
}
exclude
outbound-interface eth0
source {
address 10.40.0.0/16
}
}
rule 180 {
outbound-interface eth0
source {
address 10.40.0.0/16
}
translation {
address masquerade
}
}
/* Rules 200-280: the same set for traffic leaving via pppoe0. */
rule 200 {
destination {
address 10.100.0.0/16
}
exclude
outbound-interface pppoe0
source {
address 192.168.0.0/24
}
}
rule 210 {
destination {
address 172.16.67.0/24
}
exclude
outbound-interface pppoe0
source {
address 192.168.0.0/24
}
}
rule 220 {
outbound-interface pppoe0
source {
address 192.168.100.0/24
}
translation {
address masquerade
}
}
rule 230 {
destination {
address 10.100.0.0/16
}
exclude
outbound-interface pppoe0
source {
address 10.30.0.0/16
}
}
rule 240 {
destination {
address 172.16.67.0/24
}
exclude
outbound-interface pppoe0
source {
address 10.30.0.0/16
}
}
rule 250 {
outbound-interface pppoe0
source {
address 10.30.0.0/16
}
translation {
address masquerade
}
}
rule 260 {
destination {
address 10.100.0.0/16
}
exclude
outbound-interface pppoe0
source {
address 10.40.0.0/16
}
}
rule 270 {
destination {
address 172.16.67.0/24
}
exclude
outbound-interface pppoe0
source {
address 10.40.0.0/16
}
}
rule 280 {
outbound-interface pppoe0
source {
address 10.40.0.0/16
}
translation {
address masquerade
}
}
}
}
/* Policy route attached to pppoe0 (interfaces eth1 pppoe 0 policy route): clamps the MSS of
   TCP SYNs to 1415, matching the 1492 PPPoE MTU. */
policy {
route PPPOE-IN {
rule 10 {
protocol tcp
set {
tcp-mss 1415
}
tcp {
flags SYN
}
}
}
}
/* Static routing. Default goes to the eth0 gateway; the two /32 routes pin each WAN health-check
   target to its own uplink; the last two send the remote site's networks to the OpenVPN peer
   address. Note that only 10.100.1.0/24 is routed via the tunnel here, while the nat and
   load-balancing rules refer to the wider 10.100.0.0/16. */
protocols {
static {
route 0.0.0.0/0 {
next-hop aa.aa.aa.gw {
}
}
route 8.8.4.4/32 {
next-hop 10.0.0.1 {
}
}
route 8.8.8.8/32 {
next-hop aa.aa.aa.gw {
}
}
route 10.100.1.0/24 {
next-hop 10.100.253.1 {
}
}
route 172.16.67.0/24 {
next-hop 10.100.253.1 {
}
}
}
}
/* DHCP for the three LANs, a caching DNS forwarder for the LANs, and SSH. */
service {
dhcp-server {
disabled false
/* ADMIN pool is deliberately tiny (192.168.0.10-20); the unifi host is statically mapped outside it. */
shared-network-name ADMIN {
authoritative disable
subnet 192.168.0.0/24 {
default-router 192.168.0.1
dns-server 192.168.0.1
lease 86400
start 192.168.0.10 {
stop 192.168.0.20
}
}
}
shared-network-name GUEST {
authoritative disable
subnet 10.40.0.0/16 {
default-router 10.40.0.1
dns-server 10.40.0.1
lease 86400
start 10.40.0.100 {
stop 10.40.255.250
}
}
}
shared-network-name WORK {
authoritative disable
subnet 10.30.0.0/16 {
default-router 10.30.0.1
dns-server 10.30.0.1
lease 86400
start 10.30.10.1 {
stop 10.30.255.250
}
}
}
}
/* The forwarder listens on the LAN interfaces only (not eth0/pppoe0), so it is not an open
   resolver. Upstreams are the same 8.8.8.8 / 8.8.4.4 used as WAN health-check targets. */
dns {
forwarding {
cache-size 150
listen-on eth2
listen-on eth3
listen-on eth4
name-server 8.8.8.8
name-server 8.8.4.4
}
}
/* SSH on 22, reachable from the Internet through OUTSIDE-LOCAL rule 39. Key-only authentication
   and a source restriction on that rule would limit exposure. */
ssh {
port 22
}
}
/* Host settings: single admin user, public NTP pool, community package repo, syslog, UTC. */
system {
config-management {
commit-revisions 20
}
console {
}
host-name hhhhh
login {
/* NOTE(review): "encrypted-password" has no value and plaintext-password is "" — presumably
   redacted for posting; make sure the live config carries a real password hash for this
   admin-level account, since it is reachable over SSH from the Internet. */
user vyos {
authentication {
encrypted-password
plaintext-password “”
}
level admin
}
}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
/* Repository URL is plain http with auto-sync on, so package integrity rests on signature
   verification rather than the transport. */
package {
auto-sync 1
repository community {
components main
distribution helium
password “”
url http://packages.vyos.net/vyos
username “”
}
}
static-host-mapping {
host-name unifi {
inet 192.168.0.253
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
/* Remote-access VPNs (separate from the site-to-site vtun0): L2TP/IPsec and PPTP, both
   authenticating users against the RADIUS server at 192.168.0.rrr. */
vpn {
/* IPsec is bound to eth0 only (not pppoe0). nat-networks 0.0.0.0/0 accepts NAT-T clients from
   any address, which matches the open UDP/500,4500 rules in OUTSIDE-LOCAL. */
ipsec {
ipsec-interfaces {
interface eth0
}
nat-networks {
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable
}
/* L2TP/IPsec: outside-address 0.0.0.0 binds to any local address. Clients land in the WORK
   LAN range (10.30.1.100-200). The PSK and RADIUS key are placeholders in this paste; in the
   live config keep them long and random. */
l2tp {
remote-access {
authentication {
mode radius
radius-server 192.168.0.rrr {
key kkkkkk
}
}
client-ip-pool {
start 10.30.1.100
stop 10.30.1.200
}
dns-servers {
server-1 8.8.4.4
server-2 8.8.8.8
}
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret pskpskpsk
}
ike-lifetime 3600
}
outside-address 0.0.0.0
}
}
/* PPTP is widely regarded as cryptographically weak; the L2TP/IPsec service above is the safer
   option. Retiring PPTP would also remove the need for OUTSIDE-LOCAL rules 50/51 and the
   192.168.100.0/24 NAT rules (120/220). Clients land in 192.168.100.101-110, which is not one of
   the configured LANs. */
pptp {
remote-access {
authentication {
mode radius
radius-server 192.168.0.rrr {
key kkkkkk
}
}
client-ip-pool {
start 192.168.100.101
stop 192.168.100.110
}
dns-servers {
server-1 8.8.8.8
server-2 8.8.4.4
}
outside-address aa.aa.aa.aa
}
}
}