What routes should I add in my scenario?

blason · January 21, 2024, 3:09pm

Hi Team.

In my below scenario I would like create four tunnels between R1 and R3
i.e

10.10.10.100 <=> 10.10.30.100
10.10.10.100 <=> 10.10.40.100
10.10.20.100 <=> 10.10.30.100
10.10.20.100 <=> 10.10.40.100

Well I am mimicking the scenario in my home lab. Here R2 can consider as Internet.
Now my query is

And then same scenario with R1 ISP links

Can someone please advise!

blason · January 21, 2024, 5:24pm

Can I use interface name with two default gateways? Will that solve my purpose?

set protocols static route 0.0.0.0/0 next-hop 10.10.10.200 interface eth0
set protocols static route 0.0.0.0/0 next-hop 10.10.20.200 interface eth1

echowings · January 23, 2024, 1:01am

Maybe you can try OSPF dynamic routing will be easier. It can dynamicially found the routing by OSPF.

blason · January 23, 2024, 4:01am

I agree OSPF is better but I am wondering about my next hops of my ISP. Can I add two default gateways on my vyos router? So that other link can reach to other peer IP address through Internet?

16again · January 29, 2024, 6:27am

Use this as starting point:
https://docs.vyos.io/en/equuleus/configuration/policy/index.html
And get used to the idea of having multiple routing tables.

blason · January 29, 2024, 2:46pm

Thanks let me try doing that.

blason · January 29, 2024, 6:20pm

So probably local-route could be my solution. But let me test that out in my lab environment and revert.
And thanks again for the pointer.

blason · January 29, 2024, 6:57pm

Something is wrong or not sure I am not able to understad. In my same case for which I uploaded my diagram above. I created tables and applied default gateways

R1
set policy local-route rule 100 set table '100'
set policy local-route rule 100 source '10.10.10.100'
set policy local-route rule 150 set table '150'
set policy local-route rule 150 source '10.10.20.100'
set protocols static table 100 route 0.0.0.0/0 next-hop 10.10.10.200
set protocols static table 150 route 0.0.0.0/0 next-hop 10.10.20.200

And on R3

set policy local-route rule 100 set table '100'
set policy local-route rule 100 source '10.10.30.100'
set policy local-route rule 150 set table '150'
set policy local-route rule 150 source '10.10.40.100'
set protocols static table 100 route 0.0.0.0/0 next-hop 10.10.30.200
set protocols static table 150 route 0.0.0.0/0 next-hop 10.10.40.200

Now I try to ping 10.10.30.100 from R1

vyos@R1# ping 10.10.40.100
ping: connect: Network is unreachable
[edit]
vyos@R1# ^C
[edit]
vyos@R1# ping 10.10.30.100
ping: connect: Network is unreachable
[edit]
vyos@R1#

And from R3

vyos@R3# ping 10.10.10.100
ping: connect: Network is unreachable
[edit]
vyos@R3# ping 10.10.20.100
ping: connect: Network is unreachable

So in this case if the default gateway is added then I guess I should be able to ping other router interfaces?
I dont see routes are installed on my routing table.

vyos@R3# run show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

C>* 10.10.30.0/24 is directly connected, eth0, 00:29:40
C>* 10.10.40.0/24 is directly connected, eth2, 00:29:39
C>* 169.254.1.0/30 is directly connected, vti1, 00:10:46
C>* 169.254.2.0/30 is directly connected, vti2, 00:29:38
C>* 192.168.30.0/24 is directly connected, eth1, 00:29:40
[edit]

While table does apper

[edit]
vyos@R1# run show ip route table 100
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF default table 100:
S>* 0.0.0.0/0 [1/0] via 10.10.10.200, eth0, weight 1, 00:17:29
[edit]
vyos@R1# run show ip route table 150
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF default table 150:
S>* 0.0.0.0/0 [1/0] via 10.10.20.200, eth1, weight 1, 00:17:32
[edit]
vyos@R1#

echowings · January 30, 2024, 5:52am

you need to add static routing line by line in each router. if you perfer to static routing. 0.0.0.0/0 is not enough, I thought.

blason · January 30, 2024, 4:07pm

Then PBR local-route will not take effect? What if I need to configure two tunnels from two different ISP providers using their ISP IP addresses?

16again · February 3, 2024, 9:11pm

What source IP is being used?
if it isn’t ‘10.10.10.100’ or '10.10.20.100 , then PBR rules won’t kick in, you fall back to main table which has no default route.
Add /24 routes for connected subnets on eth0 and eth1 too

blason · February 5, 2024, 2:27am

When I am pinging from R1 or R3 obviously egress interfaces will be used, right? That means traffic will go out using 10.10.10.100 and 10.10.20.100

skynw · February 5, 2024, 3:54am

Aloha,

What is problem you are trying to solve?
I dont get it from you drawing

Uusally on a NOS you can have the same route, poiting to different next-hops,
which will result in form of load-balancing.

I personally woould never use policy routing,
and static routing is maybe in the beginning more easier to create,
but ith a dynamic routing protocol, once its setup, life is much more easy.

Cheers
Marcel

blason · February 5, 2024, 3:58am

I understand, and the issue I am attempting to address is the need to establish four tunnels, with two originating from each Internet Service Provider (ISP). However, I am currently pondering how to incorporate routes while taking into account that R2 serves as the internet gateway.

To provide further context, R1 represents my current location, while R3 denotes the remote location. It is important to note that only a single default gateway can be added.

I trust this clarifies any uncertainties.

echowings · February 5, 2024, 7:30am

Why not ospf and bgp or vrrp ?

skynw · February 5, 2024, 7:48am

For me not

Let me go one Step back
So you have a router R1

This router will be or is connected to 2 ISP?
2 different ISP with differen AS or same ISP?
What do you mean you have to connect through a tunnel to the ISP?
You use in your example R2 to simulate one ISP?

As I tried to expliabn, you can configure multipe default routes with different NH.
question does it make sense?
If the cost are the same, normally a router would do Load-balancing over 2 equal-cost-path (ECMP)

Also when you use static routes, you always need to configure both directions, a static route is unidirectional.

Cheers
Marcel

L0crian · February 5, 2024, 1:12pm

Will the tunnel destinations be static at the remote site? If so, a simple solution is to just do static routes for those specific /32 routes instead of a default.

blason · February 6, 2024, 2:40am

Here are you answers of your questions -

R2 is just to mimic the ISP.
I have configured 2 links on R1 which are two different ISPs connected to R2
As I said above I have two ISps terminated on Vyos

16again · February 10, 2024, 11:03pm

@blason
Normally egress interface IP is used as source IP. But main table has no route to destination.

blason · February 11, 2024, 12:45pm

The scenario I mentioned can not be achieved. Since VTI is created over IPsec if I try to create one more tunnel from R1 to R3. It gets overwritten the existing one.
I.e. If I have two tunnels ready
10.10.10.100 <==> 10.10.30.100
And
10.10.20.100 <==> 10.10.40.100
And If I try to create tunnel with
10.10.10.100 <==> 10.10.40.100
It gets overwritten with 10.10.20.100 and not able to create one more backup VPN tunnel as such