Hi,
I want to set up a fresh VyOS-based router. So I have an empty config here, and at first I want to give myself management access through a separate interface with a separate routing table.
I tried this in VyOS:
set interfaces bonding bond0 mode '802.3ad'
set interfaces bonding bond0 vif 200 address '2a0c:a980:XXXX::X:5/64'
set interfaces bonding bond0 vif 200 policy ipv6-route 'mgnt-vlan200'
set interfaces ethernet eth0 hw-id '6c:3b:e5:b0:79:00'
set interfaces ethernet eth1 bond-group 'bond0'
set interfaces ethernet eth1 hw-id '6c:3b:e5:b0:79:04'
set interfaces ethernet eth3 hw-id 'e8:39:35:01:f7:3d'
set interfaces ethernet eth4 hw-id 'e8:39:35:01:f7:3e'
set interfaces ethernet eth5 hw-id 'e8:39:35:01:f7:3f'
set interfaces ethernet eth6 bond-group 'bond0'
set interfaces ethernet eth6 hw-id 'd4:85:64:2f:e7:08'
set interfaces ethernet eth7 hw-id 'd4:85:64:2f:e7:0c'
set interfaces loopback lo
set policy ipv6-route mgnt-vlan200 rule 1 destination address '::/0'
set policy ipv6-route mgnt-vlan200 rule 1 set table '100'
set policy ipv6-route mgnt-vlan200 rule 1 source address '2a0c:a980:XXXX::X:5'
set policy ipv6-route mgnt-vlan200 rule 2 destination address '2a0c:a980:XXXX::X:5'
set policy ipv6-route mgnt-vlan200 rule 2 set table '100'
set policy ipv6-route mgnt-vlan200 rule 2 source address '::/0'
set protocols static table 100 interface-route6 2a0c:a980:XXXX::/64 next-hop-interface bond0.200
set protocols static table 100 route6 ::/0 next-hop 2a0c:a980:XXXX::1
set service ssh
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name 'r1'
set system login user vyos authentication encrypted-password 'XXXXXXX'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
But this doesn't work. I see that VyOS uses ip rule, but uses it with fwmark instead of directly.
With ip6tables-save I can see the generated rules and that no packet is hitting the chain:
:PREROUTING ACCEPT [10:672]
:INPUT ACCEPT [239:26212]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [166:23562]
:POSTROUTING ACCEPT [166:23562]
:VYATTA_FW_IN_HOOK - [0:0]   <-- zero counter
:VYATTA_FW_LOCALOUT_HOOK - [0:0]
:VYATTA_FW_OUT_HOOK - [0:0]
:VYATTA_PBR_100 - [0:0]
:VYOS_DNPT_HOOK - [0:0]
:VYOS_SNPT_HOOK - [0:0]
:mgnt-vlan200 - [0:0]
-A PREROUTING -j VYATTA_FW_IN_HOOK
-A PREROUTING -j VYOS_DNPT_HOOK
-A OUTPUT -j VYATTA_FW_LOCALOUT_HOOK
-A POSTROUTING -j VYATTA_FW_OUT_HOOK
-A POSTROUTING -j VYOS_SNPT_HOOK
-A VYATTA_FW_IN_HOOK -i bond0.200 -j mgnt-vlan200
-A VYATTA_PBR_100 -j MARK --set-xmark 0x80000063/0xffffffff
-A VYATTA_PBR_100 -j ACCEPT
-A VYOS_DNPT_HOOK -j RETURN
-A VYOS_SNPT_HOOK -j RETURN
-A mgnt-vlan200 -s 2a0c:a980:XXXX::X:5/128 -m comment --comment mgnt-vlan200-1 -j VYATTA_PBR_100
-A mgnt-vlan200 -d 2a0c:a980:XXXX::X:5/128 -m comment --comment mgnt-vlan200-2 -j VYATTA_PBR_100
-A mgnt-vlan200 -m comment --comment "mgnt-vlan200-10000 default-action accept" -j RETURN
COMMIT
On a "normal" Linux system I would implement this functionality without fwmark:
# link route and default route both go into table 100, the table the rules below select
/sbin/ip -6 route add 2a0c:a980:XXXX::/64 dev bond0.200 scope link src 2a0c:a980:XXXX::X:5 table 100
/sbin/ip -6 route add default via 2a0c:a980:XXXX::1 dev bond0.200 table 100
/sbin/ip -6 rule add from 2a0c:a980:XXXX::/64 table 100
/sbin/ip -6 rule add to 2a0c:a980:XXXX::X:5 table 100
Yes, it would be better to have clean VRF support, but I know that this is not included in VyOS 1.2.
So is there another way to make this work?
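As an added example (not part of the original post or of VyOS itself), a small Python parser for `ip6tables-save -c` output that reports per-rule packet counters for the policy chain, since the `[0:0]` in a user-defined chain's header line is not a hit count; the sample input is constructed, with documentation-prefix addresses in place of the poster's. A rule whose counter stays at zero while traffic flows (in the sample, rule 1, which matches the router's own source address) is the one the chain never sees, and for a hook that only sits in PREROUTING that includes everything the router itself originates.

```python
import re
import shlex

# Constructed sample in `ip6tables-save -c` format (mangle table only); addresses use 2001:db8::/32.
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [10:672]
:VYATTA_FW_IN_HOOK - [0:0]
:VYATTA_PBR_100 - [0:0]
:mgnt-vlan200 - [0:0]
[10:672] -A PREROUTING -j VYATTA_FW_IN_HOOK
[4:320] -A VYATTA_FW_IN_HOOK -i bond0.200 -j mgnt-vlan200
[1:80] -A VYATTA_PBR_100 -j MARK --set-xmark 0x80000063/0xffffffff
[1:80] -A VYATTA_PBR_100 -j ACCEPT
[0:0] -A mgnt-vlan200 -s 2001:db8:200::5/128 -m comment --comment mgnt-vlan200-1 -j VYATTA_PBR_100
[1:80] -A mgnt-vlan200 -d 2001:db8:200::5/128 -m comment --comment mgnt-vlan200-2 -j VYATTA_PBR_100
[3:240] -A mgnt-vlan200 -m comment --comment "mgnt-vlan200-10000 default-action accept" -j RETURN
COMMIT
"""

RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")

def parse_rules(text):
    """Return [(chain, packets, bytes, rule_body)] for every -A line that carries counters."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(3), int(m.group(1)), int(m.group(2)), m.group(4)))
    return rules

def rule_comment(body):
    """Extract the --comment value (VyOS stores the policy name and rule number there)."""
    toks = shlex.split(body)
    return toks[toks.index("--comment") + 1] if "--comment" in toks else None

def chain_hits(text, chain):
    """Map each rule of `chain` (keyed by its comment, else the full body) to its packet count."""
    return {(rule_comment(b) or b): p for c, p, _, b in parse_rules(text) if c == chain}

def set_marks(text):
    """Collect the fwmark values set by MARK targets, to compare against `ip -6 rule show`."""
    return [b.split("--set-xmark")[1].split()[0].split("/")[0]
            for _, _, _, b in parse_rules(text) if "--set-xmark" in b]

if __name__ == "__main__":
    for name, pkts in chain_hits(SAMPLE, "mgnt-vlan200").items():
        print(f"{name}: {pkts} packets{'  <-- never matched' if pkts == 0 else ''}")
    print("marks set by PBR chains:", set_marks(SAMPLE))
```

On a live box, replace SAMPLE with the output of `ip6tables-save -c -t mangle` to see which of the policy's rules actually match.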