Page MenuHomeVyOS Platform
Projects Known issue

Known issueBugs
ActivePublic
Watch Project

Members

  • This project does not have any members.
  • View All

Watchers

  • This project does not have any watchers.
  • View All

Recent Activity
View All

Oct 4 2023

fernando closed T3655: NAT Problem with VRF as Resolved.
Oct 4 2023, 7:54 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
Viacheslav added a comment to T3655: NAT Problem with VRF.

@rherold Could you re-check it?

Oct 4 2023, 7:54 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
fernando added a comment to T3655: NAT Problem with VRF.

for me , it's ok . I didn't see another issue related it . we can close

Oct 4 2023, 7:44 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
Viacheslav added a comment to T3655: NAT Problem with VRF.

Can we close it?

Oct 4 2023, 7:29 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Sep 14 2023

vfreex added a comment to T3655: NAT Problem with VRF.

@fernando This is really nice. Thank you for the testing!

Sep 14 2023, 7:02 AM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Sep 12 2023

fernando changed the status of T3655: NAT Problem with VRF from Backport candidate to Needs testing.
Sep 12 2023, 6:59 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
fernando added a comment to T3655: NAT Problem with VRF.

command on 1.5 :

Sep 12 2023, 6:36 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
fernando changed the status of T3655: NAT Problem with VRF from In progress to Backport candidate.
Sep 12 2023, 4:17 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
fernando updated subscribers of T3655: NAT Problem with VRF.

@vfreex I've tested in my labs related this issues , I can confirm that it work as expected . this original zone solved the problem when there was a src-nat /dst-nat with different VRFs or leaking with them ,Thanks you for this contribution .

Sep 12 2023, 4:16 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Sep 10 2023

Apachez added a comment to T3655: NAT Problem with VRF.

Oh sorry, I missed that this commit was for LTS 1.3.x series.

Sep 10 2023, 7:13 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
vfreex added a comment to T3655: NAT Problem with VRF.

@Apachez I am running kernel 6.1.49-amd64-vyos and this works fine with my local setup.
The patch is already in linux kernel since at least 4.3 (you can confirm with https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/include/net/netfilter/nf_conntrack_zones.h?h=linux-4.3.y), but it was added to nft command only since Feb 2017: https://git.netfilter.org/nftables/commit/src/ct.c?id=ed66d9966294a3bab6c8611e369861ba57374743

Sep 10 2023, 6:17 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
Apachez added a comment to T3655: NAT Problem with VRF.

@vfreex the referenced netfilter patch is from 2015, is that really valid for current version thats included in the Linux 6.1 LTS kernel?

Sep 10 2023, 6:05 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
vfreex added a comment to T3655: NAT Problem with VRF.

You can test this approach on a running VyOS router using following commands:

Sep 10 2023, 5:32 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
vfreex added a comment to T3655: NAT Problem with VRF.

I created a PR to fix this issue by using direction parameter of conntrack zones: https://github.com/vyos/vyos-1x/pull/2236
I have a very basic VRF setup and it works fine. It would be much appreciated if someone could test this with more complex VRF setup.

Sep 10 2023, 5:04 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Aug 25 2023

syncer edited projects for T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used, added: VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).
Aug 25 2023, 9:33 PM · VyOS 1.3 Equuleus (1.3.5), Known issue

Jul 12 2023

syncer edited projects for T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used, added: VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).
Jul 12 2023, 10:32 PM · VyOS 1.3 Equuleus (1.3.5), Known issue

Jun 22 2023

NeilHanlon added a comment to T3655: NAT Problem with VRF.

I'm also encountering this issue on the latest rolling release.

Jun 22 2023, 12:51 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Jun 8 2023

gusbourg added a comment to T3655: NAT Problem with VRF.

I have been able to get NAT to work with VRFs with 1.4-rolling-202306080317. However:

Jun 8 2023, 6:55 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

May 17 2023

fernando added a comment to T3655: NAT Problem with VRF.

I've done test , regarding the original issues that it was nat+route-leaking (default + foo) , which is working on the last rolling (VyOS 1.4-rolling-202305140317). however, I've tried some test using two vrf+route-leaking and NAT , I can replicated the issue:

May 17 2023, 3:19 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

May 16 2023

diodep added a comment to T3655: NAT Problem with VRF.
In T3655#148609, @bbabich wrote:
In T3655#131502, @Viacheslav wrote:

I have NAT working with vrf in VyOS 1.4-rolling-202208290458 + custom nat offload

set interfaces ethernet eth0 address '192.168.122.14/24'
set interfaces ethernet eth1 address '192.0.2.1/24'
set interfaces ethernet eth1 vrf 'foo'
set protocols static route 192.0.2.0/24 interface eth1 vrf 'foo'
set system conntrack
set vrf name foo protocols static route 0.0.0.0/0 next-hop 192.168.122.1 interface 'eth0'
set vrf name foo protocols static route 0.0.0.0/0 next-hop 192.168.122.1 vrf 'default'
set vrf name foo table '1010'

Nftables

root@r14:/home/vyos# cat nat.nft 
flush ruleset

table ip filter {
	flowtable fastnat {
		hook ingress priority filter
		devices = { eth0, eth1 }
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		ip protocol { tcp, udp } flow add @fastnat
	}
}
table ip nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.0.2.0/24 oif "eth0" snat to 192.168.122.14 persistent
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}
}

Conntrack table

vyos@r14:~$ sudo conntrack -F
conntrack v1.4.6 (conntrack-tools): connection tracking table has been emptied.
vyos@r14:~$ 
vyos@r14:~$ sudo conntrack -L
tcp      6 431999 ESTABLISHED src=192.168.122.14 dst=192.168.122.1 sport=22 dport=44462 src=192.168.122.1 dst=192.168.122.14 sport=44462 dport=22 [ASSURED] mark=0 use=1
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=33018 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=33018 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=37517 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=37517 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=59794 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=59794 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=39288 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=39288 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=39616 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=39616 [OFFLOAD] mark=0 use=2
icmp     1 29 src=192.0.2.2 dst=1.1.1.1 type=8 code=0 id=12387 src=1.1.1.1 dst=192.168.122.14 type=0 code=0 id=12387 mark=0 use=1
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=41155 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=41155 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=39829 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=39829 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=33655 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=33655 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=44835 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=44835 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=40213 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=40213 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=33729 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=33729 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=48344 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=48344 [OFFLOAD] mark=0 use=2
conntrack v1.4.6 (conntrack-tools): 14 flow entries have been shown.
vyos@r14:~$

This works for me too on current rolling releases from Jan-2023 to now.

May 16 2023, 6:57 AM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

May 12 2023

bbabich added a comment to T3655: NAT Problem with VRF.
In T3655#131502, @Viacheslav wrote:

I have NAT working with vrf in VyOS 1.4-rolling-202208290458 + custom nat offload

set interfaces ethernet eth0 address '192.168.122.14/24'
set interfaces ethernet eth1 address '192.0.2.1/24'
set interfaces ethernet eth1 vrf 'foo'
set protocols static route 192.0.2.0/24 interface eth1 vrf 'foo'
set system conntrack
set vrf name foo protocols static route 0.0.0.0/0 next-hop 192.168.122.1 interface 'eth0'
set vrf name foo protocols static route 0.0.0.0/0 next-hop 192.168.122.1 vrf 'default'
set vrf name foo table '1010'

Nftables

root@r14:/home/vyos# cat nat.nft 
flush ruleset

table ip filter {
	flowtable fastnat {
		hook ingress priority filter
		devices = { eth0, eth1 }
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		ip protocol { tcp, udp } flow add @fastnat
	}
}
table ip nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.0.2.0/24 oif "eth0" snat to 192.168.122.14 persistent
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}
}

Conntrack table

vyos@r14:~$ sudo conntrack -F
conntrack v1.4.6 (conntrack-tools): connection tracking table has been emptied.
vyos@r14:~$ 
vyos@r14:~$ sudo conntrack -L
tcp      6 431999 ESTABLISHED src=192.168.122.14 dst=192.168.122.1 sport=22 dport=44462 src=192.168.122.1 dst=192.168.122.14 sport=44462 dport=22 [ASSURED] mark=0 use=1
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=33018 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=33018 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=37517 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=37517 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=59794 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=59794 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=39288 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=39288 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=39616 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=39616 [OFFLOAD] mark=0 use=2
icmp     1 29 src=192.0.2.2 dst=1.1.1.1 type=8 code=0 id=12387 src=1.1.1.1 dst=192.168.122.14 type=0 code=0 id=12387 mark=0 use=1
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=41155 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=41155 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=39829 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=39829 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=33655 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=33655 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=44835 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=44835 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=40213 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=40213 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=33729 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=33729 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=48344 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=48344 [OFFLOAD] mark=0 use=2
conntrack v1.4.6 (conntrack-tools): 14 flow entries have been shown.
vyos@r14:~$
May 12 2023, 2:24 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

May 8 2023

diodep added a comment to T3655: NAT Problem with VRF.
In T3655#143947, @fernando wrote:

it doesn't seem the same problem as here, this logic that was applied over this version was vrf not on the table . Could you share full configuration ? there is some point over vrfs / vrf default /leaking that are not clear. So I can replicate the scenery and we see what is going on .

May 8 2023, 7:41 AM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Mar 7 2023

diodep added a comment to T3655: NAT Problem with VRF.
In T3655#143947, @fernando wrote:

it doesn't seem the same problem as here, this logic that was applied over this version was vrf not on the table . Could you share full configuration ? there is some point over vrfs / vrf default /leaking that are not clear. So I can replicate the scenery and we see what is going on .

Mar 7 2023, 4:36 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Mar 4 2023

diodep added a comment to T3655: NAT Problem with VRF.
In T3655#143947, @fernando wrote:

it doesn't seem the same problem as here, this logic that was applied over this version was vrf not on the table . Could you share full configuration ? there is some point over vrfs / vrf default /leaking that are not clear. So I can replicate the scenery and we see what is going on .

Mar 4 2023, 2:52 AM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Mar 3 2023

fernando added a comment to T3655: NAT Problem with VRF.

it doesn't seem the same problem as here, this logic that was applied over this version was vrf not on the table . Could you share full configuration ? there is some point over vrfs / vrf default /leaking that are not clear. So I can replicate the scenery and we see what is going on .

Mar 3 2023, 3:14 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
diodep added a comment to T3655: NAT Problem with VRF.

I have almost same problem here. Can't NAT between two VRFs correctly. The outgoing packet has been NATed correctly but the incoming packet seems be dropped, can't reach the source, it seems the return packet can't be tracked correctly.

Mar 3 2023, 6:21 AM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Feb 28 2023

SrividyaA placed T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used up for grabs.
Feb 28 2023, 11:58 AM · VyOS 1.3 Equuleus (1.3.5), Known issue

Feb 21 2023

Charlie-Root added a comment to T3655: NAT Problem with VRF.
Feb 21 2023, 1:45 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Oct 3 2022

n.fort added a comment to T3655: NAT Problem with VRF.

At least on my lab, with one of the latest 1.4, this is working for me:

Oct 3 2022, 2:21 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Oct 1 2022

aohanian added a comment to T3655: NAT Problem with VRF.

Is there a way to isolate a NAT rule to operate within a VRF?

Oct 1 2022, 2:31 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Aug 30 2022

Viacheslav added a comment to T3655: NAT Problem with VRF.
Aug 30 2022, 6:33 AM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Aug 29 2022

fernando added a comment to T3655: NAT Problem with VRF.

as I remember ... it has been working by this PR:

Aug 29 2022, 8:19 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
Viacheslav added a comment to T3655: NAT Problem with VRF.

I have NAT working with vrf in VyOS 1.4-rolling-202208290458 + custom nat offload

set interfaces ethernet eth0 address '192.168.122.14/24'
set interfaces ethernet eth1 address '192.0.2.1/24'
set interfaces ethernet eth1 vrf 'foo'
set protocols static route 192.0.2.0/24 interface eth1 vrf 'foo'
set system conntrack
set vrf name foo protocols static route 0.0.0.0/0 next-hop 192.168.122.1 interface 'eth0'
set vrf name foo protocols static route 0.0.0.0/0 next-hop 192.168.122.1 vrf 'default'
set vrf name foo table '1010'
Aug 29 2022, 5:14 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Aug 14 2022

dmbaturin added a project to T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used: Known issue.
Aug 14 2022, 6:39 PM · VyOS 1.3 Equuleus (1.3.5), Known issue

Jul 12 2022

Dmitry added a comment to T3655: NAT Problem with VRF.

Hi, but one more thing related NAT and VRF in 1.4 rolling. As you know it uses NF MAP, to isolate conntrack tables, so we need to create some design to fix this moment. Matbe with adding some mark

Jul 12 2022, 6:05 AM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Jul 11 2022

fernando added a comment to T3655: NAT Problem with VRF.

I've re-tested this issues with the initial configuration, nat source / mesquered/ destination , it seems to work as @Dmitry said. The conntrack doesn't show the connection as [UNREPLIED] , it's established :

Jul 11 2022, 8:31 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
Viacheslav removed a project from T3655: NAT Problem with VRF: VyOS 1.3 Equuleus (1.3.0).
Jul 11 2022, 12:03 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
Dmitry added a comment to T3655: NAT Problem with VRF.

Today I tested VRF route leaking and NAT. It works on 1.3.1-S1. Simple configuration:

Jul 11 2022, 11:49 AM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Nov 1 2021

syncer edited projects for T3655: NAT Problem with VRF, added: VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus (1.3.0-epa3).
Nov 1 2021, 10:12 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Oct 23 2021

rherold added a comment to T3655: NAT Problem with VRF.

anything new here?

Oct 23 2021, 3:07 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta

Oct 17 2021

syncer changed the status of T3655: NAT Problem with VRF from Open to In progress.
Oct 17 2021, 2:56 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
syncer edited projects for T3655: NAT Problem with VRF, added: VyOS 1.3 Equuleus (1.3.0-epa3), VyOS 1.4 Sagitta, Known issue; removed VyOS 1.3 Equuleus.
Oct 17 2021, 2:56 PM · VyOS 1.5 Circinus, Known issue, VyOS 1.4 Sagitta
syncer edited projects for T3906: [Traffic Control] Invalid Port Configuration Still Commits, added: VyOS 1.4 Sagitta, Known issue; removed VyOS 1.3 Equuleus (1.3.0-epa1).
Oct 17 2021, 12:11 PM · Known issue, VyOS 1.4 Sagitta

Mar 16 2020

qxmips added projects to T1301: bgp peer-groups don't work when "no-ipv4-unicast" is enabled.: Workaround available, Known issue.
Mar 16 2020, 12:31 PM · VyOS 1.2 Crux (VyOS 1.2.5)

Mar 15 2020

syncer created Known issue.
Mar 15 2020, 3:29 PM