VyOS Configuration Issue

Question

I am working on setting up a VMWare lab. I have a physical box with which I've installed ESXi 6.7 on. While I'll be adding many more, I currently have 3 vm's; a Windows 2016 Server with no server roles installed, a DC (cloned from the base image of the Windows Server 2016) with DC and DNS roles installed (and configured), and a VyOS router.

A network diagram is below, but the VyOS router has four subnets; one for the DC, one for the Server 2016 box, one that is currently empty, and the other as a route out of the network.

The DC is statically assigned 10.0.1.1. The Server 2016 box is configured for DHCP (DHCP role on the DC), and DHCP is confirmed to work as the box has been assigned 10.0.2.11 (pool is 10.0.2.1-254, with 1-9 reserved (don't know why it didn't take 10, but don't care).

However, it appears I have both a DNS issue as well as routing issue. Specifically, from the DC, I can ping loopback, each VyOS interface, ESXi NIC, management workstation (my desktop), as well as my pfSense firewall. But, I cannot ping the Server2016 box (again, I can ping the interface in its' subnet, but not the box itself) via IP (request timed out) OR hostname (ping request could not find host Server2016), nor can I ping out to 8.8.8.8 or any other external network (reply from 10.0.1.254: destiation unreachable). The same goes from the Server2016 box; I can ping loopback, each VyOS interface, ESXi NIC, workstation, and pfSense, but I cannot ping the DC via IP or hostname (it at least resolves DC1 to the IP, but then gives request timed out), nor can I ping the internet.

I am pretty certain it's simply a/multiple configuration issues. I just simply have not been able to fix it/them yet. My VyOS config (screenshots as I am unable to copy/paste out of the environment) as well as DHCP and DNS config is below:

Any help is extremely appreciated!

You didn’t share your DHCP configuration, or any IPConfig of your network interfaces on the various machines in question, especially the default gateway info on all machines. You didn’t share the default gateway configuration nor routing tables of VyOS. It’s not possible to determine the problem without this critical information. — Appleoddity, Feb 15 '22 at 17:43
You definitely have more than one problem. But one fundamental issue is that your workstation probably uses 192.168.27.1 as its default gateway and is using default routing tables. Neither your workstation nor the pfSense box have any concept of where any of the 10.x networks are. This is fundamentally incorrect because the router (VyOS) should be at the center of the network with pfSense sitting alone, on one network segment and all the other systems sitting on different segments and all systems using VyOS as their default gateway. VyOS uses pfSense as its default gateway. — Appleoddity, Feb 15 '22 at 17:51
@Appleoddity yes, I missed some screenshots and duplicated one. I've updated the OP with the screenshot showing the static route in VyOS, the ipconfig info on the DC and server, and the basic dhcp setup. Reviewing the second comment, I believe I understand what you're saying. — sbagnato, Feb 15 '22 at 21:19
@Appleoddity My goal, and clearly it may be flawed, was to create a full lab network that is completely segmented from my home network. The lab would have a router and 3 internal subnets. I'd access it via the vmware esxi web console. Any web requests would be routed out of the lab network and through the pfsense physical box to the web. Pfsense provides the routing and dhcp for my home network, but I did not want it to provide anything to the lab other than a gateway to the internet. If the logic is flawed, please correct me as I want to learn the best and correct way to do this. — sbagnato, Feb 15 '22 at 21:20
Can you add the output of `route print` on your home workstation? And add a screenshot of your routing table on pfSense? I have some ideas but not everything is adding up. First, I think you do not have your NAT rule setup properly. I think you need to add `set nat source rule 10 source address '10.0.1.1-10.0.3.254'` for internet access to work. Next, I think you need to check the firewalls on your DC and Server2016 and turn them off temporarily, to test ping between them. Finally, you'll need to add an A record for Server2016 to DNS if you want it to resolve via DNS. — Appleoddity, Feb 16 '22 at 01:08
The Server2016 is not domain joined yet so it cannot dynamically add itself to the DNS records on the DC. You'll have to add it manually. Finally, Finally, because you are using NAT, you will be able reach the internet and ping devices on your home network from within the virtual networks. But, you will not be able to communicate the other way around without port forwarding rules. I am not a VyOs expert, and I was surprised to see it is no longer free to use. If any of this works I will add an official answer with more explanation. — Appleoddity, Feb 16 '22 at 01:09
@Appleoddity awesome call regarding the firewalls and A record. Ping is no longer an issue between the DC or server 2016 box. Regarding the NAT rule, I wanted to confirm, should I remove the NAT rule I had in there or just add the one you provided? Regarding the ability for my home network to reach the virtual network and vice versa, as long as I can access the vm's via esxi browser, I actually would rather keep everything else segmented. I can work on firewall rules later. Route screenshots as requested are added to bottom of OP. — sbagnato, Feb 16 '22 at 15:51
that is an additional command to run for the NAT. I think you missed that, but I’m not sure because if it wasn’t working then you shouldn’t be able to ping your workstation or pfSense without having made routing changes on those devices. I suspect that NAT is not happening. Therefore, you cannot get to the internet because pfSense doesn’t know or trust the 10.x.x.x IP addresses. Again, not an expert on VyOS. You might need to rebuild the NAT rule including the additional command I gave you. Or that might not be a valid command as presented. Not sure. — Appleoddity, Feb 16 '22 at 15:54
@Appleoddity yup you were right, adding that NAT rule allows both vm's to ping the internet. So, I "think" the entire issue as I presented it is resolved. — sbagnato, Feb 16 '22 at 18:37
Awesome. I added an answer detailing this information. I would appreciate it if you could accept it as an answer and up vote it. Thanks! — Appleoddity, Feb 16 '22 at 20:19

score 1 · Accepted Answer · answered Feb 16 '22 at 20:19

I'll take a stab at this. Multiple issues exist.

Why can you not get internet access? (i.e. ping 8.8.8.8)

It appears that your NAT configuration is not complete in VyOS. I'm not an expert in VyOS by any means. However, it appears you are supposed to also specify the source addresses to match in the NAT rule. In this case, I believe you need to add set nat source rule 10 source address '10.0.1.1-10.0.3.254'. Without this, the traffic does not match the NAT rule and therefore the traffic is not NAT'd when it egresses to your home network towards the pfSense box. In this case, pfSense will not have the appropriate routing table or appropriate trust to pass traffic from the virtual networks. NAT hides those addresses and makes all the traffic from the Virtual network appears as a single, trusted system on your home network. The drawback here is that the communication is one way. You can ping your workstation from within the virtual network, but your workstation will not be able to ping or connect to machines in the virtual network. Unless you establish appropriate port forwarding rules in VyOS.

Why can you not ping from the DC to the Server or vice-versa?

By default the Windows firewall is turned on and will block most of that traffic. Try turning off the Windows firewall for testing purposes. If this solves the issue, then add necessary exceptions to the firewall rules. Or, once you get your domain properly functioning, it is really easy to deploy standard firewall rules across all computers in the domain using Group Policy. For instance, you can allow ICMP Echo Request/Replies so that ping will work.

Why won't Server2016 resolve to the server's IP address?

Your current configuration does not show that you have an A record added to your DNS server that matches the Server2016 name. If this were a fully functioning AD domain, then systems that are part of the domain are typically allowed to add and update their own A records on the DNS server, so this process is automatic. However, because Server2016 is not yet joined to the domain, it does not have permission to add / update records on the DNS server. Thus, you must add it manually.

VyOS Configuration Issue

1 Answers1