Finally getting around to migrating an old router from Vyatta 6.3 to VyOS and am having some issues.
Because the 6.3 config.boot is not compatible with VyOS, the configuration was rewritten by hand, using the old VC config.boot and the VyOS example config as references.
The IPv6 configuration probably isn't quite what it should be, but that's not the primary issue I'm having. When the new VyOS server is running, the internal network can't reach any of the addresses in the CIDR block. Further, the addresses in the CIDR block other than the gateway (.17), which were initially reachable from the internet, became unreachable after around 8 hours. Rebooting into the old VC config didn't show any of these symptoms.
I'd appreciate it if someone could look over the config and check whether there are any obvious issues I'm missing.
Some basic config:
Internal network 10.2.0.0/24
External Static IP: 123.234.234.207/27
External Static Gateway: 123.234.234.193
CIDR Block (routed subnet): 123.123.123.16/28 (.16–.31)
CIDR Gateway: 123.123.123.17
Remote Network: 192.168.0.0/24
And the actual config...
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    /* NOTE(review): WANFW is defined but no interface in this config attaches it
       (tun0 below has no firewall node), so as written it filters nothing.
       The IPv6 default route goes out tun0, so LAN IPv6 hosts are reachable
       from the tunnel unfiltered — confirm this is intended. */
    ipv6-name WANFW {
        default-action drop
        description "Firewall to block incoming connections from IPv6 Tunnel"
        rule 5 {
            action accept
            description "Must be allowed or MTU discovery will break"
            icmpv6 {
                type packet-too-big
            }
            protocol icmpv6
        }
        rule 10 {
            action accept
            description "Allow ping replies"
            icmpv6 {
                type pong
            }
            protocol icmpv6
        }
        rule 15 {
            action accept
            description "May cause fragmentation issues otherwise"
            icmpv6 {
                type time-exceeded
            }
            protocol icmpv6
        }
        rule 20 {
            action accept
            description "Allow incoming IPSec"
            ipsec {
                match-ipsec
            }
        }
        /* Matches on the ACK bit only; this is not a connection-state check
           (compare OUTSIDE-IN rule 10, which uses state established/related). */
        rule 30 {
            action accept
            description "Allow established TCP connections"
            protocol tcp
            tcp {
                flags ACK
            }
        }
        /* Accepts every inbound UDP datagram, any source, any port. */
        rule 35 {
            action accept
            description "Allow stateless UDP"
            protocol udp
        }
        /* Accepts TCP to 80/443 from any source. */
        rule 40 {
            action accept
            description "Allow http calls"
            destination {
                port http,https
            }
            protocol tcp
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Transit rule set for eth0 and eth1 (applied as "in" on both). */
    name OUTSIDE-IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* Pairs with nat destination rule 150, which is bound to eth0 only;
           on eth1 this rule has no matching DNAT. */
        rule 20 {
            action accept
            description Murmur
            destination {
                address 10.2.0.70
                port 64738
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
    }
    /* Router-bound rule set for eth0 and eth1. eth2 has no local firewall,
       so LAN hosts reach the ssh/dns/https services without these rules. */
    name OUTSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        /* Rate limit: new SSH connections beyond 4 in 60 s from a source are
           dropped here; rule 31 accepts the rest. SSH is therefore open to the
           internet on eth0 and eth1 (service ssh port 22 below). */
        rule 30 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
        rule 31 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            state {
                new enable
            }
        }
        /* IPsec: ESP, IKE (500), NAT-T (4500), and L2TP (1701) only inside IPsec. */
        rule 40 {
            action accept
            protocol esp
        }
        rule 41 {
            action accept
            destination {
                port 500
            }
            protocol udp
        }
        rule 42 {
            action accept
            destination {
                port 4500
            }
            protocol udp
        }
        rule 43 {
            action accept
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path validation is off, so packets with a source
       address that is not routable back via the ingress interface are not
       dropped — TODO confirm this is actually needed for this topology. */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    /* WAN uplink; SNAT (rule 100), DNAT (rule 150) and the IPsec local-address
       are all tied to this interface. */
    ethernet eth0 {
        address 123.234.234.207/27
        description WAN
        duplex auto
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
        }
        hw-id 0a:2d:35:b5:4a:25
        smp_affinity auto
        speed auto
    }
    /* Gateway (.17) for the routed /28. Traffic from 10.2.0.0/24 to this
       subnet leaves here un-NATed (nat source rule 100 is bound to eth0
       only), so hosts in the /28 must route replies for 10.2.0.0/24 back via
       .17 — TODO confirm. No "out" firewall is applied on this interface. */
    ethernet eth1 {
        address 123.123.123.17/28
        description CIDR-Gateway
        dhcpv6-options {
            parameters-only
        }
        duplex auto
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
        }
        hw-id 4e:ca:69:29:f4:ce
        smp_affinity auto
        speed auto
    }
    /* LAN; no firewall attached in either direction. */
    ethernet eth2 {
        address 10.2.0.11/24
        /* NOTE(review): "::::" is not valid IPv6 syntax; presumably a
           redaction artifact in the post (same for the prefix, tun0 and the
           dhcpv6-server subnet below). Verify the real values. */
        address 2001:470::::11/64
        description LAN
        duplex auto
        hw-id ae:61:af:ca:71:59
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                default-preference high
                link-mtu 0
                managed-flag false
                max-interval 600
                other-config-flag true
                prefix 2001:470::::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    /* 6in4 tunnel; local-ip is eth1's address, not eth0's. No firewall node
       here, so WANFW (defined above) is never applied to tunnel traffic. */
    tunnel tun0 {
        address 2001:470::::2/64
        description "HE.NET IPv6 Tunnel"
        encapsulation sit
        local-ip 123.123.123.17
        multicast disable
        remote-ip 66.220.18.42
    }
}
nat {
    destination {
        /* Port-forward 64738/tcp+udp arriving on eth0 to the Murmur host. */
        rule 150 {
            description "Murmur Server"
            destination {
                port 64738
            }
            inbound-interface eth0
            protocol tcp_udp
            source {
                address 0.0.0.0/0
            }
            translation {
                address 10.2.0.70
                port 64738
            }
        }
    }
    source {
        /* Masquerade LAN out eth0, except toward the IPsec remote prefix. */
        rule 100 {
            destination {
                address !192.168.0.0/24
            }
            outbound-interface eth0
            source {
                address 10.2.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        /* IPv6 default goes out the tunnel; IPv4 default to the ISP gateway. */
        interface-route6 ::/0 {
            next-hop-interface tun0 {
            }
        }
        route 0.0.0.0/0 {
            next-hop 123.234.234.193 {
            }
        }
    }
}
service {
    dhcpv6-server {
        shared-network-name workipv6 {
            subnet 2001:470::::/64 {
                domain-search work.local
                name-server 2001:4860:4860::8888
            }
        }
    }
    /* Resolver listens on the LAN interface only. */
    dns {
        forwarding {
            cache-size 0
            listen-on eth2
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    https {
        http-redirect disable
    }
    ssh {
        port 22
    }
}
system {
    gateway-address 123.234.234.193
    host-name miyuki
    name-server 8.8.8.8
    name-server 8.8.4.4
}
vpn {
    ipsec {
        /* NOTE(review): 3DES + SHA-1 with PFS disabled (and IKEv1 / DH group 2
           in the ike-groups) are legacy parameters, presumably carried over
           from the 6.3 config; keep them only if the peer cannot negotiate
           AES, SHA-2, a larger DH group and PFS. */
        esp-group work_esp {
            compression disable
            lifetime 28800
            mode tunnel
            pfs disable
            proposal 2 {
                encryption 3des
                hash sha1
            }
        }
        /* Not referenced by any site-to-site peer in this config. */
        esp-group transmitter_esp {
            compression disable
            lifetime 28800
            mode tunnel
            pfs disable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group work_ike {
            dead-peer-detection {
                action clear
                interval 20
                timeout 60
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 2 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        /* Not referenced by any site-to-site peer in this config. */
        ike-group transmitter_ike {
            dead-peer-detection {
                action clear
                interval 20
                timeout 60
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        /* Both endpoints use public addresses below; confirm the peer is not
           behind NAT before leaving NAT-T off. */
        nat-traversal disable
        site-to-site {
            peer 210.210.210.128 {
                authentication {
                    mode pre-shared-secret
                    /* Presumably redacted for the post. */
                    pre-shared-secret Nope
                }
                connection-type initiate
                ike-group work_ike
                ikev2-reauth inherit
                local-address 123.234.234.207
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group work_esp
                    local {
                        prefix 10.2.0.0/24
                    }
                    remote {
                        prefix 192.168.0.0/24
                    }
                }
            }
        }
    }
}