Linux VRF Aware SSH – Configuration Guide

azurelinux-networkingssh

I am trying to create a management vrf for a linux device (it is in Azure) which is on eth0, while using eth1 and eth2 as packet forwarding interfaces. So far using the Cumulus guides I am using this config:

sudo ip link add mgmt-vrf type vrf table 10
ip link set dev mgmt-vrf up
ip route add table 10 unreachable default metric 4278198272
sudo ip link set dev eth0 master mgmt-vrf
sudo ip route add table 10 0.0.0.0/0 dev eth0 via 10.40.255.1

I believe this should work, and I get sensible output:

ip -br link show vrf mgmt-vrf
eth0             UP             00:22:48:00:d4:8b <BROADCAST,MULTICAST,UP,LOWER_UP>

ip vrf show
Name              Table
-----------------------
mgmt-vrf            10

when I run a tcpdump, it's fairly obvious that SSH isn't responding:

sudo tcpdump -i eth0 !(port 80 or 53) -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:17:56.843175 IP 10.26.0.112.55756 > 10.40.255.4.22: Flags [S], seq 782432837, win 64960, options [nop,wscale 8,nop,nop,sackOK], length 0
11:17:58.011786 ARP, Request who-has 10.40.255.1 tell 10.40.255.4, length 28
11:17:58.012169 ARP, Reply 10.40.255.1 is-at 12:34:56:78:9a:bc, length 28
11:17:59.956102 IP 10.26.0.112.55756 > 10.40.255.4.22: Flags [S], seq 782432837, win 64960, options [nop,wscale 8,nop,nop,sackOK], length 0
11:18:05.845234 IP 10.26.0.112.55756 > 10.40.255.4.22: Flags [S], seq 782432837, win 64960, options [nop,wscale 8,nop,nop,sackOK], length 0

As I understand it, VRF isn't a network namespace, so I can't run SSH under the namespace. also I've run the following:

sudo sysctl -w net.ipv4.tcp_l3mdev_accept=1
sudo sysctl -w net.ipv4.udp_l3mdev_accept=1

But still no joy. Thanks for help

EDIT

ip -4 r ls table 10
unreachable default
10.26.0.0/21 via 10.40.255.1 dev eth0
broadcast 10.40.255.0 dev eth0 proto kernel scope link src 10.40.255.4
10.40.255.0/24 dev eth0 proto kernel scope link src 10.40.255.4
local 10.40.255.4 dev eth0 proto kernel scope host src 10.40.255.4
broadcast 10.40.255.255 dev eth0 proto kernel scope link src 10.40.255.4

ip route get 10.40.255.4 from 10.26.0.112 iif eth0
local 10.40.255.4 from 10.26.0.112 dev mgmt-vrf table 10
    cache <local> iif eth0

ip route get 10.26.0.112 from 10.40.255.4
10.26.0.112 from 10.40.255.4 via 10.40.0.1 dev eth1 uid 1000
    cache

ip route get 10.26.0.1 from 10.40.255.4 vrf mgmt-vrf
10.26.0.1 from 10.40.255.4 via 10.40.255.1 dev eth0 table 10 uid 1000
    cache

In addition the tcpdump is no longer resolving the host IP address and I am unable to ping the local interface, almost as if the services are no longer available in this VRF and the sysctl mdev commands had no effect. Hope this helps

Best Answer

thanks for the help I managed to crack the issue

I have IPtables configured to accept INPUT on the eth0 mgmt-vrf interface as per:

sudo iptables -L -v
136M ACCEPT     all  --  eth0   any     anywhere             anywhere

this does reference the slave device, but on here: https://www.kernel.org/doc/Documentation/networking/vrf.txt

I found that you also need to reference the master device, so added the rule

sudo iptables -A INPUT -i mgmt-vrf -j ACCEPT

This fixed the issue for me

Thanks for all your help - helped nudge me in the right direction

Related Solutions

SSH and OpenVPN – Allowing SSH on a Server with an Active OpenVPN Client

I'm having a similar issue to this and have been attempting the fix described in this forum post.

The idea is that currently when you connect to your public IP address, the return packets are being routed over the VPN. You need to force these packets to be routed over your public interface.

These route commands will hopefully do the trick:

ip rule add from x.x.x.x table 128

ip route add table 128 to y.y.y.y/y dev ethX

ip route add table 128 default via z.z.z.z

Where x.x.x.x is your public IP, y.y.y.y/y should be the subnet of your public IP address, ethX should be your public Ethernet interface, and z.z.z.z should be the default gateway.

Note that this hasn't worked for me (using Debian and PrivateInternetAccess) but may help you out.

Linux – How to configure dual homed server in order for both network segments to communicate

There are two problems with this setup:

The hosts on LAN1 know nothing about the LAN2 segment. When you ping a host on LAN1 (let's call it host1) from SRV-02, the packet will be routed through SRV-01 and will reach host1. However, host1 will send the reply to it's default gateway (ISP router) as it doesn't have a specific route to LAN2. (The ISP router will either a) also send it to it's default gateway as it also doesn't know about LAN2, or b) drop the packet as it comes from an unknown source not it's local LAN.)
When trying to reach WAN from LAN2, the packets will be routed through SRV-02 to ISP router where two situations are possible:
- The router will not NAT translate the packet as the source of the packet (LAN2) is not it's local LAN (this is the more probable situation), or
- The router will NAT translate the packet and send it to the Internet. However, when the reply comes and the destination is translated back to the LAN2 address, the packet will not be delivered as the ISP router doesn't have a route for that network. The packet will be sent incorrectly to the default gateway (ISP).

These issues could be fixed by adding a static route to LAN2 to ISP router and adding a source NAT configuration for LAN2 on SRV-01. However, that is not possible due to no admin access to the ISP router.

There are two solutions that get around it:

A. Make SRV-01 a full router for LAN1 and LAN2 hosts

Add another network adapter to SRV-01 (making it 3 in total)
Change the topology as follows:

WAN -> ISP router -> LAN1 -> SRV-01 +-> LAN3 (for hosts originally in LAN1)
                                    +-> LAN2 -> SRV-02

Basically, we're making SRV-01 a router for both LAN segments.

This will require moving hosts originally in LAN1 to a new subnet LAN3 - let's say we use 10.0.1.0/24
The network configuration of SRV-01 will need to be changed as follows:

/etc/network/interfaces:

# LAN1 - to ISP router
auto eth0
iface eth0 inet dhcp
# we can even use dhcp as the IP address is not really important
# - there are no more hosts on LAN1 apart from ISP router and SRV-01

# LAN3 - for hosts originally in LAN1
iface eth1
    address 10.0.1.1
    netmask 255.255.255.0

# LAN2
iface eth2
    address 10.0.2.1
    netmask 255.255.255.0

iptables rules to make WAN access work:

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j MASQUERADE

Alternatively, if you choose to keep the static IP address on SRV-01 on eth0 the rules could be changed (although MASQUERADE would still work):

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24 -j SNAT --to-source 192.168.5.8
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j SNAT --to-source 192.168.5.8

DHCP will need to be configured on SRV-01 on eth1 (LAN3, for hosts originally on LAN1), and possibly on eth2 (LAN2) as well if required. (In both cases the gateway will be the local address of eth1 or eth2 respectively, but that goes without saying :)

This will make communication possible between LAN3 and LAN2 (via SRV-01 which is the default gateway for both). WAN access will also work from both LAN3 and LAN2 thanks to the double source NAT.

B. Make SRV-01 a DHCP server for LAN1

This approach is not as clean as above but is slightly simpler. It assumes you are able to disable DHCP on ISP router

Disable DHCP on ISP router
Set up DHCP for LAN1 on SRV-01 and make SRV-01 (192.168.5.8) the default gateway for LAN1
Set up source NAT translation for LAN2 on SRV-01 so that the WAN access works from LAN2:

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 -d 192.168.5.4 -j SNAT --to-source 192.168.5.8
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 ! -d 192.168.5.0/24 -j SNAT --to-source 192.168.5.8

The first line enables SNAT so that LAN2 hosts can access the ISP router itself and the second line disables SNAT for LAN2-LAN1 access.

Again, this approach is not as clean as the one above as there are two routers in the same subnet (SRV-01, ISP router). When I used this approach myself I noticed my second router (SRV-01 in this scenario) would send ICMP redirects to the ISP router as it would see that the client (host on LAN1) and the upstream router (ISP router) are on the same LAN. This might not be desired as network policies implemented on SRV-01 could be circumvented.

Hope that helps.

EDIT

Best Answer

Related Solutions

SSH and OpenVPN – Allowing SSH on a Server with an Active OpenVPN Client

Linux – How to configure dual homed server in order for both network segments to communicate

Related Topic