Network layout is here: https://imgur.com/a/psnGzvj
For purposes of testing, I'm redirecting traffic to 4.2.2.2 from the Fortigate FW to 192.168.99.1, the other side of the VPN gateway connector. I can confirm that traffic to 4.2.2.2 ceases once the PBR on the Fortigate is in place, so that's working. What I can't quite work out is the PBR and NAT necessary on the Edgerouter.
Here's the Edgerouter config:
firewall {
    all-ping enable
    broadcast-ping disable
    group {
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify PBR {
        rule 10 {
            action modify
            description Gateway_to_WAN
            modify {
                table 11
            }
            source {
                address 192.168.99.0/30
            }
        }
        rule 20 {
            action modify
            description User_to_VPN
            modify {
                table 12
            }
            source {
                address 192.168.10.0/24
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
        vif 99 {
            address 192.168.99.1/30
            description "VPN Connector"
            firewall {
                in {
                    modify PBR
                }
            }
        }
    }
}
protocols {
    static {
        bfd {
        }
        route 0.0.0.0/0 {
            next-hop 192.168.99.2 {
            }
        }
        table 11 {
            route 0.0.0.0/0 {
                next-hop 192.168.99.2 {
                }
            }
        }
        table 12 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
    }
}
service {
    dns {
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for PIA VPN"
            destination {
                group {
                }
            }
            log enable
            outbound-interface vtun0
            protocol all
            source {
                address 192.168.10.0/24
                group {
                }
            }
            type masquerade
        }
    }
}

I can confirm the tunnel builds itself fine; I can also confirm that pings and traces out the vtun0 interface (initiated from the VPN gateway) make it outside using the VPN and not the regular WAN, so I'm pretty sure this is a NAT/PBR problem. I have this set for 192.168.10.0 for testing since that's the subnet I'm on. Any ideas?
Better config formatting is here: https://www.reddit.com/r/homelab/comments/plpaz2/need_a_hand_with_policybased_routing_for_ubiquiti/
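Editor's note: the following is an added example, not code from the post above or from Ubiquiti. It models in plain Python the decision chain the EdgeRouter (Linux underneath) applies to the configuration above: the firewall modify ruleset marks a packet by source, the mark selects a routing table, the table is searched by longest prefix, and a marked packet whose table has no matching route is not dropped but falls through to the main table. The egress name eth1.99 (the Linux name for eth1 vif 99), the directly-connected /30 route, and the optional high-metric blackhole route in table 12 are assumptions made for the illustration; the sample packets are constructed.

```python
"""Constructed model of EdgeOS policy-based routing for the config above.

Added example, not the original poster's code. It reproduces what Linux does
on the EdgeRouter: firewall modify -> fwmark, ip rule -> table, longest-prefix
lookup, fall-through to main, then the masquerade decision of nat rule 5000.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

# firewall modify PBR from the post: the first matching rule wins.
# (rule number, source prefix, routing table the packet is marked for)
MODIFY_RULES = [
    (10, Net("192.168.99.0/30"), 11),   # Gateway_to_WAN
    (20, Net("192.168.10.0/24"), 12),   # User_to_VPN
]

USER_SUBNET = Net("192.168.10.0/24")    # source match of nat rule 5000


@dataclass(frozen=True)
class Route:
    prefix: Net
    dev: Optional[str]              # egress interface (None for blackhole)
    via: Optional[str] = None       # next-hop address; None for interface routes
    metric: int = 1
    blackhole: bool = False


def build_tables(vpn_up: bool, guard_table12: bool = False) -> dict:
    """Routing tables as the post's config produces them.

    The interface-route in table 12 exists only while vtun0 is up, which is
    what happens on the router when the OpenVPN tunnel drops. guard_table12
    adds an ASSUMED high-metric blackhole so table 12 fails closed instead.
    """
    wan = Route(Net("0.0.0.0/0"), "eth1.99", via="192.168.99.2")
    tables = {
        "main": [wan, Route(Net("192.168.99.0/30"), "eth1.99")],
        11: [wan],
        12: [],
    }
    if vpn_up:
        tables[12].append(Route(Net("0.0.0.0/0"), "vtun0"))
    if guard_table12:
        tables[12].append(Route(Net("0.0.0.0/0"), None, metric=254, blackhole=True))
    return tables


def mark_for(src) -> Optional[int]:
    """Evaluate the modify ruleset: table id of the first rule matching src."""
    src = ipaddress.IPv4Address(src)
    for _num, prefix, table in MODIFY_RULES:
        if src in prefix:
            return table
    return None


def lookup(table: list, dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    cands = [r for r in table if dst in r.prefix]
    if not cands:
        return None
    return max(cands, key=lambda r: (r.prefix.prefixlen, -r.metric))


def route_packet(src_s: str, dst_s: str, tables: dict) -> dict:
    """Return how a packet entering eth1.99 from src to dst would leave."""
    src, dst = ipaddress.IPv4Address(src_s), ipaddress.IPv4Address(dst_s)
    table_id = mark_for(src)
    # ip rule order: the fwmark rule first, then main. A marked packet whose
    # table has no matching route is NOT dropped; lookup continues in main.
    order = ([table_id] if table_id is not None else []) + ["main"]
    for tid in order:
        r = lookup(tables[tid], dst)
        if r is None:
            continue
        if r.blackhole:
            return {"table": tid, "dev": None, "via": None, "dropped": True, "snat": False}
        # nat rule 5000: masquerade only when leaving via vtun0 from the user subnet
        snat = r.dev == "vtun0" and src in USER_SUBNET
        return {"table": tid, "dev": r.dev, "via": r.via, "dropped": False, "snat": snat}
    return {"table": None, "dev": None, "via": None, "dropped": True, "snat": False}


if __name__ == "__main__":
    for up, guard in ((True, False), (False, False), (False, True)):
        print(f"vpn_up={up} guard={guard}:",
              route_packet("192.168.10.20", "4.2.2.2", build_tables(up, guard)))
```

With the tunnel up, a packet from 192.168.10.20 to 4.2.2.2 is marked by rule 20, leaves via vtun0 and is masqueraded, which is the intended path. With the tunnel down, table 12 is empty, the lookup falls through to main, and the same packet leaves eth1.99 towards 192.168.99.2 unencrypted and un-NATed; given the Fortigate's redirect described in the post, that is the one device that will hand it straight back. The guarded variant, an assumption for illustration, drops it instead, which is the fail-closed behaviour one normally wants for a VPN egress. On the router itself the corresponding state can be read with `ip rule show` and `ip route show table 12`.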