Finally migrating an old router from Vyatta 6.3 to VyOS, and I am running into some problems.
Because of the 6.3 incompatibility, the VyOS configuration was rewritten by referring to the old VC config.boot and to the VyOS example.
The IPv6 configuration is probably not quite what it should be, but that is not the main problem I am having. When the new VyOS server is running, the internal network cannot reach any of the addresses in the CIDR block. In addition, the addresses in the CIDR block other than the gateway (.17), which were reachable from the Internet, became unreachable after about 8 hours. Rebooting into the old VC configuration showed none of these symptoms.
I would appreciate it if someone could look over the configuration and check whether there are some obvious problems I am missing.
Some basic settings:
Internal network: 10.2.0.0/24
External static IP: 123.234.234.207/27
External static gateway: 123.234.234.193
CIDR block (routed subnet): 123.123.123.16-31 /28
CIDR gateway: 123.123.123.17
Remote network: 192.168.0.0/24
And the actual configuration...
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-name WANFW {
        default-action drop
        description "Firewall to block incoming connections from IPv6 Tunnel"
        rule 5 {
            action accept
            description "Must be allowed or MTU discovery will break"
            icmpv6 {
                type packet-too-big
            }
            protocol icmpv6
        }
        rule 10 {
            action accept
            description "Allow ping replies"
            icmpv6 {
                type pong
            }
            protocol icmpv6
        }
        rule 15 {
            action accept
            description "May cause fragmentation issues otherwise"
            icmpv6 {
                type time-exceeded
            }
            protocol icmpv6
        }
        rule 20 {
            action accept
            description "Allow incoming IPSec"
            ipsec {
                match-ipsec
            }
        }
        rule 30 {
            action accept
            description "Allow established TCP connections"
            protocol tcp
            tcp {
                flags ACK
            }
        }
        rule 35 {
            action accept
            description "Allow stateless UDP"
            protocol udp
        }
        rule 40 {
            action accept
            description "Allow http calls"
            destination {
                port http,https
            }
            protocol tcp
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name OUTSIDE-IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description Murmur
            destination {
                address 10.2.0.70
                port 64738
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
    }
    name OUTSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 30 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
        rule 31 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            state {
                new enable
            }
        }
        rule 40 {
            action accept
            protocol esp
        }
        rule 41 {
            action accept
            destination {
                port 500
            }
            protocol udp
        }
        rule 42 {
            action accept
            destination {
                port 4500
            }
            protocol udp
        }
        rule 43 {
            action accept
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address 123.234.234.207/27
        description WAN
        duplex auto
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
        }
        hw-id 0a:2d:35:b5:4a:25
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 123.123.123.17/28
        description CIDR-Gateway
        dhcpv6-options {
            parameters-only
        }
        duplex auto
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
        }
        hw-id 4e:ca:69:29:f4:ce
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address 10.2.0.11/24
        address 2001:470::::11/64
        description LAN
        duplex auto
        hw-id ae:61:af:ca:71:59
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                default-preference high
                link-mtu 0
                managed-flag false
                max-interval 600
                other-config-flag true
                prefix 2001:470::::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    tunnel tun0 {
        address 2001:470::::2/64
        description "HE.NET IPv6 Tunnel"
        encapsulation sit
        local-ip 123.123.123.17
        multicast disable
        remote-ip 66.220.18.42
    }
}
nat {
    destination {
        rule 150 {
            description "Murmur Server"
            destination {
                port 64738
            }
            inbound-interface eth0
            protocol tcp_udp
            source {
                address 0.0.0.0/0
            }
            translation {
                address 10.2.0.70
                port 64738
            }
        }
    }
    source {
        rule 100 {
            destination {
                address !192.168.0.0/24
            }
            outbound-interface eth0
            source {
                address 10.2.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        interface-route6 ::/0 {
            next-hop-interface tun0 {
            }
        }
        route 0.0.0.0/0 {
            next-hop 123.234.234.193 {
            }
        }
    }
}
service {
    dhcpv6-server {
        shared-network-name workipv6 {
            subnet 2001:470::::/64 {
                domain-search work.local
                name-server 2001:4860:4860::8888
            }
        }
    }
    dns {
        forwarding {
            cache-size 0
            listen-on eth2
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    https {
        http-redirect disable
    }
    ssh {
        port 22
    }
}
system {
    gateway-address 123.234.234.193
    host-name miyuki
    name-server 8.8.8.8
    name-server 8.8.4.4
}
vpn {
    ipsec {
        esp-group work_esp {
            compression disable
            lifetime 28800
            mode tunnel
            pfs disable
            proposal 2 {
                encryption 3des
                hash sha1
            }
        }
        esp-group transmitter_esp {
            compression disable
            lifetime 28800
            mode tunnel
            pfs disable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group work_ike {
            dead-peer-detection {
                action clear
                interval 20
                timeout 60
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 2 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        ike-group transmitter_ike {
            dead-peer-detection {
                action clear
                interval 20
                timeout 60
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-traversal disable
        site-to-site {
            peer 210.210.210.128 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret Nope
                }
                connection-type initiate
                ike-group work_ike
                ikev2-reauth inherit
                local-address 123.234.234.207
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group work_esp
                    local {
                        prefix 10.2.0.0/24
                    }
                    remote {
                        prefix 192.168.0.0/24
                    }
                }
            }
        }
    }
}
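Added example, not part of the original post or of VyOS itself: a small parser for the brace-nested config.boot syntax used above, plus an audit pass that flags the legacy IPsec settings that appear in the posted vpn section (3DES, SHA-1, DH group 2 and PFS disabled). The SAMPLE excerpt and the function names are constructed for this example.

```python
import shlex

# Constructed excerpt in config.boot syntax (not the poster's full config).
SAMPLE = """\
vpn {
    ipsec {
        esp-group work_esp {
            pfs disable
            proposal 2 {
                encryption 3des
                hash sha1
            }
        }
    }
}
"""

def parse(text):
    """Nested dicts: 'name [value] {' opens a child keyed by that header line; a
    'name value' line is a leaf whose values collect in a list (two 'address' lines)."""
    root = node = {}
    stack = []
    lines = (shlex.split(line) for line in text.splitlines())  # keeps "quoted text"
    for toks in filter(None, lines):                            # skip blank lines
        if toks == ["}"]:
            node = stack.pop()
        elif toks[-1] == "{":
            stack.append(node)
            node = node.setdefault(" ".join(toks[:-1]), {})
        else:
            node.setdefault(toks[0], []).append(" ".join(toks[1:]))
    return root

# Settings a reviewer would flag in an IPsec deployment today.
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5", "sha1"},
          "dh-group": {"1", "2"}}   # 768/1024-bit MODP groups

def legacy_ipsec(cfg):
    """(group, proposal, setting, value) for each legacy choice, PFS-off included."""
    hits = []
    for group, body in cfg.get("vpn", {}).get("ipsec", {}).items():
        if group.startswith(("esp-group ", "ike-group ")):
            if body.get("pfs") == ["disable"]:
                hits.append((group, "-", "pfs", "disable"))
            for key, prop in body.items():
                if key.startswith("proposal "):
                    for setting, weak in LEGACY.items():
                        if set(prop.get(setting, [])) & weak:
                            hits.append((group, key, setting, prop[setting][0]))
    return hits
```

Run over the full configuration above, the same walk reports both esp-groups and both ike-groups.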