VTI as default gateway?

rcfa · Feb 8, 2024, 11:52 AM

Simple question: if I use a VTI as default gateway, is the system smart enough to notice that obviously it can't route the tunnel over the tunnel, or is the system designed to just route nets other than the one over which the tunnel is transported?

In short, I don't want to saw off the branch I'm sitting on, so to speak... (hence I ask rather than try it out, I might not get into my remote system anymore if it doesn't work...)

If this does work, there's a follow-up question:

I have a DMZ/Guest-LAN, which with NAT I want to send out the WAN interface
Then I have the LAN, which without NAT I want to send out the VTI interface.

Is there an easy way to define default gateways based on the traffic origin, or do I have to essentially double (quadruple actually, due to the inability to use IPv4+IPv6 rules) all my FW rules such that for each passing rule I have a version based on source with policy routing to the appropriate GW?

rcfa · Feb 10, 2024, 5:35 PM

@rcfa Hm, would have thought someone would be able to give a simple answer to at least the first question... Anyone?

bitvoip · Oct 10, 2024, 3:38 PM

@rcfa You can set a VTI interface as default gateway and route all internet traffic tru it. I have tested this and it works. However I found that some websites will not load AT ALL. Gmail and Youtube to be specific. I am working on finding out why is this. If I cant I will have to reach out to Netgate support as these are Netgate hardware appliances I am using.

rcfa · Oct 10, 2024, 7:36 PM

@bitvoip Thanks! This is (almost) great news!
Please let us/me know how the matter with Gmail/YouTube pans out...

bitvoip · Oct 10, 2024, 9:13 PM

@rcfa I think my issue might have something to do with the NAT-ing. I will post as soon as I have a resolution.

rcfa · Oct 13, 2024, 1:34 PM

@bitvoip If it’s NAT, that wouldn’t be a problem for me, because the "private" net is actually a publicly routed IP block. I use the VPN to be able to use an ISP that can’t/won’t route my assigned address block, and thus be able to switch ISPs and location without major ordeal. In essence, I use the VPN as a flexible routing solution, by having my endpoint at some colocation provider...

bitvoip · Oct 24, 2024, 3:53 AM

@rcfa I have reached out to Netgate support for this and they said my "issue" is not covered by the Tac Lite support that comes with the Netgate appliances. I'm sure this is an easy fix for their engineers, but I have to buy a support plan if I want them to look into this. After buying a $700 appliance I'm not ready to buy $400 support for a single issue.

rcfa · Oct 27, 2024, 4:32 PM

@bitvoip I’d just submit a bug report in that case…
…costs nothing and ensures it’s on the radar of the developers.