When Syntax Errors Cause Nightmares
The problem with network upgrades is that we usually have an idea in our head of what a successful upgrade looks like, and we base our testing on it. I needed better connectivity and management of the routers linking two sites, and the upgrade itself went well. Internet access was confirmed, the upgraded speed was confirmed, and all exposed services worked.
Cue the "five minutes later" meme: random things started failing. The Microsoft Store wouldn't load, Minecraft wouldn't connect, and the Rockstar launcher complained about having no connectivity.
Everything else worked, though I did notice a strange interaction. When I accidentally entered the wrong IP to reach a local web page, the default NGINX welcome page was displayed instead. Odd, but I figured I'd just add it to the to-do list for a later date.
VyOS is a great project, but being a niche product it lacks the documentation and community discussion that pfSense and OPNsense enjoy. I'd even venture a guess that each individual component in VyOS, which is Linux based, has more documentation than VyOS itself, so finding the needle in the haystack when you run into issues is a problem.
For example, this is the portion of the config that caused all of these random issues.
######## Port 80 -> NGINX Reverse Proxy on core (.20) server
set nat destination rule 10 description 'Forward Port 80 to NGINX on core server'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'pppoe0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.10.20'
VyOS didn't throw any glaring errors when committing this config. It was only when I was tracing the traffic from a Windows desktop with nft that I noticed the mistake. The VyOS router was redirecting all HTTP (port 80) traffic to the local reverse proxy, regardless of where it came from or which interface it arrived on, which also explains the default NGINX page that appeared when I typed a wrong local IP.
Here is the corrected portion that brought sanity back to the network.
######## Port 80 -> NGINX Reverse Proxy on core (.20) server
set nat destination rule 10 description 'Forward Port 80 to NGINX on core server'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface name 'pppoe0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.10.20'
The inbound-interface was missing the 'name' component. That was it: one single word caused a lot of random failures. It also goes to show how many web sites and launchers still depend on plain HTTP to perform their initial handshakes.
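As an added check (example code written for this post, not the author's or the VyOS project's), here is a small Python linter over the `set` lines that flags the two defects visible in the broken rule: a destination NAT rule with no `inbound-interface name`, and a translation address that is not a valid IP. The sample config strings are constructed from the post's rule 10; running it against a saved `show configuration commands` dump before committing would catch the same mistake.

```python
import ipaddress
import shlex

# Constructed samples modelled on the post's rule 10 (not the author's real config).
BROKEN = """
set nat destination rule 10 description 'Forward Port 80 to NGINX on core server'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'pppoe0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.1268.10.20'
"""
FIXED = (BROKEN.replace("inbound-interface 'pppoe0'", "inbound-interface name 'pppoe0'")
               .replace("192.1268.10.20", "192.168.10.20"))


def parse_dnat_rules(config_text):
    """Group 'set nat destination rule N <path> <value>' lines into {N: {path: value}}."""
    rules = {}
    for line in config_text.splitlines():
        tokens = shlex.split(line)  # handles the quoted values VyOS prints
        if tokens[:4] != ["set", "nat", "destination", "rule"] or len(tokens) < 7:
            continue
        number = int(tokens[4])
        path = " ".join(tokens[5:-1])  # e.g. 'inbound-interface name'
        rules.setdefault(number, {})[path] = tokens[-1]
    return rules


def check_dnat_rule(number, fields):
    """Return findings for one rule; an empty list means the rule looks sane."""
    findings = []
    if "inbound-interface name" not in fields:
        # Without 'inbound-interface name' the rule is not scoped to an interface, so
        # TCP/80 from LAN clients is redirected too (the failure described in the post).
        findings.append(f"rule {number}: no 'inbound-interface name'; rule matches every interface")
    addr = fields.get("translation address")
    if addr is not None:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"rule {number}: translation address {addr!r} is not a valid IP")
    return findings


def lint_dnat(config_text):
    """Lint every destination NAT rule in a block of 'set' lines."""
    return [finding for number, fields in sorted(parse_dnat_rules(config_text).items())
            for finding in check_dnat_rule(number, fields)]


if __name__ == "__main__":
    for finding in lint_dnat(BROKEN):
        print(finding)
```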