I tried to set up a service etc on nfconsole.io but it is not straightforward for me regarding our use case. What we need from our side is to assign an IP to the external interface of our VyOS virtual router so that it is reachable from other virtual routers in other domains (which will ideally be configured in a similar manner) as in a VPN. This would replace the use of a public static IP on this virtual router interface.
In order to create an initial test of this I have created two VMs locally on my laptop and downloaded ziti-edge-tunnel, but I am not sure how to configure these on nfconsole.io so that one VM can ping the VPN IP on the other VM (initially without running VyOS).
How to solve?
Hi,
PING is not allowed / doesn’t work in a NetFoundry zero trust network since it violates our zero trust principle of blocking all inbound connections.
It would be great if you can share a diagram with details of what you are trying to achieve (other than PING) to be able to help you better.
Yes, some diagrams might be more helpful.
The first diagram attached (vyos_diagram.jpg) shows what we have tested so far regarding our DMVPN connectivity. We have 3 main VyOS routers (VyOS-Spoke1, VyOS-Spoke2 and VyOS-Hub) that participate in the DMVPN. In our test we emulated the Internet with another virtual router that provided static “public” IPs to the external interfaces of the 3 routers. These IPs are necessary for DMVPN to be deployed via the VyOS routers. Since using the public IPs of the private cloud infrastructure we want to use is not possible, we need something else to provide us with this capability and we thought that OpenZiti can do this, i.e., allow the use of an IP on the external interface of VyOS that will be part of an overlay network where other VyOS routers are connected in a similar manner.
I attach another image with two very simple diagrams. The first one is what I wanted to test with two Ubuntu VMs, but since ping won’t work, I’m not sure how to test at least the first diagram. Perhaps we can go and directly connect two VyOS VMs. VyOS is a Debian-based OS, so I guess we can install OpenZiti in there as well and try things out.
Based on the 1st vyos_diagram.jpg, do you think what we are looking for is possible with OpenZiti?
Note: I think the answer is below; it would be great to hear your thoughts.
I think in the scenario you describe it can be easily solved. The NetFoundry fabric is made up of hosted OpenZiti edge routers (or fabric routers). These have a public IP (see diagram below) and this can easily be extracted via the NetFoundry console (see below), (1) Networks > (2) three dots on far right > (3) Network Firewall Info.
I would like to understand the business use case or problem we are trying to address via NetFoundry. NetFoundry can replace the VyOS routers in this setup and let PC 1 and PC 2 talk to each other between spoke 1 and spoke 2. That’s the purpose of our platform and solution. We can do this without the need for static public IPs on the routers with zero trust networking. Adding a tunnel on top of a router isn’t the best approach for the problem you are trying to solve w.r.t. IP addressing.
My second diagram was probably more confusing than helpful. I attach a better version that hopefully illustrates my question better. As you can see in this one, the VyOS router requires a static IP reachable from routers in other domains, e.g. VMs with VyOS routers on other servers (we won’t require many other domains, only 3-4). My question is how this can be enabled by OpenZiti; I assumed a tunnel, but maybe it can be something else I don’t know about (hence the question marks in the box interfaced with the VyOS router in the diagram).
Thank you and sorry for the confusion.
Assuming the VyOS router is needed for other reasons, would source transparency be able to solve this challenge?
Source transparency is only supported between edge router (ingress ER) and edge router (egress ER). Source transparency will not work if we use a ziti-edge-tunnel.
Enabling source transparency allows the source IP of the device to be visible at the destination app or host. With it disabled, the source IP is NATted to the IP of the egress router or endpoint.
For your reference: https://support.netfoundry.io/hc/en-us/articles/8339804868237-How-Service-Source-Transparency-Works
Thanks Girish. The PC behind each VyOS router in the image is a simplification we did in a GNS3 emulation. The purpose of the VyOS router is to support multiple VLANs from different VMs attached to it, and the data would be relayed to VMs on networks of a different domain.
By the way, the reason we want to simply interface VyOS with OpenZiti is because we have already set up VyOS to accommodate the network services (the VM networks) we want to deploy over the different domains and we are looking for a quick solution (but not the best) to overcome the restriction of not having available public IPs for DMVPN to use.
This is due to an upcoming deadline. Of course, if replacing VyOS is something quick and easy, then we can discuss this in the call.