The purpose is to have Fusion’s SD-WAN provisioned in a private cloud then to connect PWANs to the Agg and use it as an Internet breakout while using only the public IP of a Vanilla Debian Bookworm instance.

https://hubandspoke.amastelek.com/how-sd-wan-private-wans-work-for-the-dummies

The first step is to install an Agg on a private cloud.

Here is the configuration for a private wan space:

ens224.900 is the interface connecting the space and ospf using managed VLANs. Any edge using the designated space via a PWAN will be able to use the CGNAT ability of the upstream breakout. Hundreds of edges can connected via spaces.

This displays a successful running configuration.

The following nft file needs to be created in nft-masquerade.nft and configured to run on startup.

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Masquerade traffic leaving via ens192
        oifname "ens192" masquerade
    }
}

To enable the rules on startup use this:

https://hubandspoke.amastelek.com/how-to-auto-load-nftables-masquerade-rules-at-boot-with-systemd-service

The crucial configuration you need on the vanilla Debian breakout is to enable forwarding:

https://hubandspoke.amastelek.com/how-to-enable-ip-forwarding-on-debian-12-bookworm

The next step is to have ospf running between the agg and the breakout.

https://hubandspoke.amastelek.com/implementing-ospf-on-openwrt

And that is it, surfs up!

👨‍💻Implementing a Vanilla Debian Breakout off an Agg🌐

Subscribe to my newsletter

Ronald Bartels

Ronald Bartels