A couple of questions about NAT and zones (and CAKE)

Two questions:

1.: Where does traffic originate from, from the perspective of zones, once DNAT has been applied? I.e. what set of firewalls is applied when I have traffic coming in on WAN which is DNATed to an internal IP on LAN?

The reason I’m asking is that it seems like I did not have to apply any firewall rules to allow the traffic, even though my from WAN rules for both LAN and LOCAL are default drop.

2.: What happens when multiple firewalls are applied to the same zone pair? Example: LAN from WAN has two different firewalls applied.

Are they merged or are they applied in some kind of order?

And here is a third bonus question: Does anyone know if there is any documentation on how to apply CAKE?


re 1: The zones only look at the ingress and egress interface. So if the ingress interface is in the WAN zone and the egress interface is in the LAN zone, the rule specified at zone LAN from WAN firewall name <name> is applied.
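As an added illustration of the answer above (not part of the original thread, and not the poster's configuration), here is a minimal VyOS zone-policy setup with a DNAT rule. Interface names, the 192.168.1.10 host, port 443 and the WAN-TO-LAN ruleset name are assumed; the syntax is the 1.2/1.3-style `set` command form. DNAT is applied before the routing decision, so the egress interface is the LAN one and the LAN-from-WAN ruleset is what the forwarded packet hits; that ruleset also sees the already-translated destination address, which is why its accept rule matches on the internal IP rather than the public one.

```vyos
# zone membership: only ingress/egress interface decides the zone pair (assumed interface names)
set zone-policy zone WAN interface eth0
set zone-policy zone LAN interface eth1
set zone-policy zone LAN default-action drop
set zone-policy zone WAN default-action drop

# DNAT: public :443 on eth0 -> 192.168.1.10 (assumed internal host)
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 destination port 443
set nat destination rule 10 translation address 192.168.1.10

# ruleset applied to the LAN-from-WAN zone pair; matches the post-DNAT destination
set firewall name WAN-TO-LAN default-action drop
set firewall name WAN-TO-LAN rule 5 action accept
set firewall name WAN-TO-LAN rule 5 state established enable
set firewall name WAN-TO-LAN rule 5 state related enable
set firewall name WAN-TO-LAN rule 10 action accept
set firewall name WAN-TO-LAN rule 10 protocol tcp
set firewall name WAN-TO-LAN rule 10 destination address 192.168.1.10
set firewall name WAN-TO-LAN rule 10 destination port 443

set zone-policy zone LAN from WAN firewall name WAN-TO-LAN

# check which ruleset actually counted the DNATed packets:
#   show firewall name WAN-TO-LAN statistics
```

With the default-action drop in place, the counters on rule 10 (and the ruleset's default-action counter) are the quickest way to confirm that DNATed traffic is really being evaluated by the LAN-from-WAN ruleset and is not slipping through somewhere else.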

re 2: no idea, I’ve never tried that.

On the bonus one:

VyOS does not support CAKE, but you can have very similar results to CAKE by using HTB+FQ-CoDel. You can do so by embedding an FQ-CoDel queue into a Shaper policy.
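An added example of what that looks like in configuration (not from the original thread): a Shaper policy (HTB underneath) whose default class uses an FQ-CoDel queue, attached outbound on the WAN interface. The 1.2/1.3-style syntax, the eth0 interface name, the 95mbit rate (set slightly below the assumed 100 Mbit/s link so the shaper, not the upstream modem, holds the queue) and the policy name are assumptions.

```vyos
# shaper policy: HTB with one default class queued by FQ-CoDel (assumed name and rate)
set traffic-policy shaper WAN-OUT bandwidth 95mbit
set traffic-policy shaper WAN-OUT default bandwidth 100%
set traffic-policy shaper WAN-OUT default queue-type fq-codel

# apply it to egress on the WAN interface (assumed interface name)
set interfaces ethernet eth0 traffic-policy out WAN-OUT

# verify the resulting qdisc tree after commit:
#   show queueing ethernet eth0
```

Keeping the shaper rate a few percent under the real link rate is what makes the FQ-CoDel queue effective: if the policy rate exceeds the link, packets queue in the upstream device instead and the CoDel logic never sees the latency it is supposed to control.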