Access-list problem firewall

Hello, as part of my work, I am trying to set up access-lists filtering the IPs that can connect to my VMs. So I established an access list as below:
set firewall name ACL-EXAMPLE
set firewall name ACL-EXAMPLE default-action drop
set firewall name ACL-EXAMPLE rule 10 action accept
set firewall name ACL-EXAMPLE rule 10 source address 10.35.0.0/24
set firewall name ACL-EXAMPLE rule 20 action accept
set firewall name ACL-EXAMPLE rule 20 source address 192.168.100.0/24
set firewall name ACL-EXAMPLE rule 30 action accept
set firewall name ACL-EXAMPLE rule 30 source address 192.168.0.0/24
set firewall name ACL-EXAMPLE rule 9999 action drop

However, as soon as I want to set it up on my eth1 interface with the command:

set interfaces ethernet eth1 firewall in name ACL-EXAMPLE

it gives me an error:

Configuration PATH: interfaces ethernet eth1 [firewall] is not valid Set failed

If anyone could help me that would be great.

It seems you are using VyOS version 1.4:
https://docs.vyos.io/en/latest/configuration/firewall/general.html#applying-a-rule-set-to-an-interface

Ok, thank you, just one more thing. After applying my access list on the interface I wanted to test whether it still worked with an unauthorized address in 172.0.0.0, and I realized that the connection continued to work. Do you see an error that could explain this? Besides, my eth1 interface is in NAT.

According to your rule-set, which you attached to eth1 using set firewall interface eth1 in name ACL-EXAMPLE, you are doing the following:

  • Default action drop.
  • eth1 in → This means that all traffic that the router receives on eth1, and whose destination is not the router itself, will match this ruleset.
  • So if a host with IP 172.x.x.x sends a packet, and it reaches the router on eth1, and it’s not for the router itself, it should be blocked.
  • NAT happens before this filtering, so order is important.

For information, I have two interfaces on VyOS: eth0, which bridges the PC connection, and eth1, which is connected to a NAT network to which the VMs are also connected. eth0 gets its address by DHCP, and eth1 has a static address that is the default gateway of the NAT network. So do you think that if I configure NAT before configuring the firewall, the access list will not work?

Draw a simple network diagram and provide the actual NAT and firewall rules.

AFAIK SNAT is performed after firewalling, so it is highly unlikely this is a NAT issue.
Only DNAT is done before, but that doesn’t alter source IPs, and those are used for matching.

Here is a complete list of all my commands accompanied by a diagram.

conf
set interface eth eth0 ip address dhcp
set interface eth eth0 description bridge
set interface eth eth1 ip address 192.168.100.254/24
set interface eth eth1 description NAT

The NAT provides DHCP for the VM network, with the gateway address being the IP of the VyOS eth1 interface.

set firewall name ACL-EXAMPLE
set firewall name ACL-EXAMPLE default-action drop
set firewall name ACL-EXAMPLE rule 10 action accept
set firewall name ACL-EXAMPLE rule 10 source address 10.35.0.0/24
set firewall name ACL-EXAMPLE rule 20 action accept
set firewall name ACL-EXAMPLE rule 20 source address 192.168.100.0/24
set firewall name ACL-EXAMPLE rule 30 action accept
set firewall name ACL-EXAMPLE rule 30 source address 192.168.0.0/24
set firewall name ACL-EXAMPLE rule 9999 action delete
set firewall interface eth1 in name ACL-EXAMPLE
set firewall interface eth1 out name ACL-EXAMPLE

NAT programming:
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 192.168.100.0
set nat source rule 10 translation address masquerade

There you go!
[network diagram image: VYOS]

So with such a configuration, connections started from an external host with IP 172.x.x.x reach the router on eth0, and the connection works fine, but you want this to be blocked?

That’s it. Do you have an idea?

Does your hypervisor vSwitch network also perform source NAT?
Moreover, it makes no sense to attach that ruleset in both directions on eth1. If a packet matches in the IN direction, the reply won’t in the OUT direction.
ACL_EXAMPLE_OUT should filter on those destination addresses, not source.
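Added worked example (not from any poster in this thread and not VyOS code): a small Python model of the evaluation order described in the two replies above, first-match rules with a default-action, the ingress interface's "in" ruleset, then the egress interface's "out" ruleset, and source NAT only after filtering. It reproduces the posted ACL-EXAMPLE and a destination-based ACL-EXAMPLE-OUT, and shows why binding the same source-based ruleset to eth1 out drops the reply to a VM's own connection. All addresses except the thread's 192.168.100.0/24 and 10.35.0.0/24 ranges are constructed (203.0.113.7 stands in for the DHCP address on eth0).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


@dataclass
class Packet:
    src: str        # source address as the filter sees it
    dst: str        # destination address
    in_iface: str   # interface the packet arrived on
    out_iface: str  # interface chosen by routing


@dataclass
class Rule:
    number: int
    action: str                        # "accept" or "drop"
    source: Optional[str] = None       # CIDR from 'source address ...'
    destination: Optional[str] = None  # CIDR from 'destination address ...'

    def matches(self, pkt: Packet) -> bool:
        if self.source and not in_net(pkt.src, self.source):
            return False
        if self.destination and not in_net(pkt.dst, self.destination):
            return False
        return True


@dataclass
class RuleSet:
    name: str
    default_action: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        # Rules are tried in ascending number; the first match decides,
        # otherwise default-action applies.
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(pkt):
                return rule.action
        return self.default_action


@dataclass
class Router:
    bindings: Dict[Tuple[str, str], RuleSet]  # (interface, "in"|"out") -> ruleset
    snat_out_iface: str                       # 'set nat source rule 10 outbound-interface'
    snat_source: str                          # '... source address'
    snat_address: str                         # address used for masquerade

    def forward(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, source address on the wire after the router)."""
        for iface, direction in ((pkt.in_iface, "in"), (pkt.out_iface, "out")):
            ruleset = self.bindings.get((iface, direction))
            if ruleset is not None and ruleset.evaluate(pkt) == "drop":
                return f"drop by {ruleset.name} ({iface} {direction})", pkt.src
        # Source NAT happens only now, so the rulesets above matched on the
        # original (pre-NAT) source address.
        src = pkt.src
        if pkt.out_iface == self.snat_out_iface and in_net(pkt.src, self.snat_source):
            src = self.snat_address
        return "accept", src


# Networks allowed by rules 10/20/30 of ACL-EXAMPLE in the thread.
ALLOWED = ["10.35.0.0/24", "192.168.100.0/24", "192.168.0.0/24"]

# Source-based ruleset as posted (rule 9999 is redundant with default-action drop).
ACL_EXAMPLE = RuleSet("ACL-EXAMPLE", "drop",
                      [Rule(10 * (i + 1), "accept", source=net) for i, net in enumerate(ALLOWED)]
                      + [Rule(9999, "drop")])

# Destination-based variant for the OUT direction, as the reply suggests.
ACL_EXAMPLE_OUT = RuleSet("ACL-EXAMPLE-OUT", "drop",
                          [Rule(10 * (i + 1), "accept", destination=net) for i, net in enumerate(ALLOWED)])

ROUTER_WAN = "203.0.113.7"  # constructed stand-in for the DHCP address on eth0


def router_as_posted() -> Router:
    # Same source-based ruleset bound to eth1 in AND eth1 out.
    return Router({("eth1", "in"): ACL_EXAMPLE, ("eth1", "out"): ACL_EXAMPLE},
                  "eth0", "192.168.100.0/24", ROUTER_WAN)


def router_as_suggested() -> Router:
    # Source-based ruleset on eth1 in, destination-based ruleset on eth1 out.
    return Router({("eth1", "in"): ACL_EXAMPLE, ("eth1", "out"): ACL_EXAMPLE_OUT},
                  "eth0", "192.168.100.0/24", ROUTER_WAN)


# Constructed sample flows (documentation-range addresses, not from the thread).
VM_TO_INTERNET = Packet("192.168.100.10", "198.51.100.20", "eth1", "eth0")
ROGUE_ON_VM_NET = Packet("172.16.0.5", "198.51.100.20", "eth1", "eth0")
# Reply to VM_TO_INTERNET; conntrack has already undone the SNAT, so the
# filter sees the VM as destination.
REPLY_TO_VM = Packet("198.51.100.20", "192.168.100.10", "eth0", "eth1")


if __name__ == "__main__":
    for label, router in (("as posted", router_as_posted()), ("as suggested", router_as_suggested())):
        print(f"--- {label} ---")
        for pkt in (VM_TO_INTERNET, ROGUE_ON_VM_NET, REPLY_TO_VM):
            verdict, src = router.forward(pkt)
            print(f"{pkt.src} -> {pkt.dst} ({pkt.in_iface} -> {pkt.out_iface}): {verdict}, leaves with src {src}")
```

Running it shows the VM's outbound packet accepted on eth1 in with its original source and only then masqueraded on eth0, the 172.16.0.5 packet dropped on eth1 in, and the reply dropped on eth1 out by the posted configuration but accepted once the OUT ruleset matches on destination instead.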

Thank you for your help. My VMware network cards are vmnet0, which bridges the PC connection, and vmnet1, which does NAT and DHCP for the VM network. I made the changes but it still doesn’t work. I have also tried setting my vmnet0 network card to bridge only to the network card I want. Therefore the addressing for eth0 was not done yet, but the internet goes through anyway.