ACL list Creation example

james.boden · March 26, 2024, 6:29pm

I downloaded the VYOS for Hyper V to generate a situation that is similar to a real world situation. I am trying to duplicate a router with the similar commands as that of the cisco router. I am looking for an ACL example to use. I looked at the documentation but it was not real clear on what to write. In the Cisco router, I am using an IP access-list extended ForNAT and the under it I am using a permit IP host 192.168.xx.xx any.
Example;
ip access-list extended ForNAT
10 permit ip host 192.168.xx.xx any

route-map NAT permit 10
match ip address ForNAT

Thank you for your time.

L0crian · March 26, 2024, 6:47pm

It’ll depend on what you’re trying to configure. If you were trying to configure NAT, the equivalent would be something like this:

set nat source rule 1000 destination address '0.0.0.0/0'
set nat source rule 1000 source address '192.168.0.1'

If you were trying to use it in a firewall rule, it would be something like this:

set firewall ipv4 forward filter rule 1000 destination address '0.0.0.0/0'
set firewall ipv4 forward filter rule 1000 source address '192.168.0.1'

Both configs would be for 1.4.

ginko · March 26, 2024, 9:33pm

Did you the access list topic in the documentation? Link for 1.4 is below:

https://docs.vyos.io/en/sagitta/configuration/policy/access-list.html

There are also prefix lists which permit a bit more control (Prefix List Policy — VyOS 1.5.x (circinus) documentation)

As an example for the one rule you mentioned it would actually require 3 commands (or 4 if you choose to add a description):

$ conf
set policy access-list 99 rule 10 source network 192.168.0.0/16
set policy access-list 99 rule 10 destination any
set policy access-list 99 rule 10 action permit

james.boden · April 1, 2024, 2:12pm

Ok. I am trying what you stated on this. Both are good pieces of information. Coming from a Cisco router stand point, this router is close, but still struggling in getting it all put together with the syntax. I have managed to get the router to route my traffic out from my test network, this is from both servers and my workstation. I now want to block the workstation from ever getting to the internet which would be close to what I have in my real world situation.
So taking into account that I am using V1.2.9 I am looking at the documentation and am not seeing access list but only firewall rules, but did try to do the access list that Ginko supplied but I must be missing something as to where I need to place the rule at. Meaning on the interfaces, I am assuming that it would be on the outside interface to allow all out except my workstation.

L0crian · April 1, 2024, 3:09pm

In VyOS, ACLs are not a general use object like you would see in Cisco. They are for route-filtering in routing protocols, since they allow for discontiguous matching.

VyOS just rolls the actions from ACLs directly into the syntax of what you’re doing. So that could be NAT, firewall, etc…, like I showed in my example. Those examples won’t be 1:1 for what you need due to version differences, but just lookup the VyOS documentation for firewall to see what you need to do.

james.boden · April 1, 2024, 3:27pm

Thank you for getting back to me quickly. I got NAT working just fine. The firewall /ACL is my main hold up. I basically need to deny everything coming from my internal network, basically everything stays inside. The only thing that goes out is the server. I will refer back to the documentation on firewalls and see if I can figure out how to deny everything except that of the server.