Allow traffic from INT to DMZ

Hi!

I set up a firewall with VyOS 1.1.8 stable, 3 zones: WAN (load-balanced links from 2 ISPs), DMZ (192.168.1.x) and Internal zone (192.168.0.x).
Load balancing and DNAT from WAN to DMZ seem to work fine. However, I have trouble routing traffic between DMZ and Internal zone.

set firewall name INT_TO_DMZ default-action accept
set zone-policy zone DMZ from INT firewall name INT_TO_DMZ

Traffic from INT to DMZ is still blocked completely.

vyos@vyos# show zone-policy
zone DMZ {
    from INT {
        firewall {
            name INT_TO_DMZ
        }
    }
    interface eth2
}
zone INT {
    interface eth3
}

vyos@vyos# show firewall name INT_TO_DMZ
default-action accept

How to fix this?
Thanks in advance.

Are you having issues routing or with the firewall? By default there is no firewall and routing should work fine. Can you confirm this works as expected?

Routing works fine between WAN <-> LAN and WAN <-> DMZ.
However, I couldn’t manage to get any traffic between LAN <-> DMZ.

Right. What I am saying is that in its default configuration, after you add IP addresses/subnets to the interfaces, routing works fine. So, is this an issue with your firewall rules? By default there is no firewall blocking the routes.

I am trying to get you to isolate where the issue lies: routing or firewall?

The issue is routing; even without a firewall there is no traffic between LAN <-> DMZ.

Should I use RIP, and then restrict certain protocols/ports with the zone-based firewall?

set protocols rip network 192.168.0.0/24
set protocols rip network 192.168.1.0/24
set protocols rip redistribute connected

Hi,

I’m still struggling with that issue. I removed ALL firewall rules, still no traffic between 192.168.0.x and 192.168.1.x.
It seems like there is no routing between these 2 nets.

With shorewall and SuSEfirewall I didn’t have a similar problem with routing between these subnets.

RIP removed, it’s not appropriate here.

How to fix this?
Thanks in advance.

Please share your sanitized config.

I have tried stating it several times, but you obviously have something configured incorrectly, because BY DEFAULT, the different interfaces will route between each other.

I discarded everything I did before and started with a clean install from scratch.
Only the interfaces are up, with WAN load balancing and NAT from LAN and DMZ, nothing else.
eth0 - wan1, eth1 - wan2, eth2 - DMZ, eth3 - LAN

PS. I had to replace TABs with underscores to make config readable, otherwise forum software removes leading spaces and tabs.

vyos@vyos# run show configuration 
    interfaces {
        ethernet eth0 {
            address xx.xx.xx.wan1/24
            description INTF_LTC1
            duplex auto
            hw-id 52:54:00:a3:ac:8f
            smp_affinity auto
            speed auto
        }
        ethernet eth1 {
            address xx.xx.xx.ip2/24
            description INTF_BTC2
            duplex auto
            hw-id 52:54:00:16:37:8c
            smp_affinity auto
            speed auto
        }
        ethernet eth2 {
            address 192.168.1.1/24
            description INTF_DMZ
            duplex auto
            hw-id 52:54:00:24:2c:e7
            smp_affinity auto
            speed auto
        }
        ethernet eth3 {
            address 192.168.0.1/24
            description INTF_LOCAL_NET
            duplex auto
            hw-id 52:54:00:e3:b1:35
            smp_affinity auto
            speed auto
        }
        loopback lo {
        }
    }
    load-balancing {
        wan {
            flush-connections
            interface-health eth0 {
                failure-count 3
                nexthop xx.xx.xx.gw1
                success-count 3
                test 10 {
                    resp-time 5
                    target xx.xx.xx.gw1
                    ttl-limit 1
                    type ping
                }
            }
            interface-health eth1 {
                failure-count 3
                nexthop xx.xx.xx.gw2
                success-count 3
                test 10 {
                    resp-time 5
                    target xx.xx.xx.gw2
                    ttl-limit 1
                    type ping
                }
            }
            rule 10 {
                inbound-interface eth2
                interface eth0 {
                    weight 10
                }
                interface eth1 {
                    weight 10
                }
                per-packet-balancing
                protocol all
            }
            rule 20 {
                inbound-interface eth3
                interface eth0 {
                    weight 10
                }
                interface eth1 {
                    weight 10
                }
                per-packet-balancing
                protocol all
            }
        }
    }
    nat {
        source {
            rule 100 {
                outbound-interface eth0
                source {
                    address 192.168.0.0/24
                }
                translation {
                    address masquerade
                }
            }
            rule 101 {
                outbound-interface eth0
                source {
                    address 192.168.1.0/24
                }
                translation {
                    address masquerade
                }
            }
            rule 120 {
                outbound-interface eth1
                source {
                    address 192.168.0.0/24
                }
                translation {
                    address masquerade
                }
            }
            rule 121 {
                outbound-interface eth1
                source {
                    address 192.168.1.0/24
                }
                translation {
                    address masquerade
                }
            }
        }
    }
    protocols {
        static {
            route 0.0.0.0/0 {
                next-hop xx.xx.xx.gw1 {
                }
                next-hop xx.xx.xx.gw2 {
                }
            }
        }
    }
    service {
        dns {
            forwarding {
                cache-size 150
                listen-on eth2
                listen-on eth3
                name-server 8.8.8.8
            }
        }
        ssh {
            allow-root
            port 10055
        }
    }
    system {
        config-management {
            commit-revisions 100
        }
        console {
            device ttyS0 {
                speed 9600
            }
        }
        host-name INT-ROUTER
        login {
            user vyos {
                authentication {
                    encrypted-password ****************
                    plaintext-password ****************
                }
                level admin
            }
        }
        ntp {
            server 0.pool.ntp.org {
            }
            server 1.pool.ntp.org {
            }
            server 2.pool.ntp.org {
            }
        }
        package {
            auto-sync 1
            repository community {
                components main
                distribution helium
                password ****************
                url http://packages.vyos.net/vyos
                username ""
            }
        }
        syslog {
            global {
                facility all {
                    level notice
                }
                facility protocols {
                    level debug
                }
            }
        }
        time-zone UTC
    }

See the little </> brackets?

You highlight all your code and hit that

OK, thanks for the hint about posting source code.
Edited the post, now it looks much better.

Is that correct as described here?

You were correct! After going over the full Vyatta manual on routing, apparently load balancing takes precedence over the route table. As such I had to have load balancing exclude the subnets from the policy.

This can be resolved in Vyatta/VyOS either by using:

set load-balancing wan rule XX exclude
set load-balancing wan rule XX source address
set load-balancing wan rule XX destination address
set load-balancing wan rule XX inbound-interface

or by creating a full-fledged policy-based routing policy and assigning it to the specified interfaces.
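The exclude approach written out against the posted configuration, as an added example (not from the original thread). Rule numbers 5 and 6 are my choice so they are evaluated before the catch-all rules 10 and 20; the `#` lines are annotations, not VyOS commands.

```vyos
# Constructed example, not from the original post. Rules 10 and 20 match
# "protocol all" on eth2/eth3, so LAN<->DMZ packets are handed to the WAN
# load balancer before the route table is consulted and get steered (and
# masqueraded) out eth0/eth1 instead of reaching the other internal zone.
# Lower-numbered exclude rules are evaluated first and return matching
# traffic to normal routing, where the connected 192.168.0.0/24 (eth3)
# and 192.168.1.0/24 (eth2) routes apply.

# DMZ -> LAN: exclude before rule 10 (inbound eth2)
set load-balancing wan rule 5 exclude
set load-balancing wan rule 5 inbound-interface eth2
set load-balancing wan rule 5 destination address 192.168.0.0/24

# LAN -> DMZ: exclude before rule 20 (inbound eth3)
set load-balancing wan rule 6 exclude
set load-balancing wan rule 6 inbound-interface eth3
set load-balancing wan rule 6 destination address 192.168.1.0/24

commit
save
```

After committing, `run show wan-load-balance` should list rules 5 and 6 ahead of 10 and 20, and a ping from a 192.168.0.x host to 192.168.1.x should once again follow the connected route via eth2 rather than a WAN interface.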