Allow traffic from INT to DMZ


#1

Hi !

I set up a firewall with VyOS 1.1.8 stable and 3 zones: WAN (load-balanced links from 2 ISPs), DMZ (192.168.1.x) and an Internal zone (192.168.0.x).
Load balancing and DNAT from WAN to DMZ seem to work fine. However, I have trouble routing traffic between the DMZ and the Internal zone.

set firewall name INT_TO_DMZ default-action accept
set zone-policy zone DMZ from INT firewall name INT_TO_DMZ

Traffic from INT to DMZ is still blocked completely.

vyos@vyos# show zone-policy
zone DMZ {
    from INT {
        firewall {
            name INT_TO_DMZ
        }
    }
    interface eth2
}
zone INT {
    interface eth3
}

vyos@vyos# show firewall name INT_TO_DMZ
default-action accept

How do I fix this?
Thanks in advance.


#2

Are you having issues with routing or with the firewall? By default there is no firewall and routing should work fine. Can you confirm this works as expected?


#3

Routing works fine between WAN <-> LAN and WAN <-> DMZ.
However, I couldn't get any traffic between LAN <-> DMZ.


#4

Right. What I am saying is that in its default configuration, after you add IP addresses/subnets to the interfaces, routing works fine. So, is this an issue with your firewall rules? By default there is no firewall blocking the routes.

I am trying to get you to isolate where the issue lies: routing or firewall?


#5

The issue is routing; even without a firewall there is no traffic between LAN <-> DMZ.

Should I use RIP, and then restrict certain protocols/ports with the zone-based firewall?

set protocols rip network 192.168.0.0/24
set protocols rip network 192.168.1.0/24
set protocols rip redistribute connected


#6

Hi,

I'm still struggling with that issue. I removed ALL firewall rules; still no traffic between 192.168.0.x and 192.168.1.x.
It seems like there is no routing between these 2 nets.

With shorewall and SuSEfirewall I didn't have a similar problem with routing between these subnets.

RIP removed; it's not appropriate here.

How do I fix this?
Thanks in advance.


#7

Please share your sanitized config.

I have tried stating it several times, but you obviously have something configured incorrectly, because BY DEFAULT, the different interfaces will route between each other.


#8

I discarded everything I did before and started with a clean install from scratch.
Only the interfaces are up, with WAN load balancing and NAT from LAN and DMZ; nothing else.
eth0 - wan1, eth1 - wan2, eth2 - DMZ, eth3 - LAN

PS. I had to replace TABs with underscores to make config readable, otherwise forum software removes leading spaces and tabs.

vyos@vyos# run show configuration 
    interfaces {
        ethernet eth0 {
            address xx.xx.xx.wan1/24
            description INTF_LTC1
            duplex auto
            hw-id 52:54:00:a3:ac:8f
            smp_affinity auto
            speed auto
        }
        ethernet eth1 {
            address xx.xx.xx.ip2/24
            description INTF_BTC2
            duplex auto
            hw-id 52:54:00:16:37:8c
            smp_affinity auto
            speed auto
        }
        ethernet eth2 {
            address 192.168.1.1/24
            description INTF_DMZ
            duplex auto
            hw-id 52:54:00:24:2c:e7
            smp_affinity auto
            speed auto
        }
        ethernet eth3 {
            address 192.168.0.1/24
            description INTF_LOCAL_NET
            duplex auto
            hw-id 52:54:00:e3:b1:35
            smp_affinity auto
            speed auto
        }
        loopback lo {
        }
    }
    load-balancing {
        wan {
            flush-connections
            interface-health eth0 {
                failure-count 3
                nexthop xx.xx.xx.gw1
                success-count 3
                test 10 {
                    resp-time 5
                    target xx.xx.xx.gw1
                    ttl-limit 1
                    type ping
                }
            }
            interface-health eth1 {
                failure-count 3
                nexthop xx.xx.xx.gw2
                success-count 3
                test 10 {
                    resp-time 5
                    target xx.xx.xx.gw2
                    ttl-limit 1
                    type ping
                }
            }
            rule 10 {
                inbound-interface eth2
                interface eth0 {
                    weight 10
                }
                interface eth1 {
                    weight 10
                }
                per-packet-balancing
                protocol all
            }
            rule 20 {
                inbound-interface eth3
                interface eth0 {
                    weight 10
                }
                interface eth1 {
                    weight 10
                }
                per-packet-balancing
                protocol all
            }
        }
    }
    nat {
        source {
            rule 100 {
                outbound-interface eth0
                source {
                    address 192.168.0.0/24
                }
                translation {
                    address masquerade
                }
            }
            rule 101 {
                outbound-interface eth0
                source {
                    address 192.168.1.0/24
                }
                translation {
                    address masquerade
                }
            }
            rule 120 {
                outbound-interface eth1
                source {
                    address 192.168.0.0/24
                }
                translation {
                    address masquerade
                }
            }
            rule 121 {
                outbound-interface eth1
                source {
                    address 192.168.1.0/24
                }
                translation {
                    address masquerade
                }
            }
        }
    }
    protocols {
        static {
            route 0.0.0.0/0 {
                next-hop xx.xx.xx.gw1 {
                }
                next-hop xx.xx.xx.gw2 {
                }
            }
        }
    }
    service {
        dns {
            forwarding {
                cache-size 150
                listen-on eth2
                listen-on eth3
                name-server 8.8.8.8
            }
        }
        ssh {
            allow-root
            port 10055
        }
    }
    system {
        config-management {
            commit-revisions 100
        }
        console {
            device ttyS0 {
                speed 9600
            }
        }
        host-name INT-ROUTER
        login {
            user vyos {
                authentication {
                    encrypted-password ****************
                    plaintext-password ****************
                }
                level admin
            }
        }
        ntp {
            server 0.pool.ntp.org {
            }
            server 1.pool.ntp.org {
            }
            server 2.pool.ntp.org {
            }
        }
        package {
            auto-sync 1
            repository community {
                components main
                distribution helium
                password ****************
                url http://packages.vyos.net/vyos
                username ""
            }
        }
        syslog {
            global {
                facility all {
                    level notice
                }
                facility protocols {
                    level debug
                }
            }
        }
        time-zone UTC
    }

#9


See the little </> brackets?

You highlight all your code and hit that


#10

OK, thanks for the hint about posting source code.
I edited the post; now it looks much better.


#11

Is that correct as described here?

You were correct! After going over the full Vyatta manual on routing, apparently load-balancing takes precedence over the route table. As such I had to have load-balancing exclude the subnets from the policy.

This can be resolved in Vyatta/VyOS either by using:

set load-balancing wan rule XX exclude
set load-balancing wan rule XX source address
set load-balancing wan rule XX destination address
set load-balancing wan rule XX inbound-interface

or by creating a full-fledged policy-based routing policy and assigning it to the specified interfaces.
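To turn that conclusion into something concrete, here is an added example configuration (mine, not posted by anyone in this thread) that combines the fix from #11 with the zone policy the original poster started in #1. It assumes the interface layout from #8 (eth2 = DMZ 192.168.1.0/24, eth3 = LAN/INT 192.168.0.0/24, eth0/eth1 = WAN); the rule numbers 5 and 6, the DMZ_TO_INT name and the TCP ports 80/443 are my own illustrative choices. The WAN zone is left out of zone-policy, as in #1.

```vyos
# Added example, not from the thread. Assumes the interface layout of post #8:
# eth2 = DMZ 192.168.1.0/24, eth3 = LAN/INT 192.168.0.0/24, eth0/eth1 = WAN.
# Rule numbers 5 and 6, the DMZ_TO_INT rule set and ports 80/443 are assumptions.

# 1. Keep LAN<->DMZ traffic out of WAN load balancing. WAN load-balancing rules
#    are evaluated in numerical order and the first match wins, so the exclude
#    rules must be numbered below the balancing rules 10 and 20 from post #8.
#    An excluded packet is simply routed by the normal routing table, where
#    both subnets are already present as connected routes.
set load-balancing wan rule 5 exclude
set load-balancing wan rule 5 inbound-interface eth3
set load-balancing wan rule 5 destination address 192.168.1.0/24
set load-balancing wan rule 5 protocol all

set load-balancing wan rule 6 exclude
set load-balancing wan rule 6 inbound-interface eth2
set load-balancing wan rule 6 destination address 192.168.0.0/24
set load-balancing wan rule 6 protocol all

# 2. Let replies to already-permitted connections pass in every zone direction,
#    so DMZ->INT does not need its own "allow" rules for return traffic.
set firewall state-policy established action accept
set firewall state-policy related action accept
set firewall state-policy invalid action drop

# 3. INT -> DMZ: allow only what the DMZ hosts actually serve (here HTTP/HTTPS),
#    instead of the default-action accept from post #1.
set firewall name INT_TO_DMZ default-action drop
set firewall name INT_TO_DMZ rule 10 action accept
set firewall name INT_TO_DMZ rule 10 protocol tcp
set firewall name INT_TO_DMZ rule 10 destination port 80,443

# 4. DMZ -> INT: no new connections; a compromised DMZ host must not reach the LAN.
set firewall name DMZ_TO_INT default-action drop

# 5. Attach the policies. Post #1 only defined the DMZ "from INT" direction;
#    give the reverse direction an explicit policy as well so that its
#    behaviour is the drop rule set above rather than an implicit zone default.
set zone-policy zone DMZ interface eth2
set zone-policy zone DMZ from INT firewall name INT_TO_DMZ
set zone-policy zone INT interface eth3
set zone-policy zone INT from DMZ firewall name DMZ_TO_INT

commit
save
```

After the commit, a traceroute from a LAN host to a DMZ address should show the router as the only hop before the DMZ host; if it still leaves via a WAN interface, the exclude rules are numbered after the balancing rules or do not match the inbound interface. One further caveat on the #8 configuration itself: `per-packet-balancing` combined with `masquerade` on two ISPs means a single TCP flow can leave through both links with two different public source addresses, which breaks sessions; flow-based balancing (the default, without `per-packet-balancing`) keeps each connection on one ISP.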