Block /32 IP using VyOS

Well, after I run all those commands I can't commit anything:
vyos@vyos# delete interfaces ethernet eth0 firewall in name 'WAN_IN'
[edit]
vyos@vyos#
[edit]
vyos@vyos# commit
Failed to generate committed config

I can't delete the task from the scheduler.

Anyone with some idea?

If you can't disable the script from the scheduler, change it to
echo " " > /dev/null

You need to exclude the script from commits.
Due to erroneous commits, your configuration synchronization has diverged.
A reboot will be best in this situation,
so you get a synchronized configuration.

OK, but is there any other solution, other than a reboot?
And why do you say to remove the script? What are the problems caused by this one?

Any update? :smiley: Or any idea?

First, you need to sync configurations.
I suggested removing the script for this.

But what is the reason for removing the script?
Somehow I solved it and now all configs are in sync.

Using a large list of IP addresses for blocking with commits is not a good idea. There are many internal checks for every IP address. And if something goes wrong, the commit will disrupt the system, as it did on your router.
The best solution will be to use ipset directly for it, adding IP addresses directly to this ipset.
It doesn't affect VyOS commits.

I have only 900 records; is that so many?
And you suggest using ipset (iptables) instead of the VyOS firewall?

VyOS uses iptables for the firewall.
It will be faster if you declare the rules in VyOS, and the lists of IP addresses are entered directly in ipset. So you get rid of extra commits.
This is just my opinion.

Do you have any example or doc material for this?
Thanks

@BIT2GB I don't have documentation. You can read about ipset in the official documentation pages.
Let me explain with one example.

Configuration on VyOS.

set firewall group address-group ag-Blacklist
set firewall name FIREWALL-LOCAL default-action 'accept'
set firewall name FIREWALL-LOCAL rule 10 action 'drop'
set firewall name FIREWALL-LOCAL rule 10 source group address-group 'ag-Blacklist'

That's all.
All other logic is done directly with ipset.
We can see that the ipset "ag-Blacklist" is present (hash:ip):

$ sudo ipset -L
Name: ag-Blacklist
Type: hash:ip

Our blacklist:

vyos@vyos:~$ sudo cat /tmp/ag-Blacklist.txt
103.9.226.57
103.97.95.221
104.131.41.185
104.168.96.122
104.182.56.131

ipset script (adding IP addresses from the txt file):

#!/usr/bin/env bash

IPSET=$(which ipset)
IPSET_NAME="ag-Blacklist"
# Path of the plain-text list, one IP address per line (no leading space!)
SRC_DATA="/tmp/ag-Blacklist.txt"

# Flush all old entries
"$IPSET" -F "$IPSET_NAME"

# Add new entries from the txt file; -exist makes re-adding an address harmless
while IFS= read -r I || [ -n "$I" ]; do
    [ -z "$I" ] && continue
    "$IPSET" add "$IPSET_NAME" "$I" -exist 2>/dev/null
done < "$SRC_DATA"

Check the addresses in the ipset:

vyos@vyos:~$ sudo ipset -L
Name: ag-Blacklist
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 328
References: 1
Number of entries: 5
Members:
103.9.226.57
103.97.95.221
104.182.56.131
104.131.41.185
104.168.96.122

You only need to update your SRC_DATA (the IP list) and execute the ipset script.

If we check the firewall, we see these entries.

-A FIREWALL-LOCAL -m set --match-set ag-Blacklist src -m comment --comment FIREWALL-LOCAL-10 -j DROP
-A FIREWALL-LOCAL -m comment --comment "FIREWALL-LOCAL-10000 default-action accept" -j RETURN

Of course, you can also use a network-group with the same logic, or combine them.
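A hardened variant of the loader described in the post above, added here as an example (it is not Viacheslav's script nor part of VyOS). The flush-then-add loop leaves a short window in which the set is empty and nothing is blocked, and a bad download (an empty file, CRLF line endings, a stray hostname) silently produces a partial or empty set. This version validates every line, builds an `ipset restore` batch into a temporary set, and then swaps it into `ag-Blacklist` in one step; the set name and header values (`hash:ip family inet hashsize 1024 maxelem 65536`) are taken from the `ipset -L` output in the thread, the file path from the post, and the `-tmp` suffix is an assumption.

```shell
#!/bin/sh
# Added example, not the forum poster's script: validated, atomic reload of
# the VyOS address-group set "ag-Blacklist" from a one-address-per-line file.

IPSET_NAME="ag-Blacklist"                       # set VyOS created for the address-group
SRC_DATA="${SRC_DATA:-/tmp/ag-Blacklist.txt}"    # list path from the thread
TMP_SET="${IPSET_NAME}-tmp"                      # assumed name for the staging set

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255
# (leading zeros such as 08 are rejected, since ipset would read them differently).
is_ipv4() {
  printf '%s' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Print an "ipset restore" batch for the list in $1 to stdout. Blank lines and
# "#" comments are skipped, CR and spaces are stripped (CRLF files from a
# Windows host are common), malformed lines are reported on stderr.
# Returns 1 if no valid address was found, so a broken list never empties the set.
build_restore_batch() {
  list="$1"
  count=0
  # Header mirrors the live set so "swap" is accepted
  echo "create ${TMP_SET} hash:ip family inet hashsize 1024 maxelem 65536"
  echo "flush ${TMP_SET}"
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                                # drop trailing comment
    line=$(printf '%s' "$line" | tr -d ' \t\r')       # drop whitespace and CR
    [ -z "$line" ] && continue
    if is_ipv4 "$line"; then
      echo "add ${TMP_SET} ${line}"
      count=$((count + 1))
    else
      echo "skipping invalid entry: ${line}" >&2
    fi
  done < "$list"
  echo "swap ${TMP_SET} ${IPSET_NAME}"                # atomic: old members replaced at once
  echo "destroy ${TMP_SET}"                           # tmp set now holds the old members
  [ "$count" -gt 0 ]
}

# Apply the batch. "ipset restore" stops at the first error, and the live set
# is untouched until the swap line runs, so a failure leaves the old blacklist in place.
update_blacklist() {
  batch=$(build_restore_batch "$SRC_DATA") || {
    echo "no valid entries in ${SRC_DATA}, set left unchanged" >&2
    return 1
  }
  printf '%s\n' "$batch" | sudo ipset restore -exist
}

# Run the live update only when explicitly asked: ./blacklist.sh apply
[ "${1:-}" = "apply" ] && update_blacklist
```

Re-run it after any commit that touches the firewall group, since VyOS rebuilds the group's set from the configuration (which lists no members) on commit; the script itself never triggers a commit, which is the point of the approach described in the post.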

@Viacheslav Thanks a lot for all the information provided here.
I'll go and make a decision and see what I choose.

A small question: doesn't there exist any... GUI or simple app that can show some statistics directly from the router?
And not Grafana, because I already use it and it works fine.