Cannot connect to network after update

Hi there,

For a few weeks now, I have been using Vyos (1.4-rolling-202207100637).

For the last few days, however, I have been getting disconnections while connected to a Fortinet VPN from my laptop (the VPN type macOS calls "Cisco IPSec").

Since the problem only shows up on this network, my first idea was to update VyOS to the latest version. After the update, however, nothing works any more on the network called LAN: DHCP clients no longer get an IP address, and clients with a static IP cannot even ping the gateway.

I also did a clean installation from the latest available nightly image; nothing changed.

The problem appears to have been introduced in 1.4-rolling-202207111030 (the build right after the one that worked).

Here is my configuration :

/* Zone-pair rule sets referenced from zone-policy below. Names are SOURCEZONE-DESTZONE; traffic not matched by a numbered rule falls to the set's default-action. */
firewall {
    name GUEST-LAN {
        default-action drop
    }
    name GUEST-LOCAL {
        default-action drop
    }
    /* Guests get unrestricted Internet access; the LAN and the router itself are denied by the two sets above. */
    name GUEST-WAN {
        default-action accept
    }
    name LAN-GUEST {
        default-action drop
    }
    /* LAN hosts have unrestricted access to the router itself (SSH, NTP, DHCP). */
    name LAN-LOCAL {
        default-action accept
    }
    name LAN-WAN {
        default-action accept
    }
    name LOCAL-GUEST {
        default-action drop
    }
    name LOCAL-LAN {
        default-action accept
    }
    name LOCAL-WAN {
        default-action accept
    }
    /* Internet -> guest VLAN: only replies to guest-initiated connections. */
    name WAN-GUEST {
        default-action drop
        rule 5 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    /* Internet -> LAN: replies only, plus one IPsec-only forwarding exception (rule 10). */
    name WAN-LAN {
        default-action drop
        rule 5 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* Forwarded traffic from xxx.xxx.128.128/25 to the LAN, accepted only if it arrived inside an IPsec tunnel (match-ipsec). NOTE(review): the posted config contains no `vpn ipsec` section, so this rule (and NAT source rule 200 for the same range) looks like a leftover from a router-side VPN; confirm it is still needed or remove it. */
        rule 10 {
            action accept
            destination {
                address xxx.xxx.64.0/24
            }
            ipsec {
                match-ipsec
            }
            source {
                address xxx.xxx.128.128/25
            }
        }
    }
    /* Internet -> the router itself. */
    name WAN-LOCAL {
        default-action drop
        rule 5 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* Every ICMP type is accepted from anywhere, not only echo-request. */
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
        /* SSH is reachable from the Internet. Rule 30 rate-limits it: a source that has opened about 4 new SSH connections within a minute is dropped, then rule 31 accepts the rest. Rule 30 must keep a lower number than 31 so it is evaluated first. Password login is disabled under `service ssh`, so only key holders get past the banner; still consider restricting `source address` here or reaching SSH only through the VPN. */
        rule 30 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time minute
            }
            state {
                new enable
            }
        }
        rule 31 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            state {
                new enable
            }
        }
        /* ESP, IKE (UDP 500) and NAT-T (UDP 4500) to the router. NOTE(review): there is no `vpn ipsec` section in this config, so nothing should be listening on these ports; if the router is no longer an IPsec endpoint, rules 40-42 are unused exposure and can be removed. */
        rule 40 {
            action accept
            protocol esp
        }
        rule 41 {
            action accept
            destination {
                port 500
            }
            protocol udp
        }
        rule 42 {
            action accept
            destination {
                port 4500
            }
            protocol udp
        }
    }
}
interfaces {
    /* VLAN-aware bridge carrying the LAN (untagged, VLAN 1) and the guest VLAN (13). NOTE: since 1.4-rolling-202207111030 (T4565) VLAN 1 is no longer allowed implicitly on bridge members; the fix for this thread was adding `allowed-vlan 1` next to `native-vlan 1` on eth1 and eth2. */
    bridge br0 {
        address xxx.xxx.64.1/24
        description LAN
        enable-vlan
        ip {
        }
        member {
            /* Access port: untagged traffic lands in VLAN 1 (LAN). */
            interface eth1 {
                native-vlan 1
            }
            /* Trunk to the access points: tagged VLAN 13 (guest) plus untagged VLAN 1 (LAN). */
            interface eth2 {
                allowed-vlan 13
                native-vlan 1
            }
        }
        /* Router address inside the guest VLAN; zone GUEST is bound to br0.13 in zone-policy. */
        vif 13 {
            address xxx.xxx.13.1/24
            description "Guest VLAN"
        }
    }
    /* Upstream link; address and (normally) default route come from the ISP via DHCP. */
    ethernet eth0 {
        address dhcp
        description WAN
        hw-id xx:xx:xx:xx:xx:ec
    }
    ethernet eth1 {
        description ACCESS
        hw-id xx:xx:xx:xx:xx:f6
    }
    ethernet eth2 {
        description "Trunk to APs"
        hw-id xx:xx:xx:xx:xx:00
    }
    loopback lo {
    }
}
/* Source NAT: every internal range is masqueraded behind eth0's DHCP address. */
nat {
    source {
        /* Guest VLAN. */
        rule 13 {
            outbound-interface eth0
            source {
                address xxx.xxx.13.0/24
            }
            translation {
                address masquerade
            }
        }
        /* LAN. */
        rule 100 {
            outbound-interface eth0
            source {
                address xxx.xxx.64.0/24
            }
            translation {
                address masquerade
            }
        }
        /* Same range as firewall WAN-LAN rule 10. NOTE(review): no `vpn ipsec` section is present in this config, so no traffic from this range should reach the router; confirm the rule is still needed. */
        rule 200 {
            outbound-interface eth0
            source {
                address xxx.xxx.128.128/25
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        /* Static default route with a fixed next-hop. NOTE(review): eth0 also learns a default route via DHCP; a static default is normally preferred over the DHCP-learned one and will go stale if the provider changes its gateway — confirm this is intended. */
        route xxx.xxx.0.0/0 {
            next-hop xxx.xxx.255.5 {
            }
        }
    }
}
service {
    dhcp-server {
        /* Guest VLAN pool; clients are pointed at public resolvers, not at anything on the LAN. */
        shared-network-name xxxxxx {
            subnet xxx.xxx.13.0/24 {
                default-router xxx.xxx.13.1
                lease 86400
                name-server xxx.xxx.9.9
                name-server xxx.xxx.112.112
                range 0 {
                    start xxx.xxx.13.50
                    stop xxx.xxx.13.100
                }
            }
        }
        /* LAN pool; DNS is served by two LAN hosts, NTP by the router (see system ntp listen-address). */
        shared-network-name xxxxxx {
            ntp-server xxx.xxx.64.1
            subnet xxx.xxx.64.0/24 {
                default-router xxx.xxx.64.1
                domain-name xxxxxx
                lease 86400
                name-server xxx.xxx.64.251
                name-server xxx.xxx.64.252
                range 0 {
                    start xxx.xxx.64.50
                    stop xxx.xxx.64.100
                }
            }
        }
    }
    /* Key-only SSH. It is reachable from the Internet through firewall WAN-LOCAL rules 30/31, so keeping password authentication disabled matters. */
    ssh {
        disable-password-authentication
        port 22
    }
}
system {
    /* Keeps the last 100 committed configs on disk; anything sensitive in the config is retained in each revision. */
    config-management {
        commit-revisions 100
    }
    /* Conntrack ALGs/helpers. Each one parses application payloads and opens dynamic pinholes; enable only the protocols actually in use (sip, h323, pptp, sqlnet, nfs and tftp are rarely needed on a home network) to reduce attack surface. */
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name xxxxxx
    host-name xxxxxx
    login {
        /* Three key-only accounts (ed25519 / rsa). */
        user xxxxxx {
            authentication {
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ssh-ed25519
                }
            }
        }
        user xxxxxx {
            authentication {
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ssh-ed25519
                }
            }
        }
        user xxxxxx {
            authentication {
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ssh-rsa
                }
            }
        }
        /* NOTE(review): this account carries both `encrypted-password` and `plaintext-password`. VyOS normally hashes a plaintext password into encrypted-password at commit and drops the plaintext node; if the plaintext node really survived into the saved config it is stored in cleartext on disk and in every commit revision — re-set the password, verify only the hash remains, and rotate it since the config has been posted publicly. */
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
            }
        }
    }
    name-server xxx.xxx.9.9
    name-server xxx.xxx.112.112
    /* NTP only answers on the LAN address, so it is not exposed to the Internet or the guest VLAN. */
    ntp {
        listen-address xxx.xxx.64.1
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    option {
        root-partition-auto-resize
    }
    syslog {
        global {
            facility all {
                level info
            }
            /* Routing-protocol debug logging left on; noisy but harmless, turn down when not troubleshooting. */
            facility protocols {
                level debug
            }
        }
    }
}
/* Zone-based policy. Each zone's default-action drop applies to inter-zone traffic with no matching `from` entry, e.g. LAN -> GUEST and GUEST -> LAN are both explicitly dropped. */
zone-policy {
    zone GUEST {
        default-action drop
        from LAN {
            firewall {
                name LAN-GUEST
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-GUEST
            }
        }
        from WAN {
            firewall {
                name WAN-GUEST
            }
        }
        interface br0.13
    }
    zone LAN {
        default-action drop
        from GUEST {
            firewall {
                name GUEST-LAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-LAN
            }
        }
        interface br0
    }
    /* The router's own services (SSH, DHCP, NTP). Only WAN-LOCAL restricts inbound traffic here; LAN gets full access. */
    zone LOCAL {
        default-action drop
        from GUEST {
            firewall {
                name GUEST-LOCAL
            }
        }
        from LAN {
            firewall {
                name LAN-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from GUEST {
            firewall {
                name GUEST-WAN
            }
        }
        from LAN {
            firewall {
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        interface eth0
    }
}

Is there an error somewhere in this configuration? I have gone through the changelog, but unfortunately found nothing that explains the change in behaviour.

Thanks in advance!

This looks like the VLAN-aware bridge bug tracked as T4565.

Thank you very much for your answer.

Following the advice in your last comment on T4565, @Viacheslav, adding `allowed-vlan 1` to the bridge member interfaces did the trick.
It looks like VLAN 1 used to be allowed on a VLAN-aware bridge by default, but it now has to be set explicitly alongside `native-vlan 1`.
