Hello everyone, I recently set up my instance of VyOS following a mixture of the quick start guide, an article I found on the internet, and trial and error, and it’s kind of working now. My network is defined like this:
VLAN 10 - Default vlan for untagged traffic
VLAN 20 - Home vlan for personal / trusted devices
VLAN 30 - Servers, vlan for servers
VLAN 40 - Guest, vlan for guests / IOT devices
At the moment I don’t have any special firewall rules defined; the last thing I did was set up a zone-based firewall and assign the LAN zone to my vifs. This seems to work fine for devices that connect to VLAN 40 or VLAN 30, but not for VLAN 20: on VLAN 20 I can get an IP address, but I can’t ping the gateway or communicate with the internet, and I’ve spent enough time staring at this configuration that the words have started to lose meaning. I’m hoping someone can look at my config and tell me what I’m doing wrong; I’m sure I still have some mistakes in here somewhere that are causing the problem. I’m running the rolling release of 1.3 that I build with the official Docker container for building an ISO. Thanks
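firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        /* Defined but not referenced by any rule below. */
        port-group SERVER-PORTS {
            port http
            port https
            port ssh
            port 53
            port 445
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* LAN -> router. default-action accept means every router service is reachable
       from the LAN; rules 5 and 100 only become meaningful if that is changed to drop. */
    name LAN-LOCAL {
        default-action accept
        rule 5 {
            action accept
            description "Allow ICMP from LAN"
            protocol icmp
        }
        /* Fixed: the rule previously also required source port 22. SSH clients
           connect from an ephemeral source port, so it never matched and only
           the default-action was letting SSH through. */
        rule 100 {
            action accept
            description "Allow SSH from LAN"
            destination {
                port 22
            }
            protocol tcp
            source {
                address 10.24.0.0/16
            }
        }
    }
    /* LAN -> internet: everything allowed. */
    name LAN-WAN {
        default-action accept
    }
    name LOCAL-LAN {
        default-action accept
    }
    name LOCAL-WAN {
        default-action accept
    }
    /* Internet -> LAN: only replies to existing connections, plus new ICMP. */
    name WAN-LAN {
        default-action drop
        rule 5 {
            action accept
            description "Allow EST/Related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
    }
    /* Internet -> router: only replies to existing connections, plus new ICMP. */
    name WAN-LOCAL {
        default-action drop
        rule 5 {
            action accept
            description "Allow EST/Related traffic"
            state {
                established enable
                related enable
            }
        }
        /* Despite the description, this is inbound: it makes the router answer
           pings from the internet. Drop the rule if that is not wanted. */
        rule 20 {
            action accept
            description "Allow ICMP to WAN"
            protocol icmp
            state {
                new enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* disable = no reverse-path check on incoming packets; 'loose' or 'strict'
       would drop packets whose source address is not routable back the way
       they arrived. */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    /* VLAN-aware bridge; each physical port carries all four VLANs tagged and
       one of them untagged (native-vlan). */
    bridge br0 {
        description LAN
        enable-vlan
        member {
            interface eth0 {
                allowed-vlan 10-40
                native-vlan 30
            }
            /* Untagged traffic on this port lands in VLAN 20 (HOME). */
            interface eth2 {
                allowed-vlan 10-40
                native-vlan 20
            }
            interface eth3 {
                allowed-vlan 10-40
                native-vlan 30
            }
            interface eth4 {
                allowed-vlan 10-40
                native-vlan 10
            }
        }
        stp
        vif 10 {
            address 10.24.10.1/26
            description "Default / MGMT"
        }
        /* NOTE(review): vif 20, its DHCP pool and its zone membership are
           defined exactly like VLANs 30 and 40, so nothing in this config
           singles out VLAN 20 -- the reported fault is likely outside this
           file (port/switch tagging or the client); confirm. */
        vif 20 {
            address 10.24.20.1/26
            description HOME
        }
        vif 30 {
            address 10.24.30.1/26
            description SERVERS
        }
        vif 40 {
            address 10.24.40.1/26
            description GUEST
        }
    }
    ethernet eth0 {
        hw-id e8:6a:64:f0:99:8e
    }
    /* Upstream link; address comes from the ISP via DHCP. */
    ethernet eth1 {
        address dhcp
        description WAN
        hw-id 24:5e:be:7e:2b:2a
    }
    ethernet eth2 {
        hw-id 24:5e:be:7e:2b:29
    }
    ethernet eth3 {
        hw-id 24:5e:be:7e:2b:28
    }
    ethernet eth4 {
        hw-id 24:5e:be:7e:2b:27
    }
    loopback lo {
    }
}
nat {
    source {
        /* Masquerade every LAN subnet (10.24.0.0/16) behind the WAN address. */
        rule 100 {
            outbound-interface eth1
            source {
                address 10.24.0.0/16
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name DEFAULT {
            subnet 10.24.10.0/26 {
                default-router 10.24.10.1
                lease 86400
                name-server 10.24.10.1
                range 0 {
                    start 10.24.10.10
                    stop 10.24.10.62
                }
            }
        }
        shared-network-name GUEST {
            subnet 10.24.40.0/26 {
                default-router 10.24.40.1
                lease 86400
                name-server 10.24.40.1
                /* Fixed: the pool started at 10.24.40.1, which is the router's
                   own address on vif 40 and the default-router above. Start at
                   .10 like the other subnets. */
                range 0 {
                    start 10.24.40.10
                    stop 10.24.40.62
                }
            }
        }
        shared-network-name HOME {
            subnet 10.24.20.0/26 {
                default-router 10.24.20.1
                lease 86400
                name-server 10.24.20.1
                range 0 {
                    start 10.24.20.10
                    stop 10.24.20.62
                }
            }
        }
        shared-network-name SERVERS {
            subnet 10.24.30.0/26 {
                default-router 10.24.30.1
                lease 86400
                name-server 10.24.30.1
                range 0 {
                    start 10.24.30.40
                    stop 10.24.30.62
                }
            }
        }
    }
    dns {
        /* Recursion is restricted to LAN clients and the resolver only listens
           on the LAN vifs, so it is not an open resolver toward eth1.
           cache-size 0 turns caching off entirely. */
        forwarding {
            allow-from 10.24.0.0/16
            cache-size 0
            listen-address 10.24.10.1
            listen-address 10.24.20.1
            listen-address 10.24.30.1
            listen-address 10.24.40.1
        }
    }
    /* No listen-address: sshd binds to every address, including eth1; only the
       WAN-LOCAL drop policy keeps it off the internet. Adding listen-address
       entries for the LAN vifs would give a second layer. */
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    /* Every conntrack helper is enabled. Each one parses untrusted traffic in
       the kernel; keep only the protocols actually used on this network. */
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        // removed
    }
    name-server 9.9.9.9
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
zone-policy {
    /* All four VLAN interfaces sit in one zone, so traffic between them
       (GUEST/IoT <-> SERVERS <-> HOME) is not filtered at all -- the VLAN
       split gives no isolation as configured. To segment, give each VLAN its
       own zone (with explicit from-zone policies) or set intra-zone-filtering
       on this zone. */
    zone LAN {
        default-action drop
        from LOCAL {
            firewall {
                name LOCAL-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-LAN
            }
        }
        interface br0.10
        interface br0.20
        interface br0.30
        interface br0.40
    }
    /* The router itself. */
    zone LOCAL {
        default-action drop
        from LAN {
            firewall {
                name LAN-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from LAN {
            firewall {
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        interface eth1
    }
}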
Thanks for reading!