Connectivity issue with 1 vlan

Hello everyone, I recently set up my instance of VyOS following a mixture of the quick start guide, an article I found on the internet and trial and error, and it’s kind of working now. My network is defined like this:

VLAN 10 - Default vlan for untagged traffic
VLAN 20 - Home vlan for personal / trusted devices
VLAN 30 - Servers, vlan for servers
VLAN 40 - Guest, vlan for guests / IOT devices

At the moment I don’t have any special firewall rules defined; the last thing I did was set up a zone-based firewall and assign the LAN zone to my vifs. This seems to work fine for devices that connect to VLAN 40 or VLAN 30, but not for VLAN 20: on VLAN 20 I can get an IP address, but I can’t ping the gateway or reach the internet, and I’ve spent enough time staring at this configuration that the words have started to lose meaning. I’m hoping someone can look at my config and tell me what I’m doing wrong; I’m sure I still have some mistakes in here somewhere that are causing the problem. I’m running the rolling release of 1.3 that I built with the official Docker container for building an ISO. Thanks

firewall {
    /* Global firewall options. all-ping enable answers ICMP echo on every interface, including the WAN port (eth1). */
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        /* NOTE(review): SERVER-PORTS is not referenced by any rule set below, so it currently has no effect. */
        port-group SERVER-PORTS {
            port http
            port https
            port ssh
            port 53
            port 445
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* LAN zone -> router itself (LOCAL zone). The default action already accepts everything, */
    /* so rules 5 and 100 do not change the outcome; they only matter if the default is later set to drop. */
    name LAN-LOCAL {
        default-action accept
        rule 5 {
            action accept
            description "Allow ICMP from LAN"
            protocol icmp
        }
        rule 100 {
            action accept
            description "Allow SSH from LAN"
            destination {
                port 22
            }
            protocol tcp
            source {
                address 10.24.0.0/16
                /* NOTE(review): this matches the client's *source* port; SSH clients use an ephemeral source port, */
                /* so the rule would almost never match once default-action is drop. Only destination port 22 is needed. */
                port 22
            }
        }
    }
    /* LAN zone -> WAN zone: everything is allowed out, with no per-VLAN restriction (guest/IoT included). */
    name LAN-WAN {
        default-action accept
    }
    /* Router itself -> LAN zone: unrestricted. */
    name LOCAL-LAN {
        default-action accept
    }
    /* Router itself -> WAN zone: unrestricted (DHCP client, DNS forwarding upstream, NTP). */
    name LOCAL-WAN {
        default-action accept
    }
    /* WAN zone -> LAN zone: drop by default; only replies to LAN-initiated connections and new ICMP get through. */
    name WAN-LAN {
        default-action drop
        rule 5 {
            action accept
            description "Allow EST/Related"
            state {
                established enable
                related enable
            }
        }
        /* NOTE(review): rule 20 has no description. It accepts new ICMP from the internet toward LAN hosts; */
        /* no destination NAT is configured here, so this only matters if something routes to 10.24.0.0/16 from outside. */
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
    }
    /* WAN zone -> router itself: drop by default. SSH (service ssh port 22) is therefore not reachable from the WAN. */
    name WAN-LOCAL {
        default-action drop
        rule 5 {
            action accept
            description "Allow EST/Related traffic"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            /* NOTE(review): direction is WAN -> router, so "Allow ICMP from WAN" would describe this rule more accurately. */
            description "Allow ICMP to WAN"
            protocol icmp
            state {
                new enable
            }
        }
    }
    receive-redirects disable
    /* The router may emit ICMP redirects on its own interfaces; usually harmless with a single router per VLAN. */
    send-redirects enable
    /* NOTE(review): no reverse-path check is applied to incoming packets; on a simple edge router "strict" or "loose" is the safer setting. */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    /* One VLAN-aware bridge carries all LAN VLANs; the router's address in each VLAN is the matching vif below. */
    bridge br0 {
        description LAN
        enable-vlan
        member {
            /* NOTE(review): every member port is a trunk for 10-40, but the native (untagged) VLAN differs per port */
            /* (eth0/eth3 = 30, eth2 = 20, eth4 = 10). Untagged frames therefore land in a different VLAN depending */
            /* on which port the device or switch is plugged into. The reply in this thread (native-vlan 10 on all */
            /* four members) is the change that made VLAN 20 work. */
            interface eth0 {
                allowed-vlan 10-40
                native-vlan 30
            }
            interface eth2 {
                allowed-vlan 10-40
                native-vlan 20
            }
            interface eth3 {
                allowed-vlan 10-40
                native-vlan 30
            }
            interface eth4 {
                allowed-vlan 10-40
                native-vlan 10
            }
        }
        stp
        /* One /26 per VLAN (62 usable hosts). The .1 address is the gateway, DHCP default-router and DNS listener for that VLAN. */
        vif 10 {
            address 10.24.10.1/26
            description "Default / MGMT"
        }
        vif 20 {
            address 10.24.20.1/26
            description HOME
        }
        vif 30 {
            address 10.24.30.1/26
            description SERVERS
        }
        vif 40 {
            address 10.24.40.1/26
            description GUEST
        }
    }
    ethernet eth0 {
        hw-id e8:6a:64:f0:99:8e
    }
    /* WAN uplink; gets its address from the upstream by DHCP and is the only member of the WAN zone. */
    ethernet eth1 {
        address dhcp
        description WAN
        hw-id 24:5e:be:7e:2b:2a
    }
    ethernet eth2 {
        hw-id 24:5e:be:7e:2b:29
    }
    ethernet eth3 {
        hw-id 24:5e:be:7e:2b:28
    }
    ethernet eth4 {
        hw-id 24:5e:be:7e:2b:27
    }
    loopback lo {
    }
}
nat {
    /* Source NAT only: everything from the LAN supernet leaving eth1 is masqueraded behind the WAN address. */
    /* No destination NAT (port forwards) is defined, so no inbound service is exposed through this router. */
    source {
        rule 100 {
            outbound-interface eth1
            source {
                address 10.24.0.0/16
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    /* One DHCP pool per VLAN; the router's vif address is handed out as both gateway and DNS server. */
    dhcp-server {
        shared-network-name DEFAULT {
            subnet 10.24.10.0/26 {
                default-router 10.24.10.1
                lease 86400
                name-server 10.24.10.1
                range 0 {
                    start 10.24.10.10
                    stop 10.24.10.62
                }
            }
        }
        shared-network-name GUEST {
            subnet 10.24.40.0/26 {
                default-router 10.24.40.1
                lease 86400
                name-server 10.24.40.1
                range 0 {
                    /* NOTE(review): the pool starts at the gateway address itself (default-router 10.24.40.1); */
                    /* the other pools start at .10 or .40. Consider "start 10.24.40.10" so the router's address */
                    /* can never be leased to a guest device. */
                    start 10.24.40.1
                    stop 10.24.40.62
                }
            }
        }
        shared-network-name HOME {
            subnet 10.24.20.0/26 {
                default-router 10.24.20.1
                lease 86400
                name-server 10.24.20.1
                range 0 {
                    start 10.24.20.10
                    stop 10.24.20.62
                }
            }
        }
        shared-network-name SERVERS {
            subnet 10.24.30.0/26 {
                default-router 10.24.30.1
                lease 86400
                name-server 10.24.30.1
                range 0 {
                    start 10.24.30.40
                    stop 10.24.30.62
                }
            }
        }
    }
    /* Recursive DNS forwarder listening on each VLAN gateway address; queries are accepted from the LAN supernet only. */
    dns {
        forwarding {
            allow-from 10.24.0.0/16
            /* cache-size 0: presumably no local caching, so every client query goes upstream — confirm if this is intended. */
            cache-size 0
            listen-address 10.24.10.1
            listen-address 10.24.20.1
            listen-address 10.24.30.1
            listen-address 10.24.40.1
        }
    }
    /* SSH on the default port; reachable from the LAN zone (LAN-LOCAL accepts) but not from the WAN (WAN-LOCAL drops). */
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    /* Connection-tracking helpers (ALGs). Each one inspects payload to open related pinholes; */
    /* NOTE(review): keep only the protocols actually in use (e.g. sip/h323/pptp are unnecessary without VoIP or PPTP). */
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    /* User accounts and credentials were redacted by the poster. */
    login {
	// removed
    }
    /* Upstream resolver used by the router itself (and, presumably, by the DNS forwarder — verify). */
    name-server 9.9.9.9
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            /* Debug-level logging for routing protocols; verbose but useful while troubleshooting. */
            facility protocols {
                level debug
            }
        }
    }
}
zone-policy {
    /* Three zones: LAN (all four VLAN vifs), LOCAL (the router itself) and WAN (eth1). */
    /* NOTE(review): zone-policy only filters traffic *between* zones. Because br0.10/20/30/40 all sit in the */
    /* single LAN zone, VLAN-to-VLAN traffic (e.g. GUEST -> HOME or GUEST -> SERVERS) is routed with no rule */
    /* applied at all. To isolate guests, put br0.40 (and optionally br0.30) in their own zones with explicit */
    /* from-rule sets; that is also where the unused SERVER-PORTS group would be applied. */
    zone LAN {
        /* default-action only applies to traffic from zones with no "from" entry here (none at present). */
        default-action drop
        from LOCAL {
            firewall {
                name LOCAL-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-LAN
            }
        }
        interface br0.10
        interface br0.20
        interface br0.30
        interface br0.40
    }
    zone LOCAL {
        default-action drop
        from LAN {
            firewall {
                name LAN-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from LAN {
            firewall {
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        interface eth1
    }
}

Thanks for reading!

Hi @noodlygod
I have tested (played with) your configuration in my local lab (VyOS version 1.3.2).
It is working: I can get IP addresses from DHCP, and devices can also reach the internet.
Please check:

  • Internet connection from VyOS to the internet
  • If you are using managed switches to connect your devices to the router, please check the switch configuration (for example, on a Cisco Catalyst you need to set the native VLAN to match the native VLAN number configured on the VyOS interface).

Also, in my opinion you should set only one native VLAN inside the bridge interface (for example 10).
If not, you will get a “native vlan mismatch” error on your switches.
Example configuration:

set interfaces bridge br0 description LAN
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth0 allowed-vlan 10-40
set interfaces bridge br0 member interface eth0 native-vlan 10
set interfaces bridge br0 member interface eth2 allowed-vlan 10-40
set interfaces bridge br0 member interface eth2 native-vlan 10
set interfaces bridge br0 member interface eth3 allowed-vlan 10-40
set interfaces bridge br0 member interface eth3 native-vlan 10
set interfaces bridge br0 member interface eth4 allowed-vlan 10-40
set interfaces bridge br0 member interface eth4 native-vlan 10

Please change this part; I think everything will work fine.

Thanks! I’ll give that a shot.

Edit – Thanks, that works! It looks like I’m able to use all my vlans.
