I have a simple setup with 2 VMs reaching out to the internet with the below configuration.
set protocols static route 0.0.0.0/0 next-hop 192.168.1.254 distance 1
set interfaces ethernet eth1 address dhcp
set interfaces ethernet eth2 address 192.168.35.11/24
set interfaces ethernet eth3 address 192.168.40.11/24
set nat source rule 10 outbound-interface name eth1
set nat source rule 10 source address 192.168.35.0/24
set nat source rule 10 translation address masquerade
set nat source rule 20 outbound-interface name eth1
set nat source rule 20 source address 192.168.40.0/24
set nat source rule 20 translation address masquerade
I have the below address that I'm trying to allow access to the internet, but this does not seem to be working.
set firewall group address-group ALLOWED-HOSTS address 192.168.35.110
set firewall group interface-group ALLOWED-INTERFACE interface eth1
set firewall ipv4 forward filter default-action drop
set firewall ipv4 forward filter rule 10 action accept
set firewall ipv4 forward filter rule 10 source group address-group ALLOWED-HOSTS
set firewall ipv4 forward filter rule 10 state 'established'
set firewall ipv4 forward filter rule 10 state 'related'
set firewall ipv4 forward filter rule 10 outbound-interface group ALLOWED-INTERFACE
The default-action is drop, but the rule allowing the ALLOWED-HOSTS address out over ALLOWED-INTERFACE (which is eth1) does not seem to be working as expected.
What happens is that neither of the 2 VMs can reach the internet after the rules are applied.
The moderator is right that the default drop catches everything - but there's also a specific issue with rule 10 itself. The rule combines state 'established'/'related' with the source group check. Those states only match return traffic, not new outbound connections, which are state 'new'. So even 192.168.35.110 can't actually initiate connections.
You need to split it into two rules:
First a rule for new outbound connections from your permitted host:
set firewall ipv4 forward filter rule 10 action accept
set firewall ipv4 forward filter rule 10 source group address-group ALLOWED-HOSTS
set firewall ipv4 forward filter rule 10 state new
set firewall ipv4 forward filter rule 10 outbound-interface group ALLOWED-INTERFACE
Then a separate rule for established/related return traffic that does not restrict by source or outbound interface, because return packets arrive on eth1 and exit toward eth2/eth3 - if you put outbound-interface eth1 on this rule it will drop all return traffic:
set firewall ipv4 forward filter rule 5 action accept
set firewall ipv4 forward filter rule 5 state established
set firewall ipv4 forward filter rule 5 state related
Once you have both rules in place your permitted host gets outbound access and return traffic flows back correctly while everything else hits the default drop. Let me know how you get on.
Good question. In VyOS, rule numbers within the same ruleset (ipv4 forward filter in your case) are evaluated in order from lowest to highest. They all apply to the same interface and traffic direction because the ruleset itself is what gets attached to the interface. So rule 5 and rule 10 both live inside 'firewall ipv4 forward filter' and they are checked sequentially for every packet hitting that filter chain.
Rule 5 with action accept and state new matches any NEW outbound connection attempt and lets it through. Rule 10 with state established and related then handles the return traffic for those connections. The address-group and interface-group on rule 10 just narrow down WHICH hosts and interfaces the established/related rule applies to.
Rule 5 without those restrictions means any host on any interface is allowed to initiate new connections - you can tighten that up later with source/destination groups if you want.
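To make the two replies above concrete (the split into a 'new' rule and an 'established/related' rule, and the lowest-number-first evaluation of a forward filter), here is an added simulation that is not from the thread or from VyOS itself. It models only the matching criteria the thread uses (state, source address-group, outbound-interface group) and a default action; the internet-side address 203.0.113.10 and the flow states are constructed inputs, not real conntrack.

```python
# Simplified model of a VyOS ipv4 forward filter: rules are evaluated from the
# lowest number upward, the first matching rule decides, otherwise the
# ruleset's default action applies. Constructed example, not VyOS code.
from ipaddress import ip_address, ip_network

ADDRESS_GROUPS = {"ALLOWED-HOSTS": ["192.168.35.110"]}   # from the thread
INTERFACE_GROUPS = {"ALLOWED-INTERFACE": ["eth1"]}      # from the thread


def rule_matches(rule, pkt):
    """Every criterion set on a rule must match (criteria are ANDed);
    several 'state' values on one rule are ORed, as on the CLI."""
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "source_group" in rule and not any(
        ip_address(pkt["src"]) in ip_network(a, strict=False)
        for a in ADDRESS_GROUPS[rule["source_group"]]):
        return False
    if "out_group" in rule and pkt["out_if"] not in INTERFACE_GROUPS[rule["out_group"]]:
        return False
    return True


def evaluate(ruleset, pkt, default="drop"):
    for num in sorted(ruleset):          # lowest rule number first
        if rule_matches(ruleset[num], pkt):
            return ruleset[num]["action"]
    return default                        # 'default-action drop'


# Ruleset as originally posted: one rule, state established/related only.
ORIGINAL = {10: {"action": "accept", "source_group": "ALLOWED-HOSTS",
                 "state": {"established", "related"}, "out_group": "ALLOWED-INTERFACE"}}
# Ruleset after the split suggested in the reply.
SPLIT = {5: {"action": "accept", "state": {"established", "related"}},
         10: {"action": "accept", "source_group": "ALLOWED-HOSTS",
              "state": {"new"}, "out_group": "ALLOWED-INTERFACE"}}


def simulate(ruleset, src):
    """Outbound SYN from src leaving via eth1, then the return packet
    (constructed peer 203.0.113.10) heading back out toward eth2."""
    syn = {"src": src, "state": "new", "out_if": "eth1"}
    first = evaluate(ruleset, syn)
    if first != "accept":
        return first, None   # nothing left the router, so no return traffic
    reply = {"src": "203.0.113.10", "state": "established", "out_if": "eth2"}
    return first, evaluate(ruleset, reply)
```

Running simulate(ORIGINAL, "192.168.35.110") yields ("drop", None), which is the symptom in the question; SPLIT yields ("accept", "accept") for the permitted host and ("drop", None) for any other host.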