Hello all!
I have been using vyos for several years at home for simple nat/dhcp/openvpn, and general internet access for my family.
I have an ESXi host at a colo that I’ve been running vyos on for several months, and just realized a couple days ago that I never assigned a firewall to the WAN interface. Cool, eh?
There’s not anything on there that’s any kind of secret. Just a few game servers, mail server, and a DNS server.
When I went to assign the firewall named WAN to the WAN interface (eth0), either nothing happens or everything is borked. I’m sure that you folks who fall in the “way smarter than me” category, which would be almost all of you when it comes to this side of IT, can point to it and say “here’s where you did the bad thing.” Thanks for taking the time to look at this.
Side note - there are several more firewall rules and DNAT rules, but they are all the same, just different port groups and address groups. There are 3 public IPs on eth0 and 3 VLANs/subnets inside on eth1.18, eth1.19, and eth1.20. No firewalls between the subnets, as they are only for a logical split, not security related.
Here’s where I run into problems -
If I set the firewall on the WAN interface (eth0) as “in,” the below rules do not allow the traffic, and nothing works.
If I set the firewall on eth0 as “local,” the traffic below is allowed whether the firewall rule is in place or not. It’s just cruising through on the DNAT rule. The firewall and DNAT rules are below.
And, all this time I thought I was getting this stuff down pretty well, but, here I am back at square one.
vyos@rtfw-01# show firewall name WAN rule 1801
 action accept
 destination {
     group {
         address-group WAN-139
         port-group ZIMBRAPORTS
     }
 }
 log enable
 protocol tcp
 state {
     new enable
 }
vyos@rtfw-01# show nat destination rule 1801
 description "Zimbra DNAT"
 destination {
     address <wan interface IP redacted>
     port 25,80,110,143,465,587,993,995,443
 }
 inbound-interface eth0
 log enable
 protocol tcp
 translation {
     address <lan interface IP redacted>
 }
The WAN-139 address group has the external destination IP address in it.
The ZIMBRAPORTS port group has all the needed ports in it, as it matches the NAT destination rule.
The default action on the firewall is drop.
default-action drop
rule 1801 {
    action accept
    destination {
        group {
            address-group WAN-139
            port-group ZIMBRAPORTS
        }
    }
    protocol tcp
    state {
        new enable
    }
}
TIA
–reno
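Added example, not part of the original post or of any reply to it: the behaviour described above (works with "local", dies with "in") is what you get when an "in" ruleset matches on the pre-DNAT public address. On VyOS the interface "in" ruleset filters forwarded traffic and is evaluated after destination NAT, so by the time rule 1801 looks at the packet its destination is already the translated LAN address, not the public IP held in WAN-139, and the default drop wins. The "local" ruleset only covers traffic addressed to the router itself, so the DNAT'd flows never pass through it at all. The config below is a sketch of an "in" ruleset that matches the post-translation address; the group name ZIMBRA-LAN and rule 10 are assumptions, and the redacted address placeholders are the post's own.

```vyos
# Assumed group holding the internal Zimbra address (the DNAT translation target),
# since the "in" ruleset sees the packet after DNAT has rewritten the destination.
set firewall group address-group ZIMBRA-LAN address '<lan interface IP redacted>'

set firewall name WAN default-action 'drop'

# Assumed rule: with default-action drop on an "in" ruleset, return traffic for
# connections opened from the LAN is dropped unless established/related is accepted.
set firewall name WAN rule 10 action 'accept'
set firewall name WAN rule 10 state established 'enable'
set firewall name WAN rule 10 state related 'enable'

# Same rule 1801 as in the post, but matching the translated (LAN) destination.
# The port group is unchanged: the DNAT rule translates only the address, not ports.
set firewall name WAN rule 1801 action 'accept'
set firewall name WAN rule 1801 protocol 'tcp'
set firewall name WAN rule 1801 destination group address-group 'ZIMBRA-LAN'
set firewall name WAN rule 1801 destination group port-group 'ZIMBRAPORTS'
set firewall name WAN rule 1801 state new 'enable'
set firewall name WAN rule 1801 log 'enable'

set interfaces ethernet eth0 firewall in name 'WAN'
```

Since rule 1801 has `log enable`, a quick check after `commit` is to watch the firewall log while connecting to one of the ZIMBRAPORTS from outside: a hit on rule 1801 confirms the ruleset is now matching the translated address; a hit on the default drop means the destination still does not match the group.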