Firewall config for IPSEC

Hi Team,

I've applied some new firewall rules to lock down the network. After applying the firewall rules, everything that needs to work does, except that the IPsec tunnels are not coming up. When I remove the firewall rules, IPsec works. So I am doing something wrong with the rule set. I hope someone can point out what I am doing wrong here:

Show version

Version: VyOS 1.4.0-rc3
Release train: sagitta

Built by: Sentrium S.L.
Built on: Thu 18 Jan 2024 19:21 UTC
Build UUID: 8603fe3e-29bd-4669-9427-cc07110bd272
Build commit ID: 651ff15892ade4

Architecture: x86_64
Boot via: installed image
System type: KVM guest

Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID: b34fc4a3-c61e-45e1-9dd7-c0e85290f316

Copyright: VyOS maintainers and contributors

Firewall rules

set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'enable'

set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 1 action 'jump'
set firewall ipv4 forward filter rule 1 inbound-interface name 'eth0'
set firewall ipv4 forward filter rule 1 jump-target 'WAN_IN'

set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 1 action 'jump'
set firewall ipv4 input filter rule 1 inbound-interface name 'eth0'
set firewall ipv4 input filter rule 1 jump-target 'WAN_LOCAL'

set firewall ipv4 name WAN_IN default-action 'drop'
set firewall ipv4 name WAN_IN default-log
set firewall ipv4 name WAN_IN description 'WAN TO INTERNAL'
set firewall ipv4 name WAN_IN rule 10 action 'accept'
set firewall ipv4 name WAN_IN rule 10 description 'ALLOW ESTABLISHED/RELATED'
set firewall ipv4 name WAN_IN rule 10 state 'established'
set firewall ipv4 name WAN_IN rule 10 state 'related'
set firewall ipv4 name WAN_IN rule 20 action 'drop'
set firewall ipv4 name WAN_IN rule 20 description 'DROP INVALID STATE'
set firewall ipv4 name WAN_IN rule 20 state 'invalid'

set firewall ipv4 name WAN_LOCAL default-action 'drop'
set firewall ipv4 name WAN_LOCAL default-log
set firewall ipv4 name WAN_LOCAL description 'WAN_TO_ROUTER'
set firewall ipv4 name WAN_LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 10 description 'ALLOW ESTABLISHED/RELATED'
set firewall ipv4 name WAN_LOCAL rule 10 state 'established'
set firewall ipv4 name WAN_LOCAL rule 10 state 'related'
set firewall ipv4 name WAN_LOCAL rule 15 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 15 description 'ALLOW_ICMP'
set firewall ipv4 name WAN_LOCAL rule 15 protocol 'icmp'
set firewall ipv4 name WAN_LOCAL rule 15 state 'established'
set firewall ipv4 name WAN_LOCAL rule 15 state 'related'
set firewall ipv4 name WAN_LOCAL rule 15 state 'new'
set firewall ipv4 name WAN_LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 20 destination port '500,4500,4510,4511'
set firewall ipv4 name WAN_LOCAL rule 20 protocol 'udp'
set firewall ipv4 name WAN_LOCAL rule 20 state 'established'
set firewall ipv4 name WAN_LOCAL rule 20 state 'related'
set firewall ipv4 name WAN_LOCAL rule 20 state 'new'
set firewall ipv4 name WAN_LOCAL rule 25 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 25 protocol 'esp'
set firewall ipv4 name WAN_LOCAL rule 25 state 'established'
set firewall ipv4 name WAN_LOCAL rule 25 state 'related'
set firewall ipv4 name WAN_LOCAL rule 25 state 'new'
set firewall ipv4 name WAN_LOCAL rule 100 action 'drop'
set firewall ipv4 name WAN_LOCAL rule 100 description 'DROP INVALID STATE'
set firewall ipv4 name WAN_LOCAL rule 100 state 'invalid'

vyos@vyos:~$ show vpn ips sa
Connection  State  Uptime  Bytes In/Out  Packets In/Out  Remote address  Remote ID   Proposal
dmvpn       up     13m14s  7K/0B         78/0            IP(hidden)      IP(hidden)  AES_CBC_256/HMAC_SHA1_94

Hope you can point me in the right direction.

Thanks!

To optimize your configuration, you can set the following commands and remove any explicit “established|related|drop” rules from your firewall:

set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'

Currently, the tunnel is up, but you are sending 0 packets and receiving 7K. This suggests that traffic is not being properly routed through the tunnel. Are you using a VTI (Virtual Tunnel Interface)? Have you configured NAT or routing to direct traffic over the tunnel?


Hi @Ethernaut,

Thanks for the reply and the optimization of the rule set.

It works stably without the firewall rules. The rules as shown here, when applied, cause the issue and thus also the one-way communication you mentioned before.

Here you see it from the spoke's point of view towards the hubs. Hub1 has the firewall rule set and the other doesn't.

vyos@KCS0003-CE01:~$ show vpn ips sa
Connection   State  Uptime  Bytes In/Out  Packets In/Out  Remote address  Remote ID     Proposal
HUB 1 dmvpn  up     4m6s    0B/2K         0/27            IP1-{hidden}    IP1-{hidden}  AES_CBC_256/HMAC_SHA1_964
HUB 2 dmvpn  up     22m     19K/17K       159/181         IP2-{hidden}    IP2-{hidden}  AES_CBC_256/HMAC_SHA1_964

You can share your current configuration securely by using the strip-private command, which removes any sensitive information:

run show configuration commands | strip-private

After sharing this output, you can clarify where access is needed or provide details about the tunnel network configuration.

It seems like there might be an issue with the firewall rules. You may need to allow specific traffic through the tunnel.

Here is the configuration based on the output of your command.

PE1-LAB Config

set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'enable'
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 1 action 'jump'
set firewall ipv4 forward filter rule 1 inbound-interface name 'eth0'
set firewall ipv4 forward filter rule 1 jump-target 'WAN_IN'
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 1 action 'jump'
set firewall ipv4 input filter rule 1 inbound-interface name 'eth0'
set firewall ipv4 input filter rule 1 jump-target 'WAN_LOCAL'
set firewall ipv4 name WAN_IN default-action 'drop'
set firewall ipv4 name WAN_IN default-log
set firewall ipv4 name WAN_IN description 'WAN TO INTERNAL'
set firewall ipv4 name WAN_IN rule 10 action 'accept'
set firewall ipv4 name WAN_IN rule 10 description 'ALLOW ESTABLISHED/RELATED'
set firewall ipv4 name WAN_IN rule 10 state 'established'
set firewall ipv4 name WAN_IN rule 10 state 'related'
set firewall ipv4 name WAN_IN rule 20 action 'drop'
set firewall ipv4 name WAN_IN rule 20 description 'DROP INVALID STATE'
set firewall ipv4 name WAN_IN rule 20 state 'invalid'
set firewall ipv4 name WAN_LOCAL default-action 'drop'
set firewall ipv4 name WAN_LOCAL default-log
set firewall ipv4 name WAN_LOCAL description 'WAN_TO_ROUTER'
set firewall ipv4 name WAN_LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 10 description 'ALLOW ESTABLISHED/RELATED'
set firewall ipv4 name WAN_LOCAL rule 10 state 'established'
set firewall ipv4 name WAN_LOCAL rule 10 state 'related'
set firewall ipv4 name WAN_LOCAL rule 15 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 15 description 'ALLOW_ICMP'
set firewall ipv4 name WAN_LOCAL rule 15 protocol 'icmp'
set firewall ipv4 name WAN_LOCAL rule 15 state 'established'
set firewall ipv4 name WAN_LOCAL rule 15 state 'related'
set firewall ipv4 name WAN_LOCAL rule 15 state 'new'
set firewall ipv4 name WAN_LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 20 destination port '500,4500,4510,4511'
set firewall ipv4 name WAN_LOCAL rule 20 protocol 'udp'
set firewall ipv4 name WAN_LOCAL rule 20 state 'established'
set firewall ipv4 name WAN_LOCAL rule 20 state 'related'
set firewall ipv4 name WAN_LOCAL rule 20 state 'new'
set firewall ipv4 name WAN_LOCAL rule 25 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 25 protocol 'esp'
set firewall ipv4 name WAN_LOCAL rule 25 state 'established'
set firewall ipv4 name WAN_LOCAL rule 25 state 'related'
set firewall ipv4 name WAN_LOCAL rule 25 state 'new'
set firewall ipv4 name WAN_LOCAL rule 100 action 'drop'
set firewall ipv4 name WAN_LOCAL rule 100 description 'DROP INVALID STATE'
set firewall ipv4 name WAN_LOCAL rule 100 state 'invalid'
set high-availability vrrp group CU-VRRP address xxx.xxx.48.1/20 interface 'eth2'
set high-availability vrrp group CU-VRRP hello-source-address 'xxx.xxx.48.3'
set high-availability vrrp group CU-VRRP interface 'eth2'
set high-availability vrrp group CU-VRRP peer-address 'xxx.xxx.48.4'
set high-availability vrrp group CU-VRRP preempt-delay '180'
set high-availability vrrp group CU-VRRP priority '200'
set high-availability vrrp group CU-VRRP vrid '2'
set high-availability vrrp group K8S-VRRP address xxx.xxx.64.1/20 interface 'eth3'
set high-availability vrrp group K8S-VRRP hello-source-address 'xxx.xxx.64.3'
set high-availability vrrp group K8S-VRRP interface 'eth3'
set high-availability vrrp group K8S-VRRP peer-address 'xxx.xxx.64.4'
set high-availability vrrp group K8S-VRRP preempt-delay '180'
set high-availability vrrp group K8S-VRRP priority '200'
set high-availability vrrp group K8S-VRRP vrid '3'
set high-availability vrrp group MNG-VRRP address xxx.xxx.20.1/24 interface 'eth1'
set high-availability vrrp group MNG-VRRP hello-source-address 'xxx.xxx.20.3'
set high-availability vrrp group MNG-VRRP interface 'eth1'
set high-availability vrrp group MNG-VRRP peer-address 'xxx.xxx.20.4'
set high-availability vrrp group MNG-VRRP preempt-delay '180'
set high-availability vrrp group MNG-VRRP priority '200'
set high-availability vrrp group MNG-VRRP vrid '1'
set interfaces dummy dum0 address 'xxx.xxx.0.1/32'
set interfaces dummy dum0 description 'iBGP Peering'
set interfaces ethernet eth0 address 'xxx.xxx.35.5/23'
set interfaces ethernet eth0 description 'INET'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:00'
set interfaces ethernet eth1 address 'xxx.xxx.20.3/24'
set interfaces ethernet eth1 description 'LAN-MNG'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:01'
set interfaces ethernet eth1 mtu '1450'
set interfaces ethernet eth2 address 'xxx.xxx.48.3/20'
set interfaces ethernet eth2 description 'LAN-CU'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:02'
set interfaces ethernet eth2 mtu '1450'
set interfaces ethernet eth3 address 'xxx.xxx.64.3/20'
set interfaces ethernet eth3 description 'LAN-K8S'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:03'
set interfaces ethernet eth3 mtu '1450'
set interfaces loopback lo
set interfaces tunnel tun0 address 'xxx.xxx.0.1/16'
set interfaces tunnel tun0 enable-multicast
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 ip adjust-mss '1360'
set interfaces tunnel tun0 mtu '1410'
set interfaces tunnel tun0 parameters ip key xxxxxx
set interfaces tunnel tun0 source-address 'xxx.xxx.35.5'
set nat source rule 1 outbound-interface name 'eth0'
set nat source rule 1 source address 'xxx.xxx.0.0/16'
set nat source rule 1 translation address 'masquerade'
set protocols bfd peer xxxxx.tld profile 'BFD-OSPF'
set protocols bfd profile BFD-OSPF interval multiplier '3'
set protocols bfd profile BFD-OSPF interval receive '50'
set protocols bfd profile BFD-OSPF interval transmit '50'
set protocols bgp address-family ipv4-unicast network xxx.xxx.20.0/24
set protocols bgp address-family ipv4-unicast network xxx.xxx.48.0/20
set protocols bgp neighbor xxx.xxx.0.29 address-family ipv4-unicast
set protocols bgp neighbor xxx.xxx.0.29 remote-as '4200000002'
set protocols bgp neighbor xxx.xxx.0.31 address-family ipv4-unicast
set protocols bgp neighbor xxx.xxx.0.31 remote-as '4200000003'
set protocols bgp neighbor xxx.xxx.0.33 address-family ipv4-unicast
set protocols bgp neighbor xxx.xxx.0.33 remote-as '4200000004'
set protocols bgp neighbor xxx.xxx.0.35 address-family ipv4-unicast
set protocols bgp neighbor xxx.xxx.0.35 remote-as '4200000005'
set protocols bgp neighbor xxx.xxx.0.37 address-family ipv4-unicast
set protocols bgp neighbor xxx.xxx.0.37 remote-as '4200000006'
set protocols bgp neighbor xxx.xxx.0.2 address-family ipv4-unicast
set protocols bgp neighbor xxx.xxx.0.2 remote-as '4200000000'
set protocols bgp neighbor xxx.xxx.0.2 update-source 'dum0'
set protocols bgp system-as '4200000000'
set protocols failover route xxx.xxx.0.0/0 next-hop xxx.xxx.34.1 check target 'xxx.xxx.8.8'
set protocols failover route xxx.xxx.0.0/0 next-hop xxx.xxx.34.1 check timeout '3'
set protocols failover route xxx.xxx.0.0/0 next-hop xxx.xxx.34.1 check type 'icmp'
set protocols failover route xxx.xxx.0.0/0 next-hop xxx.xxx.34.1 interface 'eth0'
set protocols failover route xxx.xxx.0.0/0 next-hop xxx.xxx.34.1 metric '10'
set protocols nhrp tunnel tun0 cisco-authentication xxxxxx
set protocols nhrp tunnel tun0 holding-time '30'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols ospf area 0 network 'xxx.xxx.0.0/16'
set protocols ospf area 0 network 'xxx.xxx.0.1/32'
set protocols ospf interface eth1 bfd profile 'BFD-OSPF'
set protocols ospf interface eth1 passive disable
set protocols ospf log-adjacency-changes detail
set protocols ospf parameters router-id 'xxx.xxx.1.1'
set protocols ospf passive-interface 'default'
set protocols ospf redistribute bgp metric-type '2'
set protocols ospf redistribute kernel metric-type '2'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/0'
set service ntp allow-client xxxxxx '::/0'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ssh listen-address 'xxx.xxx.20.3'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system domain-name xxxxxx
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set system time-zone 'Europe/Amsterdam'
set vpn ipsec esp-group ESP-AMX-IX lifetime '1800'
set vpn ipsec esp-group ESP-AMX-IX mode 'transport'
set vpn ipsec esp-group ESP-AMX-IX pfs 'dh-group2'
set vpn ipsec esp-group ESP-AMX-IX proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-AMX-IX proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-AMX-IX close-action 'none'
set vpn ipsec ike-group IKE-AMX-IX dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-AMX-IX dead-peer-detection interval '3'
set vpn ipsec ike-group IKE-AMX-IX dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE-AMX-IX key-exchange 'ikev2'
set vpn ipsec ike-group IKE-AMX-IX lifetime '3600'
set vpn ipsec ike-group IKE-AMX-IX proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-AMX-IX proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-AMX-IX proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret xxxxxx
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-AMX-IX'
set vpn ipsec profile NHRPVPN ike-group 'IKE-AMX-IX'

FYI: there is no tunnel yet, since it cannot be properly formed, although there is end-to-end communication. This is most likely due to incorrect use of the firewall.

Also important to mention: this VyOS setup is running in EVE-NG, which is hosted on a Proxmox server. Until now we didn't see any compatibility issues or any weird behaviour.

Change this:

set firewall ipv4 name WAN_IN default-action drop

To

set firewall ipv4 name WAN_IN default-action accept

and try with the tunnel

Same issue, still one-way:

HUB1 up 27s 0B/580B 0/5 IP1{hidden} IP1{hidden} AES_CBC_256/HMAC_SHA1_96
HUB2 up 27s 464B/376B 4/4 IP2{hidden} IP2{hidden} AES_CBC_256/HMAC_SHA1_96

You can provide info about remote networks and config of HUB1

If I apply set firewall ipv4 name WAN_LOCAL default-action 'accept', it works.

So the issue should be within these lines of config:

Firewall Rules WAN-LOCAL

set firewall ipv4 name WAN_LOCAL default-action 'drop'
set firewall ipv4 name WAN_LOCAL default-log
set firewall ipv4 name WAN_LOCAL description 'WAN_TO_ROUTER'

set firewall ipv4 name WAN_LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 10 description 'ALLOW ESTABLISHED/RELATED'
set firewall ipv4 name WAN_LOCAL rule 10 state 'established'
set firewall ipv4 name WAN_LOCAL rule 10 state 'related'

set firewall ipv4 name WAN_LOCAL rule 15 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 15 description 'ALLOW_ICMP'
set firewall ipv4 name WAN_LOCAL rule 15 protocol 'icmp'
set firewall ipv4 name WAN_LOCAL rule 15 state 'established'
set firewall ipv4 name WAN_LOCAL rule 15 state 'related'
set firewall ipv4 name WAN_LOCAL rule 15 state 'new'

set firewall ipv4 name WAN_LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 20 destination port '500,4500,4510,4511'
set firewall ipv4 name WAN_LOCAL rule 20 protocol 'udp'
set firewall ipv4 name WAN_LOCAL rule 20 state 'established'
set firewall ipv4 name WAN_LOCAL rule 20 state 'related'
set firewall ipv4 name WAN_LOCAL rule 20 state 'new'

set firewall ipv4 name WAN_LOCAL rule 25 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 25 protocol 'esp'
set firewall ipv4 name WAN_LOCAL rule 25 state 'established'
set firewall ipv4 name WAN_LOCAL rule 25 state 'related'
set firewall ipv4 name WAN_LOCAL rule 25 state 'new'

set firewall ipv4 name WAN_LOCAL rule 100 action 'drop'
set firewall ipv4 name WAN_LOCAL rule 100 description 'DROP INVALID STATE'
set firewall ipv4 name WAN_LOCAL rule 100 state 'invalid'

Allow GRE too, as it's the outer tunnel protocol.
To avoid exposing yourself to spoofed, unencrypted incoming GRE traffic, filter it (match-ipsec-in).

Thanks @16again. Actually, in the previous post that I've deleted, I had added GRE in there as well. I thought that was the solution to why the IPsec tunnel wasn't forming, but after some other tests the tunnels still don't form. I'm not sure what I am doing wrong in the rule set that prevents the tunnels from forming.

I will try today to configure this on a physical router instead of running it in the EVE-NG lab.

Hi All,

Seems a firewall rule on the spoke is blocking the IPsec tunnel traffic. Still, it doesn't make sense to me why that specific rule causes IPsec not to build up.

Hope someone can explain to me why this rule is blocking IPsec.


Hub firewall ruleset

set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'enable'

set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 1 action 'jump'
set firewall ipv4 forward filter rule 1 inbound-interface name 'eth0'
set firewall ipv4 forward filter rule 1 jump-target 'WAN_IN'

set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 1 action 'jump'
set firewall ipv4 input filter rule 1 inbound-interface name 'eth0'
set firewall ipv4 input filter rule 1 jump-target 'WAN_LOCAL'

set firewall ipv4 name WAN_IN default-action 'accept'
set firewall ipv4 name WAN_IN default-log
set firewall ipv4 name WAN_IN description 'WAN TO INTERNAL'
set firewall ipv4 name WAN_IN rule 10 action 'accept'
set firewall ipv4 name WAN_IN rule 10 description 'ALLOW ESTABLISHED/RELATED'
set firewall ipv4 name WAN_IN rule 10 state 'established'
set firewall ipv4 name WAN_IN rule 10 state 'related'

set firewall ipv4 name WAN_IN rule 20 action 'drop'
set firewall ipv4 name WAN_IN rule 20 description 'DROP INVALID STATE'
set firewall ipv4 name WAN_IN rule 20 state 'invalid'

set firewall ipv4 name WAN_LOCAL default-action 'drop'
set firewall ipv4 name WAN_LOCAL default-log
set firewall ipv4 name WAN_LOCAL description 'WAN_TO_ROUTER'

set firewall ipv4 name WAN_LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 10 description 'ALLOW ESTABLISHED/RELATED'
set firewall ipv4 name WAN_LOCAL rule 10 state 'established'
set firewall ipv4 name WAN_LOCAL rule 10 state 'related'

set firewall ipv4 name WAN_LOCAL rule 15 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 15 description 'ALLOW_ICMP'
set firewall ipv4 name WAN_LOCAL rule 15 protocol 'icmp'
set firewall ipv4 name WAN_LOCAL rule 15 state 'established'
set firewall ipv4 name WAN_LOCAL rule 15 state 'related'
set firewall ipv4 name WAN_LOCAL rule 15 state 'new'

set firewall ipv4 name WAN_LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 20 destination port '500,4500,4510,4511'
set firewall ipv4 name WAN_LOCAL rule 20 protocol 'udp'
set firewall ipv4 name WAN_LOCAL rule 20 state 'established'
set firewall ipv4 name WAN_LOCAL rule 20 state 'related'
set firewall ipv4 name WAN_LOCAL rule 20 state 'new'

set firewall ipv4 name WAN_LOCAL rule 25 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 25 protocol 'esp'
set firewall ipv4 name WAN_LOCAL rule 25 state 'established'
set firewall ipv4 name WAN_LOCAL rule 25 state 'related'
set firewall ipv4 name WAN_LOCAL rule 25 state 'new'

set firewall ipv4 name WAN_LOCAL rule 30 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 30 protocol 'gre'
set firewall ipv4 name WAN_LOCAL rule 30 state 'established'
set firewall ipv4 name WAN_LOCAL rule 30 state 'related'
set firewall ipv4 name WAN_LOCAL rule 30 state 'new'

set firewall ipv4 name WAN_LOCAL rule 100 action 'drop'
set firewall ipv4 name WAN_LOCAL rule 100 description 'DROP INVALID STATE'
set firewall ipv4 name WAN_LOCAL rule 100 state 'invalid'

Spoke firewall ruleset

set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'enable'

set firewall group address-group PE-ROUTERS address 'HUB1 IP HIDDEN'
set firewall group address-group PE-ROUTERS address 'HUB2 IP HIDDEN'

set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 1 action 'jump'
set firewall ipv4 forward filter rule 1 inbound-interface name 'eth0.6'
set firewall ipv4 forward filter rule 1 jump-target 'WAN_IN'

set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 1 action 'jump'
set firewall ipv4 input filter rule 1 inbound-interface name 'eth0.6'
set firewall ipv4 input filter rule 1 jump-target 'WAN_LOCAL'

set firewall ipv4 name WAN_IN default-action 'drop'
set firewall ipv4 name WAN_IN default-log
set firewall ipv4 name WAN_IN description 'WAN TO INTERNAL'
set firewall ipv4 name WAN_IN rule 10 action 'accept'
set firewall ipv4 name WAN_IN rule 10 description 'ALLOW ESTABLISHED/RELATED'
set firewall ipv4 name WAN_IN rule 10 state 'established'
set firewall ipv4 name WAN_IN rule 10 state 'related'
set firewall ipv4 name WAN_IN rule 20 action 'drop'
set firewall ipv4 name WAN_IN rule 20 description 'DROP INVALID STATE'
set firewall ipv4 name WAN_IN rule 20 state 'invalid'

set firewall ipv4 name WAN_LOCAL default-action 'drop'
set firewall ipv4 name WAN_LOCAL default-log
set firewall ipv4 name WAN_LOCAL description 'WAN_TO_ROUTER'

set firewall ipv4 name WAN_LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 10 description 'ALLOW ESTABLISHED/RELATED'
set firewall ipv4 name WAN_LOCAL rule 10 state 'established'
set firewall ipv4 name WAN_LOCAL rule 10 state 'related'

set firewall ipv4 name WAN_LOCAL rule 15 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 15 description 'ALLOW_ICMP'
set firewall ipv4 name WAN_LOCAL rule 15 protocol 'icmp'
set firewall ipv4 name WAN_LOCAL rule 15 state 'established'
set firewall ipv4 name WAN_LOCAL rule 15 state 'related'
set firewall ipv4 name WAN_LOCAL rule 15 state 'new'

set firewall ipv4 name WAN_LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 20 description 'ALLOW_SSH_DC'
set firewall ipv4 name WAN_LOCAL rule 20 destination port '22'
set firewall ipv4 name WAN_LOCAL rule 20 protocol 'tcp'
set firewall ipv4 name WAN_LOCAL rule 20 source group address-group 'PE-ROUTERS'
set firewall ipv4 name WAN_LOCAL rule 20 state 'established'
set firewall ipv4 name WAN_LOCAL rule 20 state 'related'
set firewall ipv4 name WAN_LOCAL rule 20 state 'new'

set firewall ipv4 name WAN_LOCAL rule 25 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 25 protocol 'esp'
set firewall ipv4 name WAN_LOCAL rule 25 state 'established'
set firewall ipv4 name WAN_LOCAL rule 25 state 'related'
set firewall ipv4 name WAN_LOCAL rule 25 state 'new'

set firewall ipv4 name WAN_LOCAL rule 30 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 30 protocol 'gre'
set firewall ipv4 name WAN_LOCAL rule 30 state 'established'
set firewall ipv4 name WAN_LOCAL rule 30 state 'related'
set firewall ipv4 name WAN_LOCAL rule 30 state 'new'

So I removed rule 20 from WAN_LOCAL on the spoke, which should only affect SSH port 22, but when removing these rules the IPsec tunnels work like a charm.

Can somebody explain to me how? :smile:

Thanks a million.

Well, it's sorted. Rule 20 WAN_LOCAL on the spoke is basically a deny statement except for SSH. I moved it to the bottom of the list and everything works like a charm.

Still trying to get a grip on the firewall configuration logic.

Cheers!

That explanation makes no sense.
IMHO spoke rule 20 either allows traffic (dpt tcp22) or the packet should be checked against the next rule in line.
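
To make the first-match logic that @16again describes concrete, and to show why the earlier "Allow GRE too" remark matters, here is an added example (not VyOS code and not from anyone in this thread) that evaluates sample packets against the WAN_LOCAL rule sets posted above: the first hub rule set, which has no GRE rule, and the spoke rule set with rule 20 restricted to SSH from PE-ROUTERS. The hub and stranger IP addresses are constructed placeholders, and the model covers only the match criteria these rules actually use.

```python
"""Toy first-match evaluator for a VyOS 'firewall ipv4 name' chain (added example, not VyOS code).
It models only the criteria the thread's rules use (protocol, destination port, source
address-group, conntrack state) together with first-match and default-action semantics."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Packet:
    proto: str                       # 'udp', 'tcp', 'esp', 'gre', 'icmp'
    src: str
    dport: Optional[int] = None
    state: str = "new"               # conntrack state as the firewall sees it


@dataclass
class Rule:
    number: int
    action: str                      # 'accept' or 'drop'
    proto: Optional[str] = None
    dports: frozenset = frozenset()
    src_group: Optional[str] = None  # name of a firewall address-group
    states: frozenset = frozenset()  # empty = no state criterion

    def matches(self, pkt, groups):
        # Every configured criterion must match; an unset criterion matches anything.
        return ((not self.proto or pkt.proto == self.proto)
                and (not self.dports or pkt.dport in self.dports)
                and (not self.src_group or pkt.src in groups.get(self.src_group, ()))
                and (not self.states or pkt.state in self.states))


def evaluate(chain, default_action, pkt, groups=None):
    """(verdict, rule_number) of the first match, or (default_action, None) on fall-through."""
    for rule in sorted(chain, key=lambda r: r.number):
        if rule.matches(pkt, groups or {}):
            return rule.action, rule.number
    return default_action, None


ANY = frozenset({"new", "established", "related"})
EST = frozenset({"established", "related"})

# Hub WAN_LOCAL as first posted: IKE/NAT-T and ESP allowed, but no GRE rule.
HUB_WAN_LOCAL_V1 = [
    Rule(10, "accept", states=EST),
    Rule(15, "accept", proto="icmp", states=ANY),
    Rule(20, "accept", proto="udp", dports=frozenset({500, 4500, 4510, 4511}), states=ANY),
    Rule(25, "accept", proto="esp", states=ANY),
    Rule(100, "drop", states=frozenset({"invalid"})),
]
# Spoke WAN_LOCAL from the later post: rule 20 is SSH from PE-ROUTERS only.
SPOKE_WAN_LOCAL = [
    Rule(10, "accept", states=EST),
    Rule(15, "accept", proto="icmp", states=ANY),
    Rule(20, "accept", proto="tcp", dports=frozenset({22}), src_group="PE-ROUTERS", states=ANY),
    Rule(25, "accept", proto="esp", states=ANY),
    Rule(30, "accept", proto="gre", states=ANY),
]
HUB, STRANGER = "198.51.100.1", "203.0.113.9"  # constructed placeholder addresses
GROUPS = {"PE-ROUTERS": {HUB, "198.51.100.2"}}


def hub_v1_verdicts():
    """IKE, ESP and the outer GRE tunnel protocol against the first hub rule set."""
    return {
        "ike": evaluate(HUB_WAN_LOCAL_V1, "drop", Packet("udp", HUB, 500)),
        "esp": evaluate(HUB_WAN_LOCAL_V1, "drop", Packet("esp", HUB)),
        "gre": evaluate(HUB_WAN_LOCAL_V1, "drop", Packet("gre", HUB)),  # hits default drop
    }


def spoke_verdicts(chain=SPOKE_WAN_LOCAL):
    """Rule 20 only decides TCP/22 from the group; other traffic falls through to 25/30."""
    probes = {
        "ssh_from_hub": Packet("tcp", HUB, 22),
        "ssh_from_stranger": Packet("tcp", STRANGER, 22),
        "esp_from_hub": Packet("esp", HUB),
        "gre_from_hub": Packet("gre", HUB),
    }
    return {name: evaluate(chain, "drop", pkt, GROUPS) for name, pkt in probes.items()}


def moving_rule_20_changes_verdicts():
    """Renumber spoke rule 20 to the end of the chain and compare actions per probe."""
    moved = [replace(r, number=200) if r.number == 20 else r for r in SPOKE_WAN_LOCAL]
    before = {k: v[0] for k, v in spoke_verdicts().items()}
    after = {k: v[0] for k, v in spoke_verdicts(moved).items()}
    return before != after  # False: in a first-match model the move is a no-op
```

In this model a GRE packet hitting the first hub rule set falls through to the default drop, while on the spoke an SSH packet from outside PE-ROUTERS falls past rule 20 to the default drop and ESP/GRE from the hub reach rules 25/30 whether rule 20 sits before or after them.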

Hi @16again, I was thinking the same,
but I can't find any other explanation, to be honest, or this might be due to VyOS being virtualized in EVE-NG. I've rebooted the lab, made the adjustments as mentioned before, and it worked and didn't stop working.