I have an interface in the mgmt VRF to be used for management purposes. When I enable the zone-based firewall with zone router as local-zone, my access to the router is lost.
I tried writing firewall rules to allow traffic between zones by creating another zone, mgmt, with the mgmt VRF in it and enabling bidirectional traffic between the router zone and the mgmt zone, but the VyOS router is still not reachable.
Any help with implementing access between the local-zone and a zone with a VRF would be helpful.
It happened because ZBF blocks all traffic between zones by default. To restore access, you must explicitly allow mgmt traffic between local and the zone of the mgmt VRF.
You can try this example:
set firewall zone mgmt-zone interface ethX.Y
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'
set firewall name mgmt-to-local default-action drop
set firewall name mgmt-to-local rule 10 action accept
set firewall name mgmt-to-local rule 10 protocol tcp
set firewall name mgmt-to-local rule 10 destination port 22,443
set firewall zone local-zone from mgmt-zone firewall name mgmt-to-local
Thanks for the update. I tried the below as suggested, but I'm still not able to ping the mgmt IP (192.168.77.5).
Below is my config:
set interfaces ethernet eth1 address 192.168.77.5/24
set interfaces ethernet eth1 vrf mgmt
set vrf name mgmt table 100
set vrf name mgmt protocols static route 0.0.0.0/0 next-hop 192.168.77.1
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'
set firewall name mgmt-to-local default-action drop
set firewall name mgmt-to-local rule 10 action accept
set firewall name mgmt-to-local rule 10 protocol icmp
set firewall name mgmt-to-local rule 11 action accept
set firewall name mgmt-to-local rule 11 protocol tcp
set firewall name mgmt-to-local rule 11 destination port 22
set firewall zone mgmt-zone interface eth1
set firewall zone vyos local-zone
set firewall zone vyos from mgmt-zone firewall name mgmt-to-local
I even tried to add the rule below:
set firewall zone mgmt-zone from vyos firewall name mgmt-to-local
I'm still not able to ping the IP 192.168.77.5 nor SSH to it. Not sure if I have missed any step.
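As an added example that is not part of this thread, the small Python checker below parses the `set firewall zone ...` lines of a VyOS config into a zone matrix and lists every zone pair that has no `from` policy, since ZBF drops traffic for an unlisted pair by default. The sample lines are constructed from the config posted above (zones `vyos` and `mgmt-zone`); the zone names and the file format are assumptions matching the thread, not output from the OP's router.

```python
import re
from collections import defaultdict

# Constructed sample: only the zone lines from the config posted in the thread.
SAMPLE_CONFIG = """
set firewall zone mgmt-zone interface eth1
set firewall zone vyos local-zone
set firewall zone vyos from mgmt-zone firewall name mgmt-to-local
""".strip().splitlines()

ZONE_RE = re.compile(r"^set firewall zone (\S+)(?: (.*))?$")


def parse_zones(lines):
    """Build {zone: {"interfaces": [...], "local": bool, "from": {src: policy}}}."""
    zones = defaultdict(lambda: {"interfaces": [], "local": False, "from": {}})
    for line in lines:
        m = ZONE_RE.match(line.strip())
        if not m:
            continue  # not a zone statement; ignored by this checker
        zone, rest = m.group(1), (m.group(2) or "").split()
        entry = zones[zone]
        if rest[:1] == ["interface"] and len(rest) >= 2:
            entry["interfaces"].append(rest[1])
        elif rest[:1] == ["local-zone"]:
            entry["local"] = True
        elif len(rest) >= 5 and rest[0] == "from" and rest[2:4] == ["firewall", "name"]:
            entry["from"][rest[1]] = rest[4]  # policy applied to traffic src -> zone
    return dict(zones)


def missing_directions(zones):
    """Return (src, dst) zone pairs with no policy; ZBF drops these by default."""
    names = sorted(zones)
    gaps = []
    for dst in names:
        for src in names:
            if src != dst and src not in zones[dst]["from"]:
                gaps.append((src, dst))
    return gaps


if __name__ == "__main__":
    zones = parse_zones(SAMPLE_CONFIG)
    for src, dst in missing_directions(zones):
        print(f"no policy for {src} -> {dst}: traffic in that direction is dropped")
```

Run against the first posted config it reports the `vyos -> mgmt-zone` direction as unpoliced; whether the global state-policy alone is enough to carry reply traffic in that direction is not something this thread settles.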