Firewall local-zone with mgmt vrf

I have an interface in the mgmt VRF that is used for management purposes. When I enable the zone-based firewall with the zone "router" as the local-zone, my access to the router is lost.

I tried writing firewall rules to allow traffic between zones by creating another zone, mgmt, containing the mgmt VRF, and enabling bidirectional traffic between the router zone and the mgmt zone, but the VyOS router is still not reachable.

Any help with implementing access between the local-zone and a zone containing a VRF would be appreciated.

It happened because ZBF blocks all traffic between zones by default. To restore access, you must explicitly allow mgmt traffic between the local zone and the zone of the mgmt VRF.
You can try this example:

set firewall zone mgmt-zone interface ethX.Y
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'
set firewall name mgmt-to-local default-action drop
set firewall name mgmt-to-local rule 10 action accept
set firewall name mgmt-to-local rule 10 protocol tcp
set firewall name mgmt-to-local rule 10 destination port 22,443

set firewall zone local-zone from mgmt-zone firewall name mgmt-to-local

Hi,

Thanks for the update. I tried the below as suggested, but I'm still not able to ping the mgmt IP (192.168.77.5).

Below is my config:

set interfaces ethernet eth1 address 192.168.77.5/24
set interfaces ethernet eth1 vrf mgmt

set vrf name mgmt table 100
set vrf name mgmt protocols static route 0.0.0.0/0 next-hop 192.168.77.1

set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'
set firewall name mgmt-to-local default-action drop

set firewall name mgmt-to-local rule 10 action accept
set firewall name mgmt-to-local rule 10 protocol icmp
set firewall name mgmt-to-local rule 11 action accept
set firewall name mgmt-to-local rule 11 protocol tcp
set firewall name mgmt-to-local rule 11 destination port 22

set firewall zone mgmt-zone interface eth1
set firewall zone vyos local-zone

set firewall zone vyos from mgmt-zone firewall name mgmt-to-local

I even tried adding the rule below:

set firewall zone mgmt-zone from vyos firewall name mgmt-to-local

I'm still not able to ping the IP 192.168.77.5 nor SSH to it. Not sure if I have missed a step.

Traffic cannot flow between a zone member interface and any interface that is not a zone member. In Linux, a VRF is a "network device".

Hi ,

Does that mean traffic cannot flow between a zone that has an interface (e.g. mgmt in my use case) and the local-zone (e.g. vyos in my use case)?

Or is there some way to achieve the same?

After changing the zone interface for mgmt-zone to the VRF name (as below), the same started working:

set firewall zone mgmt-zone interface mgmt

My observation is that I also have to enable the established and related rules in the firewall ruleset for the traffic between zones.

Why is this still needed even though the same is specified in global-options, as below?

set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy related action 'accept'
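The complete configuration that the thread converges on, written out as an added example (this is not a post from the thread, nor VyOS project documentation). The reason the VRF name has to be the zone member is how Linux VRF works: packets arriving on an interface enslaved to a VRF are handed to the VRF device before they reach the local input path, so a zone rule matching on eth1 never sees traffic destined for the router itself, while a rule matching on the VRF device mgmt does. Assumptions, none of which are in the thread: the management subnet is 192.168.77.0/24 and the rulesets restrict sources to it; a local-to-mgmt ruleset is added for the router's own outbound traffic; the per-ruleset state rules are kept because the last post reports they were still needed; the commit is done with a rollback timer. The command syntax follows the thread; some VyOS 1.4 releases spell the rulesets firewall ipv4 name rather than firewall name, and drop the trailing enable from the state keywords.

```vyos
# Added example, not from the thread. Management interface enslaved to the
# mgmt VRF; the router (local-zone 'vyos') must stay reachable over it.
# Assumed names: eth1, VRF 'mgmt', zones 'vyos' and 'mgmt-zone',
# management subnet 192.168.77.0/24.

# Management interface lives in the mgmt VRF
set interfaces ethernet eth1 address '192.168.77.5/24'
set interfaces ethernet eth1 vrf 'mgmt'
set vrf name mgmt table '100'
set vrf name mgmt protocols static route 0.0.0.0/0 next-hop '192.168.77.1'

# Global state policy (the thread reports per-ruleset state rules were
# still needed, so they are repeated in each ruleset below)
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy related action 'accept'
set firewall global-options state-policy invalid action 'drop'

# Traffic entering the router from the management zone:
# only ICMP and SSH, and only from the management subnet (assumed restriction)
set firewall name mgmt-to-local default-action 'drop'
set firewall name mgmt-to-local rule 5 action 'accept'
set firewall name mgmt-to-local rule 5 state established 'enable'
set firewall name mgmt-to-local rule 5 state related 'enable'
set firewall name mgmt-to-local rule 10 action 'accept'
set firewall name mgmt-to-local rule 10 protocol 'icmp'
set firewall name mgmt-to-local rule 10 source address '192.168.77.0/24'
set firewall name mgmt-to-local rule 20 action 'accept'
set firewall name mgmt-to-local rule 20 protocol 'tcp'
set firewall name mgmt-to-local rule 20 destination port '22'
set firewall name mgmt-to-local rule 20 source address '192.168.77.0/24'

# Traffic the router itself sends into the management zone:
# replies are covered by the state rule, ICMP allows pinging out for troubleshooting
set firewall name local-to-mgmt default-action 'drop'
set firewall name local-to-mgmt rule 5 action 'accept'
set firewall name local-to-mgmt rule 5 state established 'enable'
set firewall name local-to-mgmt rule 5 state related 'enable'
set firewall name local-to-mgmt rule 10 action 'accept'
set firewall name local-to-mgmt rule 10 protocol 'icmp'

# Zones: the member of mgmt-zone is the VRF device 'mgmt', not eth1
set firewall zone vyos local-zone
set firewall zone vyos default-action 'drop'
set firewall zone mgmt-zone interface 'mgmt'
set firewall zone mgmt-zone default-action 'drop'
set firewall zone vyos from mgmt-zone firewall name 'mgmt-to-local'
set firewall zone mgmt-zone from vyos firewall name 'local-to-mgmt'

# Commit with a rollback timer: if the session is lost, the change reverts
commit-confirm 5
confirm
```

Enter everything in one configure session so the zones and their rulesets are committed together; committing the local-zone definition before the mgmt-to-local ruleset exists cuts the session off. If the router needs to reach services in the management network beyond ICMP (DNS, NTP, syslog), add those as explicit rules to local-to-mgmt rather than loosening its default action.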
