TO:
DESTINATION NETWORK (routed):
PRIVILEGED DESTINATIONS: 10.20.1.0/24, 10.20.2.0/24
ALL OTHERS ALLOWED: 10.20.0.0/16
If a packet arrives at the VyOS and the destination IP is a PRIVILEGED DESTINATION (10.20.1.0 or 10.20.2.0) and the source IP is NOT from a PRIVILEGED source, then deny; otherwise allow.
For all other packets, whose destination is NOT a PRIVILEGED DESTINATION, do nothing (allow all).
Another way to do it would be:
If a packet arrives at the VyOS and the destination IP is a PRIVILEGED DESTINATION (10.20.1.0 or 10.20.2.0) and the source IP is from a PRIVILEGED source, allow; otherwise deny.
set firewall group network-group privileged_source description 'put a meaningful description here'
set firewall group network-group privileged_source network '10.1.1.0/24'
set firewall group network-group privileged_source network '10.1.2.0/24'
set firewall group network-group privileged_dest description 'put a meaningful description here'
set firewall group network-group privileged_dest network '10.20.1.0/24'
set firewall group network-group privileged_dest network '10.20.2.0/24'
set firewall name demo default-action drop
set firewall name demo rule 10 action accept
set firewall name demo rule 10 source group network-group privileged_source
set firewall name demo rule 10 destination group network-group privileged_dest
set firewall name demo rule 11 action drop
set firewall name demo rule 11 destination group network-group privileged_dest
set firewall name demo rule 20 action accept
set firewall name demo rule 20 destination address 10.20.0.0/16
That should do it, according to your first description (but your second one, after “Another way to do it would be,” is not equivalent).
Also don’t forget that you need to apply the firewall ruleset to an interface, otherwise it does nothing:
set interfaces ethernet <appropriate interface name> firewall in name demo
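The ruleset above is small enough to check by hand, but the two points the answer makes (the config implements the first wording, not the second, and rule 11 is what keeps rule 20 from accepting privileged destinations from anyone) are easy to verify by modelling VyOS first-match evaluation offline. The following Python model is an added example, not code from the thread or from VyOS. It uses the answer's network groups; the privileged source networks 10.1.1.0/24 and 10.1.2.0/24 are the answer's own assumption, since the question's source list is not shown, and the sample packets are constructed here. The `firewall name ...` and `interfaces ... firewall in name ...` syntax in the answer is the VyOS 1.2/1.3 form; VyOS 1.4 restructured the firewall CLI, so check the release documentation before pasting it into a newer box.

```python
"""Offline model of the posted VyOS ruleset (added example, not the thread's own code).

Rules are tried in ascending number, the first match wins, and a packet that
matches no rule gets the default action. Sample packets are constructed here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Network groups, mirroring `set firewall group network-group ...`.
# The source networks are the answer's assumption; the question does not list them.
PRIVILEGED_SOURCE = [ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24")]
PRIVILEGED_DEST = [ip_network("10.20.1.0/24"), ip_network("10.20.2.0/24")]
ROUTED = [ip_network("10.20.0.0/16")]


def in_group(addr: IPv4Address, group: list[IPv4Network]) -> bool:
    return any(addr in net for net in group)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "accept" or "drop"
    source: Optional[list] = None    # None: no source criterion on this rule
    dest: Optional[list] = None      # None: no destination criterion on this rule

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if self.source is not None and not in_group(src, self.source):
            return False
        if self.dest is not None and not in_group(dst, self.dest):
            return False
        return True


# The `demo` ruleset from the answer, with default-action drop.
DEMO_RULES = [
    Rule(10, "accept", source=PRIVILEGED_SOURCE, dest=PRIVILEGED_DEST),
    Rule(11, "drop", dest=PRIVILEGED_DEST),
    Rule(20, "accept", dest=ROUTED),
]


def evaluate(rules, src: str, dst: str,
             default_action: str = "drop") -> tuple[str, Optional[int]]:
    """Return (action, matching rule number); rule number is None for the default."""
    s, d = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(s, d):
            return rule.action, rule.number
    return default_action, None


def first_description(src: str, dst: str) -> str:
    """Question's first wording: deny privileged destinations from non-privileged
    sources, allow everything else in the routed network."""
    s, d = ip_address(src), ip_address(dst)
    if in_group(d, PRIVILEGED_DEST) and not in_group(s, PRIVILEGED_SOURCE):
        return "drop"
    return "accept"


def second_description(src: str, dst: str) -> str:
    """Question's 'another way': allow privileged-to-privileged, deny the rest."""
    s, d = ip_address(src), ip_address(dst)
    if in_group(d, PRIVILEGED_DEST) and in_group(s, PRIVILEGED_SOURCE):
        return "accept"
    return "drop"


# Constructed (source, destination) pairs that exercise every branch.
SAMPLE_PACKETS = [
    ("10.1.1.5", "10.20.1.7"),      # privileged source -> privileged dest
    ("192.168.5.5", "10.20.2.9"),   # other source -> privileged dest
    ("192.168.5.5", "10.20.50.9"),  # other source -> ordinary routed dest
    ("10.1.2.5", "10.20.50.9"),     # privileged source -> ordinary routed dest
]


def ruleset_matches_description(rules, describe) -> bool:
    """True if the ruleset gives the same verdict as the wording on every sample."""
    return all(evaluate(rules, s, d)[0] == describe(s, d) for s, d in SAMPLE_PACKETS)


def rule_11_is_needed() -> bool:
    """Without rule 11, rule 20 accepts privileged destinations from any source."""
    without_11 = [r for r in DEMO_RULES if r.number != 11]
    return evaluate(without_11, "192.168.5.5", "10.20.2.9")[0] == "accept"


if __name__ == "__main__":
    for s, d in SAMPLE_PACKETS:
        print(f"{s:>12} -> {d:<12} demo={evaluate(DEMO_RULES, s, d)} "
              f"first={first_description(s, d)} second={second_description(s, d)}")
    print("matches first description:", ruleset_matches_description(DEMO_RULES, first_description))
    print("matches second description:", ruleset_matches_description(DEMO_RULES, second_description))
    print("rule 11 needed:", rule_11_is_needed())
```

Note that a destination outside 10.20.0.0/16 matches no rule and falls to the default drop; that is what the question's "ALL OTHERS ALLOWED: 10.20.0.0/16" line implies, but if other destination networks are routed through the same interface they need their own accept rule.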