Firewall rules for blocking traffic between two devices

Hello guys,

I have configured Vyos 1.5 rolling release
This setup has three VMs with different IPs connected to Vyos router:

VM1: 10.10.150.1 (10.10.150.2 to vyos)
VM2: 10.20.150.1 (10.20.150.2 to vyos)
VM3: 10.30.150.1 (10.30.150.2 to vyos)

What I want is that VM1 and VM2 shouldn’t communicate with each other, and VM3 can communicate with all the VMs.

I tried using below commands:

set firewall group network-group VM-NETWORKS network 10.10.150.0/24
set firewall group network-group VM-NETWORKS network 10.20.150.0/24
set firewall group network-group VM-NETWORKS network 10.30.150.0/24

set firewall ipv4 name BLK-VM-NW default-action accept
set firewall ipv4 name BLK-VM-NW rule 10 action drop
set firewall ipv4 name BLK-VM-NW rule 10 source group network-group VM-NETWORKS
set firewall ipv4 name BLK-VM-NW rule 10 destination group network-group VM-NETWORKS

set interfaces ethernet eth0 firewall in name BLK-VM-NW
set interfaces ethernet eth1 firewall in name BLK-VM-NW
set interfaces ethernet eth2 firewall in name BLK-VM-NW

The first two sets of commands are accepted and committed successfully, but the last set won’t.

I already went through this Official Documentation but still not able to figure out how to apply these firewall rules.

I tried alternatives to it and researched it more.
My objective is that I don’t want VM1 and VM2 to communicate, and VM3 to communicate with all VMs.
Requesting the community for specific answers, as I am very new to Vyos.

That’s not the correct syntax for 1.5. You no longer apply the firewall to the interface; you call the interface within the rule with either inbound-interface or outbound-interface.

If you wanted to use a named policy like you’re doing, you’ll need to apply it with a jump action to the forward chain.

You don’t assign firewalls to interfaces anymore. The current way is to create jump targets.

For example, you’d do something like this to have all 3 interfaces get handled by BLK-VM-NW.

set firewall group interface-group VM-INTERFACES interface eth0
set firewall group interface-group VM-INTERFACES interface eth1
set firewall group interface-group VM-INTERFACES interface eth2

set firewall ipv4 input filter rule 1 action jump
set firewall ipv4 input filter rule 1 inbound-interface group VM-INTERFACES
set firewall ipv4 input filter rule 1 jump-target BLK-VM-NW
1 Like

Hello artooro and L0crian,

Thanks for providing the info and required commands.

Using the knowledge you mentioned about ‘create jump targets’, I was able to achieve my objective mentioned earlier.

The commands that I used were:

set firewall group address-group VM-ADDRESS address 10.10.150.1
set firewall group address-group VM-ADDRESS address 10.20.150.1
set firewall ipv4 name BLOCK-VM-ADDRESS default-action accept
set firewall ipv4 name BLOCK-VM-ADDRESS rule 10 action drop
set firewall ipv4 name BLOCK-VM-ADDRESS rule 10 source group address-group VM-ADDRESS
set firewall ipv4 name BLOCK-VM-ADDRESS rule 10 destination group address-group VM-ADDRESS
set firewall group interface-group VM-INTERFACES interface eth0
set firewall group interface-group VM-INTERFACES interface eth1
set firewall ipv4 forward filter rule 20 action jump
set firewall ipv4 forward filter rule 20 inbound-interface group VM-INTERFACES
set firewall ipv4 forward filter rule 20 jump-target BLOCK-VM-ADDRESS

I refined the commands again to minimize the subnet by using address-group rather than network-group.

Thank you again!
The community here is wonderful!!

2 Likes
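To check how the final rule set above behaves before committing it, here is an added example (not part of the thread and not VyOS code): a small Python model of the forward-chain evaluation the replies describe, with the interface-to-subnet mapping assumed from the first post's address plan. It also evaluates the first post's network-group design, which would have dropped VM3's traffic as well, and a constructed second host on VM1's subnet, which the address-group variant does not cover.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology; which interface faces which
# subnet is an assumption taken from the first post's address plan.
INTERFACE_OF = {"eth0": "10.10.150.0/24", "eth1": "10.20.150.0/24", "eth2": "10.30.150.0/24"}
ALL_IFACES = ("eth0", "eth1", "eth2")

def inbound_interface(src):
    """Interface a packet from src enters the router on."""
    for iface, net in INTERFACE_OF.items():
        if ip_address(src) in ip_network(net):
            return iface
    raise ValueError(f"no interface for {src}")

def in_group(addr, members):
    """Membership test for an address-group (host entries) or a network-group (prefixes)."""
    return any(ip_address(addr) in ip_network(m) for m in members)

def named_chain(src, dst, members):
    """The jump target: rule 10 drops group->group traffic, default-action accept.
    accept is a final verdict, so the packet never returns to the forward chain."""
    if in_group(src, members) and in_group(dst, members):
        return "drop"
    return "accept"

def forward_filter(src, dst, members, jump_ifaces=("eth0", "eth1")):
    """forward filter: rule 20 jumps when the inbound interface is in the
    interface-group; anything else falls through to the chain default (accept)."""
    if inbound_interface(src) in jump_ifaces:
        return named_chain(src, dst, members)
    return "accept"

ADDRESS_GROUP = ["10.10.150.1", "10.20.150.1"]        # the final config's VM-ADDRESS
NETWORK_GROUP = ["10.10.150.0/24", "10.20.150.0/24"]  # whole-subnet variant
ORIGINAL_GROUP = NETWORK_GROUP + ["10.30.150.0/24"]   # the first post's VM-NETWORKS

if __name__ == "__main__":
    flows = [("10.10.150.1", "10.20.150.1"), ("10.30.150.1", "10.10.150.1"),
             ("10.10.150.5", "10.20.150.1")]  # .5 is a constructed extra host on VM1's subnet
    for label, members, ifaces in (("address-group", ADDRESS_GROUP, ("eth0", "eth1")),
                                   ("network-group", NETWORK_GROUP, ("eth0", "eth1")),
                                   ("first post", ORIGINAL_GROUP, ALL_IFACES)):
        for src, dst in flows:
            print(f"{label:13} {src} -> {dst}: {forward_filter(src, dst, members, ifaces)}")
```

Because the jump target ends with default-action accept, packets from eth0/eth1 that are not dropped never reach any forward-filter rule numbered above 20; use default-action return on the named chain if later forward rules must still apply to them.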
