Hi,
I recently started using VyOS and everything seems to be set up fine. However, I cannot seem to get the firewall rules to be applied. They look correct, as below. I'm not sure what I am missing.
I have set up multiple interfaces on eth0 in the 192.168.1.0/24 subnet. I am performing a destination and source NAT. If the firewall is not applied to eth0, everything works perfectly and I can RDP to the server on the other side; however, as soon as I apply the firewall to interface eth0 the traffic gets blocked.
I tried both group and standalone firewall rules, but no joy.
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group RDPHOSTS {
            address 192.168.1.11
            description "RDP Traffic"
        }
        network-group RDPNETWORKS {
            description "Networks allowed to connect to RDP"
            network 192.168.1.0/24
        }
        port-group RDPPORTS {
            description "TCP Ports for RDP Access"
            port 3389
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name OUTSIDE-IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 22 {
            action accept
            description "Allow RDP to internal server"
            destination {
                address 192.168.1.11
                port 3389
            }
            protocol tcp
        }
        rule 30 {
            action accept
            destination {
                group {
                    address-group RDPHOSTS
                    port-group RDPPORTS
                }
            }
            protocol tcp
            source {
                group {
                    network-group RDPNETWORKS
                }
            }
        }
        rule 100 {
            action accept
            destination {
                port 500
            }
            protocol udp
        }
        rule 200 {
            action accept
            protocol esp
        }
    }
Chain OUTSIDE-IN (1 references)
 pkts bytes target  prot opt in  out source   destination
    0     0 RETURN  all  --  any any anywhere anywhere      /* OUTSIDE-IN-10 */ state RELATED,ESTABLISHED
    0     0 RETURN  icmp --  any any anywhere anywhere      /* OUTSIDE-IN-20 */ state NEW icmp echo-request
    0     0 RETURN  tcp  --  any any anywhere 192.168.1.11  /* OUTSIDE-IN-22 */ tcp dpt:3389
    0     0 RETURN  tcp  --  any any anywhere 192.168.1.12  /* OUTSIDE-IN-23 */ tcp dpt:ssh
    0     0 RETURN  udp  --  any any anywhere anywhere      /* OUTSIDE-IN-100 */ udp dpt:isakmp
    0     0 RETURN  esp  --  any any anywhere anywhere      /* OUTSIDE-IN-200 */
 2677  170K DROP    all  --  any any anywhere anywhere      /* OUTSIDE-IN-10000 default-action drop */
I can definitely see the packet/byte count increasing for the dropped packets, so I definitely know the traffic is getting through, but for some reason it is not matching anything?
Any help appreciated.
Thanks
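Added triage helper (not part of the post above, and not VyOS code): it parses the `iptables -L -v` chain listing format shown in the post, reports which rule is absorbing the counters, and cross-checks the rule numbers loaded in the chain against the rule numbers in the `name OUTSIDE-IN` block of the config. The sample listing and the configured rule set are copied from this post.

```python
import re

# Constructed sample: the `iptables -L OUTSIDE-IN -v` listing quoted in the post above.
CHAIN_LISTING = """\
Chain OUTSIDE-IN (1 references)
 pkts bytes target prot opt in out source destination
    0     0 RETURN all  -- any any anywhere anywhere /* OUTSIDE-IN-10 */ state RELATED,ESTABLISHED
    0     0 RETURN icmp -- any any anywhere anywhere /* OUTSIDE-IN-20 */ state NEW icmp echo-request
    0     0 RETURN tcp  -- any any anywhere 192.168.1.11 /* OUTSIDE-IN-22 */ tcp dpt:3389
    0     0 RETURN tcp  -- any any anywhere 192.168.1.12 /* OUTSIDE-IN-23 */ tcp dpt:ssh
    0     0 RETURN udp  -- any any anywhere anywhere /* OUTSIDE-IN-100 */ udp dpt:isakmp
    0     0 RETURN esp  -- any any anywhere anywhere /* OUTSIDE-IN-200 */
 2677  170K DROP   all  -- any any anywhere anywhere /* OUTSIDE-IN-10000 default-action drop */
"""

# Rule numbers present in the `name OUTSIDE-IN` block of the posted config.
CONFIGURED_RULES = {10, 20, 22, 30, 100, 200}

# One counter line: pkts, bytes, target, proto, ..., /* <ruleset>-<number> [default-action ...] */, matches
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+.*?/\*\s*(\S+)([^*]*)\*/\s*(.*)$")

def parse_chain(listing):
    """Turn the listing into a list of dicts, one per rule, in chain order."""
    rules = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Chain ..." and column-header lines carry no counters
        pkts, nbytes, target, proto, name, rest, match = m.groups()
        rules.append({"number": int(name.rsplit("-", 1)[1]), "target": target,
                      "pkts": int(pkts), "bytes": nbytes,
                      "default": "default-action" in rest, "match": match.strip()})
    return rules

def triage(rules, configured):
    """Report where the traffic is going and where the loaded chain and the config disagree."""
    loaded = {r["number"] for r in rules if not r["default"]}
    return {
        "hit": [r["number"] for r in rules if r["pkts"] > 0],
        "silent": [r["number"] for r in rules if r["pkts"] == 0 and not r["default"]],
        "in_config_not_loaded": sorted(configured - loaded),
        "loaded_not_in_config": sorted(loaded - configured),
    }

if __name__ == "__main__":
    for key, value in triage(parse_chain(CHAIN_LISTING), CONFIGURED_RULES).items():
        print(f"{key}: {value}")
```

On the posted listing only the default-action rule has counters, rule 30 from the config is not present in the loaded chain, and rule 23 is loaded but absent from the config shown, which is the kind of mismatch worth resolving (re-commit, or compare `show firewall name OUTSIDE-IN` against the running config) before reasoning about match criteria.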