Firewall rules not matching


I recently started using VyOS and everything seems to be setup fine. However I cannot seem to get the firewalls rules to be applied. They look correct as below.I’m not sure what I am missing.

I have setup multiple interfaces on eth0 in the subnet. I am performing a destination and source NAT. If the firewall is not applied to eth0, everything works perfectly and I can RDP to the server on the other side, however as soon as I apply the firewall to interface eth0 the traffic gets blocked.

I tried both group and standalone firewall rules, but no joy.

firewall { all-ping enable broadcast-ping disable config-trap disable group { address-group RDPHOSTS { address description "RDP Traffic" } network-group RDPNETWORKS { description "Networks allowed to connect to RDP" network } port-group RDPPORTS { description "TCP Ports for RDP Access" port 3389 } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name OUTSIDE-IN { default-action drop rule 10 { action accept state { established enable related enable } } rule 20 { action accept icmp { type-name echo-request } protocol icmp state { new enable } } rule 22 { action accept description "Allow RDP to internal server" destination { address port 3389 } protocol tcp } rule 30 { action accept destination { group { address-group RDPHOSTS port-group RDPPORTS } } protocol tcp source { group { network-group RDPNETWORKS } } } rule 100 { action accept destination { port 500 } protocol udp } rule 200 { action accept protocol esp } }

Chain OUTSIDE-IN (1 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- any any anywhere anywhere /* OUTSIDE-IN-10 */ state RELATED,ESTABLISHED 0 0 RETURN icmp -- any any anywhere anywhere /* OUTSIDE-IN-20 */ state NEW icmp echo-request 0 0 RETURN tcp -- any any anywhere /* OUTSIDE-IN-22 */ tcp dpt:3389 0 0 RETURN tcp -- any any anywhere /* OUTSIDE-IN-23 */ tcp dpt:ssh 0 0 RETURN udp -- any any anywhere anywhere /* OUTSIDE-IN-100 */ udp dpt:isakmp 0 0 RETURN esp -- any any anywhere anywhere /* OUTSIDE-IN-200 */ 2677 170K DROP all -- any any anywhere anywhere /* OUTSIDE-IN-10000 default-action drop */

I can definately see the packet/byte count increasing for the dropped packets, so definately know the traffic is getting through but for some reason it is not matching anything?

Any help appreciated.


So figured out what was going on! cannot believe i missed this.

DNAT is being performed before the firewall rules are being applied. So I needed to include/add my private IP address ( range) in the firewall instead of keeping the public range.

Once I had done that all firewall rules worked as expected.