Firewall/Zone Policy on GRE Tunnel


#1

I am having great difficulty getting a GRE tunnel to pass traffic when the interface is in a zone and a firewall which allows traffic is applied. I have a very simple configuration with a VyOS firewall/router on each of two Hyper-V hosts. There are several Ethernet interfaces on each firewall and a GRE tunnel interface. I am not using the Ethernet interfaces at the moment. The tunnel is defined as follows:

tunnel tun0 {
    address 10.100.255.1/30
    encapsulation gre
    local-ip 192.168.30.250
    multicast disable
    remote-ip 192.168.30.251
}

The definition on the other end of the tunnel is the same except that the address is 10.100.255.2 and the local and remote IPs are swapped. These are the addresses of the external Ethernet interface.

I have defined a route from this VyOS router to a network connected to the other VyOS router on the other Hyper-V server like this:

interface-route 10.100.135.0/24 {
    next-hop-interface tun0 {
    }
}

If I now ping 10.100.135.254 from the first VyOS router I get responses from the second VyOS router. (The address is the gateway address for one of the Ethernet interfaces.) In this scenario the pings are crossing the tunnel and being delivered to the router itself. I have checked this, and if I disable the tunnel the responses stop. Also I can monitor the tun0 interface and see traffic on it.

Now I create a zone for LOCAL and the tunnel as follows:

zone LOCAL {
    default-action drop
    local-zone
}

zone TUNNEL {
    default-action drop
    interface tun0
}

As soon as I commit these changes the pings stop as expected.

I now create a firewall that allows all traffic through. I called it ANYANY

name ANYANY {
    default-action accept
    enable-default-log
}

I also set some state-policy

state-policy {
    established {
        action accept
    }
    invalid {
        action drop
    }
    related {
        action accept
    }
}

and applied the firewall to the zone as follows:

zone LOCAL {
    default-action drop
    from TUNNEL {
        firewall {
            name ANYANY
        }
    }
    local-zone
}

Now when I ping the same address as before there are no responses and no traffic on the tun0 interface.

However, if I do a ping from the second VyOS router to the first, both pings start working, which sounds like there is an “ESTABLISHED” rule, but I have the same state-policy on both, so I don’t understand this.

If anyone can suggest what is wrong I would be very grateful.

I have attached the config files from each of the VyOS routers. They are the same except for names of things and addresses.
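As an added illustration (not part of the original post or its attached configs): VyOS zone policy is directional, so a "zone LOCAL from TUNNEL" policy only covers packets arriving on tun0 and destined for the router itself. Packets the router originates toward tun0 leave zone LOCAL and enter zone TUNNEL, which needs its own "from LOCAL" policy or its default-action drop applies, while replies to inbound traffic are let through by the global established/related state-policy. The fragment below keeps the post's ANYANY name and state-policy, adds the missing TUNNEL-from-LOCAL direction, and also places the Ethernet interface that carries the tunnel endpoints into a WAN zone so the GRE transport (IP protocol 47) is explicitly permitted in both directions. The interface name eth0, the zone name WAN and the firewall names WAN-LOCAL and LOCAL-WAN are assumptions for the example; the post does not say which Ethernet interface holds 192.168.30.250.

```text
firewall {
    name ANYANY {
        default-action accept
        enable-default-log
    }
    /* assumed name: GRE transport from the peer router into the local zone */
    name WAN-LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "GRE from the peer VyOS router"
            protocol gre
            source {
                address 192.168.30.251
            }
        }
    }
    /* assumed name: GRE transport from the local zone out to the peer */
    name LOCAL-WAN {
        default-action drop
        rule 10 {
            action accept
            description "GRE to the peer VyOS router"
            protocol gre
            destination {
                address 192.168.30.251
            }
        }
    }
    state-policy {
        established {
            action accept
        }
        invalid {
            action drop
        }
        related {
            action accept
        }
    }
}
zone-policy {
    zone LOCAL {
        default-action drop
        local-zone
        from TUNNEL {
            firewall {
                name ANYANY
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
    }
    zone TUNNEL {
        default-action drop
        interface tun0
        /* the direction missing from the original post: router-originated traffic into tun0 */
        from LOCAL {
            firewall {
                name ANYANY
            }
        }
    }
    /* assumed: eth0 is the interface holding 192.168.30.250 */
    zone WAN {
        default-action drop
        interface eth0
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
    }
}
```

The second router gets the mirror image with 192.168.30.250 as the peer address. Without the "zone TUNNEL from LOCAL" entry, a ping started on the router is dropped on the way out, which is consistent with seeing no traffic at all on tun0; a ping started from the far side still enters via ANYANY and its replies ride on the established state-policy.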


#2

First of all, I’m not that familiar with zone-based firewalling…
but it seems like you’re not allowing GRE in on eth0, blocking the tunneled traffic.


#3

Thanks for the reply and your suggestion. I hadn’t thought of that. Sadly it didn’t help though; it still doesn’t work as it should. It is a shame that there is no reference manual or decent examples to work from, but then again it is free :-) I have spent several weeks on this and got nowhere, so I am going to dump VyOS and look for alternatives. Apparently Hyper-V can do some simple VLAN routing if it is configured with PowerShell, so that’s worth a look. I’ve seen mention of a thing called pfSense, so that might be worth trying as well.


#4

VyOS’s predecessor Vyatta was well documented; do a Google search for Vyatta-Firewall_6.5R1_v01.pdf to read more about zone-based firewalling.

Doing the GRE tunneling directly in Hyper-V uses fewer resources than any other solution. But it’s meant to be managed with System Center Virtual Machine Manager; going the pure PowerShell way seems like a challenge to me too.


#5