Getting ZBF to work with VRFs

Hello-
I am running the latest rolling-release on 1.4, and have a question regarding VRFs. I use zone-based firewalling, and what I’m seeing is, if I have multiple interfaces assigned to a VRF, the firewall will see that traffic coming in as the VRF master interface itself, as opposed to the physical interface. The problem is, I have the interfaces within that VRF assigned to different zones, but the rules are never being hit because the firewall isn’t seeing those interfaces within the zone as the source, but rather the VRF master interface. I ended up assigning the VRF master interface to one of the zones, and all interfaces within the same zone as the master interface can talk (intrazone), but the other interfaces in different zones won’t work unless I allow from the zone that contains the VRF interface, as opposed to the physical interface. I’m not sure if that makes sense or not, but just wondering if this is normal or not. Please see below as an example - just wondering if this is by design, and if so, how to properly filter traffic via zones when multiple interfaces within a single VRF are assigned to different zones.

show vrf
Name   State  MAC address        Flags                     Interfaces
MGMT   up     7e:10:a9:22:f9:4e  noarp,master,up,lower_up  eth5
TEST   up     a2:15:47:30:93:d1  noarp,master,up,lower_up  eth1,eth2

show zone-policy
Zone   Interfaces  From Zone  Firewall IPv4   Firewall IPv6
local  LOCAL       mgmt       edge-to-local
                   zone1      zone1-to-local
                   zone2      zone2-to-local
mgmt   eth5        local      local-out
       MGMT
zone1  eth1        local      local-out
                   zone2      zone2-to-zone1
zone2  eth2        local      local-out
       TEST        zone1      zone1-to-zone2

[zone2-to-local-10-A]IN=TEST OUT= MAC=00:32:16:08:53:7b:74:ac:b9:42:16:38:08:00 SRC=192.168.35.113 DST=192.168.35.114 LEN=92 TOS=0x00 PREC=0x00 TTL=64 ID=46348 DF PROTO=ICMP TYPE=8 CODE=0 ID=46111 SEQ=25875

[zone2-to-local-default-D]IN=TEST OUT= MAC=00:32:16:08:34:ac:c4:03:a8:ab:45:50:08:00 SRC=192.168.37.4 DST=192.168.37.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=58690 DF PROTO=TCP SPT=52892 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0

From the logs above, the IN= is the “TEST” VRF interface, as opposed to the physical interface, so the zone firewall rules aren’t being hit. Is there any way for the firewall to see the physical interface coming into the firewall as opposed to the VRF master interface?

Thank you,
Ken
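As an added audit check (this is not code from the post or from VyOS), the script below hand-transcribes the `show vrf` and `show zone-policy` output above plus the two log lines, then reports which member-interface zone assignments can never match because ingress traffic is presented on the VRF master, and which zone each logged hit was actually classified into. The rule prefix and IN= field are the only parts of the log lines it uses.

```python
import re

# Transcribed from the `show vrf` output in the post: VRF master -> member interfaces.
VRF_MEMBERS = {"MGMT": ["eth5"], "TEST": ["eth1", "eth2"]}
# Transcribed from the `show zone-policy` output in the post: zone -> assigned interfaces.
ZONE_INTERFACES = {"local": ["LOCAL"], "mgmt": ["eth5", "MGMT"],
                   "zone1": ["eth1"], "zone2": ["eth2", "TEST"]}
# The two firewall log lines quoted in the post.
LOG_LINES = [
    "[zone2-to-local-10-A]IN=TEST OUT= MAC=00:32:16:08:53:7b:74:ac:b9:42:16:38:08:00 SRC=192.168.35.113 DST=192.168.35.114 LEN=92 TOS=0x00 PREC=0x00 TTL=64 ID=46348 DF PROTO=ICMP TYPE=8 CODE=0 ID=46111 SEQ=25875",
    "[zone2-to-local-default-D]IN=TEST OUT= MAC=00:32:16:08:34:ac:c4:03:a8:ab:45:50:08:00 SRC=192.168.37.4 DST=192.168.37.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=58690 DF PROTO=TCP SPT=52892 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
]
# Log shape shown in the post: "[<rule-prefix>]IN=<iface> OUT=<iface> ..."
LOG_RE = re.compile(r"^\[(?P<prefix>[^\]]+)\]IN=(?P<iif>\S*)")


def zone_of(interface, zone_interfaces=ZONE_INTERFACES):
    """Return the zone an interface is assigned to, or None if it is in no zone."""
    for zone, ifaces in zone_interfaces.items():
        if interface in ifaces:
            return zone
    return None


def shadowed_assignments(vrf_members=VRF_MEMBERS, zone_interfaces=ZONE_INTERFACES):
    """(member, member_zone, master, master_zone) for every VRF member placed in a
    different zone than its master; with IN= set to the master, those rules never match."""
    findings = []
    for master, members in vrf_members.items():
        master_zone = zone_of(master, zone_interfaces)
        for member in members:
            member_zone = zone_of(member, zone_interfaces)
            if member_zone != master_zone:
                findings.append((member, member_zone, master, master_zone))
    return findings


def classify_log(line, vrf_members=VRF_MEMBERS, zone_interfaces=ZONE_INTERFACES):
    """Which zone a logged packet was matched in, and whether IN= is a VRF master."""
    m = LOG_RE.match(line)
    if not m:
        return None
    iif = m.group("iif")
    return {
        "rule": m.group("prefix"),
        "in": iif,
        "matched_zone": zone_of(iif, zone_interfaces),
        "via_vrf_master": iif in vrf_members,
        "possible_physical": vrf_members.get(iif, [iif]),  # candidates hidden behind the master
    }
```

Running `shadowed_assignments()` on the post's layout flags eth1 (zone1) as shadowed by TEST (zone2), which is exactly why zone1's rules are never hit.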

It is something like this discussion: T3933 The firewall does not filter incoming traffic on the interface with vrf.

Thank you, I didn’t realize it was already reported as a bug.
