I was still using 1.4 in my home lab but with Stream getting launched I figured it’s a good time to jump to 1.5.
After reboot the router was not accessible over the network, so I went into the console. There were no migration errors. In fact the only migrations that caused changes were related to DHCP.
But I could not even ping the IP address of the eth1 LAN interface from the console itself.
By process of elimination I found that deleting the invalid global state-policy brought the network back online.
firewall {
    global-options {
        state-policy {
            established {
                action accept
            }
            invalid {
                action drop
            }
            related {
                action accept
            }
        }
    }
}
and is now
firewall {
    global-options {
        state-policy {
            established {
                action accept
            }
            related {
                action accept
            }
        }
    }
}
And I’m not seeing any other issues. I have not tried to reproduce this on other hardware, but my hardware is pretty generic, an Atom D525 CPU with e1000e NICs.
Anyone else experience this, or is there something I should look at to determine the cause?
I had that issue and several other ones, too. (No bridges here, either. I am running a 4-port APU4 for hardware.)
I tried several times to import a config from 1.5rolling, and it consistently lost all firewall settings (“show conf commands” would start its listing with “set interfaces ethernet…”, without showing any “set firewall…” statements.) Note, if I did a “cat /config/config.boot”, the firewall statements were there, they just weren’t picked up as part of the running config or displayed when I ran “show conf commands”.
It lost zone interfaces. I had to go in and add back the physical interfaces for each of my zones (except the self zone). Once I did that and “committed”, the “show conf commands” showed all the “set firewall” statements again.
And like you, I lost network connectivity. [Edit - DHCP worked - I still got an IPv4 address - but I couldn’t SSH into or ping the router.] (Fortunately my serial port kept working.) Your suggestion to “delete firewall global-options state-policy” seems to have fixed that. Thank you for that!
I had already reinstalled the latest 1.5rolling before I read your note. 1.5 Stream seems to be working now. My rules all have “default-actions” and a “drop” action for any “invalid” state, so I think I’m okay in terms of firewall behavior (though I’ll go back and review, to be sure).
Good to know I’m not the only one.
My ingress firewall has a jump that applies to the WAN interface, and otherwise accepts all traffic. So it’s odd that the global state policy is blocking the local interfaces.
I haven’t spent the time to compare the generated nftables rules with an older install yet.
I tried it again on different hardware (a basic 2-port SuperMicro J1900-based board) and had basically the same issues. My steps were a bit different between my two trials, but bottom line, after migrating from 1.5-rolling, I had to remove the troublesome firewall global state policy and add back in my two zones’ physical interfaces.
As an experiment, I tried adding that set firewall global-options state-policy invalid action 'drop' statement back in. The instant I entered commit I lost SSH access to the router. I could still surf the web through the router, I just couldn’t manage it. I hit the power button for a graceful shutdown, and since I hadn’t saved my commit, it was fine when it booted back up.
@Viacheslav this change only works for IPv4. Just realized that my IPv6 router advertisements weren’t working, and turns out it’s being caused by the same issue so that table needs the same change.
Same issue here. After upgrading to vyos-1.5-stream-2025-Q1, outgoing traffic originating from the firewall itself is marked as invalid. Forwarded traffic works fine though, even with bridges.
The suggested fix works (it removes the state check from VYOS_OUTPUT_raw):
Before:
@artooro If you want to apply the fix for IPv6 you can apply it the same way:
On Line 242 (chain VYOS_IPV6_OUTPUT_) replace this line: {% if global_options.state_policy is vyos_defined %}
with: {% if global_options.state_policy is vyos_defined and prior == 'filter' %}
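A quick check for the condition this thread describes, added here as an example (not code from the thread or from VyOS): conntrack attaches state at priority -200, so a base chain hooked at raw priority (-300) evaluates `ct state` before any state exists, and `ct state invalid drop` there hits every locally generated packet. The function scans `nft list ruleset` text and flags base chains that match on `ct state` ahead of conntrack; the ruleset below is constructed, not captured from a router.

```python
import re

# Constructed sample of `nft list ruleset` output (not a real capture):
# a VYOS_OUTPUT_raw chain at raw priority with a ct state rule, and a
# filter-priority output chain with the same kind of rules.
SAMPLE_RULESET = """\
table ip vyos_filter {
    chain VYOS_OUTPUT_raw {
        type filter hook output priority raw; policy accept;
        ct state invalid counter drop
        counter return
    }
    chain VYOS_OUTPUT_filter {
        type filter hook output priority filter; policy accept;
        ct state established counter accept
        ct state related counter accept
        ct state invalid counter drop
    }
}
"""

# Standard nftables priority names for the ip/ip6 families.
PRIORITY = {"raw": -300, "mangle": -150, "dstnat": -100,
            "filter": 0, "security": 50, "srcnat": 100}
CONNTRACK_PRIORITY = -200  # conntrack runs here; earlier chains see no state


def chains_with_ct_before_conntrack(ruleset: str):
    """Return (chain name, priority) for every base chain that matches on
    `ct state` but is hooked before conntrack has run, so the match cannot
    work and `ct state invalid` drops all traffic originating locally."""
    findings = []
    for m in re.finditer(r"chain (\S+) \{(.*?)\n\s*\}", ruleset, re.S):
        name, body = m.group(1), m.group(2)
        hook = re.search(r"hook \w+ priority (-?\w+);", body)
        if not hook:
            continue  # regular chain without a hook, not a base chain
        prio = hook.group(1)
        prio_num = int(prio) if prio.lstrip("-").isdigit() else PRIORITY.get(prio)
        if prio_num is None:
            continue  # unknown priority keyword, skip rather than guess
        if prio_num < CONNTRACK_PRIORITY and "ct state" in body:
            findings.append((name, prio_num))
    return findings


if __name__ == "__main__":
    for chain, prio in chains_with_ct_before_conntrack(SAMPLE_RULESET):
        print(f"{chain}: ct state match at priority {prio}, before conntrack")
```

On a live router, feed it the output of `sudo nft list ruleset` instead of the sample.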