Help in setting routes between local interfaces

duiod · May 22, 2023, 3:29pm

On my VM vyos1.4, I have 3 network interfaces.

DMZ - 192.168.30.0/24, eth0
ADnet - 192.168.20.0/24, eth1
WSnet - 192.168.10.0/24, eth2

All 3 networks are able to ping to each other by default.

I would like to set the following:
DMZ to be routable to WSnet
DMZ should not be routable to ADnet
WSnet to be routable to ADnet

How should I set it? I’ve tried disabling IP forwarding and manually setting the route with “set protocols static route” but have not been successful.

Thanks, appreciate if anyone can guide me with this as I’m still new to networking.

n.fort · May 22, 2023, 3:37pm

You need to configure firewall rules. For example:

## 1st would sugest configuring global state policies:
set firewall state-policy established action accept
set firewall state-policy related action accept
set firewall state-policy invalid action drop

## Then create custom firewall ruleset
## Create rules that are necessary for your requirements
## Attach these ruleset to interfaces ( in / out / local ) as needed

# example
set firewall name DMZ-IN rule 10 action accept
set firewall name DMZ-IN rule 10 destination address 192.168.10.0/24
set firewall name DMZ-IN rule 20 action drop
set firewall name DMZ-IN rule 20 destination address 192.168.20.0/24
set firewall interface eth0 firewall in name DMZ-IN

More information in vyos docs: Firewall — VyOS 1.4.x (sagitta) documentation