Hi Forum
I am new to vyos and trying to setup zone based firewall (LAN, DMZ and WAN). In addition I want to run wireguard on vyos router and force all traffic from one specific host in the DMZ (172.16.20.4) via wireguard interface, which I suspect I need to use policy based routing.
WAN - 192.168.0.251 (Default gateway)
LAN - 172.16.10.0/24
DMZ - 172.16.20.0/29
WG0
Ive created all the firewall polices I think I need for WAN/LAN/DMZ/Local. I created 4 specific ones for WG0 - DMZ-WG0, WG0-DMZ, WG-LOCAL and LOCAL-WG0.
Once configured WG0 interface I CAN ping 8.8.8.8 via WG0 from the router.
vyos@vyos:~$ping 8.8.8.8 interface wg0
vyos@vyos:~$traceroute 8.8.8.8 interface wg0
How do I setup policy based routing so I can force all traffic from 172.16.20.4 via wg0?
Secondly if wg0 is DOWN how do drop all traffic from 172.16.20.4 to the internet (eg via eth0)?
Ive tried to follow VyOS Policy Based Routing with WireGuard + Mullvad, but it was too complicated to figure out.
Could I get some pointers as to what I need to do next? Are my zone-policies correct?
Here is the configuration I have created thus far template
Densha
set firewall name DMZ-LAN default-action 'drop'
set firewall name DMZ-LAN enable-default-log
set firewall name DMZ-LAN rule 1 action 'accept'
set firewall name DMZ-LAN rule 1 description 'Allow Established/Related Traffic'
set firewall name DMZ-LAN rule 1 state established 'enable'
set firewall name DMZ-LAN rule 1 state related 'enable'
set firewall name DMZ-LAN rule 2 action 'drop'
set firewall name DMZ-LAN rule 2 log 'enable'
set firewall name DMZ-LAN rule 2 state invalid 'enable'
set firewall name DMZ-LAN rule 100 action 'accept'
set firewall name DMZ-LAN rule 100 log 'enable'
set firewall name DMZ-LAN rule 100 protocol 'icmp'
set firewall name DMZ-LOCAL default-action 'drop'
set firewall name DMZ-LOCAL enable-default-log
set firewall name DMZ-LOCAL rule 1 action 'accept'
set firewall name DMZ-LOCAL rule 1 description 'Allow Established/Related Traffic'
set firewall name DMZ-LOCAL rule 1 state established 'enable'
set firewall name DMZ-LOCAL rule 1 state related 'enable'
set firewall name DMZ-LOCAL rule 2 action 'drop'
set firewall name DMZ-LOCAL rule 2 log 'enable'
set firewall name DMZ-LOCAL rule 2 state invalid 'enable'
set firewall name DMZ-LOCAL rule 100 action 'accept'
set firewall name DMZ-LOCAL rule 100 log 'enable'
set firewall name DMZ-LOCAL rule 100 protocol 'icmp'
set firewall name DMZ-LOCAL rule 600 action 'accept'
set firewall name DMZ-LOCAL rule 600 destination port '53'
set firewall name DMZ-LOCAL rule 600 log 'enable'
set firewall name DMZ-LOCAL rule 600 protocol 'tcp_udp'
set firewall name DMZ-LOCAL rule 700 action 'accept'
set firewall name DMZ-LOCAL rule 700 destination port '67-68'
set firewall name DMZ-LOCAL rule 700 log 'enable'
set firewall name DMZ-LOCAL rule 700 protocol 'udp'
set firewall name DMZ-LOCAL rule 800 action 'accept'
set firewall name DMZ-LOCAL rule 800 destination port '22'
set firewall name DMZ-LOCAL rule 800 log 'enable'
set firewall name DMZ-LOCAL rule 800 protocol 'tcp'
set firewall name DMZ-WAN default-action 'accept'
set firewall name DMZ-WG0 default-action 'accept'
set firewall name LAN-DMZ default-action 'accept'
set firewall name LAN-LOCAL default-action 'accept'
set firewall name LAN-WAN default-action 'accept'
set firewall name LOCAL-DMZ default-action 'accept'
set firewall name LOCAL-LAN default-action 'accept'
set firewall name LOCAL-WAN default-action 'accept'
set firewall name LOCAL-WG0 default-action 'accept'
set firewall name WAN-DMZ default-action 'drop'
set firewall name WAN-DMZ enable-default-log
set firewall name WAN-DMZ rule 1 action 'accept'
set firewall name WAN-DMZ rule 1 description 'Allow Established/Related Traffic'
set firewall name WAN-DMZ rule 1 state established 'enable'
set firewall name WAN-DMZ rule 1 state related 'enable'
set firewall name WAN-DMZ rule 2 action 'drop'
set firewall name WAN-DMZ rule 2 log 'enable'
set firewall name WAN-DMZ rule 2 state invalid 'enable'
set firewall name WAN-LAN default-action 'drop'
set firewall name WAN-LAN enable-default-log
set firewall name WAN-LAN rule 1 action 'accept'
set firewall name WAN-LAN rule 1 description 'Allow Established/Related Traffic'
set firewall name WAN-LAN rule 1 state established 'enable'
set firewall name WAN-LAN rule 1 state related 'enable'
set firewall name WAN-LAN rule 2 action 'drop'
set firewall name WAN-LAN rule 2 log 'enable'
set firewall name WAN-LAN rule 2 state invalid 'enable'
set firewall name WAN-LOCAL default-action 'drop'
set firewall name WAN-LOCAL enable-default-log
set firewall name WAN-LOCAL rule 1 action 'accept'
set firewall name WAN-LOCAL rule 1 description 'Allow Established/Related Traffic'
set firewall name WAN-LOCAL rule 1 state established 'enable'
set firewall name WAN-LOCAL rule 1 state related 'enable'
set firewall name WAN-LOCAL rule 2 action 'drop'
set firewall name WAN-LOCAL rule 2 log 'enable'
set firewall name WAN-LOCAL rule 2 state invalid 'enable'
set firewall name WG0-DMZ default-action 'drop'
set firewall name WG0-DMZ enable-default-log
set firewall name WG0-DMZ rule 1 action 'accept'
set firewall name WG0-DMZ rule 1 description 'Allow Established/Related Traffic'
set firewall name WG0-DMZ rule 1 state established 'enable'
set firewall name WG0-DMZ rule 1 state related 'enable'
set firewall name WG0-DMZ rule 2 action 'drop'
set firewall name WG0-DMZ rule 2 log 'enable'
set firewall name WG0-DMZ rule 2 state invalid 'enable'
set firewall name WG0-LOCAL default-action 'drop'
set firewall name WG0-LOCAL enable-default-log
set firewall name WG0-LOCAL rule 1 action 'accept'
set firewall name WG0-LOCAL rule 1 description 'Allow Established/Related Traffic'
set firewall name WG0-LOCAL rule 1 state established 'enable'
set firewall name WG0-LOCAL rule 1 state related 'enable'
set firewall name WG0-LOCAL rule 2 action 'drop'
set firewall name WG0-LOCAL rule 2 log 'enable'
set firewall name WG0-LOCAL rule 2 state invalid 'enable'
set interfaces ethernet eth0 address 'xxx.xxx.0.251/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address 'xxx.xxx.10.1/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth2 address 'xxx.xxx.20.1/29'
set interfaces ethernet eth2 description 'DMZ'
set interfaces loopback lo
set interfaces wireguard wg0 address 'xxx.xxx.47.252/32'
set interfaces wireguard wg0 peer mullvad address 'xxx.xxx.162.234'
set interfaces wireguard wg0 peer mullvad allowed-ips 'xxx.xxx.0.0/0'
set interfaces wireguard wg0 peer mullvad port '51820'
set interfaces wireguard wg0 peer mullvad public-key 'kOpdNLq/ePrlc2WXGinRvbQWRhy755cZ4G4S7xwsKIw='
set interfaces wireguard wg0 private-key xxxxxx
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address 'xxx.xxx.10.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 200 outbound-interface 'eth0'
set nat source rule 200 source address 'xxx.xxx.20.0/29'
set nat source rule 200 translation address 'masquerade'
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.0.1 interface 'eth0'
set protocols static route xxx.xxx.20.4/32
set service dhcp-server shared-network-name DMZ subnet 172.16.20.0/29 default-router 'xxx.xxx.20.1'
set service dhcp-server shared-network-name DMZ subnet 172.16.20.0/29 domain-name xxxxxx
set service dhcp-server shared-network-name DMZ subnet 172.16.20.0/29 name-server 'xxx.xxx.20.1'
set service dhcp-server shared-network-name DMZ subnet 172.16.20.0/29 range 0 start 'xxx.xxx.20.2'
set service dhcp-server shared-network-name DMZ subnet 172.16.20.0/29 range 0 stop 'xxx.xxx.20.3'
set service dhcp-server shared-network-name DMZ subnet 172.16.20.0/29 static-mapping xxxxxx ip-address 'xxx.xxx.20.4'
set service dhcp-server shared-network-name DMZ subnet 172.16.20.0/29 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:04'
set service dns forwarding allow-from 'xxx.xxx.10.0/24'
set service dns forwarding allow-from 'xxx.xxx.20.0/29'
set service dns forwarding listen-address 'xxx.xxx.20.1'
set service dns forwarding name-server 'xxx.xxx.8.8'
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system name-server 'xxx.xxx.8.8'
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set zone-policy zone DMZ default-action 'drop'
set zone-policy zone DMZ from LAN firewall name 'LAN-DMZ'
set zone-policy zone DMZ from LOCAL firewall name 'LOCAL-DMZ'
set zone-policy zone DMZ from WAN firewall name 'WAN-DMZ'
set zone-policy zone DMZ from WG0 firewall name 'WG0-DMZ'
set zone-policy zone DMZ interface 'eth2'
set zone-policy zone LAN default-action 'drop'
set zone-policy zone LAN from DMZ firewall name 'DMZ-LAN'
set zone-policy zone LAN from LOCAL firewall name 'LOCAL-LAN'
set zone-policy zone LAN from WAN firewall name 'WAN-LAN'
set zone-policy zone LAN interface 'eth1'
set zone-policy zone LOCAL default-action 'drop'
set zone-policy zone LOCAL from DMZ firewall name 'DMZ-LOCAL'
set zone-policy zone LOCAL from LAN firewall name 'LAN-LOCAL'
set zone-policy zone LOCAL from WAN firewall name 'WAN-LOCAL'
set zone-policy zone LOCAL from WG0 firewall name 'WG0-LOCAL'
set zone-policy zone LOCAL local-zone
set zone-policy zone WAN default-action 'drop'
set zone-policy zone WAN from DMZ firewall name 'DMZ-WAN'
set zone-policy zone WAN from LAN firewall name 'LAN-WAN'
set zone-policy zone WAN from LOCAL firewall name 'LOCAL-WAN'
set zone-policy zone WAN interface 'eth0'
set zone-policy zone WG0 default-action 'drop'
set zone-policy zone WG0 from DMZ firewall name 'DMZ-WG0'
set zone-policy zone WG0 from LOCAL firewall name 'LOCAL-WG0'
set zone-policy zone WG0 interface 'wg0'