How to create whitelist in VyOS router

Hi everyone,
sorry for this basic question, but I need to create a whitelist for some IP addresses that need to have access. I created a group for these three addresses:

set firewall group network-group Whitelist1

but when I want to add IP address like this:

set firewall group network-group Whitelist1 '104.16.x.38/32'

I got this message:

Configuration path: firewall group network-group Whitelist1 [104.16.x.38] is not valid
Set failed

I'm not sure what I should do, or whether I need to create anything else, but I have lines like these for each network group that I have in the firewall:

set firewall name ACL-WAN-IN rule 9 action 'drop'
set firewall name ACL-WAN-IN rule 9 protocol 'all'
set firewall name ACL-WAN-IN rule 9 source group network-group 'DROP-TRAFFIC'
set firewall name ACL-WAN-IN rule 10 action 'accept'
set firewall name ACL-WAN-IN rule 10 protocol 'all'
set firewall name ACL-WAN-IN rule 10 source group network-group 'VCH'
set firewall name ACL-WAN-IN rule 11 action 'accept'
set firewall name ACL-WAN-IN rule 11 protocol 'all'
set firewall name ACL-WAN-IN rule 11 source group network-group 'L2TP'
set firewall name ACL-WAN-IN rule 25 action 'accept'
set firewall name ACL-WAN-IN rule 25 destination port '443'
set firewall name ACL-WAN-IN rule 25 protocol 'tcp'
set firewall name ACL-WAN-IN rule 29 action 'accept'
set firewall name ACL-WAN-IN rule 29 destination port '80'
set firewall name ACL-WAN-IN rule 29 protocol 'tcp'
set firewall name ACL-WAN-IN rule 30 action 'accept'
set firewall name ACL-WAN-IN rule 30 destination port '8000'
set firewall name ACL-WAN-IN rule 30 protocol 'tcp'
set firewall name ACL-WAN-IN rule 31 action 'accept'
set firewall name ACL-WAN-IN rule 31 destination port '554'
set firewall name ACL-WAN-IN rule 31 protocol 'tcp'
set firewall name ACL-WAN-IN rule 33 action 'accept'
set firewall name ACL-WAN-IN rule 33 destination port '636'
set firewall name ACL-WAN-IN rule 33 protocol 'tcp'
set firewall name ACL-WAN-IN rule 33 source group address-group 'ex1'
set firewall name ACL-WAN-IN rule 34 action 'drop'
set firewall name ACL-WAN-IN rule 34 protocol 'all'
set firewall name ACL-WAN-IN rule 34 source group address-group 'blacklist1'
set firewall name ACL-WAN-IN rule 98 action 'accept'
set firewall name ACL-WAN-IN rule 98 destination port '22'
set firewall name ACL-WAN-IN rule 98 protocol 'tcp'
set firewall name ACL-WAN-IN rule 98 source group address-group 'Fili'
set firewall name ACL-WAN-OUT default-action 'accept'
set firewall name ACL-WAN-OUT rule 9 action 'drop'
set firewall name ACL-WAN-OUT rule 9 destination group address-group 'blacklist1'
set firewall name ACL-WAN-OUT rule 9 protocol 'all'
set firewall name ACL-WAN-OUT rule 9 source group

Please, I need your help with the full commands if you can <3
I have eth0 as my LAN interface and eth1 as my WAN interface.

Thanks in advance

Hello, Ali!

Could you provide me with your VyOS version?

Hi @acrane
Thanks for your answer. It's VyOS 1.3, and I need to create a whitelist for this address:

stream.cradlepointecm.com

For more help you can use the following link:
Device Access to NetCloud via Private Network (cradlepoint.com)

Kind regards

Ali, as I see it, this site has the IP 35.167.197.172/32.
Also, you missed one more word: "network".

So the final version should be: set firewall group network-group Whitelist1 network 35.167.197.172/32


Thanks @acrane
I did, and I could add my rules, but I don't have access yet!
I found that the IPs are changing because they are using Cloudflare or something like this:

Do we have any option to add:

stream.cradlepointecm.com

Ali, now I see. There's really a pool of addresses.
You need to add all of them.

P.S. I can't reach this destination via the web, so that could be a reason.


Thanks @acrane for your great help!

As a last question, is there a way to add an address like "stream.cradlepointecm.com" in VyOS as a whitelist rule, and if yes, how?
And also, is it enough that I added an IP in "set firewall group network-group", or do I need to create other rules for it, like:

set firewall name ACL-WAN-IN rule 9 action 'drop'
set firewall name ACL-WAN-IN rule 9 protocol 'all'
set firewall name ACL-WAN-IN rule 9 source group network-group 'DROP-TRAFFIC'
set firewall name ACL-WAN-IN rule 10 action 'accept'
set firewall name ACL-WAN-IN rule 10 protocol 'all'
set firewall name ACL-WAN-IN rule 10 source group network-group 'VCH'
set firewall name ACL-WAN-IN rule 11 action 'accept'
set firewall name ACL-WAN-IN rule 11 protocol 'all'
set firewall name ACL-WAN-IN rule 11 source group network-group 'L2TP'
set firewall name ACL-WAN-IN rule 25 action 'accept'
set firewall name ACL-WAN-IN rule 25 destination port '443'
set firewall name ACL-WAN-IN rule 25 protocol 'tcp'
set firewall name ACL-WAN-IN rule 29 action 'accept'
set firewall name ACL-WAN-IN rule 29 destination port '80'
set firewall name ACL-WAN-IN rule 29 protocol 'tcp'
set firewall name ACL-WAN-IN rule 30 action 'accept'
set firewall name ACL-WAN-IN rule 30 destination port '8000'
set firewall name ACL-WAN-IN rule 30 protocol 'tcp'
set firewall name ACL-WAN-IN rule 31 action 'accept'
set firewall name ACL-WAN-IN rule 31 destination port '554'
set firewall name ACL-WAN-IN rule 31 protocol 'tcp'
set firewall name ACL-WAN-IN rule 33 action 'accept'
set firewall name ACL-WAN-IN rule 33 destination port '636'
set firewall name ACL-WAN-IN rule 33 protocol 'tcp'
set firewall name ACL-WAN-IN rule 33 source group address-group 'ex1'
set firewall name ACL-WAN-IN rule 34 action 'drop'
set firewall name ACL-WAN-IN rule 34 protocol 'all'
set firewall name ACL-WAN-IN rule 34 source group address-group 'blacklist1'
set firewall name ACL-WAN-IN rule 98 action 'accept'
set firewall name ACL-WAN-IN rule 98 destination port '22'
set firewall name ACL-WAN-IN rule 98 protocol 'tcp'
set firewall name ACL-WAN-IN rule 98 source group address-group 'Fili'
set firewall name ACL-WAN-OUT default-action 'accept'
set firewall name ACL-WAN-OUT rule 9 action 'drop'
set firewall name ACL-WAN-OUT rule 9 destination group address-group 'blacklist1'
set firewall name ACL-WAN-OUT rule 9 protocol 'all'
set firewall name ACL-WAN-OUT rule 9 source group

Thanks in advance

Ali, as I recall, VyOS does not support addresses like xxxxxxxx.xxxxxxxxx.com/net/etc., so it should be a direct IP.
Also, if you need to add IPs to your whitelist, you can just add them with the same command: 'set firewall group network-group Whitelist1 network xxx.xxx.xxx.xxx/32'
Or, if you want to make a blacklist, it should be a different group with other rule numbers, according to rule number priority (lower number = higher priority).

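The two practical points in the replies above (a network-group member is added with the "network" keyword, and a hostname cannot be used directly, so every address in the pool has to be added and kept current) can be turned into a small script. The following is an added example written for this thread, not code from VyOS or from Cradlepoint. It assumes VyOS 1.3 configure-mode syntax (set firewall group network-group NAME network 'CIDR'), that the group's current members are pasted in from "show configuration commands | grep 'network-group Whitelist1'", and that the file name sync_group.py is hypothetical. It resolves the hostname with the system resolver, diffs the answer against the current members, and prints the set/delete commands to paste into configure mode; it also shows the rule lines needed because a group by itself matches nothing until a rule in a rule-set references it. Two caveats: a CDN-fronted name returns only a subset of its pool per query, so a DNS snapshot is a weaker source than the address ranges the vendor publishes (the Cradlepoint document linked above), and a whitelist built from DNS answers is only as trustworthy as the resolver, so review the diff before you commit.

```python
"""Keep a VyOS 1.3 firewall network-group in sync with a hostname.

Added example for this thread, not code from VyOS or Cradlepoint.
Assumptions: VyOS 1.3 configure-mode syntax
  set firewall group network-group <name> network '<cidr>'
and current members pasted from
  show configuration commands | grep 'network-group <name> network'
"""
import ipaddress
import socket
import sys
from typing import Iterable, List


def resolve_ipv4(hostname: str, rounds: int = 3) -> List[str]:
    """Union of the IPv4 answers for hostname over several lookups.
    A CDN-fronted name hands out a different subset per query, so one
    lookup is not the whole pool; this still only sees what DNS returns
    right now, not the vendor's published ranges."""
    addrs = set()
    for _ in range(rounds):
        for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            hostname, None, socket.AF_INET
        ):
            addrs.add(sockaddr[0])
    return sorted(addrs, key=ipaddress.ip_address)


def normalize_cidr(addr: str) -> str:
    """'1.2.3.4' or '1.2.3.4/32' -> '1.2.3.4/32'.
    Rejects IPv6 (VyOS 1.3 keeps that in ipv6-network-group) and
    prefixes with host bits set, which VyOS would refuse to commit."""
    net = ipaddress.ip_network(addr, strict=True)  # ValueError on host bits
    if net.version != 4:
        raise ValueError(f"{addr}: network-group holds IPv4 only")
    return str(net)


def current_members(group: str, config_lines: Iterable[str]) -> List[str]:
    """Members of <group> parsed from 'show configuration commands' output."""
    prefix = f"set firewall group network-group {group} network "
    members = []
    for line in config_lines:
        line = line.strip()
        if line.startswith(prefix):
            members.append(normalize_cidr(line[len(prefix):].strip("'\"")))
    return members


def plan_group_commands(group: str, wanted: Iterable[str],
                        config_lines: Iterable[str]) -> List[str]:
    """Minimal set/delete commands so that <group> holds exactly <wanted>.
    Straight ASCII quotes on purpose: curly quotes copied from a web page
    make the VyOS parser reject the configuration path."""
    want = {normalize_cidr(a) for a in wanted}
    have = set(current_members(group, config_lines))
    order = ipaddress.ip_network
    cmds = [f"set firewall group network-group {group} network '{c}'"
            for c in sorted(want - have, key=order)]
    cmds += [f"delete firewall group network-group {group} network '{c}'"
             for c in sorted(have - want, key=order)]
    return cmds


def rule_commands(acl: str, rule: int, group: str,
                  direction: str = "source") -> List[str]:
    """A group is only a named set. Nothing is matched until a rule in a
    rule-set references it (and the rule-set is bound to an interface).
    Give the rule a lower number than any drop it must take precedence over."""
    if direction not in ("source", "destination"):
        raise ValueError("direction must be 'source' or 'destination'")
    return [
        f"set firewall name {acl} rule {rule} action 'accept'",
        f"set firewall name {acl} rule {rule} protocol 'all'",
        f"set firewall name {acl} rule {rule} {direction} group network-group '{group}'",
    ]


if __name__ == "__main__":
    # usage (hypothetical file name):
    #   show configuration commands | grep Whitelist1 > cur.txt
    #   python3 sync_group.py stream.cradlepointecm.com < cur.txt
    host = sys.argv[1] if len(sys.argv) > 1 else "stream.cradlepointecm.com"
    existing = [] if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for cmd in plan_group_commands("Whitelist1", resolve_ipv4(host), existing):
        print(cmd)
    for cmd in rule_commands("ACL-WAN-IN", 12, "Whitelist1"):
        print(cmd)
```

After pasting the printed lines into configure mode, run "compare" to see the pending change and "commit" only if the diff is what you expect; "show firewall group Whitelist1" then lists the members the kernel is actually matching on. Whether the group belongs in a source match on ACL-WAN-IN or a destination match on ACL-WAN-OUT depends on which direction you are whitelisting, which the thread does not say, so rule_commands takes that as a parameter.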
