Inter VLAN Routing firewall problem

Hi.
I’m quite new to VyOS. I’m trying to use some firewall rules on an interface for a VLAN. The rules determine which VLANs the users can access.
So I made some rules with action “accept” and a destination (the VLAN to which access is granted). The whole “firewall name” ruleset has default action reject.
I have a problem with that. I made a rule with destination 192.168.0.0/24 (interface eth0.1) (it is a group, of course) from 192.168.100.0/24 (on interface eth1.100), state: established, new, related. I can ping hosts in this network (192.168.0.0). But I can’t open the website from the server (192.168.0.21). I can do that only if a rule accepts state invalid.
That firewall rule is added to “interface ethernet eth1 vif 100”.
Can somebody help me with that?

Could you paste your rules (and other related settings)? (Did you configure other things such as explicit routing, etc.?)

Routing works OK without firewall rules. Now IVR_100 (SZ2 network) is applied to one VIF interface (eth1.100) in the IN direction. I can ping computers, but I can’t open websites from the server or SMB files in the SZ0 network (connected to eth0.1 - no firewall on this port).

 /* Global firewall option: the router itself does not answer ICMP echo requests. */
 all-ping disable
 /* Address and network groups referenced by the IVR_100 rules. */
 group {
     /* Host range inside 192.168.200.0/24; description: "only computers in group SZ1". */
     address-group SZ1k {
         address 192.168.200.100-192.168.200.249
         description "tylko komputery w grupie SZ1"
     }
     /* Host range inside 192.168.100.0/24; description: "only computers in group SZ2". */
     address-group SZ2k {
         address 192.168.100.100-192.168.100.249
         description "tylko komputery w grupie SZ2"
     }
     /* Description: "devices working as a lab". */
     network-group LAB {
         description "uzadzenia pracujace jako lab"
         network 192.168.99.0/24
     }
     /* Description: "networks for standard use". Contains the SZ0, SZ1, SZ2 and LAB subnets. */
     network-group LAN {
         description "sieci do standardowego uzytku"
         network 192.168.0.0/24
         network 192.168.100.0/24
         network 192.168.200.0/24
         network 192.168.99.0/24
     }
     /* Description: "possible private subnet addresses" (the RFC 1918 ranges).
        Every network in LAN falls inside 192.168.0.0/16, so LAN is a subset of PRIVATE. */
     network-group PRIVATE {
         description "mozliwe adresy prywatnych podsieci"
         network 10.0.0.0/8
         network 172.16.0.0/12
         network 192.168.0.0/16
     }
     /* Description: "subnet for generally accessible devices and servers". */
     network-group SZ0 {
         description "podsiec dla uzadzen i serwerow ogolnodostepnych"
         network 192.168.0.0/24
     }
     /* Description: "subnet for ASK". */
     network-group SZ1 {
         description "podsiec dla ASK"
         network 192.168.200.0/24
     }
     /* Description: "subnet for NK". */
     network-group SZ2 {
         description "podsiec dla NK"
         network 192.168.100.0/24
     }
 }
 /* Ruleset that, per the thread, is applied inbound on eth1 vif 100 (the SZ2 VLAN).
    Anything no rule accepts is rejected. No rule below matches state invalid for a
    PRIVATE destination, so such packets always reach the default action.
    NOTE(review): accepting state invalid makes the symptom go away but bypasses
    connection tracking; finding out why packets are classed invalid (for example,
    whether the router sees both directions of the flow - to be confirmed) is the
    safer path. */
 name IVR_100 {
     default-action reject
     description "INTER VLAN ROUTING"
     /* Description: "checking whether from the correct subnet".
        Rejects every packet whose source is not in SZ2 (192.168.100.0/24), i.e. a
        source-address sanity check for this VLAN. */
     rule 1040 {
         action reject
         description "sprawdzanie czy z wlasciwej podsieci"
         source {
             group {
                 network-group !SZ2
             }
         }
     }
     /* Description: "allow leaving the local networks".
        Accepts traffic to any destination outside PRIVATE. There is no state match
        here, so packets in every connection-tracking state are accepted. */
     rule 1050 {
         action accept
         description "zezwol na wyjscie poza sieci lokalne"
         destination {
             group {
                 network-group !PRIVATE
             }
         }
     }
     /* Description: "allow established and related".
        Accepts packets to any LAN network that belong to, or are related to, a
        connection already tracked. */
     rule 1100 {
         action accept
         description "zezwol na nawiazane i spokrewnione"
         destination {
             group {
                 network-group LAN
             }
         }
         state {
             established enable
             related enable
         }
     }
     /* Description: "permission to enter the subnet".
        Accepts new connections to SZ0 (192.168.0.0/24), all protocols and ports. */
     rule 1200 {
         action accept
         description "zezwolenie na wejscia do podsieci"
         destination {
             group {
                 network-group SZ0
             }
         }
         state {
             new enable
         }
     }
     /* Description: "permission to enter the addresses".
        Accepts new connections to the SZ1k host range only, not the whole SZ1 subnet. */
     rule 1201 {
         action accept
         description "zezwolenie na wejscia do adresow"
         destination {
             group {
                 address-group SZ1k
             }
         }
         state {
             new enable
         }
     }
     /* Description: "permission to enter the subnet".
        Accepts new connections to LAB (192.168.99.0/24). */
     rule 1202 {
         action accept
         description "zezwolenie na wejscia do podsieci"
         destination {
             group {
                 network-group LAB
             }
         }
         state {
             new enable
         }
     }
 }

I’m replying to myself, I know.
But I found new information and somebody may read it.
I said

It is not true :frowning:
I can open SMB files and websites. I can’t open HTTPS sites.
Why?
When i add a rule:

 /* Rule body as pasted: it matches on protocol and destination port only. With no
    state match and no destination address or group, it accepts TCP packets to port
    https in every connection-tracking state (including invalid) and to every
    destination, private networks included.
    NOTE(review): this works around the symptom; if it is kept, limit the destination
    to the intended group and still investigate why the packets are classed invalid. */
 action accept
 destination {
     port https
 }
 protocol tcp

HTTPS starts working. What interests me most is why I need it. What other ports / services require additional rules because the connection is considered “invalid”?