Inter VLAN Routing firewall problem


#1

Hi.
I'm quite new to VyOS. I'm trying to use some firewall rules on an interface on some VLAN. The rules determine which VLANs users can have access to.
So I made some rules with action "accept" and destination (the VLAN access is granted to). The whole "firewall name" has default action reject.
I have a problem with that. I made a rule with destination 192.168.0.0/24 (interface eth0.1) (it is a group, of course) from 192.168.100.0/24 (on interface eth1.100), state: established, new, related. I can ping hosts in this network (192.168.0.0). But I can't open the web from the server (192.168.0.21). I can do that only if the rule accepts state invalid.
That firewall rule is added to “interface ethernet eth1 vif 100”.
Can somebody help me with that?


#2

Could you paste your rules (and other related settings)? (Did you configure other things such as explicit routing, etc.?)


#3

Routing works OK without firewall rules. Now IVR_100 (SZ2 network) is added to one VIF (eth1.100) interface in the IN direction. And I can ping computers, but I can't open websites from the server or SMB files in the SZ0 network (connected to eth0.1; no firewall on this port).

 all-ping disable
 group {
     address-group SZ1k {
         address 192.168.200.100-192.168.200.249
         description "only computers in group SZ1"
     }
     address-group SZ2k {
         address 192.168.100.100-192.168.100.249
         description "only computers in group SZ2"
     }
     network-group LAB {
         description "devices working as a lab"
         network 192.168.99.0/24
     }
     network-group LAN {
         description "networks for standard use"
         network 192.168.0.0/24
         network 192.168.100.0/24
         network 192.168.200.0/24
         network 192.168.99.0/24
     }
     network-group PRIVATE {
         description "possible private subnet addresses"
         network 10.0.0.0/8
         network 172.16.0.0/12
         network 192.168.0.0/16
     }
     network-group SZ0 {
         description "subnet for publicly accessible devices and servers"
         network 192.168.0.0/24
     }
     network-group SZ1 {
         description "subnet for ASK"
         network 192.168.200.0/24
     }
     network-group SZ2 {
         description "subnet for NK"
         network 192.168.100.0/24
     }
 }
 name IVR_100 {
     default-action reject
     description "INTER VLAN ROUTING"
     rule 1040 {
         action reject
         description "check whether traffic is from the correct subnet"
         source {
             group {
                 network-group !SZ2
             }
         }
     }
     rule 1050 {
         action accept
         description "allow traffic leaving the local networks"
         destination {
             group {
                 network-group !PRIVATE
             }
         }
     }
     rule 1100 {
         action accept
         description "allow established and related"
         destination {
             group {
                 network-group LAN
             }
         }
         state {
             established enable
             related enable
         }
     }
     rule 1200 {
         action accept
         description "allow entry into the subnet"
         destination {
             group {
                 network-group SZ0
             }
         }
         state {
             new enable
         }
     }
     rule 1201 {
         action accept
         description "allow entry to the addresses"
         destination {
             group {
                 address-group SZ1k
             }
         }
         state {
             new enable
         }
     }
     rule 1202 {
         action accept
         description "allow entry into the subnet"
         destination {
             group {
                 network-group LAB
             }
         }
         state {
             new enable
         }
     }
 }

#4

I'm replying to myself, I know.
But I found new information, and somebody may read it.
I said

It is not true :frowning:
I can open SMB files and websites. I can't open HTTPS sites.
Why?
When I add a rule:

 action accept
 destination {
     port https
 }
 protocol tcp

HTTPS starts working. What interests me most is why I need it. What other ports/services require additional rules because the connection is considered "invalid"?
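
To make the first-match behaviour of the IVR_100 ruleset from post #3, and the effect of the stateless HTTPS rule from post #4, concrete, here is an added Python model written for this page. It is not VyOS code and not something the original poster ran. It reproduces the groups and rules from the posted config, evaluates a packet the way the named chain does (the lowest-numbered matching rule decides, otherwise the default action), and takes the conntrack state as an input rather than computing it. The rule number 1300 for the HTTPS rule is an assumption, since post #4 does not give one; the sample packets are constructed for illustration.

```python
"""Model of first-match rule evaluation for the IVR_100 chain posted in this thread.

Added example for this page; not VyOS code. Conntrack state is an input here:
the model only shows which rule a packet of a given state ends up hitting.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Groups copied from the posted config (constructed from the thread text).
ADDRESS_GROUPS = {
    "SZ1k": [("192.168.200.100", "192.168.200.249")],
    "SZ2k": [("192.168.100.100", "192.168.100.249")],
}
NETWORK_GROUPS = {
    "LAB": ["192.168.99.0/24"],
    "LAN": ["192.168.0.0/24", "192.168.100.0/24", "192.168.200.0/24", "192.168.99.0/24"],
    "PRIVATE": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "SZ0": ["192.168.0.0/24"],
    "SZ1": ["192.168.200.0/24"],
    "SZ2": ["192.168.100.0/24"],
}


def in_group(ip: str, group: str) -> bool:
    """True if ip is a member of group; a leading '!' negates, as in the VyOS syntax."""
    negate = group.startswith("!")
    name = group.lstrip("!")
    addr = ipaddress.ip_address(ip)
    if name in NETWORK_GROUPS:
        hit = any(addr in ipaddress.ip_network(n) for n in NETWORK_GROUPS[name])
    else:
        hit = any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                  for lo, hi in ADDRESS_GROUPS[name])
    return hit != negate


@dataclass
class Rule:
    number: int
    action: str
    source_group: Optional[str] = None
    destination_group: Optional[str] = None
    states: frozenset = frozenset()  # empty: the rule does not match on state at all
    protocol: Optional[str] = None
    destination_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.source_group and not in_group(pkt["src"], self.source_group):
            return False
        if self.destination_group and not in_group(pkt["dst"], self.destination_group):
            return False
        if self.states and pkt["state"] not in self.states:
            return False
        if self.protocol and pkt.get("proto") != self.protocol:
            return False
        if self.destination_port is not None and pkt.get("dport") != self.destination_port:
            return False
        return True


# The chain as posted in #3.
IVR_100 = [
    Rule(1040, "reject", source_group="!SZ2"),
    Rule(1050, "accept", destination_group="!PRIVATE"),
    Rule(1100, "accept", destination_group="LAN", states=frozenset({"established", "related"})),
    Rule(1200, "accept", destination_group="SZ0", states=frozenset({"new"})),
    Rule(1201, "accept", destination_group="SZ1k", states=frozenset({"new"})),
    Rule(1202, "accept", destination_group="LAB", states=frozenset({"new"})),
]

# The stateless rule added in #4. Number 1300 is an assumption; the post gives none.
HTTPS_RULE = Rule(1300, "accept", protocol="tcp", destination_port=443)


def packet(src, dst, state, proto="tcp", dport=None) -> dict:
    """Build a constructed sample packet with the conntrack state it was assigned."""
    return {"src": src, "dst": dst, "state": state, "proto": proto, "dport": dport}


def evaluate(pkt: dict, rules=IVR_100, default_action="reject"):
    """Return (action, rule_number); rule_number is None when the default action applies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return default_action, None


if __name__ == "__main__":
    https = packet("192.168.100.150", "192.168.0.21", "new", dport=443)
    print("new HTTPS to SZ0 server:", evaluate(https))
    print("same packet marked invalid:", evaluate({**https, "state": "invalid"}))
    print("... with the #4 rule added:", evaluate({**https, "state": "invalid"}, IVR_100 + [HTTPS_RULE]))
```

Running the model shows the mechanism behind the symptom in post #4: every rule that mentions a state (1100, 1200, 1201, 1202) is skipped for a packet conntrack has marked invalid, so such a packet falls through to the chain's default reject, while the same packet toward a non-private destination is still accepted by the stateless rule 1050, and the stateless HTTPS rule from post #4 accepts it regardless of state. Why conntrack classifies those HTTPS packets as invalid in the poster's setup is not something the thread shows, and this model does not try to answer it.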