Intra-zone-filtering action accept not accepting

Hello all. I am adding VyOS as a virtual router to VLANs hosted in my VMware lab. My WAN router is an ER-X-SFP which handles various LAN+GUEST clients and has static routes for each VLAN that point to an interface on the VyOS.
At the moment I am just getting the firewalling set up between my desired zones in the VyOS virtual router netvrt01, and I have come a bit unstuck when trying to use intra-zone-filtering. Perhaps my expectation of that is incorrect too.

So a LAN client connected to a wifi VLAN on the ER-X is attempting to ping a server in the LAN zone on the vyos and hitting the zone’s default reject…

Mar 31 14:33:11 netvrt01 kernel: [ 1248.854124] [zone_LAN-default-R]IN=eth1 OUT=eth3 MAC=00:50:56:ba:18:33:80:2a:a8:de:2e:9e:08:00 SRC=10.140.39.168 DST=10.140.51.11 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=18554 DF PROTO=ICMP TYPE=8 CODE=0 ID=19 SEQ=1 
Mar 31 14:33:12 netvrt01 kernel: [ 1249.856133] [zone_LAN-default-R]IN=eth1 OUT=eth3 MAC=00:50:56:ba:18:33:80:2a:a8:de:2e:9e:08:00 SRC=10.140.39.168 DST=10.140.51.11 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=19103 DF PROTO=ICMP TYPE=8 CODE=0 ID=19 SEQ=2 
Mar 31 14:33:13 netvrt01 kernel: [ 1250.880595] [zone_LAN-default-R]IN=eth1 OUT=eth3 MAC=00:50:56:ba:18:33:80:2a:a8:de:2e:9e:08:00 SRC=10.140.39.168 DST=10.140.51.11 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=19236 DF PROTO=ICMP TYPE=8 CODE=0 ID=19 SEQ=3 

Config:

vyos@netvrt01# show firewall zone LAN
 default-action reject
 enable-default-log
 from DMZ {
     firewall {
         name DMZ_LAN
     }
 }
 from LOCAL {
     firewall {
         name ALL_ACCEPT
     }
 }
 interface eth3
 interface eth0
 intra-zone-filtering {
     action accept
 }

nftables rules as rendered…

root@netvrt01:/home/vyos# nft list chain ip vyos_filter VZONE_LAN
table ip vyos_filter {
	chain VZONE_LAN {
		iifname { "eth0", "eth3" } counter packets 0 bytes 0 return
		iifname { "eth0", "eth3" } counter packets 0 bytes 0 return
		iifname "eth2" counter packets 0 bytes 0 jump NAME_DMZ_LAN
		iifname "eth2" counter packets 0 bytes 0 return
		counter packets 4 bytes 336 log prefix "[zone_LAN-default-R]" reject comment "zone_LAN default-action reject"
	}
}

I am able to ping the LAN zone’s gateway IP address on the VyOS eth3 interface.
Can anyone suggest why intra-zone-filtering action accept does not appear to be working here? Or is there any other way to avoid hitting the default-action reject?

According to the log messages you posted, the packets are coming in from eth1, which is not part of the LAN zone, so it's hitting the default since I presume it's not DMZ.


That’s what I get for staring at a problem for 3 hours and not taking a break - you’re completely right!
eth1 is a member of my “WAN” zone that receives all the traffic into the VyOS lab router from the ER-X.
Thanks for the tip! I got it working simply by adding the required rules for that zone direction :person_facepalming:
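The diagnosis above (ingress interface not in the destination zone and no "from" ruleset for its zone) can be automated for log triage. This is an added example, not code from the thread or from VyOS; the zone membership and rulesets are taken from the config, nft chain and replies above, and the second log line is constructed.

```python
import re
from collections import Counter
from typing import Optional

# Zone membership reconstructed from the thread: LAN = eth0/eth3 (zone config),
# DMZ = eth2 (iifname in the rendered nft chain), WAN = eth1 (poster's follow-up).
ZONE_OF_IFACE = {"eth0": "LAN", "eth3": "LAN", "eth2": "DMZ", "eth1": "WAN"}

# Explicit "from <zone>" rulesets per destination zone, as in the LAN zone config.
# Any from-zone not listed here has no ruleset and falls through to default-action.
FROM_RULESETS = {"LAN": {"DMZ": "DMZ_LAN", "LOCAL": "ALL_ACCEPT"}}

# Matches the VyOS zone default-action log prefix and the fields we need.
LOG_RE = re.compile(
    r"\[zone_(?P<zone>[A-Za-z0-9_]+)-default-(?P<act>[A-Z])\]"
    r"IN=(?P<iif>\S*) OUT=(?P<oif>\S*).*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)

# Constructed sample: the first line is copied from the post, the second is made up
# (an ingress interface that belongs to no zone).
SAMPLE_LOGS = [
    "Mar 31 14:33:11 netvrt01 kernel: [ 1248.854124] [zone_LAN-default-R]IN=eth1 OUT=eth3 "
    "MAC=00:50:56:ba:18:33:80:2a:a8:de:2e:9e:08:00 SRC=10.140.39.168 DST=10.140.51.11 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=18554 DF PROTO=ICMP TYPE=8 CODE=0 ID=19 SEQ=1",
    "Mar 31 14:40:00 netvrt01 kernel: [ 1700.000000] [zone_LAN-default-R]IN=eth9 OUT=eth3 "
    "MAC=00 SRC=192.0.2.10 DST=10.140.51.11 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
]


def classify(line: str) -> Optional[dict]:
    """Explain which zone pair a default-action log line fell into, and why."""
    m = LOG_RE.search(line)
    if not m:
        return None  # not a zone default-action log line
    to_zone, from_zone = m["zone"], ZONE_OF_IFACE.get(m["iif"])
    if from_zone is None:
        reason = f"ingress {m['iif']} belongs to no zone"
    elif from_zone == to_zone:
        reason = "intra-zone traffic; check intra-zone-filtering on the zone"
    elif from_zone in FROM_RULESETS.get(to_zone, {}):
        reason = f"ruleset {FROM_RULESETS[to_zone][from_zone]} should have handled it"
    else:
        reason = f"zone {to_zone} has no 'from {from_zone}' ruleset, so default-action applies"
    return {"from_zone": from_zone, "to_zone": to_zone, "src": m["src"],
            "dst": m["dst"], "default_action": m["act"], "reason": reason}


def zone_pair_counts(lines) -> Counter:
    """Tally rejected flows per (from_zone, to_zone) to spot a missing policy."""
    return Counter((r["from_zone"], r["to_zone"]) for r in map(classify, lines) if r)
```

Feeding the kernel log through `zone_pair_counts` shows which zone pair is hitting the default, which is the "from WAN" ruleset that was missing here.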
