I have recently set up an IPSEC configuration to a remote location and am trying to make sure I understand firewall rule configuration. All the examples I find, however, are for an interface-based firewall, whereas I am running a zone-based firewall. As far as I’ve been able to tell, I need to make rules for WAN-LOCAL, and then LOCAL to various interfaces (LOCAL-LAN, or LOCAL-VLAN20, and vice versa). Is my understanding correct? Everything works great but I want to make sure I’ve grasped the concept and am as secure as possible. Thanks in advance!
Hi,
You can refer to the articles below for the zone-based firewall:
https://docs.vyos.io/en/latest/configuration/zonepolicy/index.html
https://docs.vyos.io/en/latest/configexamples/zone-policy.html#zones-basics
Thanks for the response. I’m pretty clear on how ZBF works at this point but the issue is that I didn’t understand how to use it with a routed IPSEC connection for which there is no interface to assign to a zone. Are you able to help me understand that angle? Is it treated like a LOCAL zone?
I’m not really familiar with ipsec on vyos, but looking at the ipsec doc it does raise a couple of questions for me.
There has to be an interface, doesn’t there? When setting up the tunnel, didn’t you create a tun interface?
If you did, assign that to the zone you want it in and you’re done. Firewall rules applied to this zone would automatically apply to the ipsec interface as well.
HTH.
@nktech1135 routed IPSEC creates no interface at all. No VTI or tun or anything else. Just a routing policy. I did find some posts on the Ubiquiti forum about this and it literally looks to be just a matter of allowing certain ports/protocols to pass from WAN-LOCAL and then other rules from WAN-internal interface. A number of posts indicate that routed IPSEC isn’t really a good fit for ZBF and there are recommendations to go with VTI or GRE. I guess I’ll give that a go for fun. After using Wireguard, it sure makes it hard to deal with these more archaic vpn implementations. The downside to Wireguard is that I don’t think it has really been strongly accepted in the enterprise environment.
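A worked example of the WAN-LOCAL plus WAN-to-internal-zone layout described in the post above, added here as illustration and not taken from the thread or from the VyOS documentation; it assumes VyOS 1.3 zone-policy syntax, eth0 as the WAN interface, eth1 as the LAN interface, and 10.20.0.0/24 as the remote site's subnet (all constructed values).

```vyos
# Zones: LOCAL is the router itself; WAN and LAN map to interfaces (names assumed).
set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action 'drop'
set zone-policy zone WAN interface 'eth0'
set zone-policy zone WAN default-action 'drop'
set zone-policy zone LAN interface 'eth1'
set zone-policy zone LAN default-action 'drop'

# WAN-LOCAL: the encrypted tunnel terminates on the router, so only
# IKE (UDP/500), NAT-T (UDP/4500) and ESP need to reach LOCAL from the WAN.
set firewall name WAN-LOCAL default-action 'drop'
set firewall name WAN-LOCAL rule 10 action 'accept'
set firewall name WAN-LOCAL rule 10 state established 'enable'
set firewall name WAN-LOCAL rule 10 state related 'enable'
set firewall name WAN-LOCAL rule 20 action 'accept'
set firewall name WAN-LOCAL rule 20 protocol 'udp'
set firewall name WAN-LOCAL rule 20 destination port '500,4500'
set firewall name WAN-LOCAL rule 30 action 'accept'
set firewall name WAN-LOCAL rule 30 protocol 'esp'
set zone-policy zone LOCAL from WAN firewall name 'WAN-LOCAL'

# WAN-LAN: with policy-based (routed) IPsec there is no tunnel interface, so
# decrypted tunnel traffic still enters through eth0 and is evaluated by the
# WAN->LAN ruleset. Accept only packets that actually came out of IPsec and
# originate from the remote site's subnet (10.20.0.0/24 is assumed).
set firewall name WAN-LAN default-action 'drop'
set firewall name WAN-LAN rule 10 action 'accept'
set firewall name WAN-LAN rule 10 state established 'enable'
set firewall name WAN-LAN rule 10 state related 'enable'
set firewall name WAN-LAN rule 20 action 'accept'
set firewall name WAN-LAN rule 20 ipsec 'match-ipsec'
set firewall name WAN-LAN rule 20 source address '10.20.0.0/24'
set zone-policy zone LAN from WAN firewall name 'WAN-LAN'

# LAN-WAN: local traffic toward the remote subnet leaves via eth0 and is
# encrypted after the firewall has seen it, so allow it here as cleartext.
set firewall name LAN-WAN default-action 'drop'
set firewall name LAN-WAN rule 10 action 'accept'
set firewall name LAN-WAN rule 10 state established 'enable'
set firewall name LAN-WAN rule 10 state related 'enable'
set firewall name LAN-WAN rule 20 action 'accept'
set firewall name LAN-WAN rule 20 destination address '10.20.0.0/24'
set zone-policy zone WAN from LAN firewall name 'LAN-WAN'
```

The `ipsec match-ipsec` condition is what separates decrypted tunnel traffic from ordinary Internet traffic arriving on the same WAN interface; a plain WAN-LAN accept for the remote subnet would also admit spoofed cleartext packets claiming that source range.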