Issues with viewing all traffic to and from the internet through the br0 bridge with LACP enabled

Hello everyone,

I have an LACP configuration running on VyOS 1.3.3.
The device is inline in transparent mode, with all internet traffic flowing through it.
We are working with a br0 bridge, where one end connects to the firewall and the other to the switch.

When we review the traffic, we can only see lateral traffic (moving from one device to another) but never see traffic heading toward the internet.

I’m attaching the configuration we used below.

1. Bonding Configuration:
First, we configure bond0 and bond1 with LACP (802.3ad mode):

set interfaces bonding bond0 mode 802.3ad
set interfaces bonding bond0 member interface eth0
set interfaces bonding bond0 description 'Firewall_F1'

set interfaces bonding bond1 mode 802.3ad
set interfaces bonding bond1 member interface eth1
set interfaces bonding bond1 description 'Switch_F1'

2. Bridge (br0) Configuration:
We join bond0 and bond1 into the br0 bridge:

set interfaces bridge br0
set interfaces bridge br0 member interface bond0
set interfaces bridge br0 member interface bond1
set interfaces bridge br0 description 'Bridge-BondFw-BondSw'

3. Configuring Physical Interfaces:
Add descriptions to the physical interfaces:

set interfaces ethernet eth0 description 'To Firewall'
set interfaces ethernet eth1 description 'To Switch'

4. Configuring VLANs:
Enable VLANs on the bridge (br0):
set interfaces bridge br0 enable-vlan

Configure the Native VLAN for the Bonds:
set interfaces bridge br0 member interface bond0 native-vlan 1
set interfaces bridge br0 member interface bond1 native-vlan 1

Configure Allowed VLANs on the Bonds:
set interfaces bridge br0 member interface bond0 allowed-vlan 10
set interfaces bridge br0 member interface bond1 allowed-vlan 10

Configure the VLAN Interface (VIF) Sub-Bridge:
We create the VIF (VLAN sub-interface) for VLAN 10 on the br0 bridge and apply descriptions and firewalls:
set interfaces bridge br0 vif 10 description 'BridgeV10'
set interfaces bridge br0 vif 10 firewall in name 'inbound'
set interfaces bridge br0 vif 10 firewall local name 'local'

Thank you in advance for any help or recommendations!

Why bond interfaces, when you only have one member?
Do the firewall and the switch have more active members, connected otherwise?

Hello 16again,

Thank you very much for your questions regarding the topic presented.

Why link interfaces if you only have one member?

I have placed a VyOS 1.3.3 device between the firewall and the main switch, configured with a bridge (br0) in transparent mode. We activated bonding for the interfaces because both the firewall and the switch have LACP mode enabled.
In the br0, we are filtering all traffic, and if malicious traffic is detected, it should be blocked by the firewall operating within the br0.

We have been monitoring this configuration and added an additional adjustment to the bond interfaces:

set interfaces bonding bond0 hash-policy layer3+4
set interfaces bonding bond1 hash-policy layer3+4

This improved the visibility of traffic to the internet, and we are now able to observe this traffic. However, we noticed that the firewall is not applying the expected blocking on br0.

We conducted tests targeting a specific IP that should be blocked according to the configured rules, but the traffic flows without issues to this test IP, which should not happen.

We would greatly appreciate any feedback or suggestions you can provide regarding this situation.

Thank you in advance!

If you only use a single bond member, don’t interconnect the other bond members between the firewall and the switch, making sure all traffic must traverse VyOS.
As this involves bridging (L2) instead of routing (L3), packets will traverse the blue instead of the green path in:
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
Obviously, filters set in the green path won’t pass traffic.
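Following up on the bridge-path point in the reply above, here is an added shell check (not from the thread and not VyOS tooling) that reports whether a Linux bridge host is handing bridged IPv4/IPv6 frames to the IP-layer filter hooks at all, by reading the br_netfilter sysctls net.bridge.bridge-nf-call-iptables and bridge-nf-call-ip6tables. It assumes a Linux host exposing /proc/sys; SYSCTL_DIR is a hypothetical override so the check can also be run against a constructed fixture, and it makes no claim about how VyOS itself wires the bridge vif firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Bridged frames stay on the bridge path of the
# netfilter diagram unless the br_netfilter module is loaded and the
# net.bridge.bridge-nf-call-* sysctls are set to 1; only then do they reach the
# IP-layer filter chains. SYSCTL_DIR (hypothetical override) defaults to the live
# kernel directory so the script can be pointed at a constructed fixture.

# bridge_nf_status FAMILY  (FAMILY is "iptables" or "ip6tables")
# exit 0: bridged frames of that family are passed to the IP-layer chains
# exit 1: bridged frames bypass the IP-layer chains (bridge path only)
# exit 2: sysctl not present (br_netfilter not loaded or unknown family)
bridge_nf_status() {
    family="$1"
    dir="${SYSCTL_DIR:-/proc/sys/net/bridge}"
    file="$dir/bridge-nf-call-$family"
    [ -d "$dir" ] || return 2
    [ -r "$file" ] || return 2
    value=""
    read -r value < "$file" || true
    [ "$value" = "1" ] && return 0
    return 1
}

# Print a one-line verdict per family, without tripping set -e on non-zero status.
bridge_nf_report() {
    for fam in iptables ip6tables; do
        rc=0
        bridge_nf_status "$fam" || rc=$?
        case "$rc" in
            0) echo "$fam: bridged frames are passed to the IP-layer filter chains" ;;
            1) echo "$fam: bridged frames bypass the IP-layer filter chains (bridge path only)" ;;
            *) echo "$fam: sysctl not present, bridged frames never reach the IP-layer chains" ;;
        esac
    done
}

bridge_nf_report
```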