Migration from 1.4-20230725-rolling to 1.4-20231109-rolling causes no inbound or outbound traffic over WAN

Hello

I am trying to upgrade from 1.4-20230725-rolling to 1.4-20231109-rolling; however, after I upgrade and reboot I am left without inbound or outbound internet. Local devices can still talk to each other across VLANs and networks, but I cannot (for example) ping 1.1.1.1 from the VyOS shell. From what I can tell the migration completes successfully, but something still does not line up afterwards.

I have attached my commands below; they have been edited for brevity from my 1.4-20230725-rolling configuration. Any help would be greatly appreciated.

eth4 is the interface used for WAN.

set firewall all-ping 'enable'
set firewall name lan-local default-action 'accept'
set firewall name lan-local description 'From LAN to LOCAL'
set firewall name lan-trusted default-action 'accept'
set firewall name lan-trusted description 'From LAN to TRUSTED'
set firewall name lan-wan default-action 'accept'
set firewall name lan-wan description 'From LAN to WAN'
set firewall name local-lan default-action 'accept'
set firewall name local-lan description 'From LOCAL to LAN'
set firewall name local-trusted default-action 'accept'
set firewall name local-trusted description 'From LOCAL to TRUSTED'
set firewall name local-wan default-action 'accept'
set firewall name local-wan description 'From LOCAL to WAN'
set firewall name trusted-lan default-action 'accept'
set firewall name trusted-lan description 'From TRUSTED to LAN'
set firewall name trusted-local default-action 'accept'
set firewall name trusted-local description 'From TRUSTED to LOCAL'
set firewall name trusted-wan default-action 'accept'
set firewall name trusted-wan description 'From TRUSTED to WAN'
set firewall name wan-lan default-action 'drop'
set firewall name wan-lan description 'From WAN to LAN'
set firewall name wan-lan enable-default-log
set firewall name wan-local default-action 'drop'
set firewall name wan-local description 'From WAN to LOCAL'
set firewall name wan-local enable-default-log
set firewall name wan-local rule 100 action 'accept'
set firewall name wan-local rule 100 icmp type-name 'echo-request'
set firewall name wan-local rule 100 limit burst '5'
set firewall name wan-local rule 100 limit rate '2/second'
set firewall name wan-local rule 100 protocol 'icmp'
set firewall name wan-local rule 100 state new 'enable'
set firewall name wan-trusted default-action 'drop'
set firewall name wan-trusted description 'From WAN to TRUSTED'
set firewall name wan-trusted enable-default-log
set firewall state-policy established action 'accept'
set firewall state-policy invalid action 'drop'
set firewall state-policy related action 'accept'
set firewall zone lan default-action 'drop'
set firewall zone lan from local firewall name 'local-lan'
set firewall zone lan from trusted firewall name 'trusted-lan'
set firewall zone lan from wan firewall name 'wan-lan'
set firewall zone lan interface 'bond0'
set firewall zone local default-action 'drop'
set firewall zone local description 'Local router zone'
set firewall zone local from lan firewall name 'lan-local'
set firewall zone local from trusted firewall name 'trusted-local'
set firewall zone local from wan firewall name 'wan-local'
set firewall zone local local-zone
set firewall zone trusted default-action 'drop'
set firewall zone trusted from lan firewall name 'lan-trusted'
set firewall zone trusted from local firewall name 'local-trusted'
set firewall zone trusted from wan firewall name 'wan-trusted'
set firewall zone trusted interface 'bond0.10'
set firewall zone wan default-action 'drop'
set firewall zone wan from lan firewall name 'lan-wan'
set firewall zone wan from local firewall name 'local-wan'
set firewall zone wan from trusted firewall name 'trusted-wan'
set firewall zone wan interface 'eth4'
set interfaces bonding bond0 address '192.168.0.1/24'
set interfaces bonding bond0 description 'LAN'
set interfaces bonding bond0 hash-policy 'layer2+3'
set interfaces bonding bond0 member interface 'eth2'
set interfaces bonding bond0 member interface 'eth3'
set interfaces bonding bond0 mode '802.3ad'
set interfaces bonding bond0 vif 10 address '192.168.1.1/24'
set interfaces bonding bond0 vif 10 description 'TRUSTED'
set interfaces ethernet eth4 address 'dhcp'
set interfaces ethernet eth4 description 'WAN'
set interfaces ethernet eth4 hw-id 'xx:xx:xx:xx:xx:xx'
set interfaces loopback lo
set nat source rule 100 description 'LAN to WAN'
set nat source rule 100 destination address '0.0.0.0/0'
set nat source rule 100 outbound-interface 'eth4'
set nat source rule 100 translation address 'masquerade'
set service dhcp-server shared-network-name LAN authoritative
set service dhcp-server shared-network-name LAN ping-check
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'domain.tld'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 name-server '192.168.254.2'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start '192.168.0.150'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.254'
set service dhcp-server shared-network-name TRUSTED authoritative
set service dhcp-server shared-network-name TRUSTED ping-check
set service dhcp-server shared-network-name TRUSTED subnet 192.168.1.0/24 default-router '192.168.1.1'
set service dhcp-server shared-network-name TRUSTED subnet 192.168.1.0/24 domain-name 'domain.tld'
set service dhcp-server shared-network-name TRUSTED subnet 192.168.1.0/24 lease '86400'
set service dhcp-server shared-network-name TRUSTED subnet 192.168.1.0/24 name-server '192.168.254.2'
set service dhcp-server shared-network-name TRUSTED subnet 192.168.1.0/24 range 0 start '192.168.1.150'
set service dhcp-server shared-network-name TRUSTED subnet 192.168.1.0/24 range 0 stop '192.168.1.254'
set service dns forwarding allow-from '192.168.0.0/24'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address '192.168.0.1'
set service dns forwarding name-server 1.0.0.1
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 8.8.4.4
set service dns forwarding name-server 8.8.8.8
set service ntp allow-client address '0.0.0.0/0'
set service ntp allow-client address '::/0'
set service ntp server 0.us.pool.ntp.org
set service ntp server 1.us.pool.ntp.org
set service ntp server 2.us.pool.ntp.org
set service ntp server 3.us.pool.ntp.org
set service ssh disable-password-authentication
set system domain-name 'domain.tld'
set system host-name 'vyos'
set system ipv6 disable-forwarding
set system logs logrotate messages
set system name-server '192.168.254.2'

Good morning.

  1. Does the internet work from your LAN devices?
  2. Run `sudo tcpdump -ni eth4 icmp`, check for both outgoing and incoming ICMP packets, and post the output here.
  3. Please also show the output of `sudo nft list ruleset`.

I’d verify the eth4 hw-id first. Then use tcpdump on eth4 to get a clue about what is going on.

@anon10687249 I’m going to speculate that this is related to the firewall state-policy migration. See my new post here and the corresponding ticket T5775.


That was indeed the issue; I was able to update to the latest 1.4-rolling once the fix had been backported.

