Moving Zone based config 1.3 -1.4

Hi !

I have encountered strange issue moving my zone-based config from 1.3 to 1.4 rolling. Only small part of the config have been moved so far but it doesn’t work as expected. Typical zone base firewall, 2 WAN interfaces, DMZ 192.168.1.xx and Internal LAN 192.168.0.xx. In short, no traffic (even ping) from router itself to WAN zone (and from INT to WAN, too). However, I can ping/ssh connect between router and Internal zone. Here is a config.
Thanks in advance for any help.


set interfaces ethernet eth4 address '192.168.1.1/24'
set interfaces ethernet eth0 address '192.168.0.1/24'
set interfaces ethernet eth2 address '159.xx.xx.xx/30'
set interfaces ethernet eth3 address '83.xx.xx.xx/24'

set interfaces ethernet eth4 description 'INTF-DMZ'
set interfaces ethernet eth0 description 'INTF-INT'
set interfaces ethernet eth2 description 'INTF-WAN1-BITE'
set interfaces ethernet eth3 description 'INTF-WAN2-BTC'

set firewall group interface-group INTF-GRP-WAN interface eth2,eth3

set firewall zone ZONE-ROUTER-LOCAL local-zone
set firewall zone ZONE-INT interface eth0
set firewall zone ZONE-DMZ interface eth4
set firewall zone ZONE-WAN interface eth2,eth3

# Enable all router -> INT.
set firewall ipv4 name FW-RT2INT default-action drop
set firewall ipv4 name FW-RT2INT rule 101 action accept
set firewall ipv4 name FW-RT2INT rule 101 protocol all
set firewall zone ZONE-INT from ZONE-ROUTER-LOCAL firewall name FW-RT2INT

# Enable ping / SSH INT -> router.
set firewall ipv4 name FW-INT2RT default-action drop
set firewall ipv4 name FW-INT2RT rule 150 action accept
set firewall ipv4 name FW-INT2RT rule 150 state established 
set firewall ipv4 name FW-INT2RT rule 150 state related 
set firewall ipv4 name FW-INT2RT rule 151 action drop
set firewall ipv4 name FW-INT2RT rule 151 state invalid

set firewall ipv4 name FW-INT2RT rule 152 action accept
set firewall ipv4 name FW-INT2RT rule 152 protocol 'icmp'

set firewall ipv4 name FW-INT2RT rule 153 action accept
set firewall ipv4 name FW-INT2RT rule 153 protocol tcp
set firewall ipv4 name FW-INT2RT rule 153 destination port xxx

set firewall zone ZONE-ROUTER-LOCAL from ZONE-INT firewall name FW-INT2RT

set system static-host-mapping host-name node00.mycompany.com inet 192.168.0.4

set system name-server 8.8.8.8
set service dns forwarding cache-size '150'
set service dns forwarding allow-from 192.168.0.0/24
set service dns forwarding allow-from 192.168.1.0/24
set service dns forwarding listen-address 192.168.0.1

set service dns forwarding name-server 94.101.230.2
set service dns forwarding name-server 82.193.64.2 

set nat source rule 100 outbound-interface group INTF-GRP-WAN
set nat source rule 100 source address 192.168.0.0/24
set nat source rule 100 translation address 'masquerade'
set nat source rule 100 protocol all

set nat source rule 101 outbound-interface group INTF-GRP-WAN
set nat source rule 101 source address 192.168.1.0/24
set nat source rule 101 translation address 'masquerade'
set nat source rule 101 protocol all

# -------------------

set protocols static route 0.0.0.0/0 next-hop '159.xx.xx.aa' distance 15
set protocols static route 0.0.0.0/0 next-hop '83.xx.xx.bb' distance 100

# -------------------

# Enable all router -> DMZ + WAN.
 
set firewall ipv4 name FW-RT2DMZ default-action drop
set firewall ipv4 name FW-RT2DMZ rule 110 action accept
set firewall ipv4 name FW-RT2DMZ rule 110 protocol all
set firewall zone ZONE-DMZ from ZONE-ROUTER-LOCAL firewall name FW-RT2DMZ

set firewall ipv4 name FW-RT2WAN default-action drop
set firewall ipv4 name FW-RT2WAN rule 120 action accept
set firewall ipv4 name FW-RT2WAN rule 120 protocol all
set firewall zone ZONE-WAN from ZONE-ROUTER-LOCAL firewall name FW-RT2WAN

# Enable all INT -> DMZ + WAN

set firewall ipv4 name FW-INT2DMZ default-action drop
set firewall ipv4 name FW-INT2DMZ rule 130 action accept
set firewall ipv4 name FW-INT2DMZ rule 130 state established 
set firewall ipv4 name FW-INT2DMZ rule 130 state related 
set firewall ipv4 name FW-INT2DMZ rule 131 action drop
set firewall ipv4 name FW-INT2DMZ rule 131 state invalid
set firewall ipv4 name FW-INT2DMZ rule 132 action accept
set firewall ipv4 name FW-INT2DMZ rule 132 protocol all
set firewall zone ZONE-DMZ from ZONE-INT firewall name FW-INT2DMZ

set firewall ipv4 name FW-INT2WAN default-action drop
set firewall ipv4 name FW-INT2WAN rule 140 action accept
set firewall ipv4 name FW-INT2WAN rule 140 state established 
set firewall ipv4 name FW-INT2WAN rule 140 state related 
set firewall ipv4 name FW-INT2WAN rule 141 action drop
set firewall ipv4 name FW-INT2WAN rule 141 state invalid
set firewall ipv4 name FW-INT2WAN rule 142 action accept
set firewall ipv4 name FW-INT2WAN rule 142 protocol all
set firewall zone ZONE-WAN from ZONE-INT firewall name FW-INT2WAN

Try adding global state policies.
With a quick review, for example, it seems your are accepting all connections from router to WAN, but I see no accept for their response.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.