Before upgrading to 1.5 I had inter-VLAN traffic; after the upgrade the VLANs can no longer communicate with each other.
What I want to achieve is:
VLAN100 should be able to ping and communicate with resources on VLAN500, but VLAN500 should not be able to communicate with VLAN100.
VLAN200 should be able to communicate with specific resources on VLAN500, for example host 10.0.0.105 on ports 80 and 443.
vyOS version: 1.5-rolling-202408030020
This is my current configuration:
/* Firewall section. global-options state-policy: established/related accepted, invalid dropped, applied ahead of the chains below. */
firewall {
global-options {
state-policy {
established {
action accept
}
invalid {
action drop
}
related {
action accept
}
}
}
group {
/* LAN group holds br0 with vifs 100/200/400 and br1 with vif 300. br0.500 (vif 500 in interfaces, 10.0.0.1/9) is NOT a member, so rules that match "group LAN" do not cover the VM network. */
interface-group LAN {
interface br0
interface br0.100
interface br0.200
interface br0.400
interface br1
interface br1.300
}
/* Both PPPoE uplinks. */
interface-group WAN {
interface pppoe0
interface pppoe1
}
/* Inside networks used by forward rule 100. 10.0.0.0/9 (vif 500) is not listed here, so WAN->VLAN500 traffic is not covered by that rule. */
network-group NET-INSIDE-v4 {
network 172.1.100.0/24
network 172.1.200.0/24
network 172.1.30.0/24
network 192.168.1.0/24
}
}
ipv4 {
/* Forward chain (transit traffic, including inter-VLAN). No default-action is set here, only default-log; the only explicit rule is the WAN->inside jump below. */
/* NOTE(review): none of the forward rules implement the one-way VLAN100->VLAN500 or the VLAN200->10.0.0.105 tcp/80,443 policy described in the post. */
forward {
filter {
default-log
/* Traffic entering on a WAN interface and destined to NET-INSIDE-v4 goes to OUTSIDE-IN, whose default-action is drop. */
rule 100 {
action jump
destination {
group {
network-group NET-INSIDE-v4
}
}
inbound-interface {
group WAN
}
jump-target OUTSIDE-IN
}
}
}
/* Input chain (traffic to the router itself): drop by default and log. Explicit accepts: SSH via VyOS_MANAGEMENT, ICMP echo-request, loopback sources. */
input {
filter {
default-action drop
default-log
/* tcp/22 matches service ssh port 22 below; VyOS_MANAGEMENT accepts only LAN-group sources and returns otherwise (br0.500 is not in LAN). */
rule 20 {
action jump
destination {
port 22
}
jump-target VyOS_MANAGEMENT
protocol tcp
}
/* New ICMP echo-request from any source is accepted. */
rule 30 {
action accept
icmp {
type-name echo-request
}
protocol icmp
state new
}
/* Loopback-sourced traffic. */
rule 50 {
action accept
source {
address 127.0.0.0/8
}
}
}
}
/* Target of forward rule 100: nothing from WAN to the inside networks is accepted. */
name OUTSIDE-IN {
default-action drop
}
/* SSH management chain: accept from the LAN interface-group, otherwise return to the input chain (which then falls to default-action drop unless another rule matches). */
name VyOS_MANAGEMENT {
default-action return
rule 15 {
action accept
inbound-interface {
group LAN
}
}
}
/* Output chain (router-originated traffic): only logging, no default-action set. */
output {
filter {
default-log
}
}
}
}
/* Interfaces. br0 is a VLAN-aware bridge trunking VLANs 100/200/400/500 from eth1; br1 trunks VLAN 300 from eth2. Router addresses live on the vif sub-interfaces. */
interfaces {
bridge br0 {
enable-vlan
member {
interface eth1 {
allowed-vlan 100
allowed-vlan 200
allowed-vlan 400
allowed-vlan 500
}
}
stp
/* 172.1.100.0/24 - NATed via nat source rules 100/300, load-balanced by wan rule 1, DHCP WORKLAN. */
vif 100 {
address 172.1.100.1/24
description "WORK VLAN"
}
/* 172.1.200.0/24 - NATed via nat source rules 200/400, load-balanced by wan rule 2, DHCP HOMELAN. */
vif 200 {
address 172.1.200.1/24
description "HOME VLAN"
}
/* 192.168.1.0/24 - in NET-INSIDE-v4 and LAN group; no source NAT rule exists for this subnet. */
vif 400 {
address 192.168.1.1/24
description "iLO VLAN"
}
/* 10.0.0.0/9 - the /9 spans 10.0.0.0-10.127.255.255. NOTE(review): confirm this prefix length is intended. This vif is referenced by wan rule 5, nat rules 500/600 and DHCP VMPUBLICLAN, but is absent from interface-group LAN and network-group NET-INSIDE-v4. */
vif 500 {
address 10.0.0.1/9
description "Public VM Network"
}
}
bridge br1 {
enable-vlan
member {
interface eth2 {
allowed-vlan 300
}
}
stp
/* 172.1.30.0/24 - in NET-INSIDE-v4 and LAN group; no NAT or load-balancing rule references it. */
vif 300 {
address 172.1.30.1/24
description "CEPH VLAN"
}
}
/* eth0 has no address and is not referenced elsewhere in this configuration. */
ethernet eth0 {
hw-id 78:2b:cb:c0:6e:cb
offload {
gro
gso
sg
tso
}
}
/* eth1: br0 trunk member. */
ethernet eth1 {
hw-id a0:1d:48:98:4b:30
offload {
gro
gso
sg
tso
}
}
/* eth2: br1 trunk member. */
ethernet eth2 {
hw-id a0:1d:48:98:4b:34
offload {
gro
gso
sg
tso
}
}
/* eth3: carrier for pppoe0. */
ethernet eth3 {
hw-id 00:26:55:ee:bb:7e
offload {
gro
gso
sg
tso
}
}
/* eth4: carrier for pppoe1. */
ethernet eth4 {
hw-id 00:26:55:ee:bb:7f
offload {
gro
gso
sg
tso
}
}
loopback lo {
}
/* Uplink 1 (credentials masked in this dump). */
pppoe pppoe0 {
authentication {
password ****************
username ****************
}
description Netsulminas
source-interface eth3
}
/* Uplink 2 (credentials and local-address redacted in this dump); empty ipv6 address node. */
pppoe pppoe1 {
authentication {
password ****************
username ****************
}
description "5G Net"
ipv6 {
address {
}
}
local-address x.x.x.x
source-interface eth4
}
}
/* WAN load balancing across pppoe0/pppoe1 (weights 2:1) for traffic entering on br0.100, br0.200 and br0.500. Source NAT is disabled here and handled by the nat section instead. */
/* NOTE(review): no rule in this section uses "exclude" or a destination match; as written, rules 1/2/5 are matched by inbound interface only, so traffic from those VLANs toward other local subnets may also be steered to the WAN next-hops - confirm on this build. */
load-balancing {
wan {
disable-source-nat
/* Health checks ping the listed next-hops through each PPPoE interface. */
interface-health pppoe0 {
nexthop 10.1.1.1
}
interface-health pppoe1 {
nexthop 100.126.0.1
}
/* WORK VLAN. */
rule 1 {
inbound-interface br0.100
interface pppoe0 {
weight 2
}
interface pppoe1 {
weight 1
}
}
/* HOME VLAN. */
rule 2 {
inbound-interface br0.200
interface pppoe0 {
weight 2
}
interface pppoe1 {
weight 1
}
}
/* Public VM Network (vif 500). */
rule 5 {
inbound-interface br0.500
interface pppoe0 {
weight 2
}
interface pppoe1 {
weight 1
}
}
sticky-connections {
inbound
}
}
}
/* Source NAT: masquerade per inside subnet per uplink (pairs 100/300, 200/400, 500/600). 192.168.1.0/24 (iLO) and 172.1.30.0/24 (CEPH) have no source NAT rule. */
nat {
source {
/* 172.1.100.0/24 via pppoe0 */
rule 100 {
outbound-interface {
name pppoe0
}
source {
address 172.1.100.0/24
}
translation {
address masquerade
}
}
/* 172.1.200.0/24 via pppoe0 */
rule 200 {
outbound-interface {
name pppoe0
}
source {
address 172.1.200.0/24
}
translation {
address masquerade
}
}
/* 172.1.100.0/24 via pppoe1 */
rule 300 {
outbound-interface {
name pppoe1
}
source {
address 172.1.100.0/24
}
translation {
address masquerade
}
}
/* 172.1.200.0/24 via pppoe1 */
rule 400 {
outbound-interface {
name pppoe1
}
source {
address 172.1.200.0/24
}
translation {
address masquerade
}
}
/* 10.0.0.0/9 (vif 500) via pppoe0 */
rule 500 {
outbound-interface {
name pppoe0
}
source {
address 10.0.0.0/9
}
translation {
address masquerade
}
}
/* 10.0.0.0/9 (vif 500) via pppoe1 */
rule 600 {
outbound-interface {
name pppoe1
}
source {
address 10.0.0.0/9
}
translation {
address masquerade
}
}
}
}
/* Services: DHCP for four subnets, DNS forwarding for the iLO VLAN only, NTP for private ranges, SSH on 22. */
service {
dhcp-server {
/* HOME VLAN (vif 200); DNS handed out is 172.1.200.5, not the router. */
shared-network-name HOMELAN {
subnet 172.1.200.0/24 {
lease 86400
option {
default-router 172.1.200.1
domain-name home.local
domain-search home.local
name-server 172.1.200.5
}
range 0 {
start 172.1.200.51
stop 172.1.200.250
}
subnet-id 1
}
}
/* iLO VLAN (vif 400); the router itself is the DNS server here, matching the dns forwarding listen-address below. */
shared-network-name LAN {
subnet 192.168.1.0/24 {
lease 86400
option {
default-router 192.168.1.1
domain-name ilo.local
domain-search ilo.local
name-server 192.168.1.1
}
range 0 {
start 192.168.1.100
stop 192.168.1.200
}
subnet-id 3
}
}
/* Public VM Network (vif 500). The dynamic range 10.0.0.100-10.127.255.200 contains 10.0.0.105, the host the post wants reachable from VLAN200; no static-mapping pins that address here. */
shared-network-name VMPUBLICLAN {
subnet 10.0.0.0/9 {
lease 86400
option {
default-router 10.0.0.1
domain-name vmpublic.local
domain-search vmpublic.local
name-server 10.0.0.5
}
range 0 {
start 10.0.0.100
stop 10.127.255.200
}
subnet-id 4
}
}
/* WORK VLAN (vif 100); DNS handed out is 172.1.100.5. */
shared-network-name WORKLAN {
subnet 172.1.100.0/24 {
lease 86400
option {
default-router 172.1.100.1
domain-name mylab.local
domain-search mylab.local
name-server 172.1.100.5
}
range 0 {
start 172.1.100.100
stop 172.1.100.150
}
subnet-id 2
}
}
}
/* Recursive DNS only for 192.168.1.0/24 on 192.168.1.1; the other VLANs point at their own name-servers via DHCP. cache-size 0 disables caching. */
dns {
forwarding {
allow-from 192.168.1.0/24
cache-size 0
listen-address 192.168.1.1
}
}
/* NTP served to RFC1918, link-local and ULA ranges; upstream is the vyos.net pool. */
ntp {
allow-client {
address 127.0.0.0/8
address 169.254.0.0/16
address 10.0.0.0/8
address 172.16.0.0/12
address 192.168.0.0/16
address ::1/128
address fe80::/10
address fc00::/7
}
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
/* SSH on tcp/22; reachability is governed by firewall input rule 20 / VyOS_MANAGEMENT (LAN group only). */
ssh {
port 22
}
}
/* System settings: serial console, single local user, public resolver, syslog levels, automatic update check. */
system {
config-management {
commit-revisions 100
}
console {
device ttyS0 {
speed 115200
}
}
host-name vyos
/* Default user name retained. Both encrypted-password and plaintext-password nodes appear (masked in this dump). */
login {
user vyos {
authentication {
encrypted-password ****************
plaintext-password ****************
}
}
}
/* Router's own resolver is Google public DNS. */
name-server 8.8.8.8
/* Firewall default-log entries end up in syslog; local7 is kept at debug. */
syslog {
global {
facility all {
level info
}
facility local7 {
level debug
}
}
}
time-zone America/Sao_Paulo
/* Periodic check against the nightly-builds version file on GitHub. */
update-check {
auto-check
url https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json
}
}