Need help to configure Asymetric VLAN Traffic in vyOS 1.5

Before upgrade to 1.5 I had inter-valn traffic after upgrade I can’t have vlan to communicate between each other.

What I want to achieve is:

VLAN100 can ping communicate with resources on VLAN500 but VLAN500 should not be able to communicate with VLAN100.

VLAN200 should be able to communicate with specific resources on VLAN500 for exemple host 10.0.0.105 on port 80 and 443.

vyOS version: 1.5-rolling-202408030020

This is my current configuration:

firewall {
    global-options {
        state-policy {
            established {
                action accept
            }
            invalid {
                action drop
            }
            related {
                action accept
            }
        }
    }
    group {
        interface-group LAN {
            interface br0
            interface br0.100
            interface br0.200
            interface br0.400
            interface br1
            interface br1.300
        }
        interface-group WAN {
            interface pppoe0
            interface pppoe1
        }
        network-group NET-INSIDE-v4 {
            network 172.1.100.0/24
            network 172.1.200.0/24
            network 172.1.30.0/24
            network 192.168.1.0/24
        }
    }
    ipv4 {
        forward {
            filter {
                default-log
                rule 100 {
                    action jump
                    destination {
                        group {
                            network-group NET-INSIDE-v4
                        }
                    }
                    inbound-interface {
                        group WAN
                    }
                    jump-target OUTSIDE-IN
                }
            }
        }
        input {
            filter {
                default-action drop
                default-log
                rule 20 {
                    action jump
                    destination {
                        port 22
                    }
                    jump-target VyOS_MANAGEMENT
                    protocol tcp
                }
                rule 30 {
                    action accept
                    icmp {
                        type-name echo-request
                    }
                    protocol icmp
                    state new
                }
                rule 50 {
                    action accept
                    source {
                        address 127.0.0.0/8
                    }
                }
            }
        }
        name OUTSIDE-IN {
            default-action drop
        }
        name VyOS_MANAGEMENT {
            default-action return
            rule 15 {
                action accept
                inbound-interface {
                    group LAN
                }
            }
        }
        output {
            filter {
                default-log
            }
        }
    }
}
interfaces {
    bridge br0 {
        enable-vlan
        member {
            interface eth1 {
                allowed-vlan 100
                allowed-vlan 200
                allowed-vlan 400
                allowed-vlan 500
            }
        }
        stp
        vif 100 {
            address 172.1.100.1/24
            description "WORK VLAN"
        }
        vif 200 {
            address 172.1.200.1/24
            description "HOME VLAN"
        }
        vif 400 {
            address 192.168.1.1/24
            description "iLO VLAN"
        }
        vif 500 {
            address 10.0.0.1/9
            description "Public VM Network"
        }
    }
    bridge br1 {
        enable-vlan
        member {
            interface eth2 {
                allowed-vlan 300
            }
        }
        stp
        vif 300 {
            address 172.1.30.1/24
            description "CEPH VLAN"
        }
    }
    ethernet eth0 {
        hw-id 78:2b:cb:c0:6e:cb
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth1 {
        hw-id a0:1d:48:98:4b:30
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth2 {
        hw-id a0:1d:48:98:4b:34
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth3 {
        hw-id 00:26:55:ee:bb:7e
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth4 {
        hw-id 00:26:55:ee:bb:7f
        offload {
            gro
            gso
            sg
            tso
        }
    }
    loopback lo {
    }
    pppoe pppoe0 {
        authentication {
            password ****************
            username ****************
        }
        description Netsulminas
        source-interface eth3
    }
    pppoe pppoe1 {
        authentication {
            password ****************
            username ****************
        }
        description "5G Net"
        ipv6 {
            address {
            }
        }
        local-address x.x.x.x
        source-interface eth4
    }
}
load-balancing {
    wan {
        disable-source-nat
        interface-health pppoe0 {
            nexthop 10.1.1.1
        }
        interface-health pppoe1 {
            nexthop 100.126.0.1
        }
        rule 1 {
            inbound-interface br0.100
            interface pppoe0 {
                weight 2
            }
            interface pppoe1 {
                weight 1
            }
        }
        rule 2 {
            inbound-interface br0.200
            interface pppoe0 {
                weight 2
            }
            interface pppoe1 {
                weight 1
            }
        }
        rule 5 {
            inbound-interface br0.500
            interface pppoe0 {
                weight 2
            }
            interface pppoe1 {
                weight 1
            }
        }
        sticky-connections {
            inbound
        }
    }
}
nat {
    source {
        rule 100 {
            outbound-interface {
                name pppoe0
            }
            source {
                address 172.1.100.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 200 {
            outbound-interface {
                name pppoe0
            }
            source {
                address 172.1.200.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 300 {
            outbound-interface {
                name pppoe1
            }
            source {
                address 172.1.100.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 400 {
            outbound-interface {
                name pppoe1
            }
            source {
                address 172.1.200.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 500 {
            outbound-interface {
                name pppoe0
            }
            source {
                address 10.0.0.0/9
            }
            translation {
                address masquerade
            }
        }
        rule 600 {
            outbound-interface {
                name pppoe1
            }
            source {
                address 10.0.0.0/9
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name HOMELAN {
            subnet 172.1.200.0/24 {
                lease 86400
                option {
                    default-router 172.1.200.1
                    domain-name home.local
                    domain-search home.local
                    name-server 172.1.200.5
                }
                range 0 {
                    start 172.1.200.51
                    stop 172.1.200.250
                }
                subnet-id 1
            }
        }
        shared-network-name LAN {
            subnet 192.168.1.0/24 {
                lease 86400
                option {
                    default-router 192.168.1.1
                    domain-name ilo.local
                    domain-search ilo.local
                    name-server 192.168.1.1
                }
                range 0 {
                    start 192.168.1.100
                    stop 192.168.1.200
                }
                subnet-id 3
            }
        }
        shared-network-name VMPUBLICLAN {
            subnet 10.0.0.0/9 {
                lease 86400
                option {
                    default-router 10.0.0.1
                    domain-name vmpublic.local
                    domain-search vmpublic.local
                    name-server 10.0.0.5
                }
                range 0 {
                    start 10.0.0.100
                    stop 10.127.255.200
                }
                subnet-id 4
            }
        }
        shared-network-name WORKLAN {
            subnet 172.1.100.0/24 {
                lease 86400
                option {
                    default-router 172.1.100.1
                    domain-name mylab.local
                    domain-search mylab.local
                    name-server 172.1.100.5
                }
                range 0 {
                    start 172.1.100.100
                    stop 172.1.100.150
                }
                subnet-id 2
            }
        }
    }
    dns {
        forwarding {
            allow-from 192.168.1.0/24
            cache-size 0
            listen-address 192.168.1.1
        }
    }
    ntp {
        allow-client {
            address 127.0.0.0/8
            address 169.254.0.0/16
            address 10.0.0.0/8
            address 172.16.0.0/12
            address 192.168.0.0/16
            address ::1/128
            address fe80::/10
            address fc00::/7
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    name-server 8.8.8.8
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
    time-zone America/Sao_Paulo
    update-check {
        auto-check
        url https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json
    }
}

What was the version you upgraded from?

Maybe you are impacted with this bug: ⚓ T6647 Zone-based Firewalls on Bridges would flag related DHCP traffic invalid

It is a fresh install

I did try to set the set firewall global-options state-policy invalid action accept but still unable to talk with other vlans.

I basically follow the Quick start firewall configuration using the option 1 Global State Policies

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.