Need help with firewall setup VyOS 1.5

So I have tried to follow the docs for 1.5 but got stuck at configuring the firewall (the whole router works, etc.)

I want to configure the firewall in the following manner:
anything from the local network = accept everything
anything from outside network = sane defaults

currently eth6 is my WAN
while eth1 is my PC
eth2 is TP-LINK AP
they are in the bridge br0

interfaces {
     bridge br0 {
         address 192.168.1.1/24
         description "LAN Bridge"
         member {
             interface eth1 {
             }
             interface eth2 {
             }
         }
     }
     ethernet eth1 {
         description WIFI
         hw-id 60:be:b4:1a:08:cf
         offload {
             gro
             gso
             sg
             tso
         }
     }
...
nat {
     source {
         rule 100 {
             outbound-interface {
                 name eth6
             }
             source {
                 address 192.168.1.0/24
             }
             translation {
                 address masquerade
             }
         }
     }
}

For now this is what I have in the firewall section (not committed yet). I am so confused on how to assign interfaces to firewall rules, and most guides online either have a very complex setup or were made for 1.4. Please help.

+firewall {
+    group {
+        interface-group LAN {
+            interface eth1
+            interface eth2
+            interface eth3
+            interface eth4
+            interface eth5
+            interface br0
+        }
+        interface-group WAN {
+            interface eth6
+        }
+        network-group NET-INSIDE-v4 {
+            network 192.168.1.0/24
+        }
+    }
+    ipv4 {
+        name LAN-IN {
+            default-action accept
+        }
+        name LOCAL {
+            default-action drop
+            rule 10 {
+                action accept
+                state established
+                state related
+            }
+        }
+        name WAN-IN {
+            default-action drop
+            rule 10 {
+                action accept
+                state established
+                state related
+            }
+            rule 20 {
+                action drop
+                state invalid
+            }
+        }
+    }
+}
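
Review bot: none of the three named chains (LAN-IN, LOCAL, WAN-IN) is reachable: there is no `ipv4 input filter` or `ipv4 forward filter` in this block with a rule that jumps to them, so committing it changes nothing about what the router passes or drops. Second, interface-group LAN lists eth1 and eth2 next to br0, but the interfaces section above shows both as members of br0; listing the bridge is enough. network-group NET-INSIDE-v4 is likewise defined but referenced by no rule.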

If you have bridged two interfaces together, you don’t need to reference the individual interfaces anymore.

Here’s an example of what you need. This won’t work exactly (I’ve had a go but I haven’t tested it), but it’s to give the idea:

+firewall {
+    group {
+        interface-group LAN {
-            interface eth1
-            interface eth2
+            interface eth3
+            interface eth4
+            interface eth5
+            interface br0
+        }
+        interface-group WAN {
+            interface eth6
+        }
+        network-group NET-INSIDE-v4 {
+            network 192.168.1.0/24
+        }
+    }
+    ipv4 {
+        name LAN-IN {
+            default-action accept
+        }
+        name LOCAL {
+            default-action drop
+            rule 10 {
+                action accept
+                state established
+                state related
+            }
+        }
+        name WAN-IN {
+            default-action drop
+            rule 10 {
+                action accept
+                state established
+                state related
+            }
+            rule 20 {
+                action drop
+                state invalid
+            }
+        }
+    }
+}
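
Review bot: interface-group LAN, network-group NET-INSIDE-v4 and chain LAN-IN are defined but referenced by no rule in this block, so they are dead configuration as written; either attach LAN-IN through a forward or input rule matching `inbound-interface group LAN`, or drop those three entries to keep the policy readable. Removing eth1 and eth2 from the LAN group is consistent with the bridge note above, since br0 is what the bridged traffic arrives on.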

Now you want an input filter (stuff that's destined FOR the firewall)

    ipv4 {
        input {
            filter {
                default-action reject
                rule 10 {
                    action jump
                    jump-target LOCAL
                    description "Filter Traffic to Router from WAN"
                    inbound-interface {
                        group WAN
                    }
                }
            }
        }
    }


Then you want a forward filter (for traffic the router is forwarding, like from the WAN to the LAN)

    ipv4 {
        forward {
            filter {
                default-action reject
                description "Filter packets being forwarded through the router"
                rule 10 {
                    action jump
                    jump-target WAN-IN
                    inbound-interface {
                        group WAN
                    }
                }
            }
        }
    }

I have updated the config according to your suggestion, how does it look now?

vyos@vyos# show firewall
+group {
+    interface-group LAN {
+        interface eth3
+        interface eth4
+        interface eth5
+        interface br0
+    }
+    interface-group WAN {
+        interface eth6
+    }
+}
+ipv4 {
+    forward {
+        filter {
+            default-action drop
+            description "Filter packets being forwarded through the router"
+            rule 10 {
+                action jump
+                inbound-interface {
+                    group WAN
+                }
+                jump-target WAN-IN
+            }
+        }
+    }
+    input {
+        filter {
+            default-action drop
+            rule 10 {
+                action jump
+                description "Filter Traffic to Router from WAN"
+                inbound-interface {
+                    group WAN
+                }
+                jump-target LOCAL
+            }
+        }
+    }
+    name LAN-IN {
+        default-action accept
+    }
+    name LOCAL {
+        default-action drop
+        rule 10 {
+            action accept
+            state established
+            state related
+        }
+    }
+    name WAN-IN {
+        default-action drop
+        rule 10 {
+            action accept
+            state established
+            state related
+        }
+        rule 20 {
+            action drop
+            state invalid
+        }
+    }
+}
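
Review bot: `default-action drop` on the forward and input filters is the logic error here. Each hook has a single rule, scoped to `inbound-interface group WAN`, so a packet arriving from br0 (a LAN host going to the WAN, or a LAN host talking to the router itself) matches no rule and is dropped by the default; that is the total loss of access reported below. The hook defaults should be accept, with the WAN-specific dropping left to the LOCAL and WAN-IN chains the jump rules point at. interface-group LAN and chain LAN-IN are still referenced by nothing.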

To be completely honest I’m even more lost than before.

EDIT: unfortunately it does not work at all, I completely lose all access.

Sorry, the default action for the forward filter needs to be accept, otherwise traffic going from the LAN to the WAN will be dropped. My apologies, that’s why you were losing all access: no LAN traffic was allowed to the WAN.

Same for input filter!

You do the “drop” in the jump targets. So like so:

vyos@vyos# show firewall
+group {
+    interface-group LAN {
+        interface eth3
+        interface eth4
+        interface eth5
+        interface br0
+    }
+    interface-group WAN {
+        interface eth6
+    }
+}
+ipv4 {
+    forward {
+        filter {
+            default-action accept
+            description "Filter packets being forwarded through the router"
+            rule 10 {
+                action jump
+                inbound-interface {
+                    group WAN
+                }
+                jump-target WAN-IN
+            }
+        }
+    }
+    input {
+        filter {
+            default-action accept
+            rule 10 {
+                action jump
+                description "Filter Traffic to Router from WAN"
+                inbound-interface {
+                    group WAN
+                }
+                jump-target LOCAL
+            }
+        }
+    }
+    name LAN-IN {
+        default-action accept
+    }
+    name LOCAL {
+        default-action drop
+        rule 10 {
+            action accept
+            state established
+            state related
+        }
+    }
+    name WAN-IN {
+        default-action drop
+        rule 10 {
+            action accept
+            state established
+            state related
+        }
+        rule 20 {
+            action drop
+            state invalid
+        }
+    }
+}
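
Review bot: only `ipv4` is configured, so if eth6 ever receives IPv6 connectivity none of these rules apply to it and an equivalent `ipv6 input filter` / `ipv6 forward filter` with the same established/related logic would be needed. Otherwise the structure is sound: the accept default on both hooks leaves LAN traffic untouched, and everything arriving on group WAN is funnelled into LOCAL and WAN-IN, which drop by default. interface-group LAN and chain LAN-IN remain unreferenced and can be removed.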

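As an added example (not from this thread or from VyOS), here is a small Python checker that parses the brace-style `show firewall` output posted above and flags the two mistakes the thread ran into: named chains that nothing jumps to, and a hook filter whose default is drop while its only rules are scoped to the WAN group. The parser and the `lint_ipv4_firewall` function are my own, and the sample config is constructed.

```python
def parse_vyos(text):
    """Parse VyOS brace-style 'show' output (with '+'/'-' change markers) into nested dicts."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip().lstrip("+ ")  # drop the uncommitted-change marker and indentation
        if not line or raw.strip().startswith("-"):  # '-' lines are being removed: skip them
            continue
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            stack.append(node)
            for key in line[:-1].split():  # "name LAN-IN {" opens two nested levels
                node = node.setdefault(key, {})
        else:  # leaf: "default-action drop"; repeated keys (state ...) collect into a list
            key, _, val = line.partition(" ")
            node.setdefault(key, []).append(val.strip('"'))
    return root

def lint_ipv4_firewall(cfg):
    """Flag hook filters that drop by default while only matching WAN, and chains nothing jumps to."""
    v4 = cfg.get("firewall", cfg).get("ipv4", {})
    findings, referenced = [], set()
    for hook in ("input", "forward"):
        flt = v4.get(hook, {}).get("filter")
        if flt is None:
            findings.append(f"{hook} filter missing: nothing is evaluated for {hook} traffic")
            continue
        rules = list(flt.get("rule", {}).values())
        referenced.update(t for r in rules for t in r.get("jump-target", []))
        default = flt.get("default-action", ["accept"])[0]
        # every rule names an inbound interface, so traffic from anywhere else (the LAN) hits the default
        if default != "accept" and all("inbound-interface" in r for r in rules):
            findings.append(f"{hook} filter: default-action {default} with only "
                            "inbound-interface scoped rules, so LAN traffic hits the default")
    findings += [f"chain {c} is defined but never jumped to"
                 for c in v4.get("name", {}) if c not in referenced]
    return findings

# Constructed sample (not the poster's exact output) in the shape of the first attempt: no hooks.
FIRST_ATTEMPT = """\
+ipv4 {
+    name LAN-IN {
+        default-action accept
+    }
+    name WAN-IN {
+        default-action drop
+    }
+}
"""
```

Running `lint_ipv4_firewall(parse_vyos(FIRST_ATTEMPT))` reports both missing hooks and both orphaned chains; fed the second attempt above it reports the drop default on the forward filter, and fed the final config it reports nothing.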