Hello, I am new to VyOS and I am having some difficulties that I hope someone here will be able to answer. I have a VyOS firewall running in a VM environment connected to a VMware virtual switch with 3 inside interfaces and 1 outside interface. Each inside interface has its own private subnet and they all do masquerade NAT. The issue is that when I configure zones at all it seems to block all traffic, preventing the inside interfaces from doing ARP properly, even if I don’t add interfaces as members. The VyOS is running version “VyOS 2025.03.14-0017-rolling”, which appears to be an issue. All the documentation I have read says you can apply firewall rules directly on an interface, but in this version I can only apply them to zones from another zone.
All I am trying to do is limit SSH access on the WAN side while permitting everything else, and the way I thought it would work completely fails. I am highly skilled in Juniper and Cisco, but the way this seems to work is very counterintuitive.
If someone can lend some assistance I would be eternally grateful.
I was about to post the same thing. While we wait for your config, a few notes:
Applying firewall rules directly to interfaces was how it was done in 1.3. From 1.4 on, it is done at the global level. Once you get familiar with this format, you’ll see why it’s much better.
Below is my config; I have censored the public IP information for security purposes. I have no zones configured yet, as that will cause an interruption as I stated earlier, but there should be an untrust zone with eth0 as a member, a trust zone with eth1-3 as members, and a local zone to apply the SSH-FILTER rule to, and I’m not sure how to do this.
The only way I can connect to the firewall is through the WAN side and I need to use the wireguard VPN I configured to connect to anything on its LAN.
My end goal is to secure the firewall so only I can connect to it; everything else should be allowed, and it should function as a NAT gateway for the servers behind it.
But do you really want every port other than udp/51820 and tcp/22 allowed in to VyOS itself?
I ask, because if there’s a vulnerability for a specific socket, you’re wide open to that. If all you need are these 2 ports, I would lock it down to only those 2 ports:
udp/51820
tcp/22
One last question, should everything from the trusted interfaces be allowed to VyOS, including SSH? So you could manage it while on site (assuming you ever go to this site)?
The VyOS is a VM as well as the servers it serves as a firewall for. We don’t know what else we need to secure yet as this is a new setup for an outside vendor to access the servers which they will do using the wireguard VPN.
I’m really only trying to secure everything while allowing the servers behind the firewall to have Internet access.
Here’s something to get you started. I made this more secure than what you have, so just modify it if you really want to go with what you had. This is not a zone-based firewall config, since you really don’t need that. But you can create one if you really want using the link to the docs I posted earlier.
NOTE: This is only for traffic TO VyOS. If you also want to filter traffic THROUGH VyOS, you’ll need to create the forward chain in addition to the input chain.
set firewall group interface-group TRUSTED_INTERFACES interface 'eth1'
set firewall group interface-group TRUSTED_INTERFACES interface 'eth2'
set firewall group interface-group TRUSTED_INTERFACES interface 'eth3'
set firewall group interface-group WAN_INTERFACES interface 'eth0'
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 description 'Allow return traffic initiated from VyOS host'
set firewall ipv4 input filter rule 10 state 'established'
set firewall ipv4 input filter rule 10 state 'related'
set firewall ipv4 input filter rule 20 action 'drop'
set firewall ipv4 input filter rule 20 description 'Drop Invalid State'
set firewall ipv4 input filter rule 20 state 'invalid'
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 description 'ALLOW SSH'
set firewall ipv4 input filter rule 30 destination port '22'
set firewall ipv4 input filter rule 30 protocol 'tcp'
set firewall ipv4 input filter rule 30 source address $Allowed-Subnet
set firewall ipv4 input filter rule 30 inbound-interface group 'WAN_INTERFACES'
set firewall ipv4 input filter rule 40 action 'accept'
set firewall ipv4 input filter rule 40 description 'ALLOW WIREGUARD'
set firewall ipv4 input filter rule 40 destination port '51820'
set firewall ipv4 input filter rule 40 protocol 'udp'
set firewall ipv4 input filter rule 40 inbound-interface group 'WAN_INTERFACES'
set firewall ipv4 input filter rule 1000 action 'accept'
set firewall ipv4 input filter rule 1000 description 'Allow all from trusted interfaces'
set firewall ipv4 input filter rule 1000 inbound-interface group 'TRUSTED_INTERFACES'
Here’s what this does:
Rules 10 and 20 make the firewall stateful, allowing everything to the input chain (local zone), provided it already has a session from traffic initiated by VyOS itself (like ping).
Rule 30 explicitly allows your SSH traffic.
Rule 40 allows the wireguard traffic. You weren’t filtering by subnet in your example, so I didn’t include that. You can lock it down further by source address if desired.
Rule 1000 allows all traffic from the trusted side. If you’ll never need the services at the site to be able to communicate with VyOS itself, then you can skip this rule.
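The post above only covers the input chain. As an added example (not from the original poster or the VyOS documentation), here is the companion forward chain for the NAT-gateway role described in the thread. It reuses the interface groups defined above and assumes eth0 is the WAN interface and that the WireGuard interface is called wg0; both names are assumptions, since the thread does not give them. Constructed example, not the original config:

```text
# Added example: forward chain (traffic THROUGH VyOS), same style as the input chain above.
# Assumes interface groups TRUSTED_INTERFACES / WAN_INTERFACES from the post,
# eth0 as WAN and wg0 as the WireGuard interface (assumed names).
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'accept'
set firewall ipv4 forward filter rule 10 description 'Allow established/related through VyOS'
set firewall ipv4 forward filter rule 10 state 'established'
set firewall ipv4 forward filter rule 10 state 'related'
set firewall ipv4 forward filter rule 20 action 'drop'
set firewall ipv4 forward filter rule 20 description 'Drop invalid state'
set firewall ipv4 forward filter rule 20 state 'invalid'
set firewall ipv4 forward filter rule 100 action 'accept'
set firewall ipv4 forward filter rule 100 description 'Servers on trusted subnets out to the Internet (NAT gateway)'
set firewall ipv4 forward filter rule 100 inbound-interface group 'TRUSTED_INTERFACES'
set firewall ipv4 forward filter rule 100 outbound-interface name 'eth0'
set firewall ipv4 forward filter rule 200 action 'accept'
set firewall ipv4 forward filter rule 200 description 'VPN users (wg0, assumed name) to the trusted subnets'
set firewall ipv4 forward filter rule 200 inbound-interface name 'wg0'
set firewall ipv4 forward filter rule 200 outbound-interface group 'TRUSTED_INTERFACES'
```

Two caveats. With default-action drop on the forward chain, traffic between the trusted subnets themselves (eth1 to eth2, for example) is also dropped unless you add a rule for it, and unsolicited connections from the WAN towards the servers stay blocked, which is what the original poster asked for. Also, since the only management path is over the WAN, apply changes with `commit-confirm` rather than `commit`, so a rule that locks you out is rolled back automatically if you cannot confirm it within the timeout.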