Request for Help VyOS 1.18 Zone Firewall

firewall

#1

Hello, I am having a problem with VyOS and setting up a firewall zone on a sub-interface, which is a VLAN.
I have created VLAN 500 and I am assigning DHCP. Clients can get to the internet with no problem. As soon as I apply the following firewall rule:

:: VLAN 500 IN
set firewall name VLAN-500-IN default-action 'drop'
set firewall name VLAN-500-IN rule 1000 action 'drop'
set firewall name VLAN-500-IN rule 1000 source group network-group 'BLACKLISTED'
set firewall name VLAN-500-IN rule 1001 action 'drop'
set firewall name VLAN-500-IN rule 1001 destination group network-group 'BLACKLISTED'
set firewall name VLAN-500-IN rule 1010 action 'accept'
set firewall name VLAN-500-IN rule 1010 state established 'enable'
set firewall name VLAN-500-IN rule 1010 state related 'enable'
set firewall name VLAN-500-IN rule 1011 action 'drop'
set firewall name VLAN-500-IN rule 1011 state invalid 'enable'
set firewall name VLAN-500-IN rule 9000 action 'accept'
set firewall name VLAN-500-IN rule 9000 source group network-group 'MANAGEMENT LAN'
set firewall name VLAN-500-IN rule 9000 state new 'enable'

I apply the rule against the sub interface:

set interfaces ethernet eth4 vif 500 firewall in name 'VLAN-500-IN'

I am NATing out through eth0 to the internet.

Once I remove it, I am able to access the internet. The rule somehow kills access to my gateway IP. Not sure what is wrong with my config. Any help appreciated.


#2

Here's what the wiki says about what a zone-based firewall means in VyOS. Note the line there:

Doing this properly using the regular per-interface inbound/outbound approach amounts to an uncomfortable amount of ruleset clutter and repetition

That's why zone-policy exists. You should look into it. It makes your life infinitely easier.

I imagine your problem lies here:

set firewall name VLAN-500-IN rule 1000 action 'drop'
set firewall name VLAN-500-IN rule 1000 source group network-group 'BLACKLISTED'
set firewall name VLAN-500-IN rule 1001 action 'drop'
set firewall name VLAN-500-IN rule 1001 destination group network-group 'BLACKLISTED'

What you really want to do is move those rules to your other firewalls, the MANAGEMENT LAN/etc.
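A zone-policy layout for the setup in this thread, added here as an illustration; it is not taken from the posts or from the VyOS documentation. It assumes eth0 is the WAN interface, the management LAN is on eth1, and the VLAN 500 sub-interface appears as eth4.500; BLACKLISTED is the network-group from the original config. Traffic to the router itself (a local-zone) and the WAN/management zone pair are left out.

```vyos
# Added example (not from the thread): zone-policy equivalent of the per-interface ruleset.
# Assumed interfaces: eth0 = WAN, eth1 = management LAN, eth4.500 = VLAN 500.
# BLACKLISTED is the network-group already defined in the poster's configuration.

# VLAN 500 -> Internet: stateful, blocklisted destinations dropped, new outbound allowed
set firewall name VLAN500-WAN default-action 'drop'
set firewall name VLAN500-WAN rule 10 action 'accept'
set firewall name VLAN500-WAN rule 10 state established 'enable'
set firewall name VLAN500-WAN rule 10 state related 'enable'
set firewall name VLAN500-WAN rule 20 action 'drop'
set firewall name VLAN500-WAN rule 20 state invalid 'enable'
set firewall name VLAN500-WAN rule 30 action 'drop'
set firewall name VLAN500-WAN rule 30 destination group network-group 'BLACKLISTED'
set firewall name VLAN500-WAN rule 100 action 'accept'
set firewall name VLAN500-WAN rule 100 state new 'enable'

# Reply traffic only: reused for Internet -> VLAN 500 and VLAN 500 -> management LAN
set firewall name RETURN-ONLY default-action 'drop'
set firewall name RETURN-ONLY rule 10 action 'accept'
set firewall name RETURN-ONLY rule 10 state established 'enable'
set firewall name RETURN-ONLY rule 10 state related 'enable'
set firewall name RETURN-ONLY rule 20 action 'drop'
set firewall name RETURN-ONLY rule 20 state invalid 'enable'

# Management LAN -> VLAN 500: management hosts may open new connections into the VLAN
set firewall name MGMT-VLAN500 default-action 'drop'
set firewall name MGMT-VLAN500 rule 10 action 'accept'
set firewall name MGMT-VLAN500 rule 10 state established 'enable'
set firewall name MGMT-VLAN500 rule 10 state related 'enable'
set firewall name MGMT-VLAN500 rule 20 action 'accept'
set firewall name MGMT-VLAN500 rule 20 state new 'enable'

# Zones: an interface belongs to exactly one zone. A zone pair with no "from" policy
# falls back to the destination zone's default-action, so WAN <-> MGMT (not shown) is dropped.
set zone-policy zone WAN default-action 'drop'
set zone-policy zone WAN interface 'eth0'
set zone-policy zone MGMT default-action 'drop'
set zone-policy zone MGMT interface 'eth1'
set zone-policy zone VLAN500 default-action 'drop'
set zone-policy zone VLAN500 interface 'eth4.500'

# "zone X from Y" filters traffic that leaves zone Y and enters zone X
set zone-policy zone WAN from VLAN500 firewall name 'VLAN500-WAN'
set zone-policy zone VLAN500 from WAN firewall name 'RETURN-ONLY'
set zone-policy zone VLAN500 from MGMT firewall name 'MGMT-VLAN500'
set zone-policy zone MGMT from VLAN500 firewall name 'RETURN-ONLY'
```

With this layout the per-interface `firewall in` assignment on eth4 vif 500 is no longer needed, and each direction between two zones has exactly one ruleset to inspect when something is unexpectedly dropped.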


#3

Thank you for your prompt answer I will update that with the method you have mentioned. Have a great weekend!