Request for Help VyOS 1.18 Zone Firewall

Hello, I am having a problem with VyOS and setting up a firewall zone on a sub-interface which is a VLAN.
I have created a VLAN 500 and I am assigning DHCP. Clients can get to the internet with no problem. As soon as I apply the following firewall rule:

:: VLAN 500 IN
set firewall name VLAN-500-IN default-action 'drop'
set firewall name VLAN-500-IN rule 1000 action 'drop'
set firewall name VLAN-500-IN rule 1000 source group network-group 'BLACKLISTED'
set firewall name VLAN-500-IN rule 1001 action 'drop'
set firewall name VLAN-500-IN rule 1001 destination group network-group 'BLACKLISTED'
set firewall name VLAN-500-IN rule 1010 action 'accept'
set firewall name VLAN-500-IN rule 1010 state established 'enable'
set firewall name VLAN-500-IN rule 1010 state related 'enable'
set firewall name VLAN-500-IN rule 1011 action 'drop'
set firewall name VLAN-500-IN rule 1011 state invalid 'enable'
set firewall name VLAN-500-IN rule 9000 action 'accept'
set firewall name VLAN-500-IN rule 9000 source group network-group 'MANAGEMENT LAN'
set firewall name VLAN-500-IN rule 9000 state new 'enable'

I apply the rule against the sub interface:

set interfaces ethernet eth4 vif 500 firewall in name 'VLAN-500-IN'

I am natting out through eth0 to the internet.

Once I remove it, I am able to access the internet. The rule somehow kills access to my gateway IP. Not sure what is wrong with my config. Any help appreciated.
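To see how VyOS evaluates the posted VLAN-500-IN ruleset (first matching rule wins, otherwise default-action), here is an added Python model of that evaluation over the rules above; it is not VyOS code, and the client subnet, gateway IP and the members of BLACKLISTED and MANAGEMENT LAN are constructed assumptions, with the VLAN 500 client subnet assumed not to be a member of MANAGEMENT LAN.

```python
import ipaddress

# Network groups as assumed for this example (constructed addresses, not from the post).
GROUPS = {
    "BLACKLISTED": ["203.0.113.0/24"],
    "MANAGEMENT LAN": ["192.168.1.0/24"],
}

# The posted VLAN-500-IN ruleset in VyOS order. src_group / dst_group mirror
# "source/destination group network-group"; states mirror "state <x> enable".
DEFAULT_ACTION = "drop"
RULES = [
    (1000, {"action": "drop", "src_group": "BLACKLISTED"}),
    (1001, {"action": "drop", "dst_group": "BLACKLISTED"}),
    (1010, {"action": "accept", "states": {"established", "related"}}),
    (1011, {"action": "drop", "states": {"invalid"}}),
    (9000, {"action": "accept", "src_group": "MANAGEMENT LAN", "states": {"new"}}),
]

def in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in GROUPS[group])

def rule_matches(rule, src, dst, state):
    # Every criterion configured on a rule must match (AND semantics), as in VyOS.
    if "src_group" in rule and not in_group(src, rule["src_group"]):
        return False
    if "dst_group" in rule and not in_group(dst, rule["dst_group"]):
        return False
    if "states" in rule and state not in rule["states"]:
        return False
    return True

def evaluate(src, dst, state):
    """Return (action, rule_number) of the first matching rule; rule_number is None
    when no rule matched and default-action decided."""
    for number, rule in RULES:
        if rule_matches(rule, src, dst, state):
            return rule["action"], number
    return DEFAULT_ACTION, None

if __name__ == "__main__":
    # Constructed packets arriving on eth4 vif 500: 10.0.50.10 is a VLAN 500 client,
    # 10.0.50.1 the gateway IP, 198.51.100.7 an internet host.
    for pkt in [("10.0.50.10", "10.0.50.1", "new"),        # client -> gateway, first packet
                ("10.0.50.10", "198.51.100.7", "new"),     # client -> internet, first packet
                ("10.0.50.10", "198.51.100.7", "established"),
                ("192.168.1.5", "198.51.100.7", "new"),    # management host -> internet
                ("10.0.50.10", "203.0.113.9", "new")]:     # client -> blacklisted destination
        print(pkt, "->", evaluate(*pkt))
```

A new connection from a VLAN 500 client reaches no accept rule (rule 9000 only accepts new connections from MANAGEMENT LAN) and falls to default-action drop, which covers the gateway IP as well; under zone-policy the same first-match evaluation runs per zone pair, so the accept rule for the VLAN's own new connections lives in that zone's outbound policy.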

Here's what the wiki says about what a zone-based firewall means in VyOS. Note the line there:

Doing this properly using the regular per-interface inbound/outbound approach amounts to an uncomfortable amount of ruleset clutter and repetition

That's why zone-policy exists. You should look into it. It makes your life infinitely easier.

I imagine your problem lies here:

set firewall name VLAN-500-IN rule 1000 action 'drop'
set firewall name VLAN-500-IN rule 1000 source group network-group 'BLACKLISTED'
set firewall name VLAN-500-IN rule 1001 action 'drop'
set firewall name VLAN-500-IN rule 1001 destination group network-group 'BLACKLISTED'

What you really want to do is move those rules to your other firewalls, the MANAGEMENT LAN/etc.


Thank you for your prompt answer. I will update that with the method you have mentioned. Have a great weekend!