Restriction rule is not working on VyOS 1.4.0 version

Dear Team

My restriction rule is not working on VyOS 1.4.3 when I apply a restriction on port 3389 and allow only one IP, but the server is accessible from everywhere even though I applied the restriction to a single IP.
Below is my config.

set firewall ipv4 name FIREWALL_IN rule 30 action 'accept'
set firewall ipv4 name FIREWALL_IN rule 30 description 'wsrv150'
set firewall ipv4 name FIREWALL_IN rule 30 destination address '192.168.235.10'
set firewall ipv4 name FIREWALL_IN rule 30 destination port '3389'
set firewall ipv4 name FIREWALL_IN rule 30 log
set firewall ipv4 name FIREWALL_IN rule 30 protocol 'tcp'
set nat destination rule 30 description 'DNAT for wsrv150-ind - One To One'
set nat destination rule 30 destination address '115.166.136.250'
set nat destination rule 30 destination port '3389'
set nat destination rule 30 inbound-interface name 'eth1'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '192.168.235.10'
set nat source rule 30 description 'SNAT wsrv150'
set nat source rule 30 outbound-interface name 'eth1'
set nat source rule 30 protocol 'all'
set nat source rule 30 source address '192.168.235.10'
set nat source rule 30 translation address '115.166.136.250'

set firewall group address-group RDP-Restriction
set firewall group address-group RDP-Restriction address '103.25.129.248'
set firewall ipv4 name FIREWALL_IN rule 30 source group address-group 'RDP-Restriction'

Please help me find the exact issue.

I do not see the firewall rule being bound to any zone or interface.


Sorry, I didn't understand.

Can you please share the correct config? What exactly are you talking about with a zone? Please.

Actually, the below command is not working on VyOS 1.4.3:

set interfaces ethernet eth1 firewall in name 'FIREWALL_IN'

Please reply, it's urgent.

Did you consult the Firewall documentation at IPv4 Firewall Configuration — VyOS 1.4.x (sagitta) documentation ?


Dear Team

I went through the VyOS 1.4.0 documentation but didn't understand. Can I get the default configuration?

My scenario is like this:

I have eth1 as WAN and eth2 as LAN.

I configured firewall ipv4 name FIREWALL_IN for incoming and, in the same way, firewall ipv4 name FIREWALL_OUT for outgoing.

I bound FIREWALL_IN and FIREWALL_OUT via zones I created, whose config is below:

set firewall zone LAN default-action 'drop'
set firewall zone LAN interface 'eth2'

set firewall zone WAN default-action 'drop'
set firewall zone WAN interface 'eth1'

set firewall zone LAN from WAN firewall name 'FIREWALL_IN'
set firewall zone WAN from LAN firewall name 'FIREWALL_OUT'

But I still have an issue even when bound with a zone: if I configure a server behind the firewall, open the RDP port on it and restrict it to a single IP, I am able to access that RDP port from everywhere, meaning my restriction policy is not working.

Please help me resolve what the default configuration is and what I am missing on the new VyOS 1.4.0.

I already mentioned that I went through your docs but didn't understand.

Please don’t create multiple topics for the same issue. I’ve merged these threads.

As mentioned you have created rules but you haven’t applied them anywhere. You need to reference your blocking rule in a jump chain or at the filter level.

What is unclear about the documentation?

The quickstart also goes over it: Quick Start — VyOS 1.5.x (circinus) documentation
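As an added illustration of the point made in this thread (not code from the thread or from VyOS itself): a small Python check that reads `show configuration commands` style output and reports every `firewall ipv4 name` / `firewall ipv6 name` chain that is defined but never referenced, either by a `jump-target` in a `forward`/`input`/`output filter` rule or by a `zone ... from ... firewall name` line. The sample config is constructed from the commands quoted above; the `forward filter` jump lines are the author's assumption of how the chain is bound at the filter level in 1.4 and are not taken from the thread. A chain that appears in the "unbound" list is one that nftables never evaluates, which is exactly the symptom described here: the accept rule with its source group exists, but no traffic is ever sent through it.

```python
import re

# Constructed sample: the thread's rule 30 and group, with the interface-level
# binding omitted (it no longer exists in 1.4). Straight quotes are used; the
# parser also accepts the curly quotes that forum copy/paste often produces.
ORIGINAL_CONFIG = """\
set firewall group address-group RDP-Restriction address '103.25.129.248'
set firewall ipv4 name FIREWALL_IN rule 30 action 'accept'
set firewall ipv4 name FIREWALL_IN rule 30 destination address '192.168.235.10'
set firewall ipv4 name FIREWALL_IN rule 30 destination port '3389'
set firewall ipv4 name FIREWALL_IN rule 30 protocol 'tcp'
set firewall ipv4 name FIREWALL_IN rule 30 source group address-group 'RDP-Restriction'
set nat destination rule 30 destination port '3389'
set nat destination rule 30 inbound-interface name 'eth1'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '192.168.235.10'
"""

# Assumed 1.4-style binding at the filter level: forwarded traffic arriving on
# eth1 jumps into FIREWALL_IN; anything not accepted there falls through to the
# filter's default-action. (Added example, not from the thread.)
BINDING_CONFIG = """\
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 inbound-interface name 'eth1'
set firewall ipv4 forward filter rule 10 jump-target 'FIREWALL_IN'
"""

# Zone-policy binding, as quoted in the thread's later post.
ZONE_CONFIG = "set firewall zone LAN from WAN firewall name 'FIREWALL_IN'\n"

DEF_RE = re.compile(r"^set firewall ipv[46] name (\S+)\s")
JUMP_RE = re.compile(r"\bjump-target '?([^'\s]+)'?")
ZONE_RE = re.compile(r"^set firewall zone \S+ from \S+ firewall (?:ipv6-)?name '?([^'\s]+)'?")


def normalize(line: str) -> str:
    """Turn curly quotes into straight ones and trim whitespace."""
    return line.replace("\u2018", "'").replace("\u2019", "'").strip()


def chain_bindings(config_text: str) -> dict[str, list[str]]:
    """Map each defined named chain to the config lines that reference it."""
    defined: dict[str, list[str]] = {}
    refs: list[tuple[str, str]] = []
    for raw in config_text.splitlines():
        line = normalize(raw)
        if not line:
            continue
        m = DEF_RE.match(line)
        if m:
            defined.setdefault(m.group(1), [])
        for pat in (JUMP_RE, ZONE_RE):
            m = pat.search(line)
            if m:
                refs.append((m.group(1), line))
    for name, line in refs:
        if name in defined:
            defined[name].append(line)
    return defined


def unbound_chains(config_text: str) -> list[str]:
    """Named chains that no filter rule or zone policy ever jumps into."""
    return sorted(name for name, b in chain_bindings(config_text).items() if not b)


if __name__ == "__main__":
    for label, cfg in (("rules only", ORIGINAL_CONFIG),
                       ("rules + forward filter jump", ORIGINAL_CONFIG + BINDING_CONFIG),
                       ("rules + zone policy", ORIGINAL_CONFIG + ZONE_CONFIG)):
        print(f"{label}: unbound chains = {unbound_chains(cfg)}")
```

Run it against a saved `show configuration commands` dump; an empty list means every named chain is reachable from a filter or zone, a non-empty list names the chains whose rules are decorative. The check does not verify rule semantics (for example the chain's own default-action), only reachability.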
