Routing/firewall/VLAN issue with Wireguard VPN

I’m trying to get a roadwarrior Wireguard VPN set up on my VyOS router but I don’t get very far and suspect I have a routing/firewall/VLAN issue. I only get UDP packets arriving on my WAN interface, but they’re not forwarded/routed to my wg0 Wireguard interface. Any ideas? Help would be much appreciated.

I’m using Wireguard on iOS as test client, and this is what I get:

vyos@vyos# sudo tcpdump -nnti eth1.300 dst port 51820
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth1.300, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP 123.123.123.123.41138 > 234.234.234.234.51820: UDP, length 148
IP 123.123.123.123.41138 > 234.234.234.234.51820: UDP, length 148
IP 123.123.123.123.41138 > 234.234.234.234.51820: UDP, length 148

I don’t get any Wireguard traffic on wg0. My Wireguard setup is quite boring:

interfaces {
    wireguard wg0 {
        address 172.17.50.1/24
        description Roadwarrior
        peer trombone {
            allowed-ips 172.17.50.100/32
            persistent-keepalive 15
            preshared-key ****************
            public-key ****************
        }
        port 51820
        private-key ****************
    }
}

I have a zone-based firewall where wg0 is part of ‘Trusted’:

|       | to Local     | to Infra       | to Trusted      | to Guest          | to IoT    | to WAN    |
|-------|--------------|----------------|-----------------|-------------------|-----------|-----------|
| Local |              | FW_ACCEPT      | FW_ACCEPT       | FW_ACCEPT         | FW_ACCEPT | FW_ACCEPT |
| Infra | FW_ACCEPT    |                | FW_ACCEPT       | FW_ACCEPT         | FW_ACCEPT | FW_ACCEPT |
| Trust.| FW_2LOCAL    | FW_TRUST2INFRA |                 | FW_ACCEPT         | FW_ACCEPT | FW_ACCEPT |
| Guest | FW_2LOCAL    | FW_DROP        | FW_GUEST2TRUST  |                   | FW_DROP   | FW_ACCEPT |
| IoT   | FW_2LOCAL    | FW_IOT2INFRA   | FW_DROP         | FW_DROP           |           | FW_DROP   |
| WAN   | FW_WAN2LOCAL | FW_WAN2INFRA   | FW_WAN2ALL      | FW_WAN2ALL        | FW_DROP   |           |

The only relevant Wireguard part of the firewall is FW_WAN2LOCAL where I try to accept Wireguard traffic.

firewall {
    name FW_WAN2LOCAL {
        default-action drop
        enable-default-log
        rule 200 {
            action accept
            description "accept established/related"
            state {
                established enable
                related enable
            }
        }
        rule 210 {
            action accept
            description wireguard
            destination {
                port 51820
            }
            protocol udp
        }
    }
}

Adding an allow rule for Wireguard to FW_WAN2ALL (because wg0 is part of ‘Trusted’) didn’t seem to work.

My network is VLAN-aware and bridged over eth0:

interfaces {
    bridge br100 {
        enable-vlan
        member {
            interface eth0 {
                allowed-vlan 10
                allowed-vlan 20
                allowed-vlan 30
                allowed-vlan 40
            }
        }
        stp
        vif 10 {
            address 172.17.10.1/24
            description VLAN1-Infra
        }
        vif 20 {
            address 172.17.20.1/24
            description VLAN20-Trusted
        }
        vif 30 {
            address 172.17.30.1/24
            description VLAN30-Guest
        }
        vif 40 {
            address 172.17.40.1/24
            description VLAN40-IoT
        }
    }
    ethernet eth0 {
        description LAN
    }
    ethernet eth1 {
        vif 300 {
            address dhcp
            description "T-Mobile WAN"
        }
    }
    loopback lo {
    }
    wireguard wg0 {
        address 172.17.50.1/24
        description Roadwarrior
        peer tim {
            allowed-ips 172.17.50.100/32
            persistent-keepalive 15
            preshared-key ****************
            public-key ****************
        }
        port 51820
        private-key ****************
    }
}

My full configuration is as follows (some details omitted):

vyos@vyos:~$ cat vyos_config.json 
firewall {
    name FW_2LOCAL {
        default-action drop
        rule 200 {
            action accept
            description "accept established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 210 {
            action accept
            description "accept dhcp"
            destination {
                port 67-68
            }
            log disable
            protocol udp
        }
        rule 220 {
            action accept
            description "accept dns"
            destination {
                port 53
            }
            log disable
            protocol udp
        }
    }
    name FW_ACCEPT {
        default-action accept
        rule 200 {
            action drop
            description "drop invalid"
            state {
                invalid enable
            }
        }
    }
    name FW_DROP {
        default-action drop
    }
    name FW_GUEST2TRUST {
        default-action drop
        rule 200 {
            action accept
            description "accept established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
    }
    name FW_IOT2INFRA {
        default-action drop
        rule 200 {
            action accept
            description "accept established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
    }
    name FW_TRUST2INFRA {
        default-action drop
        rule 200 {
            action accept
            description "accept established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
    }
    name FW_WAN2ALL {
        default-action drop
        rule 200 {
            action accept
            description "accept established/related"
            state {
                established enable
                related enable
            }
        }
    }
    name FW_WAN2INFRA {
        default-action drop
        rule 200 {
            action accept
            description "accept established/related"
            state {
                established enable
                related enable
            }
        }
        rule 210 {
            action accept
            description "accept port forwards"
            destination {
                port 22,80,443,1883
            }
            log enable
            protocol tcp
            state {
                new enable
            }
        }
    }
    name FW_WAN2LOCAL {
        default-action drop
        enable-default-log
        rule 200 {
            action accept
            description "accept established/related"
            state {
                established enable
                related enable
            }
        }
        rule 210 {
            action accept
            description wireguard
            destination {
                port 51820
            }
            protocol udp
        }
    }
    zone GUEST {
        default-action drop
        from INFRA {
            firewall {
                name FW_DROP
            }
        }
        from IOT {
            firewall {
                name FW_DROP
            }
        }
        from LOCAL {
            firewall {
                name FW_ACCEPT
            }
        }
        from TRUSTED {
            firewall {
                name FW_ACCEPT
            }
        }
        from WAN {
            firewall {
                name FW_WAN2ALL
            }
        }
        interface br100.30
    }
    zone INFRA {
        default-action drop
        from GUEST {
            firewall {
                name FW_DROP
            }
        }
        from IOT {
            firewall {
                name FW_IOT2INFRA
            }
        }
        from LOCAL {
            firewall {
                name FW_ACCEPT
            }
        }
        from TRUSTED {
            firewall {
                name FW_TRUST2INFRA
            }
        }
        from WAN {
            firewall {
                name FW_WAN2INFRA
            }
        }
        interface br100.10
    }
    zone IOT {
        default-action drop
        from GUEST {
            firewall {
                name FW_DROP
            }
        }
        from INFRA {
            firewall {
                name FW_ACCEPT
            }
        }
        from LOCAL {
            firewall {
                name FW_ACCEPT
            }
        }
        from TRUSTED {
            firewall {
                name FW_DROP
            }
        }
        from WAN {
            firewall {
                name FW_DROP
            }
        }
        interface br100.40
    }
    zone LOCAL {
        default-action drop
        from GUEST {
            firewall {
                name FW_2LOCAL
            }
        }
        from INFRA {
            firewall {
                name FW_ACCEPT
            }
        }
        from IOT {
            firewall {
                name FW_2LOCAL
            }
        }
        from TRUSTED {
            firewall {
                name FW_2LOCAL
            }
        }
        from WAN {
            firewall {
                name FW_WAN2LOCAL
            }
        }
        local-zone
    }
    zone TRUSTED {
        default-action drop
        from GUEST {
            firewall {
                name FW_GUEST2TRUST
            }
        }
        from INFRA {
            firewall {
                name FW_ACCEPT
            }
        }
        from IOT {
            firewall {
                name FW_DROP
            }
        }
        from LOCAL {
            firewall {
                name FW_ACCEPT
            }
        }
        from WAN {
            firewall {
                name FW_WAN2ALL
            }
        }
        interface br100.20
        interface wg0
    }
    zone WAN {
        default-action drop
        from GUEST {
            firewall {
                name FW_ACCEPT
            }
        }
        from INFRA {
            firewall {
                name FW_ACCEPT
            }
        }
        from IOT {
            firewall {
                name FW_DROP
            }
        }
        from LOCAL {
            firewall {
                name FW_ACCEPT
            }
        }
        from TRUSTED {
            firewall {
                name FW_ACCEPT
            }
        }
        interface eth1.1
        interface eth1.300
    }
}
interfaces {
    bridge br100 {
        enable-vlan
        member {
            interface eth0 {
                allowed-vlan 10
                allowed-vlan 20
                allowed-vlan 30
                allowed-vlan 40
            }
        }
        stp
        vif 10 {
            address 172.17.10.1/24
            description VLAN1-Infra
        }
        vif 20 {
            address 172.17.20.1/24
            description VLAN20-Trusted
        }
        vif 30 {
            address 172.17.30.1/24
            description VLAN30-Guest
        }
        vif 40 {
            address 172.17.40.1/24
            description VLAN40-IoT
        }
    }
    ethernet eth0 {
        description LAN
    }
    ethernet eth1 {
        vif 300 {
            address dhcp
            description "T-Mobile WAN"
        }
    }
    loopback lo {
    }
    wireguard wg0 {
        address 172.17.50.1/24
        description Roadwarrior
        peer trombone {
            allowed-ips 172.17.50.100/32
            persistent-keepalive 15
            preshared-key ****************
            public-key ****************
        }
        port 51820
        private-key ****************
    }
}
nat {
    destination {
        rule 100 {
            description "Port Forward: SSH to 172.17.10.2"
            destination {
                port 22
            }
            inbound-interface eth1.300
            protocol tcp
            translation {
                address 172.17.10.2
            }
        }
        rule 102 {
            description "Port Forward: HTTP to 172.17.10.2"
            destination {
                port 80
            }
            inbound-interface eth1.300
            protocol tcp
            translation {
                address 172.17.10.2
            }
        }
        rule 104 {
            description "Port Forward: HTTPS to 172.17.10.2"
            destination {
                port 443
            }
            inbound-interface eth1.300
            protocol tcp
            translation {
                address 172.17.10.2
            }
        }
        rule 106 {
            description "Port Forward: MQTT to 172.17.10.2"
            destination {
                port 1883
            }
            inbound-interface eth1.300
            protocol tcp
            translation {
                address 172.17.10.2
                port 8883
            }
        }
    }
    source {
        rule 5001 {
            description "Exclude roadwarrior VPN"
            destination {
                address 172.17.50.0/24
            }
            exclude
            outbound-interface eth1.300
            protocol all
            translation {
                address masquerade
            }
        }
        rule 5010 {
            description "Masquerade for WAN"
            outbound-interface eth1.300
            protocol all
            source {
                address 172.17.0.0/16
            }
            translation {
                address masquerade
            }
        }
    }
}
qos {
    interface eth1.300 {
        egress WAN_QUEUE
    }
    policy {
        shaper WAN_QUEUE {
            bandwidth 100mbit
            class 10 {
                bandwidth 10%
                match dns {
                    ip {
                        source {
                            port 53
                        }
                    }
                }
                match icmp {
                    ip {
                        protocol icmp
                    }
                }
                priority 1
                queue-type fq-codel
            }
            default {
                bandwidth 95%
                queue-type fq-codel
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name vlan10 {
            authoritative
            subnet 172.17.10.0/24 {
                default-router 172.17.10.1
                domain-name lan.mydomain.com
                name-server 172.17.10.1
                range vlan10range {
                    start 172.17.10.100
                    stop 172.17.10.254
                }
                static-mapping gs108e {
                    ip-address 172.17.10.3
                    mac-address 78:D2:94:2F:81:F8
                }
                static-mapping philips-hue {
                    ip-address 172.17.10.21
                    mac-address 00:17:88:79:93:47
                }
                static-mapping uap-lr1-floor1 {
                    ip-address 172.17.10.10
                    mac-address 18:E8:29:93:E1:66
                }
                static-mapping uap-lr2-floor2 {
                    ip-address 172.17.10.11
                    mac-address 18:E8:29:E6:00:2E
                }
            }
        }
        shared-network-name vlan20 {
            authoritative
            subnet 172.17.20.0/24 {
                default-router 172.17.20.1
                domain-name lan.mydomain.com
                name-server 172.17.20.1
                range vlan20range {
                    start 172.17.20.100
                    stop 172.17.20.254
                }
                static-mapping appletv-living {
                    ip-address 172.17.20.20
                    mac-address D0:03:4B:26:85:0C
                }
            }
        }
        shared-network-name vlan30 {
            authoritative
            subnet 172.17.30.0/24 {
                default-router 172.17.30.1
                domain-name lan.mydomain.com
                name-server 172.17.30.1
                range vlan30range {
                    start 172.17.30.100
                    stop 172.17.30.254
                }
            }
        }
        shared-network-name vlan40 {
            authoritative
            subnet 172.17.40.0/24 {
                default-router 172.17.40.1
                domain-name lan.mydomain.com
                name-server 172.17.40.1
                range vlan40range {
                    start 172.17.40.100
                    stop 172.17.40.254
                }
            }
        }
    }
    dns {
        forwarding {
            allow-from 172.17.0.0/16
            cache-size 100004
            dhcp eth1.1
            dhcp eth1.300
            listen-address 172.17.10.1
            listen-address 172.17.20.1
            listen-address 172.17.30.1
            listen-address 172.17.40.1
            listen-address 172.17.50.1
        }
    }
    mdns {
        repeater {
            interface br100.20
            interface br100.30
        }
    }
    ntp {
        allow-client {
            address 0.0.0.0/0
            address ::/0
        }
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
    }
    ssh {
        ciphers aes128-cbc
        ciphers [email protected]
        ciphers aes128-ctr
        ciphers [email protected]
        ciphers aes192-cbc
        ciphers aes192-ctr
        ciphers aes256-cbc
        ciphers aes256-ctr
        ciphers [email protected]
        disable-password-authentication
        key-exchange curve25519-sha256
        key-exchange [email protected]
        key-exchange diffie-hellman-group-exchange-sha256
        key-exchange diffie-hellman-group14-sha256
        key-exchange diffie-hellman-group16-sha512
        key-exchange diffie-hellman-group18-sha512
        listen-address 172.17.10.1
        mac hmac-sha2-256
        mac [email protected]
        mac hmac-sha2-512
        mac [email protected]
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name lan.mydomain.com
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
                public-keys trombone@neptune {
                    key ****************
                    type ssh-rsa
                }
            }
        }
    }
    name-server 172.17.10.1
    static-host-mapping {
        host-name grafana.mydomain.com {
            inet 172.17.10.2
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
}
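The capture above is worth reading by WireGuard message size: a 148-byte UDP payload is a handshake initiation and 92 bytes a handshake response, and handshake datagrams never show up on wg0 even when the tunnel works, because the kernel consumes them on the UDP socket and wg0 only carries the decrypted inner traffic. The Python below is an added example, not part of the original post, that classifies tcpdump lines by those sizes and flags a one-sided handshake; the sample lines are constructed to match the post's output, and a second constructed sample shows what a completed exchange looks like.

```python
import re
from collections import Counter

WG_PORT = 51820  # listen port configured on wg0 in the post

# Constructed sample mirroring the post's tcpdump output: three initiations, nothing back.
SAMPLE_CAPTURE = """\
IP 123.123.123.123.41138 > 234.234.234.234.51820: UDP, length 148
IP 123.123.123.123.41138 > 234.234.234.234.51820: UDP, length 148
IP 123.123.123.123.41138 > 234.234.234.234.51820: UDP, length 148
"""

# Constructed sample of a working tunnel for comparison (needs a "port 51820"
# filter, since "dst port 51820" never captures the router's replies).
SAMPLE_HEALTHY = """\
IP 123.123.123.123.41138 > 234.234.234.234.51820: UDP, length 148
IP 234.234.234.234.51820 > 123.123.123.123.41138: UDP, length 92
IP 123.123.123.123.41138 > 234.234.234.234.51820: UDP, length 32
IP 234.234.234.234.51820 > 123.123.123.123.41138: UDP, length 112
"""

# tcpdump -nnt line for an IPv4 UDP datagram: "IP a.b.c.d.sport > e.f.g.h.dport: UDP, length N"
LINE_RE = re.compile(
    r"^IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)$"
)


def classify(length: int) -> str:
    """Map a UDP payload length to the only WireGuard message type it can be.

    Handshake messages have fixed sizes (initiation 148, response 92, cookie
    reply 64). Transport messages are a 16-byte header plus ciphertext padded
    to a multiple of 16 plus a 16-byte Poly1305 tag, so they are >= 32 bytes
    and a multiple of 16; exactly 32 bytes is a keepalive.
    """
    if length == 148:
        return "handshake-initiation"
    if length == 92:
        return "handshake-response"
    if length == 64:
        return "cookie-reply"
    if length >= 32 and length % 16 == 0:
        return "transport-data"
    return "unknown"


def parse(capture: str):
    """Yield (src, sport, dst, dport, length) for every UDP line tcpdump printed."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["length"])


def analyze(capture: str, listen_port: int = WG_PORT) -> dict:
    """Count message types in each direction and summarise the handshake state."""
    to_server = Counter()    # datagrams addressed to the router's listen port
    from_server = Counter()  # datagrams the router sent from the listen port
    for src, sport, dst, dport, length in parse(capture):
        kind = classify(length)
        if dport == listen_port:
            to_server[kind] += 1
        elif sport == listen_port:
            from_server[kind] += 1

    initiations = to_server["handshake-initiation"]
    responses = from_server["handshake-response"]
    if initiations and not responses:
        # Either the datagrams never reached the WireGuard socket (firewall, routing),
        # or WireGuard silently rejected them (key or preshared-key mismatch): the
        # protocol answers neither case, so the capture alone cannot tell them apart.
        verdict = "initiations-unanswered"
    elif initiations and responses:
        data = to_server["transport-data"] + from_server["transport-data"]
        verdict = "handshake-completed" if data else "handshake-answered"
    else:
        verdict = "no-handshake-seen"
    return {"to_server": dict(to_server), "from_server": dict(from_server), "verdict": verdict}


if __name__ == "__main__":
    for name, cap in (("post", SAMPLE_CAPTURE), ("healthy", SAMPLE_HEALTHY)):
        print(name, analyze(cap))
```

Because the capture filter `dst port 51820` excludes the router's replies, a two-way check needs `port 51820` instead; whether the initiations were accepted shows up as "latest handshake" in `sudo wg show wg0`, not in a capture on wg0.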

Before analyzing all the config, I would suggest disabling/removing firewall.
You have vlans, bridges, wireguard and firewall.
First thing first: ensure switching and routing works as expected, then move on securing your network/devices.

Thanks for your reply. I removed all firewall zones*, rebooted VyOS and still the Wireguard traffic only reached eth1.300 and not wg0. Disabling the firewall also broke my port forwarding, however, which I thought was done by NAT, not the firewall. Any other firewall setting I should disable?

*To delete the firewall I ran:

delete firewall zone LOCAL
delete firewall zone INFRA
delete firewall zone TRUSTED
delete firewall zone GUEST
delete firewall zone IOT
delete firewall zone WAN

Try to run the command as follows:

show configuration commands | strip-private

Hi @echowings, see below (useful command btw :)):

vyos@vyos:~$ show configuration commands | strip-private
set firewall name FW_2LOCAL default-action 'drop'
set firewall name FW_2LOCAL rule 200 action 'accept'
set firewall name FW_2LOCAL rule 200 description 'accept established/related'
set firewall name FW_2LOCAL rule 200 log 'disable'
set firewall name FW_2LOCAL rule 200 state established 'enable'
set firewall name FW_2LOCAL rule 200 state related 'enable'
set firewall name FW_2LOCAL rule 210 action 'accept'
set firewall name FW_2LOCAL rule 210 description 'accept dhcp'
set firewall name FW_2LOCAL rule 210 destination port '67-68'
set firewall name FW_2LOCAL rule 210 log 'disable'
set firewall name FW_2LOCAL rule 210 protocol 'udp'
set firewall name FW_2LOCAL rule 220 action 'accept'
set firewall name FW_2LOCAL rule 220 description 'accept dns'
set firewall name FW_2LOCAL rule 220 destination port '53'
set firewall name FW_2LOCAL rule 220 log 'disable'
set firewall name FW_2LOCAL rule 220 protocol 'udp'
set firewall name FW_2LOCAL rule 230 action 'accept'
set firewall name FW_2LOCAL rule 230 description 'accept ssh'
set firewall name FW_2LOCAL rule 230 destination port '22'
set firewall name FW_2LOCAL rule 230 log 'disable'
set firewall name FW_2LOCAL rule 230 protocol 'tcp'
set firewall name FW_ACCEPT default-action 'accept'
set firewall name FW_ACCEPT rule 200 action 'drop'
set firewall name FW_ACCEPT rule 200 description 'drop invalid'
set firewall name FW_ACCEPT rule 200 state invalid 'enable'
set firewall name FW_DROP default-action 'drop'
set firewall name FW_GUEST2TRUST default-action 'drop'
set firewall name FW_GUEST2TRUST rule 200 action 'accept'
set firewall name FW_GUEST2TRUST rule 200 description 'accept established/related'
set firewall name FW_GUEST2TRUST rule 200 log 'disable'
set firewall name FW_GUEST2TRUST rule 200 state established 'enable'
set firewall name FW_GUEST2TRUST rule 200 state related 'enable'
set firewall name FW_GUEST2TRUST rule 210 action 'accept'
set firewall name FW_GUEST2TRUST rule 210 description 'accept access to AppleTV'
set firewall name FW_GUEST2TRUST rule 210 destination address 'xxx.xxx.20.20'
set firewall name FW_GUEST2TRUST rule 210 protocol 'tcp_udp'
set firewall name FW_IOT2INFRA default-action 'drop'
set firewall name FW_IOT2INFRA rule 200 action 'accept'
set firewall name FW_IOT2INFRA rule 200 description 'accept established/related'
set firewall name FW_IOT2INFRA rule 200 log 'disable'
set firewall name FW_IOT2INFRA rule 200 state established 'enable'
set firewall name FW_IOT2INFRA rule 200 state related 'enable'
set firewall name FW_IOT2INFRA rule 210 action 'accept'
set firewall name FW_IOT2INFRA rule 210 description 'accept mqtt(s)/HA API to proteus'
set firewall name FW_IOT2INFRA rule 210 destination address 'xxx.xxx.10.2'
set firewall name FW_IOT2INFRA rule 210 destination port '8883,1883,6053'
set firewall name FW_IOT2INFRA rule 210 protocol 'tcp'
set firewall name FW_TRUST2INFRA default-action 'drop'
set firewall name FW_TRUST2INFRA rule 200 action 'accept'
set firewall name FW_TRUST2INFRA rule 200 description 'accept established/related'
set firewall name FW_TRUST2INFRA rule 200 log 'disable'
set firewall name FW_TRUST2INFRA rule 200 state established 'enable'
set firewall name FW_TRUST2INFRA rule 200 state related 'enable'
set firewall name FW_TRUST2INFRA rule 210 action 'accept'
set firewall name FW_TRUST2INFRA rule 210 description 'accept mqtt(s)/http(s)/HA/ssh/grafana to proteus'
set firewall name FW_TRUST2INFRA rule 210 destination address 'xxx.xxx.10.2'
set firewall name FW_TRUST2INFRA rule 210 destination port '8883,1883,80,443,8123,22,3000'
set firewall name FW_TRUST2INFRA rule 210 protocol 'tcp'
set firewall name FW_TRUST2INFRA rule 220 action 'accept'
set firewall name FW_TRUST2INFRA rule 220 description 'accept ssh to pve'
set firewall name FW_TRUST2INFRA rule 220 destination address 'xxx.xxx.10.4'
set firewall name FW_TRUST2INFRA rule 220 destination port '22'
set firewall name FW_TRUST2INFRA rule 220 protocol 'tcp'
set firewall name FW_TRUST2INFRA rule 230 action 'accept'
set firewall name FW_TRUST2INFRA rule 230 description 'accept ssh to unifi controller'
set firewall name FW_TRUST2INFRA rule 230 destination address 'xxx.xxx.10.5'
set firewall name FW_TRUST2INFRA rule 230 destination port '22,443,8443'
set firewall name FW_TRUST2INFRA rule 230 protocol 'tcp'
set firewall name FW_WAN2ALL default-action 'drop'
set firewall name FW_WAN2ALL rule 200 action 'accept'
set firewall name FW_WAN2ALL rule 200 description 'accept established/related'
set firewall name FW_WAN2ALL rule 200 state established 'enable'
set firewall name FW_WAN2ALL rule 200 state related 'enable'
set firewall name FW_WAN2INFRA default-action 'drop'
set firewall name FW_WAN2INFRA rule 200 action 'accept'
set firewall name FW_WAN2INFRA rule 200 description 'accept established/related'
set firewall name FW_WAN2INFRA rule 200 state established 'enable'
set firewall name FW_WAN2INFRA rule 200 state related 'enable'
set firewall name FW_WAN2INFRA rule 210 action 'accept'
set firewall name FW_WAN2INFRA rule 210 description 'accept port forwards'
set firewall name FW_WAN2INFRA rule 210 destination port '22,80,443,1883'
set firewall name FW_WAN2INFRA rule 210 log 'enable'
set firewall name FW_WAN2INFRA rule 210 protocol 'tcp'
set firewall name FW_WAN2INFRA rule 210 state new 'enable'
set firewall name FW_WAN2LOCAL default-action 'drop'
set firewall name FW_WAN2LOCAL enable-default-log
set firewall name FW_WAN2LOCAL rule 200 action 'accept'
set firewall name FW_WAN2LOCAL rule 200 description 'accept established/related'
set firewall name FW_WAN2LOCAL rule 200 state established 'enable'
set firewall name FW_WAN2LOCAL rule 200 state related 'enable'
set firewall name FW_WAN2LOCAL rule 210 action 'accept'
set firewall name FW_WAN2LOCAL rule 210 description 'wireguard'
set firewall name FW_WAN2LOCAL rule 210 destination port '51820'
set firewall name FW_WAN2LOCAL rule 210 protocol 'udp'
set firewall zone GUEST default-action 'drop'
set firewall zone GUEST from INFRA firewall name 'FW_DROP'
set firewall zone GUEST from IOT firewall name 'FW_DROP'
set firewall zone GUEST from LOCAL firewall name 'FW_ACCEPT'
set firewall zone GUEST from TRUSTED firewall name 'FW_ACCEPT'
set firewall zone GUEST from WAN firewall name 'FW_WAN2ALL'
set firewall zone GUEST interface 'br100.30'
set firewall zone INFRA default-action 'drop'
set firewall zone INFRA from GUEST firewall name 'FW_DROP'
set firewall zone INFRA from IOT firewall name 'FW_IOT2INFRA'
set firewall zone INFRA from LOCAL firewall name 'FW_ACCEPT'
set firewall zone INFRA from TRUSTED firewall name 'FW_TRUST2INFRA'
set firewall zone INFRA from WAN firewall name 'FW_WAN2INFRA'
set firewall zone INFRA interface 'br100.10'
set firewall zone IOT default-action 'drop'
set firewall zone IOT from GUEST firewall name 'FW_DROP'
set firewall zone IOT from INFRA firewall name 'FW_ACCEPT'
set firewall zone IOT from LOCAL firewall name 'FW_ACCEPT'
set firewall zone IOT from TRUSTED firewall name 'FW_DROP'
set firewall zone IOT from WAN firewall name 'FW_DROP'
set firewall zone IOT interface 'br100.40'
set firewall zone LOCAL default-action 'drop'
set firewall zone LOCAL from GUEST firewall name 'FW_2LOCAL'
set firewall zone LOCAL from INFRA firewall name 'FW_ACCEPT'
set firewall zone LOCAL from IOT firewall name 'FW_2LOCAL'
set firewall zone LOCAL from TRUSTED firewall name 'FW_2LOCAL'
set firewall zone LOCAL from WAN firewall name 'FW_WAN2LOCAL'
set firewall zone LOCAL local-zone
set firewall zone TRUSTED default-action 'drop'
set firewall zone TRUSTED from GUEST firewall name 'FW_GUEST2TRUST'
set firewall zone TRUSTED from INFRA firewall name 'FW_ACCEPT'
set firewall zone TRUSTED from IOT firewall name 'FW_DROP'
set firewall zone TRUSTED from LOCAL firewall name 'FW_ACCEPT'
set firewall zone TRUSTED from WAN firewall name 'FW_WAN2ALL'
set firewall zone TRUSTED interface 'br100.20'
set firewall zone TRUSTED interface 'wg0'
set firewall zone WAN default-action 'drop'
set firewall zone WAN from GUEST firewall name 'FW_ACCEPT'
set firewall zone WAN from INFRA firewall name 'FW_ACCEPT'
set firewall zone WAN from IOT firewall name 'FW_DROP'
set firewall zone WAN from LOCAL firewall name 'FW_ACCEPT'
set firewall zone WAN from TRUSTED firewall name 'FW_ACCEPT'
set firewall zone WAN interface 'eth1.300'
set interfaces bridge br100 enable-vlan
set interfaces bridge br100 member interface eth0 allowed-vlan '10'
set interfaces bridge br100 member interface eth0 allowed-vlan '20'
set interfaces bridge br100 member interface eth0 allowed-vlan '30'
set interfaces bridge br100 member interface eth0 allowed-vlan '40'
set interfaces bridge br100 stp
set interfaces bridge br100 vif 10 address 'xxx.xxx.10.1/24'
set interfaces bridge br100 vif 10 description 'VLAN1-Infra'
set interfaces bridge br100 vif 20 address 'xxx.xxx.20.1/24'
set interfaces bridge br100 vif 20 description 'VLAN20-Trusted'
set interfaces bridge br100 vif 30 address 'xxx.xxx.30.1/24'
set interfaces bridge br100 vif 30 description 'VLAN30-Guest'
set interfaces bridge br100 vif 40 address 'xxx.xxx.40.1/24'
set interfaces bridge br100 vif 40 description 'VLAN40-IoT'
set interfaces ethernet eth0 description 'LAN'
set interfaces ethernet eth1 vif 300 address 'dhcp'
set interfaces ethernet eth1 vif 300 description 'T-Mobile WAN'
set interfaces loopback lo
set interfaces wireguard wg0 address 'xxx.xxx.50.1/24'
set interfaces wireguard wg0 description 'Roadwarrior'
set interfaces wireguard wg0 peer trombone allowed-ips 'xxx.xxx.50.100/32'
set interfaces wireguard wg0 peer trombone persistent-keepalive '15'
set interfaces wireguard wg0 peer trombone preshared-key 'xxx'
set interfaces wireguard wg0 peer trombone public-key 'xxx'
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key xxxxxx
set nat destination rule 100 description 'Port Forward: SSH to xxx.xxx.10.2'
set nat destination rule 100 destination port '22'
set nat destination rule 100 inbound-interface 'eth1.300'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address 'xxx.xxx.10.2'
set nat destination rule 102 description 'Port Forward: HTTP to xxx.xxx.10.2'
set nat destination rule 102 destination port '80'
set nat destination rule 102 inbound-interface 'eth1.300'
set nat destination rule 102 protocol 'tcp'
set nat destination rule 102 translation address 'xxx.xxx.10.2'
set nat destination rule 104 description 'Port Forward: HTTPS to xxx.xxx.10.2'
set nat destination rule 104 destination port '443'
set nat destination rule 104 inbound-interface 'eth1.300'
set nat destination rule 104 protocol 'tcp'
set nat destination rule 104 translation address 'xxx.xxx.10.2'
set nat destination rule 106 description 'Port Forward: MQTT to xxx.xxx.10.2'
set nat destination rule 106 destination port '1883'
set nat destination rule 106 inbound-interface 'eth1.300'
set nat destination rule 106 protocol 'tcp'
set nat destination rule 106 translation address 'xxx.xxx.10.2'
set nat destination rule 106 translation port '8883'
set nat source rule 5001 description 'Exclude roadwarrior VPN'
set nat source rule 5001 destination address 'xxx.xxx.50.0/24'
set nat source rule 5001 exclude
set nat source rule 5001 outbound-interface 'eth1.300'
set nat source rule 5001 protocol 'all'
set nat source rule 5001 translation address 'masquerade'
set nat source rule 5010 description 'Masquerade for WAN'
set nat source rule 5010 outbound-interface 'eth1.300'
set nat source rule 5010 protocol 'all'
set nat source rule 5010 source address 'xxx.xxx.0.0/16'
set nat source rule 5010 translation address 'masquerade'
set qos interface eth1.300 egress 'WAN_QUEUE'
set qos policy shaper WAN_QUEUE bandwidth '100mbit'
set qos policy shaper WAN_QUEUE class 10 bandwidth '10%'
set qos policy shaper WAN_QUEUE class 10 match dns ip source port '53'
set qos policy shaper WAN_QUEUE class 10 match icmp ip protocol 'icmp'
set qos policy shaper WAN_QUEUE class 10 priority '1'
set qos policy shaper WAN_QUEUE class 10 queue-type 'fq-codel'
set qos policy shaper WAN_QUEUE default bandwidth '95%'
set qos policy shaper WAN_QUEUE default queue-type 'fq-codel'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 default-router 'xxx.xxx.10.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 name-server 'xxx.xxx.10.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 range vlan10range start 'xxx.xxx.10.100'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 range vlan10range stop 'xxx.xxx.10.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.3'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:F8'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.21'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:47'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.10'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:66'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.11'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:2E'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 default-router 'xxx.xxx.20.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 name-server 'xxx.xxx.20.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 range vlan20range start 'xxx.xxx.20.100'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 range vlan20range stop 'xxx.xxx.20.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.20.20'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:0C'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 default-router 'xxx.xxx.30.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 name-server 'xxx.xxx.30.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 range vlan30range start 'xxx.xxx.30.100'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 range vlan30range stop 'xxx.xxx.30.254'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 default-router 'xxx.xxx.40.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 name-server 'xxx.xxx.40.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 range vlan40range start 'xxx.xxx.40.100'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 range vlan40range stop 'xxx.xxx.40.254'
set service dns forwarding allow-from 'xxx.xxx.0.0/16'
set service dns forwarding cache-size '100004'
set service dns forwarding dhcp 'eth1.1'
set service dns forwarding dhcp 'eth1.300'
set service dns forwarding listen-address 'xxx.xxx.10.1'
set service dns forwarding listen-address 'xxx.xxx.20.1'
set service dns forwarding listen-address 'xxx.xxx.30.1'
set service dns forwarding listen-address 'xxx.xxx.40.1'
set service dns forwarding listen-address 'xxx.xxx.50.1'
set service mdns repeater interface 'br100.20'
set service mdns repeater interface 'br100.30'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/0'
set service ntp allow-client xxxxxx '::/0'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ssh ciphers 'aes128-cbc'
set service ssh ciphers '[email protected]'
set service ssh ciphers 'aes128-ctr'
set service ssh ciphers '[email protected]'
set service ssh ciphers 'aes192-cbc'
set service ssh ciphers 'aes192-ctr'
set service ssh ciphers 'aes256-cbc'
set service ssh ciphers 'aes256-ctr'
set service ssh ciphers '[email protected]'
set service ssh disable-password-authentication
set service ssh key-exchange 'curve25519-sha256'
set service ssh key-exchange '[email protected]'
set service ssh key-exchange 'diffie-hellman-group-exchange-sha256'
set service ssh key-exchange 'diffie-hellman-group14-sha256'
set service ssh key-exchange 'diffie-hellman-group16-sha512'
set service ssh key-exchange 'diffie-hellman-group18-sha512'
set service ssh listen-address 'xxx.xxx.10.1'
set service ssh mac 'hmac-sha2-256'
set service ssh mac '[email protected]'
set service ssh mac 'hmac-sha2-512'
set service ssh mac '[email protected]'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system domain-name xxxxxx
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx authentication public-keys [email protected] key xxxxxx
set system login user xxxxxx authentication public-keys [email protected] type ssh-xxx
set system name-server 'xxx.xxx.10.1'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.20.20'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.3'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.21'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.4'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.10'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.11'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.5'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.1'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.2'
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set system time-zone 'Europe/Amsterdam'

There was no routing policy? I think you should try to set a routing policy to make it work.

No, I didn’t add routing. I now added

set protocols static route x.x.50.0/24 interface wg0

but that’s not working either. This makes sense because it’s only for internal routing once I’m connected.

On routing: how does VyOS know where to route Wireguard packets incoming to my WAN? Since I’m accessing the WAN IP the only identifier it has is the port number. Should I add a port forward like I do for my HTTP(S)?

I had a working EdgerouterX setup (Ubiquiti/Vyatta) but there I didn’t add any routing, only adding the wg0 interface was enough.

On the other side you also need to set up routing.
This is VyOS, not ER-X.
Maybe you need to read the official VyOS documentation carefully first.

No need to port forward WireGuard packets. Without a port forward (DNAT), incoming WG packets have the destination IP of your WAN interface, so they aren’t forwarded but handled by the VyOS host itself.
They end up in the WG process, which decrypts and decapsulates the packet. Then the destination of the decapsulated packet is checked for a new routing decision.
Note: to make sure the tcpdump command in the 1st post doesn’t only show packets in one direction, filter on port, not dst port.

I found something else: /var/log/vyatta/cfg-stdout.log shows an error any time I commit new changes, most of them are on firewall, but it looks like it’s the last ~500 config changes I made. I might have a corrupted config somehow, any way to solve this? Updating to a new rolling release didn’t solve the problem.

I noticed this because my show log firewall doesn’t output anything for the last 3 days…

/var/log/vyatta/cfg-stdout.log:

cp[/opt/vyatta/config/tmp/new_config_4442]->[/opt/vyatta/config/tmp/tmp_4442/work]
recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: "/opt/vyatta/config/tmp/new_config_4442/firewall/name/FW_ACCEPT/rule/200/log/node.val", "/opt/vyatta/config/tmp/tmp_4442/work/firewall/name/FW_ACCEPT/rule/200/log/node.val" in copy_file. Falling back to internal stream_file
recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: "/opt/vyatta/config/tmp/new_config_4442/firewall/name/FW_ACCEPT/rule/200/state/invalid/node.val", "/opt/vyatta/config/tmp/tmp_4442/work/firewall/name/FW_ACCEPT/rule/200/state/invalid/node.val" in copy_file. Falling back to internal stream_file
[...500+ more lines]
recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: "/opt/vyatta/config/tmp/new_config_4442/interfaces/bridge/br100/member/interface/eth0/allowed-vlan/node.val", "/opt/vyatta/config/tmp/tmp_4442/active/interfaces/bridge/br100/member/interface/eth0/allowed-vlan/node.val" in copy_file. Falling back to internal stream_file
found inactive config [5862]
umount [/opt/vyatta/config/tmp/new_config_5862]

More update: I installed a fresh VyOS image on a fresh VM and this also has the errors in /var/log/vyatta/cfg-stdout.log:

vyos@vyos:/var/log/vyatta$ head -n 5 cfg-stdout.log 
cp[/opt/vyatta/config/tmp/new_config_1549]->[/opt/vyatta/config/tmp/tmp_1549/work]
recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: "/opt/vyatta/config/tmp/new_config_1549/system/syslog/global/facility/local7/level/node.val", "/opt/vyatta/config/tmp/tmp_1549/work/system/syslog/global/facility/local7/level/node.val" in copy_file. Falling back to internal stream_file
recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: "/opt/vyatta/config/tmp/new_config_1549/system/syslog/global/facility/all/level/node.val", "/opt/vyatta/config/tmp/tmp_1549/work/system/syslog/global/facility/all/level/node.val" in copy_file. Falling back to internal stream_file
recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: "/opt/vyatta/config/tmp/new_config_1549/system/login/user/vyos/authentication/encrypted-password/node.val", "/opt/vyatta/config/tmp/tmp_1549/work/system/login/user/vyos/authentication/encrypted-password/node.val" in copy_file. Falling back to internal stream_file
recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: "/opt/vyatta/config/tmp/new_config_1549/system/host-name/node.val", "/opt/vyatta/config/tmp/tmp_1549/work/system/host-name/node.val" in copy_file. Falling back to internal stream_file

I made a separate topic on this.

However, while the firewall works, the logging somehow still doesn’t work (I’m hoping this gives more clues on the Wireguard issue). I have logging enabled for FW_WAN2LOCAL, there are packets going through it, but it doesn’t show up in the logs:

firewall {
    name FW_WAN2LOCAL {
        default-action drop
        enable-default-log
        rule 200 {
            action accept
            description "accept established/related"
            log enable
            state {
                established enable
                related enable
            }
        }
        rule 210 {
            action accept
            description wireguard
            destination {
                port 51820
            }
            log enable
            protocol udp
            state {
                new enable
            }
        }
    }
}
vyos@vyos:/var/log$ show firewall statistics
[...]
IPv4 Firewall "FW_WAN2LOCAL"

Rule       Packets    Bytes  Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
200           2359   742017  accept    0.0.0.0/0  0.0.0.0/0
210              4      704  accept    0.0.0.0/0  0.0.0.0/0
default        236    17655  drop      0.0.0.0/0  0.0.0.0/0
vyos@vyos:/var/log$ grep FW_WAN2LOCAL /var/log/messages
vyos@vyos:/var/log$ 
vyos@vyos:/var/log$ show log firewall name FW_WAN2LOCAL
vyos@vyos:/var/log$ 

Update: also, looking at the underlying iptables config I don’t see any configuration(?):

vyos@vyos:/var/log/vyatta$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

I can confirm that I see similar errors in my /var/log/vyatta/cfg-stdout.log as well, and I don’t have any firewall zones configured.

Using VyOS 1.4-rolling-202307161346.

During commit these are the first few lines (gazillions of lines are flooded into the cfg-stdout.log file during commit):

cp[/opt/vyatta/config/tmp/new_config_6956]->[/opt/vyatta/config/tmp/tmp_6956/work]
recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: "/opt/vyatta/config/tmp/new_config_6956/firewall/all-ping/node.val", "/opt/vyatta/config/tmp/tmp_6956/work/firewall/all-ping/node.val" in copy_file. Falling back to internal stream_file
recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: "/opt/vyatta/config/tmp/new_config_6956/firewall/twa-hazards-protection/node.val", "/opt/vyatta/config/tmp/tmp_6956/work/firewall/twa-hazards-protection/node.val" in copy_file. Falling back to internal stream_file

Don’t use iptables
sudo nft list ruleset

Thanks, this works. I missed that and didn’t see it on the firewall documentation page.

The recursive_copy_dir failed errors are also informational only.

Now I can rule that out and continue with my original problem.

Any suggestions on why my firewall (or any other service, like dhcp) doesn’t log anything? /var/log/messages seems to only log during startup and then stays quiet. My system booted at Jul 19 20:18:46 and last log message is at Jul 19 20:22:30, roughly 2 minutes after it was done booting/configuring.

My syslog is as follows:

    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }

Ok I solved it :sweat:.

In the end it was a partial user error: I had the wrong public key in my VyOS config. However, in my defence, running

generate wireguard client-config user interface wg0 server FQDN address VPN_IP/24

generates a QR code that, when scanned on my mobile, does not take over the pub/private key for the client. You have to manually copy it over from client back to server… Is this expected behaviour?

For future users or language models ingesting this: While initially I thought it was a routing error because I only see 1 packet coming in without any response, after depleting all other options I checked the Wireguard doc and confirmed that the first packet sent is already encrypted, and hence needs the public/private key of client and server to match.

Wireguard is a very quiet protocol, so you cannot distinguish between firewall/routing errors (my original hypothesis), no Wireguard server running, or wrong authentication.

An unrelated error: I still don’t have firewall logging, I’ll open a separate topic for that.

Thanks for your support :slight_smile:
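Pulling together the two diagnostic points in this thread, the reply that inbound WireGuard packets are delivered to the VyOS host itself (so capture on `udp port`, not `dst port`, to see both directions) and the final observation that an unanswered handshake looks identical for a firewall drop, a missing listener and a key mismatch, here is an added example that is not from the thread, VyOS or the WireGuard project. It classifies `tcpdump -nn` lines by WireGuard message size (sizes taken from the WireGuard protocol description) and reports per client what the capture does and does not prove; the sample capture is constructed, with the first three lines borrowed from the thread's own output.

```python
"""Classify a WireGuard UDP capture from `tcpdump -nn` output lines.

Added example for the VyOS thread above; not code from VyOS or WireGuard.
Assumes tcpdump output in the shape shown in the thread and that the
server listens on UDP 51820.
"""
import re
from collections import Counter, defaultdict

# Line shape from the thread:
# "IP 123.123.123.123.41138 > 234.234.234.234.51820: UDP, length 148"
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)"
)

WG_PORT = 51820


def classify(length: int) -> str:
    """Map a UDP payload length to a WireGuard message type.

    The three handshake messages have fixed sizes (148 / 92 / 64 bytes).
    Transport messages are a 16-byte header, an AEAD payload padded to a
    multiple of 16 bytes and a 16-byte tag, so their length is 32 + 16*k;
    32 bytes is a keepalive with an empty payload.
    """
    if length == 148:
        return "handshake-initiation"
    if length == 92:
        return "handshake-response"
    if length == 64:
        return "cookie-reply"
    if length >= 32 and length % 16 == 0:
        return "transport-data"
    return "unknown"


def parse(lines):
    """Yield (src, sport, dst, dport, message type) per parseable line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                   classify(int(m["length"])))


def diagnose(lines, server_port=WG_PORT):
    """Summarise the capture per client endpoint and state what it implies."""
    # Bucket both directions under the client's endpoint so one flow is
    # counted together whether the packet is inbound or outbound.
    flows = defaultdict(Counter)
    saw_reply = False
    for src, sport, dst, dport, kind in parse(lines):
        if dport == server_port:
            client = f"{src}:{sport}"
        elif sport == server_port:
            client = f"{dst}:{dport}"
            saw_reply = True
        else:
            continue
        flows[client][kind] += 1

    report = {}
    for client, counts in flows.items():
        if counts["transport-data"]:
            verdict = "session established (encrypted data flowing)"
        elif counts["handshake-response"]:
            verdict = "handshake completed, no transport data yet"
        elif counts["handshake-initiation"]:
            # The server never answered. On the wire this is identical for a
            # firewall/routing drop, no listener on the port, and a key
            # mismatch: an initiation that fails authentication is silently
            # discarded, exactly the three cases the thread could not tell apart.
            verdict = ("handshake unanswered: firewall/routing drop, no "
                       "WireGuard listener, or key mismatch (indistinguishable)")
        else:
            verdict = "no handshake seen"
        report[client] = verdict
    if flows and not saw_reply:
        report["_capture_note"] = (f"no packets from port {server_port} seen; if "
                                   f"tcpdump was filtered on 'dst port', rerun with "
                                   f"'udp port {server_port}' to capture replies")
    return report


# Constructed sample: the thread's three unanswered initiations plus a
# made-up client (198.51.100.7) that completes the handshake and sends data.
SAMPLE_CAPTURE = [
    "IP 123.123.123.123.41138 > 234.234.234.234.51820: UDP, length 148",
    "IP 123.123.123.123.41138 > 234.234.234.234.51820: UDP, length 148",
    "IP 123.123.123.123.41138 > 234.234.234.234.51820: UDP, length 148",
    "IP 198.51.100.7.55000 > 234.234.234.234.51820: UDP, length 148",
    "IP 234.234.234.234.51820 > 198.51.100.7.55000: UDP, length 92",
    "IP 198.51.100.7.55000 > 234.234.234.234.51820: UDP, length 32",
    "IP 234.234.234.234.51820 > 198.51.100.7.55000: UDP, length 96",
]

if __name__ == "__main__":
    for client, verdict in diagnose(SAMPLE_CAPTURE).items():
        print(f"{client}: {verdict}")
```

Feed it a real capture with `sudo tcpdump -nnti eth1.300 udp port 51820 | python3 wg_capture.py` after swapping the sample for `sys.stdin`; an "unanswered" verdict for every client means the next step is checking the listener and keys on the server, not the routing table.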

Update: For reference, the full working config of my Wireguard on a VLAN-segmented network with zone-based firewall is as follows:

set firewall name FW_2LOCAL default-action 'drop'
set firewall name FW_2LOCAL rule 200 action 'accept'
set firewall name FW_2LOCAL rule 200 description 'accept established/related'
set firewall name FW_2LOCAL rule 200 log 'disable'
set firewall name FW_2LOCAL rule 200 state established 'enable'
set firewall name FW_2LOCAL rule 200 state related 'enable'
set firewall name FW_2LOCAL rule 210 action 'accept'
set firewall name FW_2LOCAL rule 210 description 'accept dhcp'
set firewall name FW_2LOCAL rule 210 destination port '67-68'
set firewall name FW_2LOCAL rule 210 log 'disable'
set firewall name FW_2LOCAL rule 210 protocol 'udp'
set firewall name FW_2LOCAL rule 220 action 'accept'
set firewall name FW_2LOCAL rule 220 description 'accept dns'
set firewall name FW_2LOCAL rule 220 destination port '53'
set firewall name FW_2LOCAL rule 220 log 'disable'
set firewall name FW_2LOCAL rule 220 protocol 'udp'
set firewall name FW_2LOCAL rule 230 action 'accept'
set firewall name FW_2LOCAL rule 230 description 'accept ssh'
set firewall name FW_2LOCAL rule 230 destination port '22'
set firewall name FW_2LOCAL rule 230 log 'disable'
set firewall name FW_2LOCAL rule 230 protocol 'tcp'
set firewall name FW_ACCEPT default-action 'accept'
set firewall name FW_ACCEPT rule 200 action 'drop'
set firewall name FW_ACCEPT rule 200 description 'drop invalid'
set firewall name FW_ACCEPT rule 200 state invalid 'enable'
set firewall name FW_DROP default-action 'drop'
set firewall name FW_GUEST2INFRA default-action 'drop'
set firewall name FW_GUEST2INFRA rule 200 action 'accept'
set firewall name FW_GUEST2INFRA rule 200 description 'accept established/related'
set firewall name FW_GUEST2INFRA rule 200 log 'disable'
set firewall name FW_GUEST2INFRA rule 200 state established 'enable'
set firewall name FW_GUEST2INFRA rule 200 state related 'enable'
set firewall name FW_GUEST2INFRA rule 210 action 'accept'
set firewall name FW_GUEST2INFRA rule 210 description 'accept http(s)/ssh to proteus'
set firewall name FW_GUEST2INFRA rule 210 destination address 'xxx.xxx.10.2'
set firewall name FW_GUEST2INFRA rule 210 destination port '22,80,443'
set firewall name FW_GUEST2INFRA rule 210 protocol 'tcp'
set firewall name FW_GUEST2TRUST default-action 'drop'
set firewall name FW_GUEST2TRUST rule 200 action 'accept'
set firewall name FW_GUEST2TRUST rule 200 description 'accept established/related'
set firewall name FW_GUEST2TRUST rule 200 log 'disable'
set firewall name FW_GUEST2TRUST rule 200 state established 'enable'
set firewall name FW_GUEST2TRUST rule 200 state related 'enable'
set firewall name FW_GUEST2TRUST rule 210 action 'accept'
set firewall name FW_GUEST2TRUST rule 210 description 'accept access to AppleTV'
set firewall name FW_GUEST2TRUST rule 210 destination address 'xxx.xxx.20.20'
set firewall name FW_GUEST2TRUST rule 210 protocol 'tcp_udp'
set firewall name FW_IOT2INFRA default-action 'drop'
set firewall name FW_IOT2INFRA rule 200 action 'accept'
set firewall name FW_IOT2INFRA rule 200 description 'accept established/related'
set firewall name FW_IOT2INFRA rule 200 log 'disable'
set firewall name FW_IOT2INFRA rule 200 state established 'enable'
set firewall name FW_IOT2INFRA rule 200 state related 'enable'
set firewall name FW_IOT2INFRA rule 210 action 'accept'
set firewall name FW_IOT2INFRA rule 210 description 'accept mqtt(s)/HA API to proteus'
set firewall name FW_IOT2INFRA rule 210 destination address 'xxx.xxx.10.2'
set firewall name FW_IOT2INFRA rule 210 destination port '8883,1883,6053'
set firewall name FW_IOT2INFRA rule 210 protocol 'tcp'
set firewall name FW_TRUST2INFRA default-action 'drop'
set firewall name FW_TRUST2INFRA rule 200 action 'accept'
set firewall name FW_TRUST2INFRA rule 200 description 'accept established/related'
set firewall name FW_TRUST2INFRA rule 200 log 'disable'
set firewall name FW_TRUST2INFRA rule 200 state established 'enable'
set firewall name FW_TRUST2INFRA rule 200 state related 'enable'
set firewall name FW_TRUST2INFRA rule 210 action 'accept'
set firewall name FW_TRUST2INFRA rule 210 description 'accept mqtt(s)/http(s)/HA/ssh/grafana to proteus'
set firewall name FW_TRUST2INFRA rule 210 destination address 'xxx.xxx.10.2'
set firewall name FW_TRUST2INFRA rule 210 destination port '8883,1883,80,443,8123,22,3000'
set firewall name FW_TRUST2INFRA rule 210 protocol 'tcp'
set firewall name FW_TRUST2INFRA rule 220 action 'accept'
set firewall name FW_TRUST2INFRA rule 220 description 'accept ssh to pve'
set firewall name FW_TRUST2INFRA rule 220 destination address 'xxx.xxx.10.4'
set firewall name FW_TRUST2INFRA rule 220 destination port '22'
set firewall name FW_TRUST2INFRA rule 220 protocol 'tcp'
set firewall name FW_TRUST2INFRA rule 230 action 'accept'
set firewall name FW_TRUST2INFRA rule 230 description 'accept ssh to unifi controller'
set firewall name FW_TRUST2INFRA rule 230 destination address 'xxx.xxx.10.5'
set firewall name FW_TRUST2INFRA rule 230 destination port '22,443,8443'
set firewall name FW_TRUST2INFRA rule 230 protocol 'tcp'
set firewall name FW_WAN2ALL default-action 'drop'
set firewall name FW_WAN2ALL rule 200 action 'accept'
set firewall name FW_WAN2ALL rule 200 description 'accept established/related'
set firewall name FW_WAN2ALL rule 200 state established 'enable'
set firewall name FW_WAN2ALL rule 200 state related 'enable'
set firewall name FW_WAN2INFRA default-action 'drop'
set firewall name FW_WAN2INFRA rule 200 action 'accept'
set firewall name FW_WAN2INFRA rule 200 description 'accept established/related'
set firewall name FW_WAN2INFRA rule 200 state established 'enable'
set firewall name FW_WAN2INFRA rule 200 state related 'enable'
set firewall name FW_WAN2INFRA rule 210 action 'accept'
set firewall name FW_WAN2INFRA rule 210 description 'accept port forwards'
set firewall name FW_WAN2INFRA rule 210 destination port '22,80,443,1883'
set firewall name FW_WAN2INFRA rule 210 log 'enable'
set firewall name FW_WAN2INFRA rule 210 protocol 'tcp'
set firewall name FW_WAN2INFRA rule 210 state new 'enable'
set firewall name FW_WAN2LOCAL default-action 'drop'
set firewall name FW_WAN2LOCAL enable-default-log
set firewall name FW_WAN2LOCAL rule 200 action 'accept'
set firewall name FW_WAN2LOCAL rule 200 description 'accept established/related'
set firewall name FW_WAN2LOCAL rule 200 log 'enable'
set firewall name FW_WAN2LOCAL rule 200 state established 'enable'
set firewall name FW_WAN2LOCAL rule 200 state related 'enable'
set firewall name FW_WAN2LOCAL rule 210 action 'accept'
set firewall name FW_WAN2LOCAL rule 210 description 'wireguard'
set firewall name FW_WAN2LOCAL rule 210 destination port '51820'
set firewall name FW_WAN2LOCAL rule 210 log 'enable'
set firewall name FW_WAN2LOCAL rule 210 protocol 'udp'
set firewall name FW_WAN2LOCAL rule 210 state new 'enable'
set firewall zone GUEST default-action 'drop'
set firewall zone GUEST from INFRA firewall name 'FW_ACCEPT'
set firewall zone GUEST from IOT firewall name 'FW_DROP'
set firewall zone GUEST from LOCAL firewall name 'FW_ACCEPT'
set firewall zone GUEST from TRUSTED firewall name 'FW_ACCEPT'
set firewall zone GUEST from WAN firewall name 'FW_WAN2ALL'
set firewall zone GUEST interface 'br100.30'
set firewall zone INFRA default-action 'drop'
set firewall zone INFRA from GUEST firewall name 'FW_GUEST2INFRA'
set firewall zone INFRA from IOT firewall name 'FW_IOT2INFRA'
set firewall zone INFRA from LOCAL firewall name 'FW_ACCEPT'
set firewall zone INFRA from TRUSTED firewall name 'FW_TRUST2INFRA'
set firewall zone INFRA from WAN firewall name 'FW_WAN2INFRA'
set firewall zone INFRA interface 'br100.10'
set firewall zone IOT default-action 'drop'
set firewall zone IOT from GUEST firewall name 'FW_DROP'
set firewall zone IOT from INFRA firewall name 'FW_ACCEPT'
set firewall zone IOT from LOCAL firewall name 'FW_ACCEPT'
set firewall zone IOT from TRUSTED firewall name 'FW_ACCEPT'
set firewall zone IOT from WAN firewall name 'FW_DROP'
set firewall zone IOT interface 'br100.40'
set firewall zone LOCAL default-action 'drop'
set firewall zone LOCAL from GUEST firewall name 'FW_2LOCAL'
set firewall zone LOCAL from INFRA firewall name 'FW_ACCEPT'
set firewall zone LOCAL from IOT firewall name 'FW_2LOCAL'
set firewall zone LOCAL from TRUSTED firewall name 'FW_2LOCAL'
set firewall zone LOCAL from WAN firewall name 'FW_WAN2LOCAL'
set firewall zone LOCAL local-zone
set firewall zone TRUSTED default-action 'drop'
set firewall zone TRUSTED from GUEST firewall name 'FW_GUEST2TRUST'
set firewall zone TRUSTED from INFRA firewall name 'FW_ACCEPT'
set firewall zone TRUSTED from IOT firewall name 'FW_IOT2INFRA'
set firewall zone TRUSTED from LOCAL firewall name 'FW_ACCEPT'
set firewall zone TRUSTED from WAN firewall name 'FW_WAN2ALL'
set firewall zone TRUSTED interface 'br100.20'
set firewall zone TRUSTED interface 'wg0'
set firewall zone WAN default-action 'drop'
set firewall zone WAN from GUEST firewall name 'FW_ACCEPT'
set firewall zone WAN from INFRA firewall name 'FW_ACCEPT'
set firewall zone WAN from IOT firewall name 'FW_DROP'
set firewall zone WAN from LOCAL firewall name 'FW_ACCEPT'
set firewall zone WAN from TRUSTED firewall name 'FW_ACCEPT'
set firewall zone WAN interface 'eth1.300'
set interfaces bridge br100 enable-vlan
set interfaces bridge br100 member interface eth0 allowed-vlan '10'
set interfaces bridge br100 member interface eth0 allowed-vlan '20'
set interfaces bridge br100 member interface eth0 allowed-vlan '30'
set interfaces bridge br100 member interface eth0 allowed-vlan '40'
set interfaces bridge br100 stp
set interfaces bridge br100 vif 10 address 'xxx.xxx.10.1/24'
set interfaces bridge br100 vif 10 description 'VLAN10-Mgmt'
set interfaces bridge br100 vif 20 address 'xxx.xxx.20.1/24'
set interfaces bridge br100 vif 20 description 'VLAN20-Trusted'
set interfaces bridge br100 vif 30 address 'xxx.xxx.30.1/24'
set interfaces bridge br100 vif 30 description 'VLAN30-Guest'
set interfaces bridge br100 vif 40 address 'xxx.xxx.40.1/24'
set interfaces bridge br100 vif 40 description 'VLAN40-IoT'
set interfaces ethernet eth0 description 'LAN'
set interfaces ethernet eth1 vif 300 address 'dhcp'
set interfaces ethernet eth1 vif 300 description 'T-Mobile WAN'
set interfaces loopback lo
set interfaces wireguard wg0 address 'xxx.xxx.50.1/24'
set interfaces wireguard wg0 description 'Roadwarrior'
set interfaces wireguard wg0 peer username allowed-ips 'xxx.xxx.50.100/32'
set interfaces wireguard wg0 peer username persistent-keepalive '15'
set interfaces wireguard wg0 peer username preshared-key xxxxxx
set interfaces wireguard wg0 peer username public-key xxxxxx
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key xxxxxx
set nat destination rule 100 description 'Port Forward: SSH to xxx.xxx.10.2'
set nat destination rule 100 destination port '22'
set nat destination rule 100 inbound-interface 'eth1.300'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address 'xxx.xxx.10.2'
set nat destination rule 102 description 'Port Forward: HTTP to xxx.xxx.10.2'
set nat destination rule 102 destination port '80'
set nat destination rule 102 inbound-interface 'eth1.300'
set nat destination rule 102 protocol 'tcp'
set nat destination rule 102 translation address 'xxx.xxx.10.2'
set nat destination rule 104 description 'Port Forward: HTTPS to xxx.xxx.10.2'
set nat destination rule 104 destination port '443'
set nat destination rule 104 inbound-interface 'eth1.300'
set nat destination rule 104 protocol 'tcp'
set nat destination rule 104 translation address 'xxx.xxx.10.2'
set nat destination rule 106 description 'Port Forward: MQTT to xxx.xxx.10.2'
set nat destination rule 106 destination port '8883'
set nat destination rule 106 inbound-interface 'eth1.300'
set nat destination rule 106 protocol 'tcp'
set nat destination rule 106 translation address 'xxx.xxx.10.2'
set nat destination rule 106 translation port '1883'
set nat source rule 5001 description 'Exclude roadwarrior VPN'
set nat source rule 5001 destination address 'xxx.xxx.50.0/24'
set nat source rule 5001 exclude
set nat source rule 5001 outbound-interface 'eth1.300'
set nat source rule 5001 protocol 'all'
set nat source rule 5001 translation address 'masquerade'
set nat source rule 5010 description 'Masquerade for WAN'
set nat source rule 5010 outbound-interface 'eth1.300'
set nat source rule 5010 protocol 'all'
set nat source rule 5010 source address 'xxx.xxx.0.0/16'
set nat source rule 5010 translation address 'masquerade'
set qos interface eth1.300 egress 'WAN_QUEUE'
set qos policy shaper WAN_QUEUE bandwidth '100mbit'
set qos policy shaper WAN_QUEUE class 10 bandwidth '10%'
set qos policy shaper WAN_QUEUE class 10 match dns ip source port '53'
set qos policy shaper WAN_QUEUE class 10 match icmp ip protocol 'icmp'
set qos policy shaper WAN_QUEUE class 10 priority '1'
set qos policy shaper WAN_QUEUE class 10 queue-type 'fq-codel'
set qos policy shaper WAN_QUEUE default bandwidth '95%'
set qos policy shaper WAN_QUEUE default queue-type 'fq-codel'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 default-router 'xxx.xxx.10.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 name-server 'xxx.xxx.10.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 range vlan10range start 'xxx.xxx.10.100'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 range vlan10range stop 'xxx.xxx.10.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.3'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:F8'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.21'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:47'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.10'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:66'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.11'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:2E'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 default-router 'xxx.xxx.20.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 name-server 'xxx.xxx.20.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 range vlan20range start 'xxx.xxx.20.100'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 range vlan20range stop 'xxx.xxx.20.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.20.20'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:0C'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.20.30'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:f5'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 default-router 'xxx.xxx.30.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 name-server 'xxx.xxx.30.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 range vlan30range start 'xxx.xxx.30.100'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 range vlan30range stop 'xxx.xxx.30.254'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 default-router 'xxx.xxx.40.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 name-server 'xxx.xxx.40.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 range vlan40range start 'xxx.xxx.40.100'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 range vlan40range stop 'xxx.xxx.40.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.40.32'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:b8'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.40.31'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:3e'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.40.33'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:6c'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.40.30'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:11'
set service dns forwarding allow-from 'xxx.xxx.0.0/16'
set service dns forwarding cache-size '100004'
set service dns forwarding dhcp 'eth1.300'
set service dns forwarding listen-address 'xxx.xxx.10.1'
set service dns forwarding listen-address 'xxx.xxx.20.1'
set service dns forwarding listen-address 'xxx.xxx.30.1'
set service dns forwarding listen-address 'xxx.xxx.40.1'
set service dns forwarding listen-address 'xxx.xxx.50.1'
set service mdns repeater interface 'br100.20'
set service mdns repeater interface 'br100.30'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/0'
set service ntp allow-client xxxxxx '::/0'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ssh ciphers 'aes128-cbc'
set service ssh ciphers '[email protected]'
set service ssh ciphers 'aes128-ctr'
set service ssh ciphers '[email protected]'
set service ssh ciphers 'aes192-cbc'
set service ssh ciphers 'aes192-ctr'
set service ssh ciphers 'aes256-cbc'
set service ssh ciphers 'aes256-ctr'
set service ssh ciphers '[email protected]'
set service ssh disable-password-authentication
set service ssh key-exchange 'curve25519-sha256'
set service ssh key-exchange '[email protected]'
set service ssh key-exchange 'diffie-hellman-group-exchange-sha256'
set service ssh key-exchange 'diffie-hellman-group14-sha256'
set service ssh key-exchange 'diffie-hellman-group16-sha512'
set service ssh key-exchange 'diffie-hellman-group18-sha512'
set service ssh listen-address 'xxx.xxx.10.1'
set service ssh mac 'hmac-sha2-256'
set service ssh mac '[email protected]'
set service ssh mac 'hmac-sha2-512'
set service ssh mac '[email protected]'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system domain-name xxxxxx
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx authentication public-keys [email protected] key xxxxxx
set system login user xxxxxx authentication public-keys [email protected] type ssh-xxx
set system name-server 'xxx.xxx.10.1'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.20.20'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.10.2'
set system syslog global facility all level 'debug'
set system syslog global facility local7 level 'debug'
set system time-zone 'Europe/Amsterdam'