Routing LAN to VLAN - seeing Firewall Traffic but no connections

Hi,
I’m new to the forums and have been working on replacing my home Firewall/Router with VyOS. Running vyos-1.4-rolling-202309070021 on Proxmox.

I have 2 NICs mapped to WAN and LAN, with the LAN being split into multiple VLANs.

I also have a virtual NIC on Proxmox designated for my multiple virtual machines’ traffic only, but want to allow certain VLANs to SSH in.

All VLANs and ethernet have DHCP and share the same default-router - both physical devices and virtual machines are getting IPs assigned, and I have the respective rules that allow traffic to forward from the machines to the WAN NIC/internet.

What I’m struggling with is to get my VLAN eth1.3 to connect to any services on eth2 (virtual NIC). I’ve assumed it’s firewall-based and tried FORWARD rules from inbound interface eth1.3 to outbound interface eth2; I’ve tried dropping the outbound interface altogether. From operations mode, if I open show firewall and try to SSH to the VM, then I can see some packets, but they’re not arriving as expected.

I’m not an nftables expert (not using legacy FW) and so looking for a nudge in the right direction and welcome any assistance.

Update ----
Following the monitoring of traffic on the respective ethernet, it appeared as though the outbound traffic was reaching the destination (e.g. SYN) but the response (SYN-ACK) wasn’t despite there being allow rules for established and related traffic. By creating a corresponding forward rule from ETH2 → eth1.3 this worked but unsure why this would be required.

thanks.

Hello @chrhel
By default VyOS uses a stateless firewall. So you should use rules in both directions.
If you want to use a stateful firewall, look at the state option in forward.
https://docs.vyos.io/en/latest/configuration/firewall/general.html#

Thank you for your response. Appreciating that it’s stateless, my rules looked like this:

set firewall ipv4 name VL_INT default-action drop
set firewall ipv4 name VL_INT enable-default-log
set firewall ipv4 name VL_INT rule 1 state invalid enable
set firewall ipv4 name VL_INT rule 1 action drop
set firewall ipv4 name VL_INT rule 1 log enable
set firewall ipv4 name VL_INT rule 1 description "BLOCK - Invalid Traffic"
set firewall ipv4 name VL_INT rule 2 state established enable
set firewall ipv4 name VL_INT rule 2 action accept
set firewall ipv4 name VL_INT rule 2 description "ALLOW - Established Traffic"
set firewall ipv4 name VL_INT rule 3 state related enable
set firewall ipv4 name VL_INT rule 3 action accept
set firewall ipv4 name VL_INT rule 3 description "ALLOW - Related Traffic"
set firewall ipv4 name VL_INT rule 50 action accept
set firewall ipv4 name VL_INT rule 50 description "ALLOW - Internal Traffic to VM"

This was from a forward chain from interface A to B. I would have thought adding in state = related/established would have allowed my SSH handshake to occur, but it was only when I added in a corresponding B to A forward chain (to these rules) that it worked. Problem is that now I allow traffic back that I don’t want. Did I miss something?

Thanks again.

Can you share also forward filter firewall configuration?
And what exactly are the requirements for these two VLANs?

Of course. ETH1.3 is my VLAN and eth2 is a Virtual NIC for my VM’s. The intent being to allow SSH from my laptop on ETH1.3 to VM on ETH2

set firewall ipv4 forward filter rule 9 inbound-interface interface-name eth1.3
set firewall ipv4 forward filter rule 9 outbound-interface interface-name eth2
set firewall ipv4 forward filter rule 9 action jump
set firewall ipv4 forward filter rule 9 jump-target VL_INT

I could see in the monitor that the traffic was being received and the initial packets were hitting the above rule, but the responses to the SSH handshake did not return until I added the following.

set firewall ipv4 forward filter rule 10 inbound-interface interface-name eth2
set firewall ipv4 forward filter rule 10 outbound-interface interface-name eth1.3
set firewall ipv4 forward filter rule 10 action jump
set firewall ipv4 forward filter rule 10 jump-target VL_INT

thanks again.

But the requirement is to only allow new connections from your LAN (eth1.3) to the other subnet (eth2)? Should new connections in the opposite direction be allowed too?
For better analysis, the whole firewall configuration might be useful… Otherwise, it’s difficult to say what rules are being used.

New Connections should only be allowed from ETH1.3 to ETH2 but not the other way.

I’ll apologise in advance as I don’t have the JSON output, as I wiped the VM to try another rolling release.

Set Hostname
set system host-name VyOS
set system domain-name allofus.dh

Set Timezone
set system time-zone Europe/London

Set DNS
set system name-server 1.1.1.3

Set ARP Cache
Cache size divide by 52
set system ip arp table-size 4096

Other
set system option reboot-on-panic
set system option keyboard-layout uk

Set LAN
set interfaces ethernet eth1 address '192.168.10.100/20'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 duplex auto

Set SSH
set service ssh port 22

Enable Internal Source NAT
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/16'
set nat source rule 100 translation address masquerade

Set WAN
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 duplex auto

SET VM LAN
set interfaces ethernet eth2 address '192.168.11.1/24'
set interfaces ethernet eth2 description 'VMOnly'
set interfaces ethernet eth2 duplex auto

Set VLAN
set interfaces ethernet eth1 vif 3 address 192.168.3.1/24
set interfaces ethernet eth1 vif 3 description "VLP - VLAN Primary Devices"
set interfaces ethernet eth1 vif 4 address 192.168.4.1/24
set interfaces ethernet eth1 vif 4 description "VLM - VLAN Mobile"
set interfaces ethernet eth1 vif 5 address 192.168.5.1/24
set interfaces ethernet eth1 vif 5 description "VLI - VLAN IOT Devices"
set interfaces ethernet eth1 vif 6 address 192.168.6.1/24
set interfaces ethernet eth1 vif 6 description "VLK - VLAN Kids Devices"
set interfaces ethernet eth1 vif 7 address 192.168.7.1/24
set interfaces ethernet eth1 vif 7 description "VLG - VLAN Guest Devices"

DHCP - ONE PER VLAN AND LAN
set service dhcp-server shared-network-name 'LAN' authoritative
set service dhcp-server shared-network-name 'LAN' subnet 192.168.10.0/24 default-router 192.168.10.100
set service dhcp-server shared-network-name 'LAN' name-server 192.168.10.100
set service dhcp-server shared-network-name 'LAN' name-server 1.1.1.3
set service dhcp-server shared-network-name 'LAN' subnet 192.168.10.0/24 lease 1800
set service dhcp-server shared-network-name 'LAN' subnet 192.168.10.0/24 range 0 start 192.168.10.50
set service dhcp-server shared-network-name 'LAN' subnet 192.168.10.0/24 range 0 stop 192.168.10.99

set service dhcp-server shared-network-name 'VLP' authoritative
set service dhcp-server shared-network-name 'VLP' subnet 192.168.3.0/24 default-router 192.168.10.100
set service dhcp-server shared-network-name 'VLP' name-server 192.168.10.100
set service dhcp-server shared-network-name 'VLP' name-server 1.1.1.2
set service dhcp-server shared-network-name 'VLP' subnet 192.168.3.0/24 lease 1800
set service dhcp-server shared-network-name 'VLP' subnet 192.168.3.0/24 range 0 start 192.168.3.50
set service dhcp-server shared-network-name 'VLP' subnet 192.168.3.0/24 range 0 stop 192.168.3.99

set service dhcp-server shared-network-name 'VLM' authoritative
set service dhcp-server shared-network-name 'VLM' subnet 192.168.4.0/24 default-router 192.168.10.100
set service dhcp-server shared-network-name 'VLM' name-server 192.168.10.100
set service dhcp-server shared-network-name 'VLM' name-server 1.1.1.2
set service dhcp-server shared-network-name 'VLM' subnet 192.168.4.0/24 lease 1800
set service dhcp-server shared-network-name 'VLM' subnet 192.168.4.0/24 range 0 start 192.168.4.50
set service dhcp-server shared-network-name 'VLM' subnet 192.168.4.0/24 range 0 stop 192.168.4.99

set service dhcp-server shared-network-name 'VLI' authoritative
set service dhcp-server shared-network-name 'VLI' subnet 192.168.5.0/24 default-router 192.168.10.100
set service dhcp-server shared-network-name 'VLI' name-server 192.168.10.100
set service dhcp-server shared-network-name 'VLI' name-server 1.1.1.2
set service dhcp-server shared-network-name 'VLI' subnet 192.168.5.0/24 lease 1800
set service dhcp-server shared-network-name 'VLI' subnet 192.168.5.0/24 range 0 start 192.168.5.50
set service dhcp-server shared-network-name 'VLI' subnet 192.168.5.0/24 range 0 stop 192.168.5.99

set service dhcp-server shared-network-name 'VLK' authoritative
set service dhcp-server shared-network-name 'VLK' subnet 192.168.6.0/24 default-router 192.168.10.100
set service dhcp-server shared-network-name 'VLK' name-server 192.168.10.100
set service dhcp-server shared-network-name 'VLK' name-server 1.1.1.3
set service dhcp-server shared-network-name 'VLK' subnet 192.168.6.0/24 lease 1800
set service dhcp-server shared-network-name 'VLK' subnet 192.168.6.0/24 range 0 start 192.168.6.50
set service dhcp-server shared-network-name 'VLK' subnet 192.168.6.0/24 range 0 stop 192.168.6.99

set service dhcp-server shared-network-name 'VLG' authoritative
set service dhcp-server shared-network-name 'VLG' subnet 192.168.7.0/24 default-router 192.168.10.100
set service dhcp-server shared-network-name 'VLG' name-server 192.168.10.100
set service dhcp-server shared-network-name 'VLG' name-server 1.1.1.3
set service dhcp-server shared-network-name 'VLG' subnet 192.168.7.0/24 lease 1800
set service dhcp-server shared-network-name 'VLG' subnet 192.168.7.0/24 range 0 start 192.168.7.50
set service dhcp-server shared-network-name 'VLG' subnet 192.168.7.0/24 range 0 stop 192.168.7.99

set service dhcp-server shared-network-name 'VMO' authoritative
set service dhcp-server shared-network-name 'VMO' subnet 192.168.11.0/24 default-router 192.168.10.100
set service dhcp-server shared-network-name 'VMO' name-server 192.168.10.100
set service dhcp-server shared-network-name 'VMO' name-server 1.1.1.2
set service dhcp-server shared-network-name 'VMO' subnet 192.168.11.0/24 lease 1800
set service dhcp-server shared-network-name 'VMO' subnet 192.168.11.0/24 range 0 start 192.168.11.50
set service dhcp-server shared-network-name 'VMO' subnet 192.168.11.0/24 range 0 stop 192.168.11.99

Firewall
set firewall global-options all-ping enable
set firewall global-options broadcast-ping disable
set firewall global-options log-martians enable
set firewall global-options receive-redirects disable

set firewall ipv4 name WAN_IN description "Firewall Rules for Inbound traffic from External"
set firewall ipv4 name LAN_OUT description "Firewall Rules for outbound traffic from LAN interface"
set firewall ipv4 name VLP_OUT description "Firewall Rules for outbound traffic from VLP interface"
set firewall ipv4 name VLM_OUT description "Firewall Rules for outbound traffic from VLM interface"
set firewall ipv4 name VLI_OUT description "Firewall Rules for outbound traffic from VLI interface"
set firewall ipv4 name VLK_OUT description "Firewall Rules for outbound traffic from VLK interface"
set firewall ipv4 name VLG_OUT description "Firewall Rules for outbound traffic from VLG interface"
set firewall ipv4 name VMO_OUT description "Firewall Rules for outbound traffic from VMO interface"
set firewall ipv4 name VL_INT description "Firewall Rules for Internal traffic to VMO interface"

INTERNAL_SERVICES port groups
set firewall group port-group INTERNAL_SERVICES port 53
set firewall group port-group INTERNAL_SERVICES port 123

IOT_SERVICES port groups
set firewall group port-group IOT_SERVICES port 53
set firewall group port-group IOT_SERVICES port 123
set firewall group port-group IOT_SERVICES port 443
set firewall group port-group IOT_SERVICES port 9543
set firewall group port-group IOT_SERVICES port 11095
set firewall group port-group IOT_SERVICES port 8886
set firewall group port-group IOT_SERVICES port 80

WAN IN
set firewall ipv4 name WAN_IN default-action drop
set firewall ipv4 name WAN_IN enable-default-log
set firewall ipv4 name WAN_IN rule 1 state invalid enable
set firewall ipv4 name WAN_IN rule 1 action drop
set firewall ipv4 name WAN_IN rule 1 log enable
set firewall ipv4 name WAN_IN rule 1 description "BLOCK - Invalid Traffic"
set firewall ipv4 name WAN_IN rule 2 state established enable
set firewall ipv4 name WAN_IN rule 2 action accept
set firewall ipv4 name WAN_IN rule 2 description "ALLOW - Established Traffic"
set firewall ipv4 name WAN_IN rule 3 state related enable
set firewall ipv4 name WAN_IN rule 3 action accept
set firewall ipv4 name WAN_IN rule 3 description "ALLOW - Related Traffic"

LAN OUT
set firewall ipv4 name LAN_OUT default-action drop
set firewall ipv4 name LAN_OUT enable-default-log
set firewall ipv4 name LAN_OUT rule 1 state invalid enable
set firewall ipv4 name LAN_OUT rule 1 action drop
set firewall ipv4 name LAN_OUT rule 1 log enable
set firewall ipv4 name LAN_OUT rule 1 description "BLOCK - Invalid Traffic"
set firewall ipv4 name LAN_OUT rule 2 state established enable
set firewall ipv4 name LAN_OUT rule 2 action accept
set firewall ipv4 name LAN_OUT rule 2 description "ALLOW - Established Traffic"
set firewall ipv4 name LAN_OUT rule 3 state related enable
set firewall ipv4 name LAN_OUT rule 3 action accept
set firewall ipv4 name LAN_OUT rule 3 description "ALLOW - Related Traffic"

set firewall ipv4 name LAN_OUT rule 50 action accept
set firewall ipv4 name LAN_OUT rule 50 description "ALLOW - Outbound Traffic to All"

VLP OUT
set firewall ipv4 name VLP_OUT default-action drop
set firewall ipv4 name VLP_OUT enable-default-log
set firewall ipv4 name VLP_OUT rule 1 state invalid enable
set firewall ipv4 name VLP_OUT rule 1 action drop
set firewall ipv4 name VLP_OUT rule 1 log enable
set firewall ipv4 name VLP_OUT rule 1 description "BLOCK - Invalid Traffic"
set firewall ipv4 name VLP_OUT rule 2 state established enable
set firewall ipv4 name VLP_OUT rule 2 action accept
set firewall ipv4 name VLP_OUT rule 2 description "ALLOW - Established Traffic"
set firewall ipv4 name VLP_OUT rule 3 state related enable
set firewall ipv4 name VLP_OUT rule 3 action accept
set firewall ipv4 name VLP_OUT rule 3 description "ALLOW - Related Traffic"

set firewall ipv4 name VLP_OUT rule 50 action accept
set firewall ipv4 name VLP_OUT rule 50 description "ALLOW - Outbound Traffic to All"

LATERAL_INTERNAL
set firewall ipv4 name LATERAL_INTERNAL description "Firewall Rules for Lateral Internal traffic"
set firewall ipv4 name LATERAL_INTERNAL default-action drop
set firewall ipv4 name LATERAL_INTERNAL enable-default-log
set firewall ipv4 name LATERAL_INTERNAL rule 1 state invalid enable
set firewall ipv4 name LATERAL_INTERNAL rule 1 action drop
set firewall ipv4 name LATERAL_INTERNAL rule 1 log enable
set firewall ipv4 name LATERAL_INTERNAL rule 1 description "BLOCK - Invalid Traffic"
set firewall ipv4 name LATERAL_INTERNAL rule 2 state established enable
set firewall ipv4 name LATERAL_INTERNAL rule 2 action accept
set firewall ipv4 name LATERAL_INTERNAL rule 2 description "ALLOW - Established Traffic"
set firewall ipv4 name LATERAL_INTERNAL rule 3 state related enable
set firewall ipv4 name LATERAL_INTERNAL rule 3 action accept
set firewall ipv4 name LATERAL_INTERNAL rule 3 description "ALLOW - Related Traffic"
set firewall ipv4 name LATERAL_INTERNAL rule 10 protocol tcp_udp
set firewall ipv4 name LATERAL_INTERNAL rule 10 destination group port-group INTERNAL_SERVICES
set firewall ipv4 name LATERAL_INTERNAL rule 10 action accept
set firewall ipv4 name LATERAL_INTERNAL rule 10 description "ALLOW - Internal Traffic to SSH"

VLM OUT
set firewall ipv4 name VLM_OUT default-action drop
set firewall ipv4 name VLM_OUT enable-default-log
set firewall ipv4 name VLM_OUT rule 1 state invalid enable
set firewall ipv4 name VLM_OUT rule 1 action drop
set firewall ipv4 name VLM_OUT rule 1 log enable
set firewall ipv4 name VLM_OUT rule 1 description "BLOCK - Invalid Traffic"
set firewall ipv4 name VLM_OUT rule 2 state established enable
set firewall ipv4 name VLM_OUT rule 2 action accept
set firewall ipv4 name VLM_OUT rule 2 description "ALLOW - Established Traffic"
set firewall ipv4 name VLM_OUT rule 3 state related enable
set firewall ipv4 name VLM_OUT rule 3 action accept
set firewall ipv4 name VLM_OUT rule 3 description "ALLOW - Related Traffic"

set firewall ipv4 name VLM_OUT rule 50 action accept
set firewall ipv4 name VLM_OUT rule 50 description "ALLOW - Outbound Traffic to All"

VLI OUT
set firewall ipv4 name VLI_OUT default-action drop
set firewall ipv4 name VLI_OUT enable-default-log
set firewall ipv4 name VLI_OUT rule 1 state invalid enable
set firewall ipv4 name VLI_OUT rule 1 action drop
set firewall ipv4 name VLI_OUT rule 1 log enable
set firewall ipv4 name VLI_OUT rule 1 description "BLOCK - Invalid Traffic"
set firewall ipv4 name VLI_OUT rule 2 state established enable
set firewall ipv4 name VLI_OUT rule 2 action accept
set firewall ipv4 name VLI_OUT rule 2 description "ALLOW - Established Traffic"
set firewall ipv4 name VLI_OUT rule 3 state related enable
set firewall ipv4 name VLI_OUT rule 3 action accept
set firewall ipv4 name VLI_OUT rule 3 description "ALLOW - Related Traffic"

set firewall ipv4 name VLI_OUT rule 50 protocol tcp_udp
set firewall ipv4 name VLI_OUT rule 50 destination group port-group IOT_SERVICES
set firewall ipv4 name VLI_OUT rule 50 action accept
set firewall ipv4 name VLI_OUT rule 50 description "ALLOW - Outbound Traffic to IOT Services"

VLK OUT
set firewall ipv4 name VLK_OUT default-action drop
set firewall ipv4 name VLK_OUT enable-default-log
set firewall ipv4 name VLK_OUT rule 1 state invalid enable
set firewall ipv4 name VLK_OUT rule 1 action drop
set firewall ipv4 name VLK_OUT rule 1 log enable
set firewall ipv4 name VLK_OUT rule 1 description "BLOCK - Invalid Traffic"
set firewall ipv4 name VLK_OUT rule 2 state established enable
set firewall ipv4 name VLK_OUT rule 2 action accept
set firewall ipv4 name VLK_OUT rule 2 description "ALLOW - Established Traffic"
set firewall ipv4 name VLK_OUT rule 3 state related enable
set firewall ipv4 name VLK_OUT rule 3 action accept
set firewall ipv4 name VLK_OUT rule 3 description "ALLOW - Related Traffic"
set firewall ipv4 name VLK_OUT rule 45 destination port 80,443
set firewall ipv4 name VLK_OUT rule 45 action accept
set firewall ipv4 name VLK_OUT rule 45 protocol tcp_udp
set firewall ipv4 name VLK_OUT rule 45 description "ALLOW - Outbound HTTP Traffic"
set firewall ipv4 name VLK_OUT rule 50 action accept
set firewall ipv4 name VLK_OUT rule 50 description "ALLOW - Outbound Traffic to All"

VLG OUT
set firewall ipv4 name VLG_OUT default-action drop
set firewall ipv4 name VLG_OUT enable-default-log
set firewall ipv4 name VLG_OUT rule 1 state invalid enable
set firewall ipv4 name VLG_OUT rule 1 action drop
set firewall ipv4 name VLG_OUT rule 1 log enable
set firewall ipv4 name VLG_OUT rule 1 description "BLOCK - Invalid Traffic"
set firewall ipv4 name VLG_OUT rule 2 state established enable
set firewall ipv4 name VLG_OUT rule 2 action accept
set firewall ipv4 name VLG_OUT rule 2 description "ALLOW - Established Traffic"
set firewall ipv4 name VLG_OUT rule 3 state related enable
set firewall ipv4 name VLG_OUT rule 3 action accept
set firewall ipv4 name VLG_OUT rule 3 description "ALLOW - Related Traffic"
set firewall ipv4 name VLG_OUT rule 50 action accept
set firewall ipv4 name VLG_OUT rule 50 description "ALLOW - Outbound Traffic to All"

VM OUT
set firewall ipv4 name VMO_OUT default-action drop
set firewall ipv4 name VMO_OUT enable-default-log
set firewall ipv4 name VMO_OUT rule 1 state invalid enable
set firewall ipv4 name VMO_OUT rule 1 action drop
set firewall ipv4 name VMO_OUT rule 1 log enable
set firewall ipv4 name VMO_OUT rule 1 description "BLOCK - Invalid Traffic"
set firewall ipv4 name VMO_OUT rule 2 state established enable
set firewall ipv4 name VMO_OUT rule 2 action accept
set firewall ipv4 name VMO_OUT rule 2 description "ALLOW - Established Traffic"
set firewall ipv4 name VMO_OUT rule 3 state related enable
set firewall ipv4 name VMO_OUT rule 3 action accept
set firewall ipv4 name VMO_OUT rule 3 description "ALLOW - Related Traffic"

set firewall ipv4 name VMO_OUT rule 50 action accept
set firewall ipv4 name VMO_OUT rule 50 description "ALLOW - Outbound Traffic to All"

VM INTERNAL ACCESS
set firewall ipv4 name VL_INT default-action drop
set firewall ipv4 name VL_INT enable-default-log
set firewall ipv4 name VL_INT rule 1 state invalid enable
set firewall ipv4 name VL_INT rule 1 action drop
set firewall ipv4 name VL_INT rule 1 log enable
set firewall ipv4 name VL_INT rule 1 description "BLOCK - Invalid Traffic"
set firewall ipv4 name VL_INT rule 2 state established enable
set firewall ipv4 name VL_INT rule 2 action accept
set firewall ipv4 name VL_INT rule 2 description "ALLOW - Established Traffic"
set firewall ipv4 name VL_INT rule 3 state related enable
set firewall ipv4 name VL_INT rule 3 action accept
set firewall ipv4 name VL_INT rule 3 description "ALLOW - Related Traffic"
set firewall ipv4 name VL_INT rule 50 action accept
set firewall ipv4 name VL_INT rule 50 description "ALLOW - Internal Traffic to VM"

INPUT
set firewall ipv4 input filter default-action drop
set firewall ipv4 input filter rule 1 inbound-interface interface-name eth0
set firewall ipv4 input filter rule 1 action jump
set firewall ipv4 input filter rule 1 jump-target WAN_IN
set firewall ipv4 input filter rule 1 description "JUMP to WAN_IN rules where Inbound Interface is WAN"
set firewall ipv4 input filter rule 10 inbound-interface interface-name eth1
set firewall ipv4 input filter rule 10 action accept
set firewall ipv4 input filter rule 10 description "ALLOW - Internal SSH from ETH1"
set firewall ipv4 input filter rule 10 destination port 22
set firewall ipv4 input filter rule 10 protocol tcp
set firewall ipv4 input filter rule 11 inbound-interface interface-name eth1.3
set firewall ipv4 input filter rule 11 action accept
set firewall ipv4 input filter rule 11 description "ALLOW - Internal SSH from ETH1.3"
set firewall ipv4 input filter rule 11 destination port 22
set firewall ipv4 input filter rule 11 protocol tcp
set firewall ipv4 input filter rule 20 inbound-interface interface-name eth1.3
set firewall ipv4 input filter rule 20 action jump
set firewall ipv4 input filter rule 20 jump-target LATERAL_INTERNAL
set firewall ipv4 input filter rule 20 description "JUMP to LATERAL_INTERNAL rules where Inbound Interface is ETH1.3"
set firewall ipv4 input filter rule 30 inbound-interface interface-name eth1
set firewall ipv4 input filter rule 30 action jump
set firewall ipv4 input filter rule 30 jump-target LATERAL_INTERNAL
set firewall ipv4 input filter rule 30 description "JUMP to LATERAL_INTERNAL rules where Inbound Interface is ETH1"
set firewall ipv4 input filter rule 40 inbound-interface interface-name eth1.4
set firewall ipv4 input filter rule 40 action jump
set firewall ipv4 input filter rule 40 jump-target LATERAL_INTERNAL
set firewall ipv4 input filter rule 40 description "JUMP to LATERAL_INTERNAL rules where Inbound Interface is ETH1.4"
set firewall ipv4 input filter rule 50 inbound-interface interface-name eth1.5
set firewall ipv4 input filter rule 50 action jump
set firewall ipv4 input filter rule 50 jump-target LATERAL_INTERNAL
set firewall ipv4 input filter rule 50 description "JUMP to LATERAL_INTERNAL rules where Inbound Interface is ETH1.5"
set firewall ipv4 input filter rule 60 inbound-interface interface-name eth1.6
set firewall ipv4 input filter rule 60 action jump
set firewall ipv4 input filter rule 60 jump-target LATERAL_INTERNAL
set firewall ipv4 input filter rule 60 description "JUMP to LATERAL_INTERNAL rules where Inbound Interface is ETH1.6"
set firewall ipv4 input filter rule 70 inbound-interface interface-name eth1.7
set firewall ipv4 input filter rule 70 action jump
set firewall ipv4 input filter rule 70 jump-target LATERAL_INTERNAL
set firewall ipv4 input filter rule 70 description "JUMP to LATERAL_INTERNAL rules where Inbound Interface is ETH1.7"
set firewall ipv4 input filter rule 80 inbound-interface interface-name eth2
set firewall ipv4 input filter rule 80 action jump
set firewall ipv4 input filter rule 80 jump-target LATERAL_INTERNAL
set firewall ipv4 input filter rule 80 description "JUMP to LATERAL_INTERNAL rules where Inbound Interface is ETH2"

FORWARD
set firewall ipv4 forward filter default-action drop
set firewall ipv4 forward filter rule 1 inbound-interface interface-name eth0
set firewall ipv4 forward filter rule 1 action jump
set firewall ipv4 forward filter rule 1 jump-target WAN_IN
set firewall ipv4 forward filter rule 1 description "JUMP to WAN_IN rules where Inbound Interface is WAN"
set firewall ipv4 forward filter rule 2 inbound-interface interface-name eth1
set firewall ipv4 forward filter rule 2 outbound-interface interface-name eth0
set firewall ipv4 forward filter rule 2 action jump
set firewall ipv4 forward filter rule 2 jump-target LAN_OUT
set firewall ipv4 forward filter rule 3 inbound-interface interface-name eth1.3
set firewall ipv4 forward filter rule 3 outbound-interface interface-name eth0
set firewall ipv4 forward filter rule 3 action jump
set firewall ipv4 forward filter rule 3 jump-target VLP_OUT
set firewall ipv4 forward filter rule 4 inbound-interface interface-name eth1.4
set firewall ipv4 forward filter rule 4 outbound-interface interface-name eth0
set firewall ipv4 forward filter rule 4 action jump
set firewall ipv4 forward filter rule 4 jump-target VLM_OUT
set firewall ipv4 forward filter rule 5 inbound-interface interface-name eth1.5
set firewall ipv4 forward filter rule 5 outbound-interface interface-name eth0
set firewall ipv4 forward filter rule 5 action jump
set firewall ipv4 forward filter rule 5 jump-target VLI_OUT
set firewall ipv4 forward filter rule 6 inbound-interface interface-name eth1.6
set firewall ipv4 forward filter rule 6 outbound-interface interface-name eth0
set firewall ipv4 forward filter rule 6 action jump
set firewall ipv4 forward filter rule 6 jump-target VLK_OUT
set firewall ipv4 forward filter rule 7 inbound-interface interface-name eth1.7
set firewall ipv4 forward filter rule 7 outbound-interface interface-name eth0
set firewall ipv4 forward filter rule 7 action jump
set firewall ipv4 forward filter rule 7 jump-target VLG_OUT
set firewall ipv4 forward filter rule 8 inbound-interface interface-name eth2
set firewall ipv4 forward filter rule 8 outbound-interface interface-name eth0
set firewall ipv4 forward filter rule 8 action jump
set firewall ipv4 forward filter rule 8 jump-target VMO_OUT

set firewall ipv4 forward filter rule 9 inbound-interface interface-name eth1.3
set firewall ipv4 forward filter rule 9 outbound-interface interface-name eth2
set firewall ipv4 forward filter rule 9 action jump
set firewall ipv4 forward filter rule 9 jump-target VL_INT

set firewall ipv4 forward filter rule 10 inbound-interface interface-name eth2
set firewall ipv4 forward filter rule 10 outbound-interface interface-name eth1.3
set firewall ipv4 forward filter rule 10 action jump
set firewall ipv4 forward filter rule 10 jump-target VL_INT

I would delete all state policies from the custom chains, and add such state policies at the very top of the forward chain (same for input):

set firewall ipv4 forward filter rule 1 state established enable
set firewall ipv4 forward filter rule 1 state related enable
set firewall ipv4 forward filter rule 1 action accept

set firewall ipv4 forward filter rule 2 state invalid enable
set firewall ipv4 forward filter rule 2 action drop
# .. Then continue with other rules

This will make the firewall config shorter and better.
Now replies from eth2 should hit this rule and be able to establish connections from eth1.3 to eth2.

  2. Remove rule 10 if you don’t want connections from eth2 to eth1.3

  3. Custom chain VL_INT basically only accepts all traffic (and drops invalid). Since in point 1 we moved state to base forward chain, you could omit using jump to VL_INT, and instead accept all connections from eth1.3 to eth2:

set firewall ipv4 forward filter rule 9 inbound-interface interface-name eth1.3
set firewall ipv4 forward filter rule 9 outbound-interface interface-name eth2
set firewall ipv4 forward filter rule 9 action accept
  4. Point 3 seems to apply to all other custom chains… You could repeat point 3 for other rules|interfaces.
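To make the reasoning in this reply concrete, here is a small Python model of the forward chain behaviour the thread is about. It is an added example and not VyOS code or anything the poster ran: it does not call nft, the connection-tracking logic is a deliberately simplified stand-in for the kernel's conntrack, and the addresses, ports and packets are constructed. Interface names (eth1.3, eth2) and the chain layouts follow the posts above. It pushes three packets through three rule sets: the poster's original rule 9 alone, rule 9 plus the rule 10 they added, and the state-first layout proposed here.

```python
"""Toy model of a VyOS 'firewall ipv4 forward filter' chain with conntrack.

Added example for this thread, NOT VyOS code: no nft is invoked. It models
only what the discussion needs: interface match, conntrack-state match, jump
into a custom chain, and default-action. Addresses and packets are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str               # "SYN" or "SYN-ACK"


@dataclass(frozen=True)
class Rule:
    action: str                      # accept | drop | jump
    in_if: Optional[str] = None      # None = any inbound interface
    out_if: Optional[str] = None     # None = any outbound interface
    states: frozenset = frozenset()  # empty = match any conntrack state
    target: Optional[str] = None     # custom chain name for "jump"


@dataclass
class Chain:
    rules: list
    default: str                     # VyOS default-action for this chain


class Conntrack:
    """Simplified conntrack: a flow is tracked once the filter chain accepts
    its first packet; replies to a tracked flow are ESTABLISHED."""
    def __init__(self):
        self.flows = set()

    def state(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.flows or \
           (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "established"
        # A SYN-ACK answering no tracked SYN is what conntrack reports as INVALID
        return "new" if p.flags == "SYN" else "invalid"

    def confirm(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))


class Forward:
    def __init__(self, base, custom):
        self.base, self.custom, self.ct = base, custom, Conntrack()

    @staticmethod
    def matches(r, p, st):
        return (r.in_if in (None, p.in_if) and r.out_if in (None, p.out_if)
                and (not r.states or st in r.states))

    def walk(self, chain, p, st):
        for r in chain.rules:
            if not self.matches(r, p, st):
                continue
            if r.action == "jump":
                v = self.walk(self.custom[r.target], p, st)
                if v == "return":        # custom chain default-action return
                    continue
                return v
            return r.action
        return chain.default

    def verdict(self, p):
        v = self.walk(self.base, p, self.ct.state(p))
        if v == "accept":
            self.ct.confirm(p)
        return v


# The poster's VL_INT chain: drop invalid, accept established/related, then accept all.
VL_INT = Chain([Rule("drop", states=frozenset({"invalid"})),
                Rule("accept", states=frozenset({"established", "related"})),
                Rule("accept")], default="drop")


def original():
    """Rule 9 only: the state rules exist solely inside VL_INT."""
    return Forward(Chain([Rule("jump", in_if="eth1.3", out_if="eth2", target="VL_INT")],
                         default="drop"), {"VL_INT": VL_INT})


def with_rule10():
    """Rule 9 plus the reverse-direction rule 10 the poster added."""
    return Forward(Chain([Rule("jump", in_if="eth1.3", out_if="eth2", target="VL_INT"),
                          Rule("jump", in_if="eth2", out_if="eth1.3", target="VL_INT")],
                         default="drop"), {"VL_INT": VL_INT})


def fixed():
    """State rules first in the base chain, then a plain eth1.3 -> eth2 accept."""
    return Forward(Chain([Rule("accept", states=frozenset({"established", "related"})),
                          Rule("drop", states=frozenset({"invalid"})),
                          Rule("accept", in_if="eth1.3", out_if="eth2")],
                         default="drop"), {})


# Constructed packets: laptop on eth1.3 opens SSH to a VM on eth2, the VM's
# SYN-ACK comes back, then a VM tries a fresh SSH connection towards the laptop.
PACKETS = [
    Packet("eth1.3", "eth2", "192.168.3.50", 40000, "192.168.11.50", 22, "SYN"),
    Packet("eth2", "eth1.3", "192.168.11.50", 22, "192.168.3.50", 40000, "SYN-ACK"),
    Packet("eth2", "eth1.3", "192.168.11.60", 50000, "192.168.3.50", 22, "SYN"),
]


def simulate(fw):
    """Verdicts for PACKETS in order, sharing one conntrack table."""
    return [fw.verdict(p) for p in PACKETS]


if __name__ == "__main__":
    for name, build in (("original", original), ("with rule 10", with_rule10), ("fixed", fixed)):
        print(f"{name:13s} {simulate(build())}")
```

The three rows reproduce the thread's outcome. With state rules only inside VL_INT the SYN-ACK never reaches them, because the jump is conditioned on inbound eth1.3, so the reply falls to the base chain's default drop. Rule 10 lets the reply through but also accepts a new connection from eth2, which is the "now I allow traffic back that I don't want" problem. Putting the established/related accept ahead of the interface-specific rules accepts the reply and still lets a new eth2-originated SYN fall through to the default drop; the invalid rule additionally drops a SYN-ACK that answers no tracked SYN. Note that the model covers the filter chain only: in the posted config eth1 is addressed 192.168.10.100/20, which overlaps the VLAN and eth2 /24 subnets, and the VLAN DHCP scopes hand out 192.168.10.100 as default-router even though it is not inside those subnets, so clients on them have no usable on-link gateway; issues of that kind show up as routing failures rather than firewall drops.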

Slightly off topic: if using fastpath offload in VyOS 1.5, should it replace rule 1 in the forward filter?

e.g.

set firewall [ipv4|ipv6] forward filter rule 1 action offload
#... more rules
set firewall ipv4 forward filter rule 2 state established enable
#... more rules
set firewall ipv4 forward filter rule 3 state invalid enable
#... more rules