Security concern for two firewall rules

Hi there,

These days I am getting to know VyOS in a little more detail.

I managed to do what I wanted; however, I wonder about the security of two of my firewall rules.

I have set up an ipsec/ikev2 VPN with the following configuration:

set ipsec disable-uniqreqids
set ipsec esp-group ESP-RW compression 'disable'
set ipsec esp-group ESP-RW lifetime '3600'
set ipsec esp-group ESP-RW pfs 'disable'
set ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128'
set ipsec esp-group ESP-RW proposal 10 hash 'sha256'

set ipsec ike-group IKE-RW key-exchange 'ikev2'
set ipsec ike-group IKE-RW lifetime '7200'
set ipsec ike-group IKE-RW mobike 'enable'
set ipsec ike-group IKE-RW proposal 10 dh-group '14'
set ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
set ipsec ike-group IKE-RW proposal 10 hash 'sha256'

set ipsec remote-access connection rw authentication client-mode 'eap-mschapv2'
set ipsec remote-access connection rw authentication id 'xxx.xxx.181.223'
set ipsec remote-access connection rw authentication local-users username xxxxxx password 'xxxxxx'
set ipsec remote-access connection rw authentication server-mode 'x509'
set ipsec remote-access connection rw authentication x509 ca-certificate 'VPN'
set ipsec remote-access connection rw authentication x509 certificate 'VPN'
set ipsec remote-access connection rw esp-group 'ESP-RW'
set ipsec remote-access connection rw ike-group 'IKE-RW'
set ipsec remote-access connection rw local-address 'xxx.xxx.255.6'
set ipsec remote-access connection rw pool 'ra-rw-ipv4'
set ipsec remote-access pool ra-rw-ipv4 name-server 'xxx.xxx.9.9'
set ipsec remote-access pool ra-rw-ipv4 name-server 'xxx.xxx.112.112'
set ipsec remote-access pool ra-rw-ipv4 prefix 'xxx.xxx.128.128/25'

For the clients to be able to browse the internet, I have the following NAT rules:

set source rule 200 outbound-interface 'eth0'
set source rule 200 source address 'xxx.xxx.128.128/25'
set source rule 200 translation address 'masquerade'


set source rule 13 outbound-interface 'eth0'
set source rule 13 source address 'xxx.xxx.13.0/24'
set source rule 13 translation address 'masquerade'

And the following firewall rule sets and zones:

set name GUEST-LAN default-action 'drop'
set name GUEST-LOCAL default-action 'drop'
set name GUEST-WAN default-action 'accept'

set name LAN-GUEST default-action 'drop'
set name LAN-LOCAL default-action 'accept'
set name LAN-WAN default-action 'accept'

set name LOCAL-GUEST default-action 'accept'
set name LOCAL-LAN default-action 'accept'
set name LOCAL-WAN default-action 'accept'

set name WAN-GUEST default-action 'drop'
set name WAN-GUEST rule 5 action 'accept'
set name WAN-GUEST rule 5 state established 'enable'
set name WAN-GUEST rule 5 state related 'enable'

set name WAN-LAN default-action 'drop'
set name WAN-LAN rule 5 action 'accept'
set name WAN-LAN rule 5 state established 'enable'
set name WAN-LAN rule 5 state related 'enable'
set name WAN-LAN rule 10 action 'accept'
set name WAN-LAN rule 10 destination address 'xxx.xxx.64.0/24'
set name WAN-LAN rule 10 ipsec match-ipsec
set name WAN-LAN rule 10 source address 'xxx.xxx.128.128/25'

set name WAN-LOCAL default-action 'drop'
set name WAN-LOCAL enable-default-log
set name WAN-LOCAL rule 5 action 'accept'
set name WAN-LOCAL rule 5 state established 'enable'
set name WAN-LOCAL rule 5 state related 'enable'
set name WAN-LOCAL rule 20 action 'accept'
set name WAN-LOCAL rule 20 protocol 'icmp'
set name WAN-LOCAL rule 20 state new 'enable'
set name WAN-LOCAL rule 30 action 'drop'
set name WAN-LOCAL rule 30 destination port '22'
set name WAN-LOCAL rule 30 protocol 'tcp'
set name WAN-LOCAL rule 30 recent count '4'
set name WAN-LOCAL rule 30 recent time 'minute'
set name WAN-LOCAL rule 30 state new 'enable'
set name WAN-LOCAL rule 31 action 'accept'
set name WAN-LOCAL rule 31 destination port '22'
set name WAN-LOCAL rule 31 protocol 'tcp'
set name WAN-LOCAL rule 31 state new 'enable'
set name WAN-LOCAL rule 40 action 'accept'
set name WAN-LOCAL rule 40 protocol 'esp'
set name WAN-LOCAL rule 41 action 'accept'
set name WAN-LOCAL rule 41 destination port '500'
set name WAN-LOCAL rule 41 protocol 'udp'
set name WAN-LOCAL rule 42 action 'accept'
set name WAN-LOCAL rule 42 destination port '4500'
set name WAN-LOCAL rule 42 protocol 'udp'

set zone GUEST default-action 'drop'
set zone GUEST from LAN firewall name 'LAN-GUEST'
set zone GUEST from LOCAL firewall name 'LOCAL-GUEST'
set zone GUEST from WAN firewall name 'WAN-GUEST'
set zone GUEST interface 'br0.13'

set zone LAN default-action 'drop'
set zone LAN from GUEST firewall name 'GUEST-LAN'
set zone LAN from LOCAL firewall name 'LOCAL-LAN'
set zone LAN from WAN firewall name 'WAN-LAN'
set zone LAN interface 'br0'

set zone LOCAL default-action 'drop'
set zone LOCAL from GUEST firewall name 'GUEST-LOCAL'
set zone LOCAL from LAN firewall name 'LAN-LOCAL'
set zone LOCAL from WAN firewall name 'WAN-LOCAL'
set zone LOCAL local-zone

set zone WAN default-action 'drop'
set zone WAN from GUEST firewall name 'GUEST-WAN'
set zone WAN from LAN firewall name 'LAN-WAN'
set zone WAN from LOCAL firewall name 'LOCAL-WAN'
set zone WAN interface 'eth0'

set zone GUEST default-action 'drop'
set zone GUEST from LAN firewall name 'LAN-GUEST'
set zone GUEST from LOCAL firewall name 'LOCAL-GUEST'
set zone GUEST from WAN firewall name 'WAN-GUEST'
set zone GUEST interface 'br0.13'

set zone LAN default-action 'drop'
set zone LAN from GUEST firewall name 'GUEST-LAN'
set zone LAN from LOCAL firewall name 'LOCAL-LAN'
set zone LAN from WAN firewall name 'WAN-LAN'
set zone LAN interface 'br0'

set zone LOCAL default-action 'drop'
set zone LOCAL from GUEST firewall name 'GUEST-LOCAL'
set zone LOCAL from LAN firewall name 'LAN-LOCAL'
set zone LOCAL from WAN firewall name 'WAN-LOCAL'
set zone LOCAL local-zone

set zone WAN default-action 'drop'
set zone WAN from GUEST firewall name 'GUEST-WAN'
set zone WAN from LAN firewall name 'LAN-WAN'
set zone WAN from LOCAL firewall name 'LOCAL-WAN'
set zone WAN interface 'eth0'

My first question: is rule 10 of the “WAN-LAN” rule set safe? Is there no risk that someone who is not connected through the VPN can reach the LAN via it? Its purpose is to let my road-warrior clients reach the local network. To make sure I understand correctly: is all VPN traffic treated as external (WAN) rather than local?

Second question: is VLAN 13 well isolated from everything else?

Thanks in advance