Hello,
I have tried switching from OPNsense to VyOS for a second time and again, something fails.
The first time I tried, it worked for a few days, then suddenly I had issues getting DHCP replies and some devices stopped communicating on the network. My only solution was to return to OPNsense, since I couldn’t get it running smoothly.
This time, my config is close to the first and I can’t get it working at all. I can ping and resolve everything from the VyOS device itself, but clients have serious issues and I don’t quite understand why.
Ping works from VyOS Device to anywhere
Pings to almost all websites do not work; some do.
Ping to Fritzbox (WAN Router) works.
My setup is like this:
Clients → managed but not configured switch → VyOS (DHCP: 192.168.11.0/24) on ETH0 → Fritzbox (192.168.10.10) on ETH1 → WWW
No VLANs
Version: 1.5-rolling-202412060007
When I looked at the ARP cache, almost all outside addresses showed “FAILED” or “UNREACHABLE”.
container {
    /* Currently disabled. The image tag "latest" is unpinned — pin a version or digest so the deployed resolver is reproducible and auditable. allow-host-networks shares the host's network namespace, so once enabled the container's listeners are presumably bound on every router interface and governed only by the *_to_LOCAL rulesets */
    name AdGuard {
        allow-host-networks
        disable
        image "adguard/adguardhome:latest"
        volume work {
            destination "/opt/adguardhome/conf"
            source "/config/containers/adguard"
        }
    }
}
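firewall {
    /* Kernel-level toggles that apply regardless of the zone rulesets below */
    global-options {
        all-ping "enable"
        /* Changed from "enable": accepting source-routed IPv4 packets lets a sender dictate the forwarding path through this router; nothing else in this config depends on it */
        ip-src-route "disable"
        log-martians "enable"
        syn-cookies "enable"
        twa-hazards-protection "disable"
    }
    ipv4 {
        /* IOT -> LAN: only replies to sessions the LAN opened */
        name IOT_to_LAN {
            default-action "drop"
            default-log
            rule 10 {
                action "accept"
                description "allow return traffic from LAN"
                state "related"
                state "established"
            }
            rule 11 {
                action "drop"
                description "drop invalid packets"
                state "invalid"
            }
        }
        /* IOT -> router. No default-action is set, so this relies on VyOS's implicit default for a named ruleset (presumably drop — verify). DNS to the router is allowed, but this snapshot runs no resolver on it: service dns is empty and the AdGuard container is disabled */
        name IOT_to_LOCAL {
            rule 200 {
                action "accept"
                description "allow DNS"
                destination {
                    port "53"
                }
                protocol "tcp_udp"
            }
        }
        name IOT_to_MGMT {
            default-action "drop"
        }
        /* IOT -> Internet: HTTPS only; no DNS, so IOT clients depend on the router for name resolution (see IOT_to_LOCAL) */
        name IOT_to_WAN {
            default-action "drop"
            default-log
            rule 300 {
                action "accept"
                description "allow HTTPS to Internet from IOT"
                destination {
                    port "443"
                }
                protocol "tcp_udp"
            }
        }
        name LAN_to_IOT {
            default-action "accept"
        }
        /* LAN -> router: default-action is accept, so rules 50-800 only add per-service logging; rule 1000 (address-mask 0.0.0.0 with no address) presumably matches any destination and is redundant with the default */
        name LAN_to_LOCAL {
            default-action "accept"
            default-log
            rule 50 {
                action "accept"
                description "allow DHCP"
                destination {
                    port "67-68"
                }
                log
                protocol "udp"
                source {
                    port "67-68"
                }
            }
            rule 100 {
                action "accept"
                description "allow ping"
                icmp {
                    type-name "echo-request"
                }
                log
            }
            rule 200 {
                action "accept"
                description "allow DNS"
                destination {
                    port "53"
                }
                log
                protocol "tcp_udp"
            }
            rule 800 {
                action "accept"
                description "allow SSH from LAN"
                destination {
                    port "22"
                }
                log
                protocol "tcp"
            }
            rule 1000 {
                action "accept"
                description "allow traffic to Internet"
                destination {
                    address-mask "0.0.0.0"
                }
                log
            }
        }
        name LAN_to_MGMT {
            default-action "drop"
        }
        /* LAN -> Internet: everything allowed; rule 1000 exists only to log */
        name LAN_to_WAN {
            default-action "accept"
            default-log
            rule 1000 {
                action "accept"
                description "allow all from LAN to INTERNET"
                log
            }
        }
        name LOCAL_to_IOT {
            default-action "accept"
        }
        name LOCAL_to_LAN {
            default-action "accept"
            default-log
        }
        name LOCAL_to_MGMT {
            default-action "accept"
        }
        name LOCAL_to_WAN {
            default-action "accept"
            default-log
        }
        name MGMT_to_IOT {
            default-action "accept"
        }
        name MGMT_to_LAN {
            default-action "accept"
        }
        name MGMT_to_LOCAL {
            default-action "accept"
            default-log
        }
        name MGMT_to_WAN {
            default-action "accept"
        }
        /* WAN -> IOT: no default-action set (implicit default, presumably drop — verify); only returns pass */
        name WAN_to_IOT {
            rule 10 {
                action "accept"
                description "allow return traffic from Internet to IOT"
                state "established"
                state "related"
            }
            rule 11 {
                action "drop"
                description "drop invalid"
                state "invalid"
            }
        }
        /* WAN -> LAN: default-action is "accept", so any new connection arriving on eth1 is forwarded into the LAN — rule 10 merely logs returns and rule 11 drops invalid packets. Unless the Fritzbox-side network is fully trusted, set default-action "drop" here and keep rule 10 as the return path */
        name WAN_to_LAN {
            default-action "accept"
            default-log
            rule 10 {
                action "accept"
                description "allow return traffic from Internet to LAN"
                log
                state "established"
                state "related"
            }
            rule 11 {
                action "drop"
                description "drop invalid"
                log
                state "invalid"
            }
        }
        /* WAN -> router: same pattern as WAN_to_LAN; with default-action "accept" router services such as SSH on port 22 and NTP are reachable from the eth1 side. Recommended: default-action "drop" */
        name WAN_to_LOCAL {
            default-action "accept"
            default-log
            rule 10 {
                action "accept"
                description "allow established/related traffic"
                log
                state "established"
                state "related"
            }
            rule 11 {
                action "drop"
                description "drop traffic with invalid packets"
                log
                state "invalid"
            }
        }
        name WAN_to_MGMT {
            default-action "drop"
        }
    }
    /* Bound to "eth0.20", but no vif 20 is defined under interfaces ethernet eth0 in this config and the post says no VLANs are in use — presumably a leftover; confirm whether this zone is wanted */
    zone IOT {
        default-action "drop"
        default-log
        from LAN {
            firewall {
                name "LAN_to_IOT"
            }
        }
        from LOCAL {
            firewall {
                name "LOCAL_to_IOT"
            }
        }
        from MGMT {
            firewall {
                name "MGMT_to_IOT"
            }
        }
        from WAN {
            firewall {
                name "WAN_to_IOT"
            }
        }
        interface "eth0.20"
    }
    /* No default-action set; every other zone has an explicit "from" entry, so the zone default (presumably drop) would only apply to traffic from an unlisted zone */
    zone LAN {
        default-log
        from IOT {
            firewall {
                name "IOT_to_LAN"
            }
        }
        from LOCAL {
            firewall {
                name "LOCAL_to_LAN"
            }
        }
        from MGMT {
            firewall {
                name "MGMT_to_LAN"
            }
        }
        from WAN {
            firewall {
                name "WAN_to_LAN"
            }
        }
        interface "eth0"
    }
    /* local-zone: the rulesets here govern traffic addressed to the router itself */
    zone LOCAL {
        from IOT {
            firewall {
                name "IOT_to_LOCAL"
            }
        }
        from LAN {
            firewall {
                name "LAN_to_LOCAL"
            }
        }
        from MGMT {
            firewall {
                name "MGMT_to_LOCAL"
            }
        }
        from WAN {
            firewall {
                name "WAN_to_LOCAL"
            }
        }
        local-zone
    }
    zone MGMT {
        description "Allow Access to Firewall from SECURE PORT ETH2 (ETH3 on DEVICE)"
        from IOT {
            firewall {
                name "IOT_to_MGMT"
            }
        }
        from LAN {
            firewall {
                name "LAN_to_MGMT"
            }
        }
        from LOCAL {
            firewall {
                name "LOCAL_to_MGMT"
            }
        }
        from WAN {
            firewall {
                name "WAN_to_MGMT"
            }
        }
        interface "eth2"
    }
    /* Upstream side (eth1 toward the Fritzbox) */
    zone WAN {
        default-action "drop"
        default-log
        from IOT {
            firewall {
                name "IOT_to_WAN"
            }
        }
        from LAN {
            firewall {
                name "LAN_to_WAN"
            }
        }
        from LOCAL {
            firewall {
                name "LOCAL_to_WAN"
            }
        }
        from MGMT {
            firewall {
                name "MGMT_to_WAN"
            }
        }
        interface "eth1"
    }
}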
interfaces {
    /* LAN side; the DHCP scope 192.168.11.0/24 lives here. The hw-id prefix bc:24:11 is the OUI Proxmox VE assigns to virtual NICs, so this is presumably a VM. NOTE(review): gro/gso/tso offload on a virtual NIC is a common suspect when the router itself has connectivity but clients behind it only partly do — confirm by temporarily removing tso/gso and retesting */
    ethernet eth0 {
        address "192.168.11.1/24"
        description "LAN"
        hw-id "bc:24:11:7a:16:ee"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    /* "WAN" is actually the Fritzbox's LAN (192.168.10.0/24); this router sits behind the Fritzbox, presumably double-NATed */
    ethernet eth1 {
        address "192.168.10.2/24"
        description "WAN"
        hw-id "bc:24:11:64:71:fb"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    /* Management port, no offload configured */
    ethernet eth2 {
        address "172.100.200.1/24"
        description "MGMT"
        hw-id "bc:24:11:1c:39:b8"
    }
    loopback lo {
    }
}
nat {
    source {
        /* Masquerade the LAN behind eth1's address toward the Fritzbox */
        rule 11 {
            outbound-interface {
                name "eth1"
            }
            protocol "all"
            source {
                address "192.168.11.0/24"
            }
            translation {
                address "masquerade"
            }
        }
        /* 192.168.20.0/24 is not configured on any interface in this snapshot (the IOT zone names eth0.20, which has no vif) — presumably stale */
        rule 20 {
            description "IOT"
            outbound-interface {
                name "eth1"
            }
            protocol "all"
            source {
                address "192.168.20.0/24"
            }
            translation {
                address "masquerade"
            }
        }
    }
}
protocols {
    static {
        /* Default route toward the Fritzbox (192.168.10.10) out of eth1; both the interface and the next-hop form are given */
        route 0.0.0.0/0 {
            interface eth1 {
            }
            next-hop 192.168.10.10 {
            }
        }
    }
}
service {
    /* Hands clients 192.168.11.1 as gateway and the Fritzbox as DNS, so client name resolution crosses LAN_to_WAN rather than touching the router */
    dhcp-server {
        dynamic-dns-update
        hostfile-update
        shared-network-name berts.local {
            authoritative
            option {
            }
            subnet 192.168.11.0/24 {
                option {
                    default-router "192.168.11.1"
                    name-server "192.168.10.10"
                }
                range clients {
                    start "192.168.11.120"
                    stop "192.168.11.199"
                }
                subnet-id "1"
            }
        }
    }
    /* Empty: no forwarder on the router, so the "allow DNS" rules toward LOCAL have nothing to reach unless the AdGuard container is enabled */
    dns {
    }
    /* "interface all" already covers eth0 and eth2; it presumably includes eth1 too, so LLDP advertises the hostname and management address toward the Fritzbox side — restrict if that is unwanted */
    lldp {
        interface all {
        }
        interface eth0 {
        }
        interface eth2 {
        }
        management-address "192.168.11.1"
    }
    /* Time service offered only to loopback, link-local, RFC 1918 and ULA ranges; one upstream server */
    ntp {
        allow-client {
            address "127.0.0.0/8"
            address "169.254.0.0/16"
            address "10.0.0.0/8"
            address "172.16.0.0/12"
            address "192.168.0.0/16"
            address "::1/128"
            address "fe80::/10"
            address "fc00::/7"
        }
        server 192.53.103.108 {
        }
    }
    /* Default port; reachable from whichever zones' *_to_LOCAL rulesets permit it — WAN_to_LOCAL currently defaults to accept */
    ssh {
        port "22"
    }
}
system {
    config-management {
        commit-revisions "100"
    }
    /* Connection-tracking helpers (ALGs) parse application payloads in the kernel and open related flows; each one enabled is extra attack surface — keep only those actually needed */
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sqlnet
        }
    }
    console {
        device ttyS0 {
            speed "115200"
        }
    }
    host-name "VyOSFW"
    /* Hash shown as "*" — presumably redacted for the post; a literal "*" would disable password login for this user */
    login {
        user xxxx {
            authentication {
                encrypted-password "*"
            }
        }
    }
    /* Router's own resolver is the Fritzbox, same as the DHCP clients get */
    name-server "192.168.10.10"
    option {
        keyboard-layout "de"
        /* Outbound SSH from the router sources from the LAN address */
        ssh-client {
            source-interface "eth0"
        }
        time-format "24-hour"
    }
    /* local7 at debug, everything else at info */
    syslog {
        global {
            facility all {
                level "info"
            }
            facility local7 {
                level "debug"
            }
        }
    }
    time-zone "Europe/Berlin"
}
// Warning: Do not remove the following line.
// vyos-config-version: "bgp@5:broadcast-relay@1:cluster@2:config-management@1:conntrack@5:conntrack-sync@2:container@2:dhcp-relay@2:dhcp-server@11:dhcpv6-server@6:dns-dynamic@4:dns-forwarding@4:firewall@17:flow-accounting@1:https@7:ids@1:interfaces@33:ipoe-server@4:ipsec@13:isis@3:l2tp@9:lldp@2:mdns@1:monitoring@1:nat@8:nat66@3:ntp@3:openconnect@3:openvpn@4:ospf@2:pim@1:policy@8:pppoe-server@11:pptp@5:qos@3:quagga@11:reverse-proxy@2:rip@1:rpki@2:salt@1:snmp@3:ssh@2:sstp@6:system@28:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.5-rolling-202412060007