When I set a destination-address on a firewall rule, the rule stops accepting packets and they hit my deny rule 999. If I remove the destination address, the rule performs as expected and I can reach the host. What am I doing wrong please? This is a VyOS 1.3 instance with three VIFs; I have also tried VyOS 1.4.
Monitor interface shows the packet being sent to the destination server. If I change the IP address, there is no difference. If I set a source or port, there is also no difference. I observe the same behaviour on other protocols. Below are the only firewall rules on this router. If I set a generic rule 5 with a destination 10.3.0.3 and an action accept, I face the same issue.
set interfaces ethernet eth1 vif 3 firewall in name 'eth1.v3inbound'
set firewall name eth1.v3inbound default-action 'drop'
set firewall name eth1.v3inbound enable-default-log
set firewall name eth1.v3inbound rule 10 action 'accept'
set firewall name eth1.v3inbound rule 10 log 'enable'
set firewall name eth1.v3inbound rule 10 protocol 'icmp'
set firewall name eth1.v3inbound rule 11 action 'accept'
set firewall name eth1.v3inbound rule 11 destination address '10.3.0.3'
set firewall name eth1.v3inbound rule 11 protocol 'tcp'
set firewall name eth1.v3inbound rule 999 action 'drop'
set firewall name eth1.v3inbound rule 999 destination address '10.0.0.0/8'
set firewall name eth1.v3inbound rule 1000 action 'accept'
set firewall name eth1.v3inbound rule 1000 destination address '0.0.0.0/0'
Hello 16again - thank you, I’ve just tried a /32 and no change unfortunately. No DNAT in place, only SNAT for outbound internet. The source host is inside another VIF on the VyOS; would that require NAT?
Bingo and thank you. If I add a return rule on the same interface, it works as expected. It would appear that the outbound packet is not blocked, but the return is.
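The behaviour described in the thread follows from the ruleset being stateless: the connection leaves through eth1.3 with no "out" ruleset attached, but the reply arrives on eth1.3 with the original source host (another 10.x VIF) as its destination. That reply matches neither rule 11 (destination 10.3.0.3) nor rule 10 (ICMP only), so it falls through to rule 999 and is dropped. Without the destination address on rule 11, every TCP packet, replies included, is accepted, which is why the rule appeared to "work". The usual fix is one stateful rule that accepts established and related traffic ahead of rule 999, rather than a per-destination return rule for each host. The configuration below is an added example and is not from the original post; it uses the ruleset name from the thread and VyOS 1.3 syntax, and rule numbers 5 and 6 are arbitrary choices that only need to sort before 999.

```vyos
# Added example, not part of the thread. VyOS 1.3 syntax; ruleset name taken
# from the post, rule numbers 5 and 6 chosen here so they evaluate before 999.
configure

# Accept replies to connections that conntrack already knows about, regardless
# of which VIF or host they are addressed to. This covers the return traffic
# that rule 999 was dropping.
set firewall name eth1.v3inbound rule 5 action 'accept'
set firewall name eth1.v3inbound rule 5 description 'return traffic for existing connections'
set firewall name eth1.v3inbound rule 5 state established 'enable'
set firewall name eth1.v3inbound rule 5 state related 'enable'

# Drop packets conntrack considers invalid (bad TCP state, stray ACKs) and log
# them, so they never reach the stateless accept rules further down.
set firewall name eth1.v3inbound rule 6 action 'drop'
set firewall name eth1.v3inbound rule 6 description 'drop invalid state'
set firewall name eth1.v3inbound rule 6 log 'enable'
set firewall name eth1.v3inbound rule 6 state invalid 'enable'

# Rule 11 keeps its destination address: it now only has to match the first
# packet of a new connection to 10.3.0.3, which is the intended policy.
set firewall name eth1.v3inbound rule 11 state new 'enable'

commit
save
exit
```

After committing, `show firewall name eth1.v3inbound` lists the rules in evaluation order and their hit counters, and `show conntrack table ipv4` shows the tracked connections that rule 5 is accepting replies for. A global alternative in 1.3 is `set firewall state-policy established action 'accept'` (and the same for `related`), which applies to every ruleset at once; on 1.4 the same rules live under `set firewall ipv4 name eth1.v3inbound ...`. Adding `state new` to the explicit accept rules, as done for rule 11 above, is what turns a destination-based rule into a stateful one: it admits only connection openings to the listed host while rule 5 handles the replies.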