[SOLVED] VyOS 1.3 -> 1.5-2025-Q2 Strange Migration Problem

Hi,

I’m setting up a new router with 1.5-2025-Q2 and manually migrating the config from 1.3. This is a generic zone-based firewall setup, WAN / DMZ / INT. I’m stuck at the very beginning: ping/traffic router-router local ↔ wan doesn’t work with the rules I took from 1.3. Only a few basic rules have been ported so far.
Is it possible that “set firewall zone zone-wan member interface eth0,eth1” is accepted by the parser but is not correct?

Ping doesn’t work even to the gateway IP.

What am I missing? Thanks in advance.


set firewall global-options all-ping enable
set interfaces ethernet eth0 address 'xx.xx.xx.x2/30'
set protocols static route 0.0.0.0/0 next-hop 'xx.xx.xx.x1' distance 10

ping from router to 8.8.8.8 OK

set interfaces ethernet eth1 address 'yy.yy.yy.yy9/24'
set interfaces ethernet eth2 address '192.168.1.1/24'
set interfaces ethernet eth3 address '192.168.0.1/24'
set protocols static route 0.0.0.0/0 next-hop 'yy.yy.yy.yy4' distance 100

ping from router to 8.8.8.8 OK

set firewall zone zone-router-local local-zone
set firewall zone zone-wan member interface eth0,eth1
set firewall zone zone-dmz member interface eth2
set firewall zone zone-int member interface eth3

ping 8.8.8.8 halted

set firewall ipv4 name fw-rt2wan default-action drop
set firewall ipv4 name fw-rt2wan rule 20 action drop
set firewall ipv4 name fw-rt2wan rule 20 state invalid
set firewall ipv4 name fw-rt2wan rule 21 action accept
set firewall ipv4 name fw-rt2wan rule 21 state established
set firewall ipv4 name fw-rt2wan rule 21 state related
set firewall ipv4 name fw-rt2wan rule 21 protocol all
set firewall ipv4 name fw-rt2wan rule 22 action accept
set firewall ipv4 name fw-rt2wan rule 22 protocol all
set firewall zone zone-wan from zone-router-local firewall name fw-rt2wan

set firewall ipv4 name fw-wan2rt default-action drop
set firewall ipv4 name fw-wan2rt rule 50 action drop
set firewall ipv4 name fw-wan2rt rule 50 state invalid
set firewall ipv4 name fw-wan2rt rule 51 action accept
set firewall ipv4 name fw-wan2rt rule 51 state established
set firewall ipv4 name fw-wan2rt rule 51 state related
set firewall ipv4 name fw-wan2rt rule 51 protocol all
set firewall ipv4 name fw-wan2rt rule 52 action 'accept'
set firewall ipv4 name fw-wan2rt rule 52 protocol 'icmp'
set firewall zone zone-router-local from zone-wan firewall name fw-wan2rt

Yes, the correct syntax is:
set firewall zone zone-wan member interface eth0
set firewall zone zone-wan member interface eth1

Please fix the parser. Thanks!

Please file this as a ticket over at https://vyos.dev
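
A pre-commit check for the mistake discussed in this thread, as an added example that is not part of the original posts or of VyOS itself: it scans a config given as `set` commands (such as the output of `show configuration commands`) and flags zone member values like `eth0,eth1`, then lists interfaces that ended up in no zone. The function name `lint_zone_members` and the sample config are constructed for illustration, and the interface-name extraction is a simplification that ignores sub-interfaces.

```python
import re

# Constructed sample in the style of the thread's config (addresses are placeholders).
SAMPLE = """\
set interfaces ethernet eth0 address 'xx.xx.xx.x2/30'
set interfaces ethernet eth1 address 'yy.yy.yy.yy9/24'
set interfaces ethernet eth2 address '192.168.1.1/24'
set interfaces ethernet eth3 address '192.168.0.1/24'
set firewall zone zone-router-local local-zone
set firewall zone zone-wan member interface eth0,eth1
set firewall zone zone-dmz member interface eth2
set firewall zone zone-int member interface eth3
"""

IFACE_DEF = re.compile(r"^set interfaces \S+ (\S+)")
ZONE_MEMBER = re.compile(r"^set firewall zone (\S+) member interface (\S+)")


def lint_zone_members(config_text):
    """Return (findings, unzoned).

    findings: (line_no, zone, value, reason) for each suspicious member value.
    unzoned:  sorted names of defined interfaces that no zone validly contains.
    """
    lines = [line.strip() for line in config_text.splitlines()]
    # First pass: collect every interface name defined under 'set interfaces'.
    defined = {m.group(1).strip("'\"") for m in map(IFACE_DEF.match, lines) if m}
    members, findings = set(), []
    # Second pass: validate each zone member against the defined interfaces.
    for line_no, line in enumerate(lines, 1):
        m = ZONE_MEMBER.match(line)
        if not m:
            continue
        zone, value = m.group(1), m.group(2).strip("'\"")
        if "," in value:
            findings.append((line_no, zone, value,
                             "comma-separated list; use one line per interface"))
        elif value not in defined:
            findings.append((line_no, zone, value,
                             "not defined under 'set interfaces'"))
        else:
            members.add(value)
    return findings, sorted(defined - members)


if __name__ == "__main__":
    findings, unzoned = lint_zone_members(SAMPLE)
    for line_no, zone, value, reason in findings:
        print(f"line {line_no}: zone {zone}: '{value}': {reason}")
    print("interfaces in no zone:", ", ".join(unzoned) or "none")
```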
