Controlling VLAN-tagged packets with an L2 firewall



I am trying to build an L2 firewall in VyOS.
The packets passing through VyOS are VLAN-tagged.
Packets without a tag I was able to control.
However, packets that carry a tag could not be controlled; they pass straight through the FW.

The following commands were used for the setup:

$ configure
set interfaces bridge br0
set interfaces ethernet eth0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
set firewall name L2FW default-action drop
set firewall name L2FW rule 100 action drop
set interfaces bridge br0 firewall in name L2FW




What would be the best thing to do?


Using a bridge puts both interfaces in the same Layer 2 domain. If you want separation between two different physical network VLANs, then keep each interface separate and put a firewall between them. The firewall you have will only filter traffic that is arriving at the ingress of br0, which is the bridge, or combined interface, of eth0 and eth1.
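The behaviour the question describes (untagged IP is dropped, tagged IP sails through) is what happens whenever a filter locates the IP header at a fixed offset and does not peel the 802.1Q tag: on a tagged frame the EtherType field at byte 12 reads 0x8100 instead of 0x0800, so the frame is "not IP" as far as the filter can tell and is not inspected. The following is an added example, not code from the original thread or from VyOS; it builds two constructed frames, one untagged and one tagged with VLAN 100, and runs them through a tag-unaware and a tag-aware filter that both implement the same policy as the L2FW above (drop all IPv4). The MAC and IP addresses are invented test data.

```python
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100  # TPID of an 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left at 0). Constructed test data."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def build_frame(dst_mac: str, src_mac: str, payload: bytes, vlan_id=None) -> bytes:
    """Ethernet II frame around an IPv4 payload, optionally with one 802.1Q tag inserted."""
    header = mac(dst_mac) + mac(src_mac)
    if vlan_id is not None:
        # TPID 0x8100 followed by the TCI; PCP and DEI are left at 0, VID is the low 12 bits.
        header += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    header += struct.pack("!H", ETHERTYPE_IPV4)
    return header + payload


def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header and peel a single 802.1Q tag if one is present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18  # inner EtherType now describes the payload
    return {"dst": dst, "src": src, "vlan_id": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def tag_unaware_filter(frame: bytes) -> str:
    """Policy 'drop all IPv4', but it reads EtherType at the fixed offset 12 only.
    A tagged frame shows 0x8100 there, is treated as non-IP, and is passed uninspected."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return "drop" if ethertype == ETHERTYPE_IPV4 else "pass"


def tag_aware_filter(frame: bytes) -> str:
    """Same policy, but the tag is peeled first so the inner EtherType is what gets matched."""
    return "drop" if parse_frame(frame)["ethertype"] == ETHERTYPE_IPV4 else "pass"


# Constructed sample frames: identical IPv4 payload, with and without a VLAN 100 tag.
PAYLOAD = build_ipv4_header("192.0.2.10", "198.51.100.20")
UNTAGGED = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", PAYLOAD)
TAGGED = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", PAYLOAD, vlan_id=100)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        eth = parse_frame(frame)
        print(f"{name:9s} vlan={eth['vlan_id']} inner_ethertype=0x{eth['ethertype']:04x} "
              f"tag-unaware={tag_unaware_filter(frame)} tag-aware={tag_aware_filter(frame)}")
```

The tag-unaware filter reports "drop" for the untagged frame and "pass" for the tagged one, while the tag-aware filter drops both, which is the difference the question observed. On a Linux bridge that is filtered through iptables (br_netfilter), the kernel only hands 802.1Q-tagged frames to the IP filter when the sysctl net.bridge.bridge-nf-filter-vlan-tagged is set to 1; with it at 0 tagged frames bypass the rules in exactly this way, so that is the first setting to check on the box before redesigning the topology.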