Traffic originating in local zone is blocked by default action

Hello,

Having issues sending traffic from the local zone (VyOS itself) to anywhere else. I realized this issue when trying to download Docker images and saw DNS lookups failing. Why would traffic originating in the local zone be blocked by the local zone, and how do I fix this so that I can send/receive traffic from the VyOS router itself?

My understanding is that if I have the firewall LOCAL-WAN2 which is default-action accept, this traffic should make it out… What am I missing here, and how do I ensure the router can send traffic from itself…

vyos@vyos:~$ sh ver
Version:          VyOS 1.5-rolling-202404181746
Release train:    current

Built by:         autobuild@vyos.net
Built on:         Thu 18 Apr 2024 20:08 UTC
Build UUID:       a552d819-47ab-4034-918e-95e270b4f1e6
Build commit ID:  67511ae3bfc3fc

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  Supermicro
Hardware model:   A1SAi
Hardware S/N:     123456789
Hardware UUID:    Unknown

Copyright:        VyOS maintainers and contributors
vyos@vyos:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 173.14.xx.213 icmp_seq=1 Destination Port Unreachable
From 173.14.xx.213 icmp_seq=2 Destination Port Unreachable
From 173.14.xx.213 icmp_seq=3 Destination Port Unreachable
From 173.14.xx.213 icmp_seq=4 Destination Port Unreachable
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3059ms

vyos@vyos:~$ sudo dmesg -t | grep 8.8.8.8
[-zone_LOCAL-default-R]IN= OUT=WAN2-STATIC SRC=173.14.xx.213 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=55520 DF PROTO=ICMP TYPE=8 CODE=0 ID=60594 SEQ=1
[-zone_LOCAL-default-R]IN= OUT=WAN2-STATIC SRC=173.14.xx.213 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56450 DF PROTO=ICMP TYPE=8 CODE=0 ID=60594 SEQ=2
[-zone_LOCAL-default-R]IN= OUT=WAN2-STATIC SRC=173.14.xx.213 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=57292 DF PROTO=ICMP TYPE=8 CODE=0 ID=60594 SEQ=3
[-zone_LOCAL-default-R]IN= OUT=WAN2-STATIC SRC=173.14.xx.213 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=57897 DF PROTO=ICMP TYPE=8 CODE=0 ID=60594 SEQ=4
set firewall zone LOCAL default-action 'reject'
set firewall zone LOCAL default-log
set firewall zone LOCAL description 'LOCAL THIS DEVICE'
set firewall zone LOCAL from ADMIN firewall name 'ADMIN-LOCAL'
set firewall zone LOCAL from DMZ firewall name 'DMZ-LOCAL'
set firewall zone LOCAL from LAB firewall name 'LAB-LOCAL'
set firewall zone LOCAL from WAN1 firewall name 'WAN1-LOCAL'
set firewall zone LOCAL from WAN2 firewall name 'WAN2-LOCAL'
set firewall zone LOCAL local-zone

set firewall zone WAN2 default-action 'reject'
set firewall zone WAN2 default-log
set firewall zone WAN2 description 'WAN2 OUTBOUND'
set firewall zone WAN2 from ADMIN firewall name 'ADMIN-WAN2'
set firewall zone WAN2 from DMZ firewall name 'DMZ-WAN2'
set firewall zone WAN2 from LAB firewall name 'LAB-WAN2'
set firewall zone WAN2 from LOCAL firewall name 'LOCAL-WAN2'
set firewall zone WAN2 interface 'eth1'

set firewall ipv4 name LOCAL-WAN2 default-action 'accept'
set firewall ipv4 name LOCAL-WAN2 description 'From LOCAL to WAN2'

set firewall ipv4 name WAN2-LOCAL default-action 'drop'
set firewall ipv4 name WAN2-LOCAL default-log
set firewall ipv4 name WAN2-LOCAL description 'From WAN2 to LOCAL'
set firewall ipv4 name WAN2-LOCAL rule 10 action 'drop'
set firewall ipv4 name WAN2-LOCAL rule 10 description 'drop invalid'
set firewall ipv4 name WAN2-LOCAL rule 10 log
set firewall ipv4 name WAN2-LOCAL rule 10 log-options
set firewall ipv4 name WAN2-LOCAL rule 10 state 'invalid'
set firewall zone LOCAL from WAN2 firewall name 'WAN2-LOCAL'


vyos@vyos:~$ sh ip route vrf all
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF WAN1-DHCP:
S>* 0.0.0.0/0 [210/0] via 73.100.xx.1, eth3, weight 1, 03:08:47
S>* 10.100.0.0/24 [1/0] is directly connected, eth2.100 (vrf default), weight 1, 00:08:44
C>* 73.100.xx.0/23 is directly connected, eth3, 03:11:16

VRF WAN2-STATIC:
S>* 0.0.0.0/0 [1/0] via 173.14.xx.214, eth1, weight 1, 2d16h34m
S>* 10.100.69.0/24 [1/0] is directly connected, eth2.69 (vrf default), weight 1, 00:08:44
C>* 173.14.xx.212/30 is directly connected, eth1, 2d16h36m

VRF default:
S>* 0.0.0.0/0 [1/0] via 173.14.xx.214, eth1 (vrf WAN2-STATIC), weight 1, 03:07:27
C>* 10.100.0.0/24 is directly connected, eth2.100, 00:08:44
C>* 10.100.50.0/24 is directly connected, eth2.50, 00:08:44
C>* 10.100.69.0/24 is directly connected, eth2.69, 00:08:44
C>* 10.100.200.0/24 is directly connected, eth2.200, 00:08:44
C>* 172.16.0.0/30 is directly connected, wg0, 3d03h20m
C>* 172.17.0.0/30 is directly connected, wg1, 3d03h20m

Any help would be appreciated.

I’m not sure that Zone Based Firewalls currently work with VRFs.

Edit: This comment can be ignored, see further down.

Well, that is unfortunate. Following your link and then the bug report, it seems like a dead topic that may not be getting any dev attention anymore. Is there any way we can get some word from the maintainers on whether this is going to be solved in future releases?

I like vyos a lot but it seems like there are some real downsides when using ZBF, and trying to manage per interface in a large environment seems like a real test of patience.

Either way, thanks for your help and info.

Try adding this:
set firewall zone WAN2 interface WAN2-STATIC

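As an added illustration (not from the thread or the VyOS project), here is a small Python helper that reads a `[-zone_...-default-...]` kernel log line like the ones above together with the `set firewall zone` config, and reports which zone, if any, owns the egress interface named in `OUT=`. Run against the config before and after the suggested line, it shows the VRF device WAN2-STATIC belonging to no zone (so the packet falls through to the LOCAL zone's default-action) versus belonging to WAN2, where the LOCAL-WAN2 ruleset applies; the regexes and the trimmed config are my assumptions about the formats shown in this thread.

```python
import re

# Constructed input: one kernel log line from the thread (IN= empty means the
# packet was generated on the router itself) and a trimmed copy of the zone
# config. The AFTER variant adds the single line suggested in the reply.
LOG_LINE = ("[-zone_LOCAL-default-R]IN= OUT=WAN2-STATIC SRC=173.14.xx.213 "
            "DST=8.8.8.8 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0")
ZONE_CONFIG_BEFORE = """\
set firewall zone LOCAL default-action 'reject'
set firewall zone LOCAL local-zone
set firewall zone WAN2 default-action 'reject'
set firewall zone WAN2 from LOCAL firewall name 'LOCAL-WAN2'
set firewall zone WAN2 interface 'eth1'
"""
ZONE_CONFIG_AFTER = ZONE_CONFIG_BEFORE + "set firewall zone WAN2 interface WAN2-STATIC\n"

# Assumed layouts of the log prefix and of the three config lines we care about.
LOG_RE = re.compile(r"\[-zone_(?P<zone>.+?)-default-(?P<act>[A-Z])\]IN=(?P<in>\S*) OUT=(?P<out>\S*)")
IFACE_RE = re.compile(r"^set firewall zone (\S+) interface '?([^'\s]+)'?$")
FROM_RE = re.compile(r"^set firewall zone (\S+) from (\S+) firewall name '?([^'\s]+)'?$")
LOCAL_RE = re.compile(r"^set firewall zone (\S+) local-zone$")

def parse_zones(config_text):
    """Return (zone -> interfaces, (to_zone, from_zone) -> ruleset, local zone name)."""
    ifaces, policies, local = {}, {}, None
    for line in config_text.splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            ifaces.setdefault(m.group(1), set()).add(m.group(2))
        elif m := FROM_RE.match(line):
            policies[(m.group(1), m.group(2))] = m.group(3)
        elif m := LOCAL_RE.match(line):
            local = m.group(1)
    return ifaces, policies, local

def diagnose(log_line, config_text):
    """Explain a zone default-action log entry: who owns the OUT interface?"""
    ev = LOG_RE.search(log_line)
    if not ev:
        raise ValueError("not a zone default-action log line")
    ifaces, policies, local = parse_zones(config_text)
    out = ev["out"]
    owner = next((z for z, s in ifaces.items() if out in s), None)
    result = {"zone": ev["zone"], "out": out, "owner": owner, "ruleset": None,
              "locally_generated": ev["in"] == ""}
    if owner is not None:
        # Local-zone traffic towards `owner` is governed by owner's "from <local>" ruleset.
        result["ruleset"] = policies.get((owner, local))
    return result
```

If `owner` is `None` for a locally generated packet, the egress device is in no zone and only the local zone's default-action (reject here, hence the "Destination Port Unreachable" replies) can match it.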

Well that worked perfectly… Thanks so much!

