Use ACLs between VLANs


#1

Guys, I am using VyOS as a core router. I have a few lab networks that I want to ACL off from my regular network. I have done some research, but I have not found anything explaining how to configure ACLs between subnets. So can someone here please share with me how to do ACLs on VyOS? Mainly I just need to allow RDP from my regular VLANs to the lab VLANs, and I need to allow the lab VLANs access to the internet. Maybe you guys don't use ACLs in VyOS and just create firewall zones on the router and use the zones to control VLAN access. Also, I do not use VyOS as my internet firewall; I use pfSense for that.


#2

An ACL is equivalent to a firewall "set" in VyOS. I prefer to use zones, but you can apply a firewall set to a specific interface and direction. Something like this:

set interfaces ethernet eth0 firewall in name 'fw_11_IN'
set firewall name fw_11_IN default-action 'drop'
set firewall name fw_11_IN rule 99 action 'accept'
set firewall name fw_11_IN rule 99 destination port '3389'
set firewall name fw_11_IN rule 99 protocol 'tcp'
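
The fragment above only shows the shape of an interface-attached ruleset. The following is an added example, not part of the original post and not taken from the VyOS documentation, that carries the same interface-based approach through to the original question: RDP from the regular VLAN into the lab, lab hosts out to the internet, and nothing else from the lab back into the regular network. It assumes VyOS 1.3-style syntax (the same `set firewall name ...` / `set interfaces ... firewall <direction> name` form used in the post; VyOS 1.4 renamed these paths), and the VLAN IDs, addresses, interface names, group names and ruleset names are constructed for the example. The key point the short fragment leaves out is the state rule: with a default-action of `drop` and no `established`/`related` match, reply packets for connections opened from the other side are dropped too.

```vyos
# Constructed topology (assumption, not from the thread):
#   eth0.10  192.168.10.1/24  regular VLAN
#   eth0.20  192.168.20.1/24  lab VLAN
#   eth1     uplink towards pfSense, which holds the default route
set interfaces ethernet eth0 vif 10 address '192.168.10.1/24'
set interfaces ethernet eth0 vif 20 address '192.168.20.1/24'

# Network groups keep the rules readable once more VLANs are added
set firewall group network-group REGULAR network '192.168.10.0/24'
set firewall group network-group LAB network '192.168.20.0/24'

# LAB_OUT: forwarded traffic leaving the router INTO the lab VLAN.
# Only reply traffic and RDP from the regular VLANs may enter the lab.
set firewall name LAB_OUT default-action 'drop'
set firewall name LAB_OUT rule 10 action 'accept'
set firewall name LAB_OUT rule 10 state established 'enable'
set firewall name LAB_OUT rule 10 state related 'enable'
set firewall name LAB_OUT rule 20 action 'accept'
set firewall name LAB_OUT rule 20 description 'RDP from regular VLANs to lab hosts'
set firewall name LAB_OUT rule 20 protocol 'tcp'
set firewall name LAB_OUT rule 20 destination port '3389'
set firewall name LAB_OUT rule 20 source group network-group 'REGULAR'

# LAB_IN: forwarded traffic arriving FROM the lab VLAN.
# Replies and internet-bound traffic pass; anything aimed at the
# regular VLANs is dropped and logged.
set firewall name LAB_IN default-action 'accept'
set firewall name LAB_IN rule 10 action 'accept'
set firewall name LAB_IN rule 10 state established 'enable'
set firewall name LAB_IN rule 10 state related 'enable'
set firewall name LAB_IN rule 20 action 'drop'
set firewall name LAB_IN rule 20 description 'lab hosts may not initiate to regular VLANs'
set firewall name LAB_IN rule 20 destination group network-group 'REGULAR'
set firewall name LAB_IN rule 20 log 'enable'

# Attach both rulesets to the lab sub-interface only; the regular
# VLAN interfaces need no ruleset for this policy.
set interfaces ethernet eth0 vif 20 firewall in name 'LAB_IN'
set interfaces ethernet eth0 vif 20 firewall out name 'LAB_OUT'
commit
save
```

Two things to check after committing: `show firewall name LAB_IN` and `show firewall name LAB_OUT` display per-rule counters, so an RDP session from 192.168.10.0/24 should increment LAB_OUT rule 20 and a ping from the lab to the regular VLAN should increment LAB_IN rule 20. Note that `in` and `out` here govern forwarded traffic only; traffic addressed to the router itself (its SSH or DNS service, for example) is matched by a separate `local` ruleset, which this example does not define, so lab hosts can still reach the router's own services unless you add one.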


#3

This is what I do... ingress/egress ACLs fall down quickly and become confusing when you have more than a couple of segments you are routing for. It is much simpler to audit firewall policy later when it is broken down by zone: A to B, A to C, B to A, etc.
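
The zone layout described above, as an added example that is not part of the original post and is not taken from the VyOS documentation. It uses VyOS 1.3-style `zone-policy` syntax (VyOS 1.4 moved this under `firewall zone`), and the zone names, interface names, addresses and ruleset names are constructed for the example. The policy is the one from the original question: regular VLAN to lab is RDP only, lab to internet is open, lab to regular VLAN is closed. The property that makes zones easy to audit is visible in the last block: every permitted zone pair is a single `from` line naming one ruleset, and any pair without such a line is dropped by default, so "can LAB reach LAN?" is answered by reading one line rather than by tracing `in` and `out` rulesets across interfaces.

```vyos
# Constructed topology (assumption, not from the thread):
#   eth0.10  regular VLAN   -> zone LAN
#   eth0.20  lab VLAN       -> zone LAB
#   eth1     uplink to pfSense -> zone WAN
set zone-policy zone LAN interface 'eth0.10'
set zone-policy zone LAB interface 'eth0.20'
set zone-policy zone WAN interface 'eth1'

# ALLOW-EST: reply traffic only. Reused for every zone pair that may
# answer connections but must never open them.
set firewall name ALLOW-EST default-action 'drop'
set firewall name ALLOW-EST rule 10 action 'accept'
set firewall name ALLOW-EST rule 10 state established 'enable'
set firewall name ALLOW-EST rule 10 state related 'enable'

# LAN-TO-LAB: replies plus new RDP sessions, nothing else.
set firewall name LAN-TO-LAB default-action 'drop'
set firewall name LAN-TO-LAB rule 10 action 'accept'
set firewall name LAN-TO-LAB rule 10 state established 'enable'
set firewall name LAN-TO-LAB rule 10 state related 'enable'
set firewall name LAN-TO-LAB rule 20 action 'accept'
set firewall name LAN-TO-LAB rule 20 description 'RDP into the lab'
set firewall name LAN-TO-LAB rule 20 protocol 'tcp'
set firewall name LAN-TO-LAB rule 20 destination port '3389'

# TO-WAN: anything may leave towards the internet; pfSense applies the
# internet policy, so this ruleset deliberately accepts everything.
set firewall name TO-WAN default-action 'accept'

# Zone pairs. Read as "traffic entering zone X from zone Y uses ruleset R".
# LAB -> LAN has no line, so new connections from the lab to the regular
# VLAN are dropped; LAN -> LAB replies pass through ALLOW-EST.
set zone-policy zone LAB from LAN firewall name 'LAN-TO-LAB'
set zone-policy zone LAN from LAB firewall name 'ALLOW-EST'
set zone-policy zone WAN from LAN firewall name 'TO-WAN'
set zone-policy zone WAN from LAB firewall name 'TO-WAN'
set zone-policy zone LAN from WAN firewall name 'ALLOW-EST'
set zone-policy zone LAB from WAN firewall name 'ALLOW-EST'
commit
save
```

Adding a fourth segment later means one new zone line and one `from` line per pair that is allowed, which is the audit advantage the post describes. One caveat: this example defines no local zone, so the zone policy does not filter traffic to or from the router itself; if lab hosts should not reach the router's own services, add a zone with `local-zone` set and give it the same pairwise treatment.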