VRRP Issues on VyOS

Hello Team

My VRRP is working fine, but when I try to configure or implement a policy for RDP restriction on my server, the policy is not working. I want RDP to be allowed from some particular IPs only.

This policy is not working on my VRRP-configured firewall. Please let me know what I missed, or whether there is any configuration which needs to be done after configuring VRRP.

Awaiting your positive response. Your guidance will be appreciated.

I think it would help if you share your config and log/error messages with us.

Hello Hannibal

How can I explain or share the logs? Let me brief you on what actually happens. My concern is that when I use VRRP on the VyOS firewall, my security policy stops working, which means if I want to allow any port-related policy for any server which is behind the firewall, that port is globally open even though I allowed it for some specific IPs only.

So my policy is not working after configuring VRRP, which hampers my server behind the firewall. If I want to allow remote access from some specific IPs, that policy is not working and my server's remote access is reachable globally.

I don't know what I need to configure now.

Below are my VRRP and firewall configuration.

set high-availability vrrp group Green_interface interface 'eth2'
set high-availability vrrp group Green_interface priority '100'
set high-availability vrrp group Green_interface rfc3768-compatibility
set high-availability vrrp group Green_interface virtual-address '10.10.0.1/16'
set high-availability vrrp group Green_interface vrid '49'
set high-availability vrrp group Red_interface interface 'eth1'
set high-availability vrrp group Red_interface priority '100'
set high-availability vrrp group Red_interface rfc3768-compatibility
set high-availability vrrp group Red_interface virtual-address '103.109.63.24/24'
set high-availability vrrp group Red_interface vrid '49'
set high-availability vrrp sync-group VRRP_GROUP_49 member 'Green_interface'
set high-availability vrrp sync-group VRRP_GROUP_49 member 'Red_interface'

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             172.17.23.49/16                   u/u  BLUE Management Network
eth1             192.2.49.1/24                     u/u  RED Public Network
eth1v49          103.109.63.24/24                  u/u
eth2             10.10.0.2/16                      u/u  GREEN Lan Network
eth2v49          10.10.0.1/16                      u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
vtun0            10.34.1.1/24                      u/u
vtun1            10.34.2.1/24                      u/u

###############################################################
Firewall Default configuration:

set firewall name FIREWALL_IN default-action 'drop'
set firewall name FIREWALL_IN rule 1 action 'accept'
set firewall name FIREWALL_IN rule 1 description 'Established Connections'
set firewall name FIREWALL_IN rule 1 state established 'enable'
set firewall name FIREWALL_IN rule 1 state related 'enable'
set firewall name FIREWALL_IN rule 2 action 'accept'
set firewall name FIREWALL_IN rule 2 description 'PING Incoming'
set firewall name FIREWALL_IN rule 2 destination address '0.0.0.0/0'
set firewall name FIREWALL_IN rule 2 protocol 'icmp'
set firewall name FIREWALL_IN rule 2 source address '0.0.0.0/0'
set firewall name FIREWALL_OUT default-action 'drop'
set firewall name FIREWALL_OUT rule 1 action 'accept'
set firewall name FIREWALL_OUT rule 1 description 'Established Connections'
set firewall name FIREWALL_OUT rule 1 state established 'enable'
set firewall name FIREWALL_OUT rule 1 state related 'enable'
set firewall name FIREWALL_OUT rule 2 action 'accept'
set firewall name FIREWALL_OUT rule 2 description 'DNS Outgoing'
set firewall name FIREWALL_OUT rule 2 destination port '53'
set firewall name FIREWALL_OUT rule 2 protocol 'udp'
set firewall name FIREWALL_OUT rule 3 action 'accept'
set firewall name FIREWALL_OUT rule 3 description 'PING Outgoing'
set firewall name FIREWALL_OUT rule 3 destination address '0.0.0.0/0'
set firewall name FIREWALL_OUT rule 3 protocol 'icmp'
set firewall name FIREWALL_OUT rule 3 source address '0.0.0.0/0'
set firewall name FIREWALL_OUT rule 4 action 'accept'
set firewall name FIREWALL_OUT rule 4 description 'TCP Outgoing'
set firewall name FIREWALL_OUT rule 4 destination address '0.0.0.0/0'
set firewall name FIREWALL_OUT rule 4 protocol 'tcp'
set firewall name FIREWALL_OUT rule 4 source address '0.0.0.0/0'

set interfaces ethernet eth1 firewall in name 'FIREWALL_IN'
set interfaces ethernet eth2 firewall out name 'FIREWALL_OUT'

set nat source rule 9999 outbound-interface 'any'
set nat source rule 9999 protocol 'all'
set nat source rule 9999 source address '10.10.0.0/16'
set nat source rule 9999 translation address 'masquerade'

###########################################################

Port restriction policy which is not working after VRRP configuration:

set firewall name FIREWALL_IN rule 32 action 'accept'
set firewall name FIREWALL_IN rule 32 description 'wsrv109'
set firewall name FIREWALL_IN rule 32 destination address '10.10.1.109'
set firewall name FIREWALL_IN rule 32 destination port 'RDP'
set firewall name FIREWALL_IN rule 32 log 'disable'
set firewall name FIREWALL_IN rule 32 protocol 'tcp'
set nat destination rule 32 description 'DNAT for wsrv109 - RDP'
set nat destination rule 32 destination address '103.109.63.24'
set nat destination rule 32 destination port '3389'
set nat destination rule 32 inbound-interface 'any'
set nat destination rule 32 protocol 'tcp'
set nat destination rule 32 translation address '10.10.1.109'

set firewall group address-group wsrv-Restriction

set firewall name FIREWALL_IN rule 32 source group address-group 'wsrv-Restriction'

set firewall group address-group wsrv-Restriction address '103.25.107.56'

@devashish
What version do you use?
Try to delete rfc3768-compatibility.

set high-availability vrrp group Green_interface interface 'eth2'
set high-availability vrrp group Green_interface priority '100'
set high-availability vrrp group Green_interface rfc3768-compatibility
set high-availability vrrp group Green_interface virtual-address '10.10.0.1/16'
set high-availability vrrp group Green_interface vrid '49'

The interface in this case will be eth2v49, not eth2.
You can check it with "show interfaces".
And you set the firewall on eth2.

It will work only in 1.4 with the new firewall logic/syntax.
More details in T1185.
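The mismatch described in the reply above can be checked mechanically. The script below is an added example and is not from the thread or from the VyOS project: it takes a 1.2-style "set" configuration, finds every VRRP group that has rfc3768-compatibility, derives the macvlan name the VIP will live on (parent interface plus "v" plus vrid, as seen in the "show interfaces" output posted above), and reports any firewall ruleset bound to the parent interface instead. It also emits the "delete" commands for the fix the thread converged on. The sample configuration embedded in the script is constructed from the lines posted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check a VyOS 1.2-style config for
# firewall rulesets bound to a parent interface whose VIP is actually hosted on
# an rfc3768-compatibility macvlan sub-interface (eth1v49, eth2v49, ...).

# Constructed sample config; group names, interfaces, vrid and ruleset names
# are the ones posted in the thread.
SAMPLE_CONFIG="set high-availability vrrp group Green_interface interface 'eth2'
set high-availability vrrp group Green_interface rfc3768-compatibility
set high-availability vrrp group Green_interface vrid '49'
set high-availability vrrp group Red_interface interface 'eth1'
set high-availability vrrp group Red_interface rfc3768-compatibility
set high-availability vrrp group Red_interface vrid '49'
set interfaces ethernet eth1 firewall in name 'FIREWALL_IN'
set interfaces ethernet eth2 firewall out name 'FIREWALL_OUT'"

# Print "<parent> <direction> <ruleset> <macvlan>" for each firewall binding
# whose parent interface carries an rfc3768-compatibility VRRP group.
# Quotes are stripped first so quoted and unquoted values parse the same.
find_mismatches() {
    printf '%s\n' "$1" | tr -d "'\"" | awk '
        $2 == "high-availability" && $4 == "group" && $6 == "interface" { grp_if[$5] = $7 }
        $2 == "high-availability" && $4 == "group" && $6 == "rfc3768-compatibility" { compat[$5] = 1 }
        $2 == "high-availability" && $4 == "group" && $6 == "vrid" { vrid[$5] = $7 }
        $2 == "interfaces" && $5 == "firewall" && $7 == "name" { fw[$4 " " $6] = $8 }
        END {
            for (key in fw) {
                split(key, parts, " ")
                for (g in grp_if)
                    if (compat[g] && grp_if[g] == parts[1])
                        print parts[1], parts[2], fw[key], parts[1] "v" vrid[g]
            }
        }' | sort
}

# Emit the configuration-mode "delete" commands that remove
# rfc3768-compatibility from every group that sets it.
fix_commands() {
    printf '%s\n' "$1" | tr -d "'\"" | awk '
        $2 == "high-availability" && $4 == "group" && $6 == "rfc3768-compatibility" {
            print "delete high-availability vrrp group " $5 " rfc3768-compatibility"
        }' | sort
}

# Stand-alone run: report the mismatches, then the commands that clear them.
find_mismatches "$SAMPLE_CONFIG"
fix_commands "$SAMPLE_CONFIG"
```

Run against the sample, the check reports that FIREWALL_IN is bound to eth1 while the VIP sits on eth1v49, and FIREWALL_OUT to eth2 while the VIP sits on eth2v49. That is the gap behind the symptom in the thread: a ruleset attached to the parent interface is never consulted for traffic arriving on the macvlan, while the DNAT rule with inbound-interface 'any' still forwards port 3389, so the RDP host is reachable from any source. After the "delete" commands are committed, the VIPs are carried by eth1 and eth2 themselves and the same check prints nothing.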

Dear Viacheslav

As you mentioned, use eth2v49 instead of eth2, but as you know the virtual interface eth2v49 only shows up once VRRP is configured, not before that.

I am using version VyOS 1.2.0.

As I mentioned, it works only for 1.4.
The interface may not exist.

As suggested previously, if rfc3768-compatibility is not mandatory in your scenario, removing it from the VRRP configuration will help.


Hello Fort

Yes, it's working after removing rfc3768-compatibility.

Thanks to all