VyOS as a router for FTTH providers in DHCP VLAN 835

I'm trying to configure VyOS 1.5 to act as a simple home router, but I'm having problems redirecting traffic.
My ISP is Openfiber, which gives me 1 Gbit fiber with an ONT through VLAN 835 in DHCP.

I can connect, but the packets coming from my LAN are not routed through VyOS; only ping works. Typically everything from the LAN must be allowed while everything from the WAN is denied.

I'm not sure how to properly set up the connection with the provider and how to route traffic through VyOS. Sorry, I'm really a novice; I need a kind soul to accept my plea. Thanks very much again.

My configuration is this; where am I going wrong?

#########################################
eth0 LAN, 192.168.20.0/24
eth1 WAN, DHCP, VLAN 835
Vyos ip: 192.168.20.1
#########################################

Interface:

set interfaces ethernet eth1 vif 835 address dhcp
set interfaces ethernet eth1 vif 835 description 'WAN'
set interfaces ethernet eth0 address '192.168.20.1/24'
set interfaces ethernet eth0 description 'LAN'

Nat:

set nat source rule 100 outbound-interface name 'eth1.835'
set nat source rule 100 source address '192.168.20.0/24'
set nat source rule 100 translation address masquerade

Dns:

set system name-server 1.1.1.1
set system name-server 1.0.0.1

set service dns forwarding system
set service dns forwarding cache-size '0'
set service dns forwarding listen-address '192.168.20.1'
set service dns forwarding allow-from '192.168.20.0/24'
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 1.0.0.1

DHCP server:

set service dhcp-server shared-network-name 'LAN' authoritative
set service dhcp-server shared-network-name 'LAN' subnet 192.168.20.0/24 option default-router '192.168.20.1'
set service dhcp-server shared-network-name 'LAN' subnet 192.168.20.0/24 option name-server '192.168.20.1'
set service dhcp-server shared-network-name 'LAN' subnet 192.168.20.0/24 option domain-name 'local.lan'
set service dhcp-server shared-network-name 'LAN' subnet 192.168.20.0/24 lease '86400'
set service dhcp-server shared-network-name 'LAN' subnet 192.168.20.0/24 range 0 start '192.168.20.50'
set service dhcp-server shared-network-name 'LAN' subnet 192.168.20.0/24 range 0 stop '192.168.20.100'
set service dhcp-server shared-network-name 'LAN' subnet 192.168.20.0/24 subnet-id '1'

FW :

set firewall global-options all-ping enable
set firewall global-options state-policy established action accept
set firewall global-options state-policy related action accept
set firewall global-options state-policy invalid action drop

set firewall ipv4 input filter default-action drop
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 state 'established'
set firewall ipv4 input filter rule 10 state 'related'
set firewall ipv4 input filter rule 10 inbound-interface name eth1.835
set firewall ipv4 input filter rule 10 description 'Allow Return traffic destined to the router'

set firewall ipv4 output filter default-action accept

set firewall ipv4 forward filter default-action drop
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 description 'Allow Return traffic through the router'
set firewall ipv4 forward filter rule 20 state 'established'
set firewall ipv4 forward filter rule 20 state 'related'
set firewall ipv4 forward filter rule 20 inbound-interface name eth1.835
#########################################

Thanks, thanks, thanks.
Gabriele.

Input controls traffic going to the router itself, which can come from the WAN and from the LAN. You will need to handle both cases in your input rules.

Additionally, output controls traffic from the router to the WAN/LAN, which can be fine to just accept in both directions.

Forward will control traffic traversing the router but not destined to the router itself, e.g. WAN to LAN, LAN to WAN.

I suspect the all-ping enable is what is allowing ping through, but DNS lookups, etc. aren't working.

It might be more helpful to set it up as a zone-based firewall with interface-groups:

firewall {
    group {
        interface-group ZONE_LAN {
            interface eth0
        }
        interface-group ZONE_WAN {
            interface eth1.835
        }
    }
    ipv4 {
        forward {
            filter {
                default-action drop
                rule 1 {
                    action accept
                    state established
                }
                rule 2 {
                    action drop
                    state invalid
                }
                rule 3 {
                    action accept
                    state related
                }
                rule 100 {
                    action jump
                    description "LAN to WAN policy"
                    inbound-interface {
                        group ZONE_LAN
                    }
                    jump-target LAN-to-WANv4
                    outbound-interface {
                        group ZONE_WAN
                    }
                }
            }
        }
        input {
            filter {
                default-action drop
                rule 1 {
                    action accept
                    state established
                }
                rule 2 {
                    action drop
                    state invalid
                }
                rule 3 {
                    action accept
                    state related
                }
                rule 50 {
                    action accept
                    description "Allow localhost"
                    inbound-interface {
                        name lo
                    }
                }
                rule 100 {
                    action jump
                    description "WAN to LOCAL policy"
                    inbound-interface {
                        group ZONE_WAN
                    }
                    jump-target WAN-to-LOCALv4
                }
                rule 200 {
                    action jump
                    description "LAN to LOCAL policy"
                    inbound-interface {
                        group ZONE_LAN
                    }
                    jump-target LAN-to-LOCALv4
                }
            }
        }
        name LAN-to-LOCALv4 {
            default-action accept
        }
        name LAN-to-WANv4 {
            default-action accept
        }
        name LOCAL-to-LANv4 {
            default-action accept
        }
        name LOCAL-to-WANv4 {
            default-action accept
        }
        name WAN-to-LOCALv4 {
            default-action drop
            rule 10 {
                action accept
                description "Allow ICMP"
                protocol icmp
            }
        }
        output {
            filter {
                default-action drop
                rule 1 {
                    action accept
                    state established
                }
                rule 2 {
                    action drop
                    state invalid
                }
                rule 3 {
                    action accept
                    state related
                }
                rule 50 {
                    action accept
                    description "Allow localhost"
                    outbound-interface {
                        name lo
                    }
                }
                rule 100 {
                    action jump
                    description "LOCAL to WAN policy"
                    jump-target LOCAL-to-WANv4
                    outbound-interface {
                        group ZONE_WAN
                    }
                }
                rule 200 {
                    action jump
                    description "LOCAL to LAN policy"
                    jump-target LOCAL-to-LANv4
                    outbound-interface {
                        group ZONE_LAN
                    }
                }
            }
        }
    }
}

This way you have a policy for each direction of flow.

You’re not allowing anything from the LAN through your firewall. Add these lines of config:

set firewall ipv4 forward filter rule 1000 action 'accept'
set firewall ipv4 forward filter rule 1000 description 'Allow LAN traffic from eth0'
set firewall ipv4 forward filter rule 1000 inbound-interface name 'eth0'

set firewall ipv4 input filter rule 1000 action 'accept'
set firewall ipv4 input filter rule 1000 description 'Allow LAN traffic from eth0'
set firewall ipv4 input filter rule 1000 inbound-interface name 'eth0'
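To make the hook dispatch described in the first reply and the missing LAN accept rule from the second one concrete, here is an added Python model that is not VyOS code and not from anyone in this thread: it classifies a packet into the input, forward or output hook and walks that chain's rules the way the replies describe. The WAN address 203.0.113.10 and all packet addresses are constructed.

```python
# Added example (not VyOS code): a toy model of how VyOS 1.5 picks the input,
# forward or output hook for a packet and walks that chain's rules in order.
# Addresses are constructed; 203.0.113.10 stands in for the DHCP lease on eth1.835.
ROUTER_IPS = {"192.168.20.1", "203.0.113.10"}

def hook_for(pkt):
    # To the router: input. From the router: output. Transit: forward.
    if pkt["dst"] in ROUTER_IPS:
        return "input"
    return "output" if pkt["src"] in ROUTER_IPS else "forward"

def rule_matches(rule, pkt):
    # Each criterion present in the rule must match; absent ones are wildcards.
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return "in_if" not in rule or rule["in_if"] == pkt["in_if"]

def verdict(fw, pkt):
    # Global state-policy sits ahead of every chain, then the hook's rules, then its default-action.
    policy = fw["state_policy"].get(pkt["state"])
    if policy:
        return policy
    chain = fw[hook_for(pkt)]
    for rule in chain["rules"]:
        if rule_matches(rule, pkt):
            return rule["action"]
    return chain["default"]

# The original post's rules, reduced to what matters: only return traffic from the WAN is accepted.
RETURN_FROM_WAN = {"state": {"established", "related"}, "in_if": "eth1.835", "action": "accept"}
ORIGINAL = {
    "state_policy": {"established": "accept", "related": "accept", "invalid": "drop"},
    "input":   {"default": "drop", "rules": [RETURN_FROM_WAN]},
    "forward": {"default": "drop", "rules": [RETURN_FROM_WAN]},
    "output":  {"default": "accept", "rules": []},
}

def with_lan_accept(fw):
    # The second reply's fix: rule 1000 in input and forward accepting anything arriving on eth0.
    fixed = dict(fw)
    for hook in ("input", "forward"):
        rules = fw[hook]["rules"] + [{"in_if": "eth0", "action": "accept"}]
        fixed[hook] = {"default": fw[hook]["default"], "rules": rules}
    return fixed

# Constructed packets: a LAN host opening a new flow to the Internet, the same host querying
# the router's DNS forwarder, an unsolicited WAN connection, and a reply to the first flow
# as the forward hook sees it after conntrack has undone the masquerade.
LAN_TO_WAN = {"src": "192.168.20.50", "dst": "198.51.100.1", "in_if": "eth0", "state": "new"}
LAN_TO_DNS = {"src": "192.168.20.50", "dst": "192.168.20.1", "in_if": "eth0", "state": "new"}
WAN_TO_LAN = {"src": "198.51.100.1", "dst": "192.168.20.50", "in_if": "eth1.835", "state": "new"}
WAN_REPLY  = {"src": "198.51.100.1", "dst": "192.168.20.50", "in_if": "eth1.835", "state": "established"}
```

With the original ruleset both the LAN-to-WAN flow (forward hook) and the DNS query to the router (input hook) end in the chain's default drop, while the established reply is accepted by the global state-policy; after the eth0 accept rule is added, both LAN packets are accepted and the unsolicited WAN connection is still dropped.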

I will be able to try it in the next few days, many, many, many thanks!!
