Whitelisting IP between 2 devices (or more)

Hi All, sorry, I'm new to VyOS and would like to ask what might be a basic question.
On my network, I'm blocking everything between network A and B with a firewall rule.
Then I would like to whitelist IPs between 2 devices; how should I do this?

For example:
IP A: 192.168.3.101
IP B: 192.168.3.105
IP C: 192.168.5.201
IP D: 192.168.5.205

The objective is to let IP A access IP C only, and IP B access IP D only.
For comparison, the equivalent switch configuration looks like this (HPE Aruba):
ip access-list extended "WHITELIST"
10 permit ip 192.168.3.101 255.255.255.255 192.168.5.201 255.255.255.255

I have tried a few things (ACLs, firewall address-groups), but they didn't work as intended.
Any advice on this matter? Thank you in advance!

What VyOS version are you using?

Hi, I'm using VyOS 1.2.9-S1.

Firewall rules are ordered; use the most specific first.
So your allow rules must come before the block rule, in the ruleset handling the 192.168.3.x interface.
Return traffic must be allowed too.
Simply doing something similar on the 192.168.5.x interface will work, but then sessions can be opened in the other direction too (host C accessing host A).
To only allow sessions in one direction (stateful firewalling), use as the first rule on the 192.168.5.x interface "allow established & related", and as the next rule block anything to 192.168.3.0/24.

Hey, thanks for the reply. Actually, I have tried those too. But it seems all the registered IPs are able to ping each other, not only the particular IP. Here's the config I tried:

set firewall group address-group PairA address 192.168.3.116
set firewall group address-group PairA address 192.168.5.202
set firewall name WHITELIST rule 500 action accept
set firewall name WHITELIST rule 500 source group address-group PairA

set firewall group address-group PairB address 192.168.3.109
set firewall group address-group PairB address 192.168.5.203
set firewall name WHITELIST rule 501 action accept
set firewall name WHITELIST rule 501 source group address-group PairB

Post the entire config (remove public IPs & passwords).

Hmm, strange: after I tried the previous configuration, it's now working as intended. I only added the destination group (the last line), but this was tested before and was not working. I'm not sure what happened. Maybe someone will be able to explain better.

set firewall group address-group PairA address 192.168.3.116
set firewall group address-group PairA address 192.168.5.202
set firewall name WHITELIST rule 500 action accept
set firewall name WHITELIST rule 500 source group address-group PairA
set firewall name WHITELIST rule 500 destination group address-group PairA

set firewall group address-group PairB address 192.168.3.109
set firewall group address-group PairB address 192.168.5.203
set firewall name WHITELIST rule 501 action accept
set firewall name WHITELIST rule 501 source group address-group PairB
set firewall name WHITELIST rule 501 destination group address-group PairB

Thank you to everyone who tried to help. I will update again after some further testing.
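The following is an added worked example for VyOS 1.2.x, not taken from any post in this thread, putting the earlier advice (allow rules before the block rule, return traffic via established/related, one-direction sessions) into a complete configuration for the four hosts from the opening post. It also shows the two pitfalls behind the posted attempts: a rule that matches only on source (as in the first posted ruleset) accepts traffic to any destination, and an address-group used as both source and destination (as in the final posted ruleset) lets either member open a session to the other. Interface names eth1 (192.168.3.0/24 side) and eth2 (192.168.5.0/24 side) and the ruleset names are assumptions.

```vyos
# Assumed topology (not from the original post):
#   eth1 -> 192.168.3.0/24 (hosts A=192.168.3.101, B=192.168.3.105)
#   eth2 -> 192.168.5.0/24 (hosts C=192.168.5.201, D=192.168.5.205)
# Goal: only A -> C and B -> D may open sessions; nothing else crosses
# between the two networks, and C/D cannot initiate toward A/B.

# --- Ruleset for traffic entering the router from the 192.168.3.x side ---
# Rule 10 first: return traffic for sessions already opened from the
# 192.168.5.x side is accepted. It matches on conntrack state only, not
# on addresses, so it does not widen the whitelist.
set firewall name NET3-TO-NET5 rule 10 action 'accept'
set firewall name NET3-TO-NET5 rule 10 state established 'enable'
set firewall name NET3-TO-NET5 rule 10 state related 'enable'

# Explicit source AND destination per pair. Omitting the destination
# (a source-only rule) would accept A to any host, including D.
set firewall name NET3-TO-NET5 rule 500 description 'A -> C only'
set firewall name NET3-TO-NET5 rule 500 action 'accept'
set firewall name NET3-TO-NET5 rule 500 source address '192.168.3.101'
set firewall name NET3-TO-NET5 rule 500 destination address '192.168.5.201'

set firewall name NET3-TO-NET5 rule 501 description 'B -> D only'
set firewall name NET3-TO-NET5 rule 501 action 'accept'
set firewall name NET3-TO-NET5 rule 501 source address '192.168.3.105'
set firewall name NET3-TO-NET5 rule 501 destination address '192.168.5.205'

# Block rule comes AFTER the allow rules: everything else bound for the
# 192.168.5.x network is dropped. Traffic to other destinations is left
# to the default action.
set firewall name NET3-TO-NET5 rule 1000 action 'drop'
set firewall name NET3-TO-NET5 rule 1000 destination address '192.168.5.0/24'
set firewall name NET3-TO-NET5 default-action 'accept'

# --- Ruleset for traffic entering the router from the 192.168.5.x side ---
# No per-host accept rules here: only replies to sessions opened from
# 192.168.3.x pass, so C cannot start a connection to A.
set firewall name NET5-TO-NET3 rule 10 action 'accept'
set firewall name NET5-TO-NET3 rule 10 state established 'enable'
set firewall name NET5-TO-NET3 rule 10 state related 'enable'
set firewall name NET5-TO-NET3 rule 1000 action 'drop'
set firewall name NET5-TO-NET3 rule 1000 destination address '192.168.3.0/24'
set firewall name NET5-TO-NET3 default-action 'accept'

# Attach each ruleset in the 'in' direction (forwarded traffic arriving
# on that interface) of the interface facing the source network.
set interfaces ethernet eth1 firewall in name 'NET3-TO-NET5'
set interfaces ethernet eth2 firewall in name 'NET5-TO-NET3'

commit
save
```

If eth1 and eth2 carry nothing but these two networks, `default-action 'drop'` on both rulesets is the stricter choice and makes rule 1000 unnecessary. Verify the result with `show firewall name NET3-TO-NET5` in operational mode, then test from A: a ping to C should succeed and a ping to D should fail, while a ping from C to A should fail even though C's replies to A reach it.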