Zone based firewall design thoughts?

I’ve decided to try to set up a zone based firewall but wanted to get some thoughts from others who may already have done so. My network consists of the following interfaces/network segments:

Mullvad VPN
Site to Site Wireguard
Remote access WG

Obviously I could create zones for all, but I fear that defeats the purpose. How would you set up zones if your network were mine?

I would do as you propose, a zone for all. Why do you think that would default the purpose?

@phillipmcmahon I thought part of the idea with ZBF was to be able to group interfaces with similar trust levels into zones rather than have to set up zones/rules for each. What I ended up doing was creating a zone for each interface except for the Mullvad one. Because it functions as a WAN interface and is trusted no better than my normal WAN, I went ahead and assigned it to the WAN zone. Everything works fine so far. I can appreciate the concept and power of ZBF and the rules are obviously a bit easier to understand since you create one for each traffic flow versus just IN/OUT/local. Not sure what I personally gained by setting it up versus sticking with interface-assigned rules though. Maybe I’m missing the point.

ZBF can offer that efficiency, if as you say you have zones with the same access profiles. I set up my interfaces all as individual zones, I have a fair amount of duplication in my config but this also means I can toy with an interface/zone ruleset without likely impacting existing connectivity.

ZBF has also been easier for me to understand long-term as my rulesets have grown. IN/OUT/local was not as intuitive and I am sure I’ve saved time because of this. Creating a new zone is a dull process of cut and paste and modifying existing zones, a helper function in vyos to insert the stubs would be appreciated.

a bit easier to understand

This, I started with zones on juniper and when i started using vyos that came much easier than interface rulesets. In fact, i still haven’t wrapped my mind around just how those work.

a helper function in vyos to insert the stubs would be appreciated.

+1 to this. this is my biggest gripe with doing the initial setup on zones, there is so much additional config. Once set up though i do think it’s easier to manage.
Another thing, if you’re using this for a homelab and start messing around with interfaces and wireing it’s much easier to just slap the correct interface to the correct zone and let the zone’s firewall settings take care of the rest than going around to each interface and making sure the correct firewall names are asigned to the correct directions on each interface.


1 Like

Appreciate the comments from all. I’m going to keep rocking the ZBF, if for no other reason than all the work I put into setting it up! :grin: I’m sure things will become me clearer to me over time.

Which exactly issue?

I think Clemens post is just spam?

1 Like

I’ve setup an Ansible playbook (heavily inspired by this blog entry, lengthy but very thourough!) to deal with similar situations. I then just add a couple of lines of yaml and run the playbook to add new zones etc.

Ansible and VyOS is a great combo!

1 Like

any chance you could share as that sounds like a pretty sustainable approach?

It’s a bit hacky but I can try to publish it somewhere. Currently in a private repo, but there are no secret stuff in it so should be doable.

1 Like

I accidentally made this gist secret, but I’m too lazy to redo it. :slight_smile:

This is an example that should be fairly complete, but you’ll have to read the templates and tasks in order to understand which variables are needed.