Zone based firewall + IPSEC VTI

Hi, I'm missing something about the zone-based firewall.

I have the following zones:
WAN-LAN
WAN-LOCAL

LAN-WAN
LAN-LOCAL

LOCAL-WAN
LOCAL-LAN

When we create a VTI interface, we cannot create a zone that uses the VTI interface. How do we restrict traffic on the IPsec tunnel?

Also, on the same network (LAN), suppose we don't want machine 192.168.0.10 to communicate with server 192.168.0.20. In what zone can I block this? LAN-LOCAL?

Thank you

Are you sure that the PC communicates with the server not directly but via VyOS? Because the hosts are in the same network and don't need any gateway.

Can you describe in more detail what is wrong with the VTI interfaces?

Hi Viacheslav,

Thank you for the feedback.

The hosts are on the same network, but on the switch the ports are in isolation mode, so for the hosts to communicate with each other they need to go through the router. My main difficulty is to identify in what zone I should block or allow the traffic (LAN-LOCAL or LOCAL-LAN).

About the IPsec VTI, I created a VTI interface "vti1" and then I want to block or allow traffic on this interface, but if I do:

 set zone-policy zone IPSEC interface vti1

When I commit, VyOS says:

 [ zone-policy zone IPSEC interface vti1 ]
 interface vti1 does not exist on system

 R# show interfaces vti
 vti vti1 {
     address 10.10.16.1/32
     description HOST-CLOUD
 }
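
To make the "which zone pair sees this flow" question concrete, here is an added worked example that is not from the thread and not VyOS code: a small Python model of how a zone-based firewall classifies a flow by the zone of its source and the zone of its destination, with the router's own addresses forming the LOCAL zone. The interface names eth0/eth1, the WAN and tunnel subnets, the router addresses and the policy table are constructed assumptions; only the LAN hosts 192.168.0.10/192.168.0.20 and the vti1 interface in an IPSEC zone come from the posts above.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not the poster's real config): the LAN
# subnet holds the two hosts from the thread, eth0 is a WAN interface, and
# vti1 is placed in an IPSEC zone, which is what the poster is trying to do.
INTERFACES = {
    "eth0": {"zone": "WAN", "subnet": ip_network("203.0.113.0/24"),
             "router": ip_address("203.0.113.1")},
    "eth1": {"zone": "LAN", "subnet": ip_network("192.168.0.0/24"),
             "router": ip_address("192.168.0.1")},
    "vti1": {"zone": "IPSEC", "subnet": ip_network("10.10.16.0/24"),
             "router": ip_address("10.10.16.1")},
}

# Zone pairs that have a configured policy, keyed (from_zone, to_zone).
# A pair that is absent here is dropped, which is the zone-policy default.
# The actions are assumed for the example.
POLICIES = {
    ("LAN", "LOCAL"): "accept",
    ("LOCAL", "LAN"): "accept",
    ("LAN", "WAN"): "accept",
    ("LOCAL", "WAN"): "accept",
    ("WAN", "LOCAL"): "drop",
    ("IPSEC", "LAN"): "accept",
}


def zone_of(addr):
    """Zone an address belongs to: LOCAL for the router's own addresses,
    the interface's zone for a connected subnet, None if it matches nothing."""
    addr = ip_address(addr)
    for iface in INTERFACES.values():
        if addr == iface["router"]:
            return "LOCAL"
    for iface in INTERFACES.values():
        if addr in iface["subnet"]:
            return iface["zone"]
    return None


def classify(src, dst):
    """The (from_zone, to_zone) pair a flow would be evaluated under."""
    return (zone_of(src), zone_of(dst))


def decide(src, dst):
    """Return (zone_pair, decision) for a flow from src to dst."""
    pair = classify(src, dst)
    frm, to = pair
    if frm is None or to is None:
        return pair, "unroutable: no zone"
    if frm == to:
        # Both ends sit in the same zone, so no from/to zone pair matches.
        # Zone policy does not evaluate this traffic at all; a block for it
        # has to live on the interface's own ruleset (or an intra-zone
        # filtering option where the release provides one).
        return pair, "intra-zone: not evaluated by any zone pair"
    return pair, POLICIES.get(pair, "drop (default: no policy for this pair)")


if __name__ == "__main__":
    for src, dst in [("192.168.0.10", "192.168.0.20"),   # host to host on LAN
                     ("192.168.0.10", "192.168.0.1"),    # host to the router
                     ("192.168.0.10", "10.10.16.50"),    # LAN into the tunnel
                     ("10.10.16.50", "192.168.0.20")]:   # tunnel into LAN
        pair, verdict = decide(src, dst)
        print(f"{src:>14} -> {dst:<14} {pair[0]}->{pair[1]}: {verdict}")
```

Running it shows the 192.168.0.10 to 192.168.0.20 flow classified LAN to LAN: neither LAN-LOCAL (traffic to the router itself) nor LOCAL-LAN (traffic the router originates) ever sees it, so that block belongs on the LAN interface's own ruleset rather than in either of those zone pairs. The model also shows why attaching vti1 to a zone matters: once the IPSEC zone exists, anything the tunnel sends toward a zone with no policy for that pair is dropped by default, and only the pairs you define are let through.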

Hi,

Can you check if the vti1 interface is shown by running the command below:

#run show interfaces