Zone-based fw question + dhcp issue

Hello, I wanted to set up a zone-based firewall, but in the description it’s saying:

  • You need 2 separate firewalls to define traffic: one for each direction.

Does it really mean TWO separate firewalls?

2nd: I had an issue with a formerly set up 1.5 firewall. 2 subnets, DHCP enabled, and all was running fine when suddenly DHCP wasn’t working anymore. More and more of my IoT devices and also laptops / mobile phones weren’t getting an address, even though they had static mappings.

Any issues, bugs or whatsoever known?

Thanks in advance!

No, you don’t need two firewalls. Instead, you need to assign zones to interfaces, such as WAN, LAN, or LOCAL.

For example, you can create rules for these zone pairs:
• WAN-to-LAN
• LAN-to-WAN

This way, you define traffic policies for each direction.

Traffic from Zone A to Zone B requires a rule, and traffic from Zone B to Zone A needs another rule. Firewall policies in VyOS are not automatically bidirectional, so you must explicitly define rules for both directions if needed.

About DHCP: you need to share your config for review.
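As an added illustration of the per-direction rule (example code written for this page, not from the thread or from VyOS), here is a small Python check that parses the `set firewall zone ...` form of a config and lists every ordered zone pair that has no ruleset assigned. The sample config is constructed to resemble the one in this thread, with the IOT-to-LOCAL direction left out on purpose so the check has something to report.

```python
"""Check that a VyOS zone-based firewall assigns a ruleset to every ordered
zone pair. A->B and B->A are separate pairs: zone policies are not
bidirectional, and a pair with no ruleset falls back to the destination
zone's default-action (drop unless configured otherwise)."""
import re

# Constructed sample modelled on the thread's LAN/IOT/WAN/LOCAL layout;
# the "zone LOCAL from IOT" line is deliberately missing.
SAMPLE_CONFIG = """
set firewall zone LAN interface eth0
set firewall zone LAN from IOT firewall name IOT_to_LAN
set firewall zone LAN from LOCAL firewall name LOCAL_to_LAN
set firewall zone LAN from WAN firewall name WAN_to_LAN
set firewall zone IOT default-action drop
set firewall zone IOT interface eth2
set firewall zone IOT from LAN firewall name LAN_to_IOT
set firewall zone IOT from LOCAL firewall name LOCAL_to_IOT
set firewall zone IOT from WAN firewall name WAN_to_IOT
set firewall zone WAN default-action drop
set firewall zone WAN interface eth1
set firewall zone WAN from IOT firewall name IOT_to_WAN
set firewall zone WAN from LAN firewall name LAN_to_WAN
set firewall zone WAN from LOCAL firewall name LOCAL_to_WAN
set firewall zone LOCAL local-zone
set firewall zone LOCAL from LAN firewall name LAN_to_LOCAL
set firewall zone LOCAL from WAN firewall name WAN_to_LOCAL
"""

ZONE_RE = re.compile(r"^set firewall zone (\S+)(?: (.*))?$")
FROM_RE = re.compile(r"^from (\S+) firewall name (\S+)$")


def parse_zones(config: str) -> dict:
    """Return {destination_zone: {source_zone: ruleset_name}}."""
    zones = {}
    for line in config.splitlines():
        m = ZONE_RE.match(line.strip())
        if not m:
            continue
        zone, rest = m.group(1), m.group(2) or ""
        sources = zones.setdefault(zone, {})  # register zone even without 'from'
        f = FROM_RE.match(rest)
        if f:
            sources[f.group(1)] = f.group(2)
    return zones


def missing_directions(zones: dict) -> list:
    """Sorted list of (src, dst) pairs that have no ruleset in that direction."""
    missing = []
    for dst, sources in zones.items():
        for src in zones:
            if src != dst and src not in sources:
                missing.append((src, dst))
    return sorted(missing)


if __name__ == "__main__":
    for src, dst in missing_directions(parse_zones(SAMPLE_CONFIG)):
        print(f"no ruleset for {src} -> {dst}; destination default-action applies")
```

Run against a real config, feed it the output of `show configuration commands | grep 'firewall zone'`; every pair it reports is traffic that only the destination zone's default-action decides.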

Okay, now I have my first problem. I can’t ping from VyOS to anything even though I’ve set default action accept on LOCAL_to_X.

When I ping 8.8.8.8 it says network unreachable - if I ping interface ‘eth0’ it does not receive a reply.

Rulesets Information

ipv4 Firewall "forward filter"

Rule Action Protocol Packets Bytes Conditions
1 accept all 0 0 ct state { established, related } accept
2 drop all 0 0 ct state invalid
default drop all 0 0

ipv4 Firewall "input filter"

Rule Action Protocol Packets Bytes Conditions
1 accept all 63 4504 ct state { established, related } accept
2 drop all 0 0 ct state invalid
100 accept all 0 0 icmp type echo-request accept
200 accept tcp_udp 0 0 meta l4proto { tcp, udp } th dport 53 accept
800 accept tcp 0 0 tcp dport 22 ip saddr 192.168.11.0/24 prefix "[ipv4-INP-filter-800-A]" accept
default drop all 21 9832

ipv4 Firewall "name IOT_to_LAN"

Rule Action Protocol Packets Bytes Conditions
10 accept all 0 0 ct state { established, related } accept
11 drop all 0 0 ct state invalid
default drop all 0 0

ipv4 Firewall "name IOT_to_LOCAL"

Rule Action Protocol Packets Bytes Conditions
200 accept tcp_udp 0 0 meta l4proto { tcp, udp } th dport 53 accept
default drop all 0 0

ipv4 Firewall "name IOT_to_WAN"

Rule Action Protocol Packets Bytes Conditions
300 accept tcp_udp 0 0 meta l4proto { tcp, udp } th dport 443 accept
default drop all 0 0

ipv4 Firewall "name LAN_to_IOT"

Rule Action Protocol Packets Bytes
default accept all 0 0

ipv4 Firewall "name LAN_to_LOCAL"

Rule Action Protocol Packets Bytes Conditions
100 accept all 0 0 icmp type echo-request accept
200 accept tcp_udp 0 0 meta l4proto { tcp, udp } th dport 53 accept
800 accept tcp 63 4504 tcp dport 22 prefix "[ipv4-NAM-LAN_to_LOCAL-800-A]" accept
default drop all 0 0

ipv4 Firewall "name LAN_to_WAN"

Rule Action Protocol Packets Bytes Conditions
1000 accept all 0 0 accept
default accept all 0 0

ipv4 Firewall "name LOCAL_to_IOT"

Rule Action Protocol Packets Bytes
default accept all 0 0

ipv4 Firewall "name LOCAL_to_LAN"

Rule Action Protocol Packets Bytes
default accept all 36 6528

ipv4 Firewall "name LOCAL_to_WAN"

Rule Action Protocol Packets Bytes
default accept all 0 0

ipv4 Firewall "name WAN_to_IOT"

Rule Action Protocol Packets Bytes Conditions
10 accept all 0 0 ct state { established, related } accept
11 drop all 0 0 ct state invalid
default drop all 0 0

ipv4 Firewall "name WAN_to_LAN"

Rule Action Protocol Packets Bytes Conditions
10 accept all 0 0 ct state { established, related } accept
11 drop all 0 0 ct state invalid
default drop all 0 0

ipv4 Firewall "name WAN_to_LOCAL"

Rule Action Protocol Packets Bytes Conditions
10 accept all 0 0 ct state { established, related } accept
11 drop all 0 0 ct state invalid
default drop all 0 0

ipv4 Firewall "output filter"

Rule Action Protocol Packets Bytes
default accept all 36 6528

EDIT: Ping to local IP addresses works now. Now I’m getting a new “ping reply”: 192.168.x.x destination host unreachable

Since I’ve set global-options ping enable I do not believe I forgot a rule to set, no?

Oh, and I’m using a static route at the moment:

set protocols static route 0.0.0.0/0 next-hop 192.168.10.10
Should I switch over to OSPF or something else?

I am using a simple topology like:

INTERNET ↔ Router ↔ VyOS —> LAN , IOT

Can you share your conf?

firewall {
    global-options {
        all-ping "enable"
        broadcast-ping "disable"
        ip-src-route "disable"
        log-martians "enable"
        receive-redirects "disable"
        send-redirects "enable"
        source-validation "disable"
        syn-cookies "enable"
        twa-hazards-protection "disable"
    }
    ipv4 {
        forward {
            filter {
                default-action "drop"
                default-log
                rule 1 {
                    action "accept"
                    state "established"
                    state "related"
                }
                rule 2 {
                    action "drop"
                    state "invalid"
                }
            }
        }
        input {
            filter {
                default-action "drop"
                default-log
                rule 1 {
                    action "accept"
                    state "established"
                    state "related"
                }
                rule 2 {
                    action "drop"
                    state "invalid"
                }
                rule 100 {
                    action "accept"
                    description "allow ping"
                    icmp {
                        type-name "echo-request"
                    }
                }
                rule 200 {
                    action "accept"
                    description "allow dns"
                    destination {
                        port "53"
                    }
                    protocol "tcp_udp"
                }
                rule 800 {
                    action "accept"
                    description "allow ssh from LAN"
                    destination {
                        port "22"
                    }
                    log
                    protocol "tcp"
                    source {
                        address "192.168.11.0/24"
                    }
                }
            }
        }
        name IOT_to_LAN {
            default-action "drop"
            default-log
            rule 10 {
                action "accept"
                description "allow return traffic from LAN"
                state "related"
                state "established"
            }
            rule 11 {
                action "drop"
                description "drop invalid packets"
                state "invalid"
            }
        }
        name IOT_to_LOCAL {
            rule 200 {
                action "accept"
                description "allow DNS"
                destination {
                    port "53"
                }
                protocol "tcp_udp"
            }
        }
        name IOT_to_WAN {
            default-action "drop"
            default-log
            rule 300 {
                action "accept"
                description "allow HTTPS to Internet from IOT"
                destination {
                    port "443"
                }
                protocol "tcp_udp"
            }
        }
        name LAN_to_IOT {
            default-action "accept"
        }
        name LAN_to_LOCAL {
            rule 50 {
                action "accept"
                description "allow DHCP"
                destination {
                    port "67-68"
                }
                protocol "udp"
                source {
                    port "67-68"
                }
            }
            rule 100 {
                action "accept"
                description "allow ping"
                icmp {
                    type-name "echo-request"
                }
            }
            rule 200 {
                action "accept"
                description "allow DNS"
                destination {
                    port "53"
                }
                protocol "tcp_udp"
            }
            rule 800 {
                action "accept"
                description "allow SSH from LAN"
                destination {
                    port "22"
                }
                log
                protocol "tcp"
            }
            rule 1000 {
                action "accept"
                description "allow traffic to Internet"
                destination {
                    address-mask "0.0.0.0"
                }
            }
        }
        name LAN_to_WAN {
            default-action "accept"
            default-log
            rule 1000 {
                action "accept"
                description "allow all from LAN to INTERNET"
            }
        }
        name LOCAL_to_IOT {
            default-action "accept"
        }
        name LOCAL_to_LAN {
            default-action "accept"
            default-log
        }
        name LOCAL_to_WAN {
            default-action "accept"
        }
        name WAN_to_IOT {
            rule 10 {
                action "accept"
                description "allow return traffic from Internet to IOT"
                state "established"
                state "related"
            }
            rule 11 {
                action "drop"
                description "drop invalid"
                state "invalid"
            }
        }
        name WAN_to_LAN {
            rule 10 {
                action "accept"
                description "allow return traffic from Internet to LAN"
                state "established"
                state "related"
            }
            rule 11 {
                action "drop"
                description "drop invalid"
                state "invalid"
            }
        }
        name WAN_to_LOCAL {
            default-action "drop"
            default-log
            rule 10 {
                action "accept"
                description "allow established/related traffic"
                protocol "all"
                state "established"
                state "related"
            }
            rule 11 {
                action "drop"
                description "drop traffic with invalid packets"
                state "invalid"
            }
        }
        output {
            filter {
                default-action "accept"
            }
        }
    }
    zone IOT {
        default-action "drop"
        default-log
        from LAN {
            firewall {
                name "LAN_to_IOT"
            }
        }
        from LOCAL {
            firewall {
                name "LOCAL_to_IOT"
            }
        }
        from WAN {
            firewall {
                name "WAN_to_IOT"
            }
        }
        interface "eth2"
    }
    zone LAN {
        default-log
        from IOT {
            firewall {
                name "IOT_to_LAN"
            }
        }
        from LOCAL {
            firewall {
                name "LOCAL_to_LAN"
            }
        }
        from WAN {
            firewall {
                name "WAN_to_LAN"
            }
        }
        interface "eth0"
    }
    zone LOCAL {
        from IOT {
            firewall {
                name "IOT_to_LOCAL"
            }
        }
        from LAN {
            firewall {
                name "LAN_to_LOCAL"
            }
        }
        from WAN {
            firewall {
                name "WAN_to_LOCAL"
            }
        }
        local-zone
    }
    zone WAN {
        default-action "drop"
        default-log
        from IOT {
            firewall {
                name "IOT_to_WAN"
            }
        }
        from LAN {
            firewall {
                name "LAN_to_WAN"
            }
        }
        from LOCAL {
            firewall {
                name "LOCAL_to_WAN"
            }
        }
        interface "eth1"
    }
}
interfaces {
    ethernet eth0 {
        address "192.168.11.100/24"
        description "LAN"
        hw-id "bc:24:11:7a:16:ee"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth1 {
        address "192.168.10.2/24"
        description "WAN"
        hw-id "bc:24:11:64:71:fb"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth2 {
        address "192.168.20.1/24"
        description "IOT"
        hw-id "bc:24:11:1c:39:b8"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    loopback lo {
    }
}
nat {
    source {
        rule 100 {
            description "NAT for all local interfaces to WAN"
            source {
                address "!192.168.10.0/24"
            }
            translation {
                address "masquerade"
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            interface eth1 {
            }
            next-hop 192.168.10.10 {
            }
        }
    }
}
service {
    dns {
        forwarding {
            allow-from "192.168.0.0/16"
            listen-address "192.168.11.1"
            listen-address "192.168.20.1"
            listen-address "127.0.0.1"
            name-server 4.2.2.2 {
            }
        }
    }
    lldp {
        interface eth0 {
        }
        interface eth2 {
        }
        management-address "192.168.11.100"
    }
    ntp {
        allow-client {
            address "127.0.0.0/8"
            address "169.254.0.0/16"
            address "10.0.0.0/8"
            address "172.16.0.0/12"
            address "192.168.0.0/16"
            address "::1/128"
            address "fe80::/10"
            address "fc00::/7"
        }
        server 192.53.103.108 {
        }
    }
    ssh {
        port "22"
    }
}
system {
    config-management {
        commit-revisions "100"
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sqlnet
        }
    }
    console {
        device ttyS0 {
            speed "115200"
        }
    }
    host-name "VyOSFW"
    login {
        user demji {
            authentication {
                encrypted-password "xxxxx"
            }
        }
    }
    option {
        keyboard-layout "de"
        ssh-client {
            source-interface "eth0"
        }
        time-format "24-hour"
    }
    syslog {
        global {
            facility all {
                level "info"
            }
            facility local7 {
                level "debug"
            }
        }
    }
}


// Warning: Do not remove the following line.
// vyos-config-version: "bgp@5:broadcast-relay@1:cluster@2:config-management@1:conntrack@5:conntrack-sync@2:container@2:dhcp-relay@2:dhcp-server@11:dhcpv6-server@6:dns-dynamic@4:dns-forwarding@4:firewall@17:flow-accounting@1:https@7:ids@1:interfaces@33:ipoe-server@4:ipsec@13:isis@3:l2tp@9:lldp@2:mdns@1:monitoring@1:nat@8:nat66@3:ntp@3:openconnect@3:openvpn@4:ospf@2:pim@1:policy@8:pppoe-server@11:pptp@5:qos@3:quagga@11:reverse-proxy@2:rip@1:rpki@2:salt@1:snmp@3:ssh@2:sstp@6:system@28:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.5-rolling-202412060007

never mind… now ping works to internet as well. I have no clue what changed in the meantime.


You can use:

set firewall global-options all-ping 'enable'
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'

and don't need to create this rule:

rule 10 {
    action "accept"
    description "allow established/related traffic"
    protocol "all"
    state "established"
    state "related"
}

That policy is global and applies to all rules (including all zones).
