# NAT & Firewall

Version key: [1.3+], [1.4+] and [1.5+] mark the minimum VyOS release a feature requires.

VyOS uses a zone-based firewall model [1.4+]: you define zones, assign interfaces to them, then write rules between zones. This scales far better than interface-based rules.
## The Zone Model

```
WAN ──▶ LOCAL    (traffic TO the router)
LAN ──▶ LAN/WAN  (traffic BETWEEN interfaces)
```

- LOCAL zone: traffic destined to the router itself (SSH, DNS, management)
- From LAN zone: traffic from the LAN zone to WAN/LOCAL
- From WAN zone: traffic from WAN to LAN/LOCAL

[1.3] users: in VyOS 1.3 the firewall uses interface-based rules (no zones). The equivalent is `set firewall name WAN_IN rule ...`, bound to an interface with `set interfaces ethernet eth0 firewall in name WAN_IN`. The zone model in 1.4+ is a superset: same concepts, cleaner syntax.
## Firewall: Basic Setup

### Define Zone Structure

```
# LAN zone
set zone-policy zone LAN default-action drop
set zone-policy zone LAN interface eth1
set zone-policy zone LAN interface eth1.10   # VLAN 10
set zone-policy zone LAN interface eth1.20   # VLAN 20

# WAN zone
set zone-policy zone WAN default-action drop
set zone-policy zone WAN interface eth0

# LOCAL zone (the router itself); needed before any policy "to LOCAL" will commit
set zone-policy zone LOCAL local-zone
```

### LAN to WAN (allow outbound)

```
# Allow LAN → WAN
set firewall ipv4 name LAN-to-WAN default-action accept
set firewall ipv4 name LAN-to-WAN rule 10 action accept
set firewall ipv4 name LAN-to-WAN rule 10 state established enable
set firewall ipv4 name LAN-to-WAN rule 10 state related enable

# Apply to zone-policy
set zone-policy zone LAN to WAN firewall ipv4 name LAN-to-WAN
```

### LAN to LOCAL (allow management)

```
set firewall ipv4 name LAN-to-LOCAL default-action drop
set firewall ipv4 name LAN-to-LOCAL rule 10 action accept
set firewall ipv4 name LAN-to-LOCAL rule 10 state established enable
set firewall ipv4 name LAN-to-LOCAL rule 10 state related enable
set firewall ipv4 name LAN-to-LOCAL rule 20 action accept
set firewall ipv4 name LAN-to-LOCAL rule 20 protocol icmp
set firewall ipv4 name LAN-to-LOCAL rule 30 action accept
set firewall ipv4 name LAN-to-LOCAL rule 30 destination port 22
set firewall ipv4 name LAN-to-LOCAL rule 30 protocol tcp
set firewall ipv4 name LAN-to-LOCAL rule 40 action accept
set firewall ipv4 name LAN-to-LOCAL rule 40 destination port 53
set firewall ipv4 name LAN-to-LOCAL rule 40 protocol udp

set zone-policy zone LAN to LOCAL firewall ipv4 name LAN-to-LOCAL
```

### WAN to LOCAL (protect the router)

```
set firewall ipv4 name WAN-to-LOCAL default-action drop
set firewall ipv4 name WAN-to-LOCAL rule 10 action accept
set firewall ipv4 name WAN-to-LOCAL rule 10 state established enable
set firewall ipv4 name WAN-to-LOCAL rule 10 state related enable
set firewall ipv4 name WAN-to-LOCAL rule 20 action drop
set firewall ipv4 name WAN-to-LOCAL rule 20 state invalid enable

# Allow SSH only from a specific IP
set firewall ipv4 name WAN-to-LOCAL rule 30 action accept
set firewall ipv4 name WAN-to-LOCAL rule 30 destination port 22
set firewall ipv4 name WAN-to-LOCAL rule 30 protocol tcp
set firewall ipv4 name WAN-to-LOCAL rule 30 source address 203.0.113.99/32

set zone-policy zone WAN to LOCAL firewall ipv4 name WAN-to-LOCAL
```

### WAN to LAN (block inbound)

```
set firewall ipv4 name WAN-to-LAN default-action drop
set firewall ipv4 name WAN-to-LAN rule 10 action accept
set firewall ipv4 name WAN-to-LAN rule 10 state established enable
set firewall ipv4 name WAN-to-LAN rule 10 state related enable

set zone-policy zone WAN to LAN firewall ipv4 name WAN-to-LAN
```

## Source NAT (Masquerade) [1.3+]
For IPv4 with private LAN IPs, NAT traffic out the WAN interface:

```
# SNAT: masquerade all LAN traffic
set nat source rule 100 outbound-interface name eth0
set nat source rule 100 source address 192.168.0.0/16
set nat source rule 100 translation address masquerade

# SNAT: specific static IP
set nat source rule 200 outbound-interface name eth0
set nat source rule 200 source address 10.0.10.0/24
set nat source rule 200 translation address 203.0.113.10
```

### Exclude from NAT (hairpin/internal)

Source NAT rules are evaluated in rule-number order and the first match wins, so an exclusion has to be numbered below the masquerade rule it carves out of:

```
# Rule 90 is matched before the masquerade rule 100: LAN-to-LAN traffic is left untranslated
set nat source rule 90 destination address 192.168.0.0/16
set nat source rule 90 exclude
```

## Destination NAT (Port Forwarding) [1.3+]

Forward an external port to an internal host:

```
# Port forward 80/443 to internal web server
# No translation port: each external port maps to the same port on the server (443 stays 443)
set nat destination rule 10 description 'Web Server'
set nat destination rule 10 destination port 80,443
set nat destination rule 10 inbound-interface name eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 192.168.1.100

# Port forward a different external port
set nat destination rule 20 description 'SSH to jumpbox'
set nat destination rule 20 destination port 2222
set nat destination rule 20 inbound-interface name eth0
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 192.168.1.50
set nat destination rule 20 translation port 22
```

## Firewall Groups [1.4+]
Use address/network/port groups for cleaner rules:

```
# Network group
set firewall group network-group TRUSTED_NETS network 192.168.1.0/24
set firewall group network-group TRUSTED_NETS network 10.0.0.0/24

# Address group
set firewall group address-group WEB_SERVERS address 192.168.1.100
set firewall group address-group WEB_SERVERS address 192.168.1.101

# Port group
set firewall group port-group WEB_PORTS port 80
set firewall group port-group WEB_PORTS port 443

# Use in rules
set firewall ipv4 name LAN-to-LOCAL rule 50 action accept
set firewall ipv4 name LAN-to-LOCAL rule 50 source group network-group TRUSTED_NETS
set firewall ipv4 name LAN-to-LOCAL rule 50 destination group port-group WEB_PORTS
set firewall ipv4 name LAN-to-LOCAL rule 50 protocol tcp
```

## Useful knobs

```
# Enable state-policy globally
set firewall state-policy established action accept
set firewall state-policy related action accept
set firewall state-policy invalid action drop

# Rate limiting (ICMP flood protection)
set firewall ipv4 name WAN-to-LOCAL rule 15 action accept
set firewall ipv4 name WAN-to-LOCAL rule 15 protocol icmp
set firewall ipv4 name WAN-to-LOCAL rule 15 limit burst 5
set firewall ipv4 name WAN-to-LOCAL rule 15 limit rate 10/minute

# Log drops (careful: noisy on WAN)
set firewall ipv4 name WAN-to-LOCAL rule 999 action drop
set firewall ipv4 name WAN-to-LOCAL rule 999 log enable
```

Verify what is loaded and which rules are actually being hit:

```
show firewall name LAN-to-LOCAL statistics
show nat source statistics
show nat destination statistics
show zone-policy zone LAN
show log firewall
```
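A lint pass over the pitfalls from the WAN-to-LOCAL, SNAT-exclude and port-forward sections above, as an added example that is neither VyOS tooling nor this page's own code. It parses `set` commands from a constructed sample config (three deliberate mistakes) and reports a WAN-facing ruleset that accepts SSH from any source, an exclude rule numbered after the masquerade rule, and several external ports squashed onto one translation port; ruleset names starting with `WAN-to-` are an assumed naming convention taken from the page.

```python
"""Lint VyOS 1.4-style 'set' commands for the NAT/firewall pitfalls covered above.
Added example, not VyOS tooling; SAMPLE is a constructed config with three mistakes."""
from collections import defaultdict

SAMPLE = """\
set firewall ipv4 name WAN-to-LOCAL default-action drop
set firewall ipv4 name WAN-to-LOCAL rule 30 action accept
set firewall ipv4 name WAN-to-LOCAL rule 30 destination port 22
set nat source rule 100 translation address masquerade
set nat source rule 200 destination address 192.168.0.0/16
set nat source rule 200 exclude
set nat destination rule 10 destination port 80,443
set nat destination rule 10 translation port 80
"""

def parse(text):
    """Map (table, name) -> {rule_no: {key: value}}; bare flags like 'exclude' get True."""
    rules, defaults = defaultdict(lambda: defaultdict(dict)), {}
    for t in (ln.split() for ln in text.splitlines() if ln.strip()):
        if t[1] == "firewall" and t[5] == "default-action":
            defaults[t[4]] = t[6]
            continue
        table, tail = (("fw", t[4]), t[5:]) if t[1] == "firewall" else (("nat", t[2]), t[3:])
        rest = tail[2:]  # tokens after 'rule <N>': 'action accept', 'exclude', ...
        rules[table][int(tail[1])][" ".join(rest[:-1]) or rest[0]] = rest[-1] if len(rest) > 1 else True
    return rules, defaults

def audit(text):
    """Return findings as strings; an empty list means every check passed."""
    rules, defaults = parse(text)
    out = []
    for (table, name), rs in rules.items():
        if table != "fw" or not name.startswith("WAN-to-"):
            continue
        if defaults.get(name) != "drop":
            out.append(f"{name}: WAN-facing ruleset without default-action drop")
        for n, r in sorted(rs.items()):  # accept for port 22 with no source restriction
            if r.get("action") == "accept" and r.get("destination port") == "22" \
                    and not any(k.startswith("source") for k in r):
                out.append(f"{name} rule {n}: SSH accepted from any WAN source")
    snat = rules.get(("nat", "source"), {})
    masq = [n for n, r in snat.items() if r.get("translation address") == "masquerade"]
    for n, r in snat.items():  # SNAT runs in rule order: exclude must sort before masquerade
        if "exclude" in r and masq and n > min(masq):
            out.append(f"nat source rule {n}: exclude is evaluated after masquerade rule {min(masq)}")
    for n, r in rules.get(("nat", "destination"), {}).items():
        if "," in r.get("destination port", "") and "translation port" in r:
            out.append(f"nat destination rule {n}: several external ports mapped to one translation port")
    return out
```

Feed it the output of `show configuration commands | match 'firewall|nat'` from a real box to get the same report for a live config.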