
Make firewall groups work everywhere that's appropriate
Closed, Resolved | Public | FEATURE REQUEST

Description

Coming from other platforms, it's a bit of a disconnect that the firewall groups aren't usable universally. There might be other places where it could be appropriate to use them, but NAT is one that comes to mind.

For example:

set firewall group network-group PRIVATE-NETWORKS network '10.0.0.0/8'
set firewall group network-group PRIVATE-NETWORKS network '192.168.0.0/16'
set firewall group network-group PRIVATE-NETWORKS network '172.16.0.0/12'

It would be nice to have something like:

set nat source rule 102 outbound-interface 'eth0'
set nat source rule 102 source network-group PRIVATE-NETWORKS
set nat source rule 102 translation address 'masquerade'

Obviously the same could apply for port-groups, address-groups, etc.

Details

Difficulty level
Hard (possibly days)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

syncer triaged this task as Normal priority. Dec 21 2018, 10:28 AM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

ipsec policies, policy prefix-lists,

Viacheslav added a project: VyOS 1.4 Sagitta.
Viacheslav changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
Viacheslav set Is it a breaking change? to Unspecified (possibly destroys the router).
sarthurdev changed the task status from Open to In progress. Nov 3 2022, 7:41 PM
sarthurdev claimed this task.
sarthurdev moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.
sarthurdev added a subscriber: sarthurdev.
sarthurdev moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.