Make firewall groups work everywhere that's appropriate
Open, Normal | Public | FEATURE REQUEST

Description

Coming from other platforms, it's a bit of a disconnect that the firewall groups aren't usable universally. There might be other places where it could be appropriate to use them, but NAT is one that comes to mind.

For example:

set firewall group network-group PRIVATE-NETWORKS network '10.0.0.0/8'
set firewall group network-group PRIVATE-NETWORKS network '192.168.0.0/16'
set firewall group network-group PRIVATE-NETWORKS network '172.16.0.0/12'

It would be nice to have something like:

set nat source rule 102 outbound-interface 'eth0'
set nat source rule 102 source network-group PRIVATE-NETWORKS
set nat source rule 102 translation address 'masquerade'

Obviously the same could apply for port-groups, address-groups, etc.

Details

Difficulty level
Hard (possibly days)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

syncer triaged this task as Normal priority. Dec 21 2018, 10:28 AM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

ipsec policies, policy prefix-lists,

Viacheslav added a project: VyOS 1.4 Sagitta.
Viacheslav changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
Viacheslav set Is it a breaking change? to Unspecified (possibly destroys the router).