When a zone-based firewall is configured on a system where an interface has multiple IP addresses assigned, traffic sourced from the second (secondary) IP address fails to communicate.
`ping -I <secondary IP> <destination>` fails, even when every zone-to-zone policy (including to and from the local zone) is pointed at an accept-all ANYANY rule set.
vyos@KSC-RBX-RTR001# show firewall { all-ping enable broadcast-ping disable config-trap disable group { network-group NET-IPSECHOME { network 10.255.0.4/30 } network-group NET-WAN { network WAN.PREFIX.0/27 } network-group SERVER-LAN { network 10.101.0.0/26 } network-group vlans { network 10.101.0.0/26 } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name ANYANY { default-action accept enable-default-log } name SERVER100-WAN { default-action drop enable-default-log rule 1 { action accept state { established enable related enable } } rule 2 { action drop state { invalid enable } } rule 100 { action accept protocol icmp } rule 200 { action accept destination { port 80,443 } protocol tcp } rule 9999 { action drop } } name WAN-LOCAL { default-action drop rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 100 { action accept log enable protocol ICMP } rule 200 { action accept destination { port 22 } log enable protocol tcp } rule 300 { action accept protocol esp } rule 301 { action accept destination { port 500 } protocol udp } rule 302 { action accept destination { port 4500 } protocol udp } rule 303 { action accept destination { port 1701 } ipsec { match-ipsec } protocol udp } rule 9999 { action drop log enable } } name WAN-SERVER100 { default-action drop rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 9999 { action drop log enable } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable twa-hazards-protection disable } interfaces { ethernet eth0 { address WAN.PREFIX.29/27 address WAN.PREFIX.28/27 description WAN duplex auto hw-id fa:cd:49:76:d3:49 smp-affinity auto speed auto } ethernet eth1 { duplex auto hw-id 9e:e9:04:a2:e9:c2 smp-affinity auto speed auto vif 100 { address 10.101.0.1/26 description "Server LAN" } 
} loopback lo { } vti vti0 { address 10.255.0.6/30 description "IPsec to HOME" } } nat { source { rule 2000 { description "1-to-1 example" outbound-interface eth0 source { address 10.101.0.2 } translation { address WAN.PREFIX.28 } } rule 9001 { outbound-interface eth0 source { address 10.101.0.0/26 } translation { address WAN.PREFIX.29 } } } } protocols { static { interface-route 10.100.251.0/24 { next-hop-interface vti0 { } } interface-route 10.255.0.0/30 { next-hop-interface vti0 { } } route 0.0.0.0/0 { next-hop WAN.PREFIX.30 { } } } } service { ssh { port 22 } } system { config-management { commit-revisions 100 } console { device ttyS0 { speed 9600 } } domain-name corp.kisaracorporation.com host-name KSC-RBX-RTR001 login { user vyos { authentication { encrypted-password plaintext-password "" } level admin } } ntp { server 0.pool.ntp.org { } server 1.pool.ntp.org { } server 2.pool.ntp.org { } } syslog { global { facility all { level info } facility protocols { level debug } } } time-zone UTC } vpn { ipsec { esp-group ESP-OVHLOCAL { compression disable lifetime 3600 mode tunnel pfs dh-group5 proposal 1 { encryption aes128 hash sha1 } } ike-group IKE-OVHLOCAL { ikev2-reauth no key-exchange ikev1 lifetime 28800 proposal 1 { dh-group 5 encryption aes128 hash sha1 } } ipsec-interfaces { interface eth0 } site-to-site { peer IPV4REMOTESITE { authentication { mode pre-shared-secret pre-shared-secret } connection-type initiate description OVH-REMOTE ike-group IKE-OVHLOCAL ikev2-reauth inherit local-address WAN.PREFIX.29 vti { bind vti0 esp-group ESP-OVHLOCAL } } } } } zone-policy { zone IPSEC-HOME { from SERVER100 { firewall { name ANYANY } } from WAN { firewall { name ANYANY } } from local { firewall { name ANYANY } } interface vti0 } zone SERVER100 { from IPSEC-HOME { firewall { name ANYANY } } from WAN { firewall { name ANYANY } } from local { firewall { name ANYANY } } interface eth1.100 } zone WAN { from IPSEC-HOME { firewall { name ANYANY } } from SERVER100 { 
firewall { name ANYANY } } from local { firewall { name ANYANY } } interface eth0 } zone local { from IPSEC-HOME { firewall { name ANYANY } } from SERVER100 { firewall { name ANYANY } } from WAN { firewall { name ANYANY } } local-zone } } [edit] vyos@KSC-RBX-RTR001# sudo su - root@KSC-RBX-RTR001:~# iptables-save # Generated by iptables-save v1.4.21 on Mon Mar 11 19:25:29 2019 *nat :PREROUTING ACCEPT [42613:1616059] :INPUT ACCEPT [37242:1333934] :OUTPUT ACCEPT [1607:123524] :POSTROUTING ACCEPT [4138:303063] :VYATTA_PRE_DNAT_HOOK - [0:0] :VYATTA_PRE_SNAT_HOOK - [0:0] -A PREROUTING -j VYATTA_PRE_DNAT_HOOK -A POSTROUTING -j VYATTA_PRE_SNAT_HOOK -A POSTROUTING -s 10.101.0.2/32 -o eth0 -m comment --comment SRC-NAT-2000 -j SNAT --to-source WAN.PREFIX.28 -A POSTROUTING -s 10.101.0.0/26 -o eth0 -m comment --comment SRC-NAT-9001 -j SNAT --to-source WAN.PREFIX.29 -A VYATTA_PRE_DNAT_HOOK -j RETURN -A VYATTA_PRE_SNAT_HOOK -j RETURN COMMIT # Completed on Mon Mar 11 19:25:29 2019 # Generated by iptables-save v1.4.21 on Mon Mar 11 19:25:29 2019 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :ANYANY - [0:0] :SERVER100-WAN - [0:0] :VYATTA_FW_IN_HOOK - [0:0] :VYATTA_FW_LOCAL_HOOK - [0:0] :VYATTA_FW_OUT_HOOK - [0:0] :VYATTA_POST_FW_FWD_HOOK - [0:0] :VYATTA_POST_FW_IN_HOOK - [0:0] :VYATTA_POST_FW_OUT_HOOK - [0:0] :VYATTA_PRE_FW_FWD_HOOK - [0:0] :VYATTA_PRE_FW_IN_HOOK - [0:0] :VYATTA_PRE_FW_OUT_HOOK - [0:0] :VZONE_IPSEC-HOME - [0:0] :VZONE_SERVER100 - [0:0] :VZONE_WAN - [0:0] :VZONE_local_IN - [0:0] :VZONE_local_OUT - [0:0] :WAN-LOCAL - [0:0] :WAN-SERVER100 - [0:0] -A INPUT -j VYATTA_PRE_FW_IN_HOOK -A INPUT -j VYATTA_FW_LOCAL_HOOK -A INPUT -j VZONE_local_IN -A INPUT -j VYATTA_POST_FW_IN_HOOK -A FORWARD -j VYATTA_PRE_FW_FWD_HOOK -A FORWARD -j VYATTA_FW_IN_HOOK -A FORWARD -j VYATTA_FW_OUT_HOOK -A FORWARD -o vti0 -j VZONE_IPSEC-HOME -A FORWARD -o eth1.100 -j VZONE_SERVER100 -A FORWARD -o eth0 -j VZONE_WAN -A FORWARD -j VYATTA_POST_FW_FWD_HOOK -A OUTPUT -j 
VYATTA_PRE_FW_OUT_HOOK -A OUTPUT -j VZONE_local_OUT -A OUTPUT -j VYATTA_POST_FW_OUT_HOOK -A ANYANY -m comment --comment "ANYANY-10000 default-action accept" -j LOG --log-prefix "[ANYANY-default-A]" -A ANYANY -m comment --comment "ANYANY-10000 default-action accept" -j RETURN -A SERVER100-WAN -m comment --comment SERVER100-WAN-1 -m state --state RELATED,ESTABLISHED -j RETURN -A SERVER100-WAN -m comment --comment SERVER100-WAN-2 -m state --state INVALID -j DROP -A SERVER100-WAN -p icmp -m comment --comment SERVER100-WAN-100 -j RETURN -A SERVER100-WAN -p tcp -m comment --comment SERVER100-WAN-200 -m multiport --dports 80,443 -j RETURN -A SERVER100-WAN -m comment --comment SERVER100-WAN-9999 -j DROP -A SERVER100-WAN -m comment --comment "SERVER100-WAN-10000 default-action drop" -j LOG --log-prefix "[SERVER100-WAN-default-D]" -A SERVER100-WAN -m comment --comment "SERVER100-WAN-10000 default-action drop" -j DROP -A VYATTA_POST_FW_FWD_HOOK -j ACCEPT -A VYATTA_POST_FW_IN_HOOK -j ACCEPT -A VYATTA_POST_FW_OUT_HOOK -j ACCEPT -A VYATTA_PRE_FW_FWD_HOOK -j RETURN -A VYATTA_PRE_FW_IN_HOOK -j RETURN -A VYATTA_PRE_FW_OUT_HOOK -j RETURN -A VZONE_IPSEC-HOME -i vti0 -j RETURN -A VZONE_IPSEC-HOME -i eth1.100 -j ANYANY -A VZONE_IPSEC-HOME -i eth1.100 -j RETURN -A VZONE_IPSEC-HOME -i eth0 -j ANYANY -A VZONE_IPSEC-HOME -i eth0 -j RETURN -A VZONE_IPSEC-HOME -j DROP -A VZONE_SERVER100 -i eth1.100 -j RETURN -A VZONE_SERVER100 -i eth0 -j ANYANY -A VZONE_SERVER100 -i eth0 -j RETURN -A VZONE_SERVER100 -i vti0 -j ANYANY -A VZONE_SERVER100 -i vti0 -j RETURN -A VZONE_SERVER100 -j DROP -A VZONE_WAN -i eth0 -j RETURN -A VZONE_WAN -i eth1.100 -j ANYANY -A VZONE_WAN -i eth1.100 -j RETURN -A VZONE_WAN -i vti0 -j ANYANY -A VZONE_WAN -i vti0 -j RETURN -A VZONE_WAN -j DROP -A VZONE_local_IN -i lo -j RETURN -A VZONE_local_IN -i vti0 -j ANYANY -A VZONE_local_IN -i vti0 -j RETURN -A VZONE_local_IN -i eth0 -j ANYANY -A VZONE_local_IN -i eth0 -j RETURN -A VZONE_local_IN -i eth1.100 -j ANYANY -A VZONE_local_IN 
-i eth1.100 -j RETURN -A VZONE_local_IN -j DROP -A VZONE_local_OUT -o lo -j RETURN -A VZONE_local_OUT -o eth0 -j ANYANY -A VZONE_local_OUT -o eth0 -j RETURN -A VZONE_local_OUT -o vti0 -j ANYANY -A VZONE_local_OUT -o vti0 -j RETURN -A VZONE_local_OUT -o eth1.100 -j ANYANY -A VZONE_local_OUT -o eth1.100 -j RETURN -A VZONE_local_OUT -j DROP -A WAN-LOCAL -m comment --comment WAN-LOCAL-1 -m state --state RELATED,ESTABLISHED -j RETURN -A WAN-LOCAL -m comment --comment WAN-LOCAL-2 -m state --state INVALID -j LOG --log-prefix "[WAN-LOCAL-2-D] " -A WAN-LOCAL -m comment --comment WAN-LOCAL-2 -m state --state INVALID -j DROP -A WAN-LOCAL -p icmp -m comment --comment WAN-LOCAL-100 -j LOG --log-prefix "[WAN-LOCAL-100-A] " -A WAN-LOCAL -p icmp -m comment --comment WAN-LOCAL-100 -j RETURN -A WAN-LOCAL -p tcp -m comment --comment WAN-LOCAL-200 -m tcp --dport 22 -j LOG --log-prefix "[WAN-LOCAL-200-A] " -A WAN-LOCAL -p tcp -m comment --comment WAN-LOCAL-200 -m tcp --dport 22 -j RETURN -A WAN-LOCAL -p esp -m comment --comment WAN-LOCAL-300 -j RETURN -A WAN-LOCAL -p udp -m comment --comment WAN-LOCAL-301 -m udp --dport 500 -j RETURN -A WAN-LOCAL -p udp -m comment --comment WAN-LOCAL-302 -m udp --dport 4500 -j RETURN -A WAN-LOCAL -p udp -m comment --comment WAN-LOCAL-303 -m udp --dport 1701 -m policy --dir in --pol ipsec -j RETURN -A WAN-LOCAL -m comment --comment WAN-LOCAL-9999 -j LOG --log-prefix "[WAN-LOCAL-9999-D] " -A WAN-LOCAL -m comment --comment WAN-LOCAL-9999 -j DROP -A WAN-LOCAL -m comment --comment "WAN-LOCAL-10000 default-action drop" -j DROP -A WAN-SERVER100 -m comment --comment WAN-SERVER100-1 -m state --state RELATED,ESTABLISHED -j RETURN -A WAN-SERVER100 -m comment --comment WAN-SERVER100-2 -m state --state INVALID -j LOG --log-prefix "[WAN-SERVER100-2-D] " -A WAN-SERVER100 -m comment --comment WAN-SERVER100-2 -m state --state INVALID -j DROP -A WAN-SERVER100 -m comment --comment WAN-SERVER100-9999 -j LOG --log-prefix "[WAN-SERVER100-9999-D] " -A WAN-SERVER100 -m 
comment --comment WAN-SERVER100-9999 -j DROP -A WAN-SERVER100 -m comment --comment "WAN-SERVER100-10000 default-action drop" -j DROP COMMIT # Completed on Mon Mar 11 19:25:29 2019 # Generated by iptables-save v1.4.21 on Mon Mar 11 19:25:29 2019 *raw :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :FW_CONNTRACK - [0:0] :NAT_CONNTRACK - [0:0] :VYATTA_CT_HELPER - [0:0] :VYATTA_CT_IGNORE - [0:0] :VYATTA_CT_OUTPUT_HOOK - [0:0] :VYATTA_CT_PREROUTING_HOOK - [0:0] :VYATTA_CT_TIMEOUT - [0:0] -A PREROUTING -j VYATTA_CT_IGNORE -A PREROUTING -j VYATTA_CT_HELPER -A PREROUTING -j VYATTA_CT_TIMEOUT -A PREROUTING -j VYATTA_CT_PREROUTING_HOOK -A PREROUTING -j NAT_CONNTRACK -A PREROUTING -j FW_CONNTRACK -A PREROUTING -j NOTRACK -A OUTPUT -j VYATTA_CT_IGNORE -A OUTPUT -j VYATTA_CT_HELPER -A OUTPUT -j VYATTA_CT_TIMEOUT -A OUTPUT -j VYATTA_CT_OUTPUT_HOOK -A OUTPUT -j NAT_CONNTRACK -A OUTPUT -j FW_CONNTRACK -A OUTPUT -j NOTRACK -A FW_CONNTRACK -j ACCEPT -A NAT_CONNTRACK -j ACCEPT -A VYATTA_CT_HELPER -p tcp -m tcp --dport 1536 -j CT --helper tns -A VYATTA_CT_HELPER -p tcp -m tcp --dport 1525 -j CT --helper tns -A VYATTA_CT_HELPER -p tcp -m tcp --dport 1521 -j CT --helper tns -A VYATTA_CT_HELPER -p udp -m udp --dport 111 -j CT --helper rpc -A VYATTA_CT_HELPER -p tcp -m tcp --dport 111 -j CT --helper rpc -A VYATTA_CT_HELPER -j RETURN -A VYATTA_CT_IGNORE -j RETURN -A VYATTA_CT_OUTPUT_HOOK -j RETURN -A VYATTA_CT_PREROUTING_HOOK -j RETURN -A VYATTA_CT_TIMEOUT -j RETURN COMMIT # Completed on Mon Mar 11 19:25:29 2019 root@KSC-RBX-RTR001:~#