WAN Interface Filter Rules
These WAN interface rules control traffic flow into and out of the WAN interface. This example setup is focused on outbound client traffic, so apart from the explicit ICMP and VRRP rules below it does not allow any other inbound traffic.
Create Ruleset
Add the WAN filter ruleset on both nodes:
tnsr(config)# vpf filter ruleset WAN-filter
tnsr(config-vpf-filter-ruleset)# description Filter rules for WAN
Allow ICMP
This rule allows ICMP inbound for diagnostic and network control purposes:
tnsr(config-vpf-filter-ruleset)# rule 10
tnsr(config-vpf-filter-rule)# description Allow ICMP inbound
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol icmp
tnsr(config-vpf-filter-rule)# exit
Allow VRRP
These rules allow VRRP to communicate inbound and outbound to ensure both nodes can exchange heartbeats:
tnsr(config-vpf-filter-ruleset)# rule 20
tnsr(config-vpf-filter-rule)# description Allow VRRP inbound
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol vrrp
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# rule 21
tnsr(config-vpf-filter-rule)# description Allow VRRP outbound
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction out
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol vrrp
tnsr(config-vpf-filter-rule)# exit
Note
The VRRP rules could be more strict, allowing only a source of the peer interface IP address and/or a destination of 224.0.0.18.
Do not use stateful on VRRP rules: VRRP is multicast and has no return traffic, so the state would never have traffic it can match.
Allow Egress Traffic
This rule passes outbound traffic, both traffic originated by TNSR itself and traffic routed through TNSR that egresses via the WAN interface. It is stateful, so replies to that traffic are allowed back in without a matching inbound rule:
tnsr(config-vpf-filter-ruleset)# rule 1000
tnsr(config-vpf-filter-rule)# description Pass outbound from TNSR to any destination
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction out
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# exit
Activate Ruleset
Exit out to complete the ruleset:
tnsr(config-vpf-filter-ruleset)# exit
Next, activate the WAN filter ruleset:
tnsr(config)# vpf options
tnsr(config-vpf-option)# interface WAN filter-ruleset WAN-filter
tnsr(config-vpf-option)# exit
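To see what the finished ruleset actually does to traffic, the following toy filter model is added here as an example. It is not TNSR code and not part of the original page: it represents the four rules above as Python objects, pushes constructed packets through them, and shows that unsolicited inbound connections are dropped by the implicit default, that the stateful rules are what let replies back through, that the VRRP rules create no state, and what the Note's tightened VRRP rules (peer source, 224.0.0.18 destination) change. The assumptions are the first-match evaluation order, the implicit block for unmatched traffic, and the constructed documentation addresses 203.0.113.10 (this node), 203.0.113.11 (peer) and 198.51.100.7 (an Internet host).

```python
"""Toy packet-filter model of the WAN-filter ruleset (added example, not TNSR code).

Assumptions not taken from the page: first-match rule evaluation, an implicit
block for unmatched traffic, and the constructed addresses below.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

VRRP_GROUP = "224.0.0.18"                                 # VRRP multicast group
THIS_NODE, PEER_NODE = "203.0.113.10", "203.0.113.11"    # constructed addresses

FlowKey = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out", relative to the WAN interface
    proto: str                # "icmp", "tcp", "udp" or "vrrp"
    src: str
    dst: str
    sport: int = 0            # 0 for protocols without ports
    dport: int = 0


@dataclass
class Rule:
    seq: int                  # sequence number, as in 'rule 10'
    action: str               # "pass" or "block"
    direction: str
    proto: Optional[str] = None   # None means any protocol
    stateful: bool = False
    src: Optional[str] = None     # None means any source address
    dst: Optional[str] = None     # None means any destination address

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto in (None, pkt.proto)
                and self.src in (None, pkt.src)
                and self.dst in (None, pkt.dst))


class Filter:
    """Evaluates packets against a ruleset with a simple flow-state table."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.seq)
        self.state: Set[FlowKey] = set()

    def evaluate(self, pkt: Packet) -> str:
        # A packet that is the reverse of a known flow is a reply to traffic
        # a stateful rule already passed: it is allowed without a rule lookup.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "pass (state)"
        for rule in self.rules:                    # assumed first-match order
            if rule.matches(pkt):
                if rule.action == "pass" and rule.stateful:
                    self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return f"{rule.action} (rule {rule.seq})"
        return "block (default)"                   # nothing matched: implicit deny


def wan_filter(strict_vrrp: bool = False) -> Filter:
    """The page's WAN-filter ruleset; strict_vrrp applies the Note's tightening."""
    vrrp_dst = VRRP_GROUP if strict_vrrp else None
    return Filter([
        Rule(10, "pass", "in", proto="icmp", stateful=True),
        # VRRP is multicast with no return traffic, so stateful stays off:
        # a state entry would be created but never matched.
        Rule(20, "pass", "in", proto="vrrp",
             src=PEER_NODE if strict_vrrp else None, dst=vrrp_dst),
        Rule(21, "pass", "out", proto="vrrp",
             src=THIS_NODE if strict_vrrp else None, dst=vrrp_dst),
        Rule(1000, "pass", "out", stateful=True),
    ])


def run_demo(strict_vrrp: bool = False) -> dict:
    """Pushes a handful of constructed packets through the filter."""
    f = wan_filter(strict_vrrp)
    internet = "198.51.100.7"                      # constructed Internet host
    return {
        # unsolicited inbound SSH: no rule matches, implicit block
        "ssh_in": f.evaluate(Packet("in", "tcp", internet, THIS_NODE, 51515, 22)),
        # inbound ping and its reply (the reply passes on state, not on a rule)
        "ping_in": f.evaluate(Packet("in", "icmp", internet, THIS_NODE)),
        "ping_reply_out": f.evaluate(Packet("out", "icmp", THIS_NODE, internet)),
        # outbound HTTPS and the server's reply: rule 1000 creates the state
        "https_out": f.evaluate(Packet("out", "tcp", THIS_NODE, internet, 40000, 443)),
        "https_reply_in": f.evaluate(Packet("in", "tcp", internet, THIS_NODE, 443, 40000)),
        # VRRP advertisements from the peer, from a stranger, and from this node
        "vrrp_from_peer": f.evaluate(Packet("in", "vrrp", PEER_NODE, VRRP_GROUP)),
        "vrrp_from_stranger": f.evaluate(Packet("in", "vrrp", internet, VRRP_GROUP)),
        "vrrp_out": f.evaluate(Packet("out", "vrrp", THIS_NODE, VRRP_GROUP)),
    }


if __name__ == "__main__":
    for name, verdict in run_demo(strict_vrrp=True).items():
        print(f"{name:20} {verdict}")
```

Running it with `strict_vrrp=False` reproduces the page's ruleset as written: the VRRP advertisement from the Internet host is passed by rule 20, which is exactly the gap the Note describes. With `strict_vrrp=True` that packet falls through to the implicit block while the peer's advertisement still passes.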