Internal/LAN Filter Rule Examples

Basic Rules for a Permissive LAN

In typical deployments, rules on internal interfaces are generally permissive, allowing local clients to communicate freely with the outside world.

This rule allows clients on LAN to reach any destination:

tnsr(config)# vpf filter ruleset LAN-filter
tnsr(config-vpf-filter-ruleset)# description Filter Rules for LAN
tnsr(config-vpf-filter-ruleset)# rule 10
tnsr(config-vpf-filter-rule)# description Allow LAN inbound to Any destination
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# from ipv4-prefix 172.16.1.0/24
tnsr(config-vpf-filter-rule)# exit

This rule allows connections from TNSR itself, as well as connections allowed by rules on other interfaces, to reach hosts on LAN.

tnsr(config-vpf-filter-ruleset)# rule 20
tnsr(config-vpf-filter-rule)# description Pass outbound from TNSR to LAN
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction out
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# to ipv4-prefix 172.16.1.0/24
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# exit

The rules must be activated for the LAN interface in VPF Options:

tnsr(config)# vpf options
tnsr(config-vpf-option)# interface LAN filter-ruleset LAN-filter
tnsr(config-vpf-option)# exit

Allow DHCP Server Traffic

Even with the previous rules being fairly relaxed, they are not permissive enough to act as a DHCP server. The DHCP client discovery and request procedure uses addresses that are not a part of the local network since clients do not have an address initially. For example, the initial client request comes from a special source address of 0.0.0.0 to the broadcast destination of 255.255.255.255. The source address does not lie inside of the LAN subnnet, 172.16.1.0/24, so it is not passed by the previous rules. Likewise, DHCP requests may be sent to the interface address on TNSR but the source may not necessarily be a valid address in the local subnet. So both of these must be allowed specifically over and above the previous rules.

The following rules allow clients on the local LAN to reach the DHCP server on TNSR:

tnsr(config)# vpf filter ruleset LAN-filter
tnsr(config-vpf-filter-ruleset)# rule 30
tnsr(config-vpf-filter-rule)# description Allow DHCP Discovery
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# from ipv4-prefix 0.0.0.0/32
tnsr(config-vpf-filter-rule)# from port 68
tnsr(config-vpf-filter-rule)# to port 67
tnsr(config-vpf-filter-rule)# to ipv4-prefix 255.255.255.255/32
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# rule 31
tnsr(config-vpf-filter-rule)# description Allow DHCP Requests
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# from port 68
tnsr(config-vpf-filter-rule)# to port 67
tnsr(config-vpf-filter-rule)# to ipv4-prefix 172.16.1.1/32
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# exit

Strict LAN Rules

If the LAN rules use a more strict approach, only allowing specific traffic, or more likely, being strict about connections to TNSR itself, then rules must be added to allow clients to reach other services on TNSR.

This rule allow clients on the local LAN to reach the DNS Resolver on TNSR:

tnsr(config)# vpf filter ruleset LAN-filter
tnsr(config-vpf-filter-ruleset)# rule 40
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# from ipv4-prefix 172.16.1.0/24
tnsr(config-vpf-filter-rule)# to ifaddrs LAN
tnsr(config-vpf-filter-rule)# to port 53
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# exit