Installed the most recent rolling release (1.3-rolling-202004070629). Testing out the VRF implementation with zone-based firewalling. Attaching "eth0" (default VRF) to "MGMT" and "eth1" (TEST VRF) to "SERVER", and "LOCAL" for the local-zone. I create firewall names with only "rule 1 action accept", just for testing purposes. Once I commit, I am no longer able to communite with anything behind the SERVER zone (TEST VRF). When I try to ping the eth1 interface address, sourcing from the "TEST" vrf, it shows "operation not permitted", thus getting blocked by the firewall local-zone. See config below.
set firewall name local-out rule 1 action 'accept' set firewall name mgmt-to-local rule 1 action 'accept' set firewall name mgmt-to-server rule 1 action 'accept' set firewall name server-to-local rule 1 action 'accept' set firewall name server-to-mgmt rule 1 action 'accept' set interfaces ethernet eth0 address '172.16.1.90/24' set interfaces ethernet eth1 address '172.16.2.90/24' set interfaces ethernet eth1 vrf 'TEST' set interfaces loopback lo set protocols static route 0.0.0.0/0 next-hop 172.16.1.1 set protocols vrf TEST static route 0.0.0.0/0 next-hop 172.16.2.1 set service ssh set system config-management commit-revisions '100' set system console device ttyS0 speed '115200' set system host-name 'vyos' set system login user vyos authentication encrypted-password '$6$umXxrvZsb9nMOb0W$iBIzrXZUm4Ysa8fDplNALXvOHYnYYx9aBiv2UN.xkIn5C03r4s3g82apczZxMk8OZFxRxvGsU5VkaIDatuHy1.' set vrf name TEST table '100' set zone-policy zone LOCAL default-action 'drop' set zone-policy zone LOCAL from MGMT firewall name 'mgmt-to-local' set zone-policy zone LOCAL from SERVER firewall name 'server-to-local' set zone-policy zone LOCAL local-zone set zone-policy zone MGMT default-action 'drop' set zone-policy zone MGMT from LOCAL firewall name 'local-out' set zone-policy zone MGMT from SERVER firewall name 'server-to-mgmt' set zone-policy zone MGMT interface 'eth0' set zone-policy zone SERVER default-action 'drop' set zone-policy zone SERVER from LOCAL firewall name 'local-out' set zone-policy zone SERVER from MGMT firewall name 'mgmt-to-server' set zone-policy zone SERVER interface 'eth1'