The current firewall implementation on VyOS does not allow rules to be natively injected into the "raw" table of iptables or its nftables equivalent.
If we manually inject the rules via the post-boot script, functionality such as SSH/BGP etc. breaks and works at random, while the iptables counters remain at a clear "0".
MikroTik has a simplified logic that is both flexible and adaptable:
- They have an interface-list logic: we can create "LAN" containing local interfaces and "WAN" containing public interfaces, or any other combination (dynamic interfaces such as PPPoE clients can also be added to an interface list automatically)
- They allow native use of the input/forward/output chains in the filter table and also native use of the prerouting/output chains in the raw table
- We can then combine the above features to create comprehensive firewall rules that cover essentially all the bases.
Example:
https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall
We could always expose MikroTik-like iptables logic in the VyOS CLI while still converting it to nftables using scripts under the hood.
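As an added sketch (not code from the original post, from VyOS or from MikroTik) of the under-the-hood translation proposed above: hypothetical interface lists and MikroTik-style chain rules rendered into an nftables ruleset, with a raw-priority prerouting chain alongside filter-priority input and forward chains. The Rule model, the CHAIN_HOOKS table, the interface names and the sample addresses are all assumptions.

```python
from dataclasses import dataclass

# Hypothetical rule model (constructed for this example, not VyOS's data model).
@dataclass
class Rule:
    chain: str                # key of CHAIN_HOOKS, e.g. "raw-prerouting" or "input"
    iface_list: "str | None"  # interface-list name, or None for any interface
    match: str                # nft match fragment, "" for none
    action: str               # accept / drop / notrack
# MikroTik-style chains mapped to (nft hook, priority, default policy).
CHAIN_HOOKS = {
    "raw-prerouting": ("prerouting", "raw", "accept"),
    "input": ("input", "filter", "drop"),
    "forward": ("forward", "filter", "drop"),
}
def render_ruleset(iface_lists: dict, rules: list) -> str:
    lines = ["table inet vyos_like {"]
    for name, members in iface_lists.items():
        elems = ", ".join(f'"{m}"' for m in members)
        # nft rejects an empty elements block, so emit it only when populated
        body = f"type ifname; elements = {{ {elems} }}" if members else "type ifname;"
        lines.append(f"    set {name} {{ {body} }}")
    for chain, (hook, prio, policy) in CHAIN_HOOKS.items():
        chain_rules = [r for r in rules if r.chain == chain]
        if not chain_rules:
            continue
        lines.append(f"    chain {chain.replace('-', '_')} {{")
        lines.append(f"        type filter hook {hook} priority {prio}; policy {policy};")
        for r in chain_rules:
            parts = []
            if r.iface_list:
                if r.iface_list not in iface_lists:
                    raise ValueError(f"unknown interface list {r.iface_list!r}")
                parts.append(f"iifname @{r.iface_list}")  # match on the ingress interface set
            if r.match:
                parts.append(r.match)
            parts.append(r.action)
            lines.append("        " + " ".join(parts))
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines)
# Constructed sample: public interfaces in WAN, local ones in LAN.
IFACE_LISTS = {"WAN": ["eth0", "pppoe0"], "LAN": ["eth1", "eth2"]}
RULES = [
    Rule("raw-prerouting", "WAN", "ip saddr { 10.0.0.0/8, 127.0.0.0/8 }", "drop"),  # bogons, before conntrack
    Rule("input", None, "ct state established,related", "accept"),
    Rule("input", "LAN", "tcp dport { 22, 179 }", "accept"),  # SSH and BGP only from LAN
    Rule("forward", "LAN", "", "accept"),
]
```

Calling `render_ruleset(IFACE_LISTS, RULES)` yields text that can be fed to `nft -c -f` for a syntax check before loading.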