Upgrade from 1.3.4 with this configuration; the management interface is in a VRF and has no firewall rules configured.

```
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group address-group PEERING address '10.10.10.2'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name WAN-IN default-action 'accept'
set firewall name WAN-IN enable-default-log
set firewall name WAN-IN rule 1 action 'accept'
set firewall name WAN-IN rule 1 source group address-group 'PEERING'
set firewall name WAN-IN rule 2 action 'drop'
set firewall name WAN-IN rule 2 destination port '179'
set firewall name WAN-IN rule 2 log 'enable'
set firewall name WAN-IN rule 2 protocol 'tcp_udp'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'loose'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '192.168.146.202/24'
set interfaces ethernet eth0 description 'MGMT'
set interfaces ethernet eth0 vrf 'mgmt'
set interfaces ethernet eth2 vif 1000 address '10.10.10.1/24'
set interfaces ethernet eth2 vif 1000 firewall local name 'WAN-IN'
set protocols vrf mgmt static route 0.0.0.0/0 next-hop 192.168.146.250
set service ssh disable-host-validation
set service ssh listen-address '192.168.146.202'
set service ssh vrf 'mgmt'
set vrf name mgmt description 'MGMT Netz'
set vrf name mgmt table '101'
```
After the migration this is the config:

```
set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'loose'
set firewall global-options syn-cookies 'enable'
set firewall global-options twa-hazards-protection 'disable'
set firewall group address-group PEERING address '10.10.10.2'
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 inbound-interface name 'eth2.1000'
set firewall ipv4 input filter rule 10 jump-target 'WAN-IN'
set firewall ipv4 name WAN-IN default-action 'return'
set firewall ipv4 name WAN-IN default-log
set firewall ipv4 name WAN-IN rule 1 action 'return'
set firewall ipv4 name WAN-IN rule 1 source group address-group 'PEERING'
set firewall ipv4 name WAN-IN rule 2 action 'drop'
set firewall ipv4 name WAN-IN rule 2 destination port '179'
set firewall ipv4 name WAN-IN rule 2 log
set firewall ipv4 name WAN-IN rule 2 protocol 'tcp_udp'
set interfaces ethernet eth0 address '192.168.146.202/24'
set interfaces ethernet eth0 description 'MGMT'
set interfaces ethernet eth0 vrf 'mgmt'
set interfaces ethernet eth2 vif 1000 address '10.10.10.1/24'
set service ssh disable-host-validation
set service ssh listen-address '192.168.146.202'
set service vrf 'mgmt'
set vrf name mgmt description 'MGMT Netz'
set vrf name mgmt protocols static route 0.0.0.0/0 next-hop 192.168.146.250
set vrf name mgmt table '101'
```
This ends in blocking all traffic to eth0 (ICMP and SSH).

I tried deleting some global options, and the problem is the global source validation:

```
set firewall global-options source-validation 'loose'
```

If I delete the source validation, everything is fine with the mgmt VRF interface.

Also, if I deactivate the VRF on the interface, everything is fine.
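The workaround the post describes (drop the global reverse-path check, keep eth0 in the VRF), together with the checks a practitioner would run to confirm which mechanism is doing the dropping. This is an added example, not part of the original post and not from the VyOS project; the addresses and VRF name are taken from the post, and the assumption that `source-validation` is backed by either the kernel `rp_filter` sysctl or an nftables `fib` rule is mine and should be confirmed on the running system.

```text
# Configure mode: remove only the global reverse-path check, keep eth0 in vrf 'mgmt'
configure
delete firewall global-options source-validation
commit
save
exit

# Op mode: reachability test from inside the mgmt VRF (next-hop from the post)
ping 192.168.146.250 vrf mgmt

# Op mode: see how source validation is enforced once it is re-enabled.
# Assumption: it is either the kernel sysctl (strict=1, loose=2) ...
sudo sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.eth0.rp_filter
# ... or an nftables reverse-path (fib) rule; if so, a VRF-enslaved interface
# is where a fib lookup against the wrong routing table would first show up.
sudo nft list ruleset | grep -n -B3 -A1 fib

# Confirm eth0 really is enslaved to the VRF and has the expected route table
ip vrf show
ip route show vrf mgmt
```

If the `sysctl` output shows `rp_filter` at 0 while the `nft` output contains a `fib saddr ... oif` rule, the check lives in nftables; re-test ICMP/SSH to 192.168.146.202 after each single change so the failing mechanism is isolated, as the post did by deleting global options one at a time.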