
Problem with connectivity to SSH running in VRF
Open, High, Public, BUG

Description

We have a physical router (Lannerinc) running VyOS 1.5-Q2.
The device is relying on BGP for routing purposes (not in config, not relevant for the problem)
and therefore using a separate VRF for management purposes.

We are using zone-based firewall approach on the device.

So far in version 1.5-Q2 it is working great.
Today I tried to upgrade the device but was not able to connect to SSH after the reboot.
The connections via management card to the machine did not bring up any problems.

I was able to capture incoming SSH attempts via tcpdump from a neighbor device within the same management network.
Unfortunately, I was not able to see any answers on any interface (even the non-vrf interfaces).

An outgoing arping was working, so the network in general seems to work.
The routing tables for the default instance and the VRF instance were also looking good.

During troubleshooting I checked the release notes (blog article) for Version 2025.11 and I saw that there was a change: T7452.

The simplified configuration looks like the following:

firewall {
    global-options {
        ipv6-receive-redirects disable
        ipv6-src-route disable
        ip-src-route disable
        log-martians enable
        receive-redirects disable
        send-redirects enable
        source-validation disable
        syn-cookies enable
    }
    ipv4 {
        name ALLOW_ALL_4 {
            default-action drop
            rule 10 {
                action accept
            }
        }
    }
    zone Firewall {
        default-action drop
        from MGMT {
            firewall {
                name ALLOW_ALL_4
            }
        }
        local-zone
    }
    zone MGMT {
        default-action drop
        description "Management Access"
        from Firewall {
            firewall {
                name ALLOW_ALL_4
            }
        }
        member {
            interface MGMT
            vrf MGMT
        }
    }
}
interfaces {
    ethernet eth12 {
        address 100.68.1.9/24
        vrf MGMT
    }
    loopback lo {
    }
}
service {
    lldp {
        interface all {
        }
        legacy-protocols {
            cdp
        }
    }
    ssh {
        port 22
        vrf MGMT
    }
}
system {
    host-name cr-gw-09
    option {
        reboot-on-upgrade-failure 5
    }
    sysctl {
        parameter net.ipv4.fib_multipath_hash_policy {
            value 1
        }
        parameter net.ipv4.tcp_wmem {
            value "4096 87380 67108864"
        }
    }
    syslog {
        local {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
    time-zone Europe/Berlin
}
vrf {
    name MGMT {
        protocols {
            static {
                route 0.0.0.0/0 {
                    next-hop 100.68.1.254 {
                    }
                }
            }
        }
        table 100
    }
}

Details

Version
Starting with 2025.11
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)
Forum thread
https://vyos-community.slack.com/archives/C01A6CJFW1F/p1767610192379499

Event Timeline

With the help of Taras Pudiak I was able to make a diff of the nft config, here are the differences:

Version 1.5-Q2:

table ip vyos_filter {
..
	chain VYOS_ZONE_FORWARD {
		..
		oifname "MGMT" counter jump VZONE_MGMT
		oifname "eth12" counter jump VZONE_MGMT
	}
..
	chain VZONE_Firewall_OUT {
		..
		oifname "MGMT" counter jump NAME_ALLOW_ALL_4
		oifname "MGMT" counter return
		oifname "eth12" counter jump NAME_ALLOW_ALL_4
		oifname "eth12" counter return
		..
	}
..
	chain VYOS_ZONE_FORWARD {
		..
		oifname "MGMT" counter jump VZONE_MGMT
		oifname "eth12" counter jump VZONE_MGMT
	}
..
}

Version 2025.11:

table ip vyos_filter {
..
	chain VYOS_ZONE_FORWARD {
		..
		oifname "MGMT" counter jump VZONE_MGMT
		oifname "MGMT" counter jump VZONE_MGMT
	}
..
	chain VZONE_Firewall_OUT {
		..
		oifname "MGMT" counter jump NAME_ALLOW_ALL_4
		oifname "MGMT" counter return
		oifname "MGMT" counter jump NAME_ALLOW_ALL_4
		oifname "MGMT" counter return
		..
	}
..
	chain VYOS_ZONE_FORWARD {
		..
		oifname "MGMT" counter jump VZONE_MGMT
		oifname "MGMT" counter jump VZONE_MGMT
	}
..
}

In https://vyos.dev/T7452 davi2367 mentioned that the VZONE_LOCAL_IN (in my case VZONE_Firewall_IN) only has the interface but is missing the VRF. It seems as if this is not correct in the old and new version:
Version 1.5-Q2:

..
	chain VZONE_Firewall_IN {
		..
		iifname "MGMT" counter jump NAME_ALLOW_ALL_4
		iifname "MGMT" counter return
		iifname "MGMT" counter jump NAME_ALLOW_ALL_4
		iifname "MGMT" counter return
		..
	}
..

Version 2025.11:

..
	chain VZONE_Firewall_IN {
		..
		iifname "MGMT" counter jump NAME_ALLOW_ALL_4
		iifname "MGMT" counter return
		iifname "MGMT" counter jump NAME_ALLOW_ALL_4
		iifname "MGMT" counter return
		..
	}
..

I have not checked and tried to understand what his problem really was but for my use case, the fix made it worse.

IMHO it should look like:

	chain VZONE_Firewall_IN {
		..
		iifname "MGMT" counter jump NAME_ALLOW_ALL_4
		iifname "MGMT" counter return
		iifname "eth12" counter jump NAME_ALLOW_ALL_4
		iifname "eth12" counter return
		..
	}
..
	chain VYOS_ZONE_FORWARD {
		..
		oifname "MGMT" counter jump VZONE_MGMT
		oifname "eth12" counter jump VZONE_MGMT
	}
..
	chain VZONE_Firewall_OUT {
		..
		oifname "MGMT" counter jump NAME_ALLOW_ALL_4
		oifname "MGMT" counter return
		oifname "eth12" counter jump NAME_ALLOW_ALL_4
		oifname "eth12" counter return
		..
	}
..
	chain VYOS_ZONE_FORWARD {
		..
		oifname "MGMT" counter jump VZONE_MGMT
		oifname "eth12" counter jump VZONE_MGMT
	}

Taras helped me with the required tracing of the problem.
Attached is the nft trace output.

Test description:
An SSH connection was tried from another device (100.68.1.10) to the affected device (100.68.1.9)

A test with the current nightly build from 2026-01-05 has the same problem as version 2025.11.

I continued testing and stumbled over an interesting part:

In my config I had configured:

..
firewall {
    ..
    zone MGMT {
        ..
        member {
            interface MGMT
            vrf MGMT
        }
    }
}
..

So I tried just with member vrf MGMT but without success.
When I had a look at the code of the Jinja template I saw that the interfaces were rendered out without any test, so my next try was:

..
firewall {
    ..
    zone MGMT {
        ..
        member {
            interface eth12
            vrf MGMT
        }
    }
}
..

An error was displayed during commit:
WARNING: Interface eth12 assigned to zone MGMT is in VRF MGMT. This might not work as expected

But it is working with that approach!

So the question is: What is the correct approach after the changes (https://vyos.dev/rVYOSONEX3f58d529d6829df1750ec81d6161c02cc2529107)?

Should the warning be removed and the documentation adjusted, or is there still a problem that needs to be fixed?
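Added example (not part of this report and not VyOS's own template code): a small Python script that expands zone membership the way the "IMHO it should look like" chains above imply (a VRF member contributes the VRF device and every interface enslaved to it), renders the per-direction zone chain body, and audits a captured chain listing for duplicated rules and devices that never appear. The VRF-to-interface map is a constructed sample matching this report's config (on a real system it would be read from the VRF configuration), and the two chain texts in the self-check are transcribed from the nft diff posted above, so the 2025.11 chain is flagged for its duplicated MGMT rules and missing eth12 while the 1.5-Q2 chain passes.

```python
"""Expand zone members into nftables device names, render the zone chain
body, and audit a captured chain for duplicates and missing devices.

Added example, not VyOS code. VRF_MEMBERS is a constructed sample; the
chain texts below are transcribed from the nft diff in this report.
"""
import re
from collections import Counter

# Constructed sample matching the report's config: VRF MGMT enslaves eth12.
VRF_MEMBERS = {"MGMT": ["eth12"]}

# One zone-chain rule as printed by `nft list ruleset`.
RULE_RE = re.compile(
    r'^\s*(iifname|oifname)\s+"([^"]+)"\s+counter\s+(jump\s+\S+|return)\s*$'
)


def zone_devices(interfaces, vrfs, vrf_members=VRF_MEMBERS):
    """Return the device names nftables must match for a zone, in order and
    without duplicates. Explicit interfaces come first; each VRF adds the
    VRF device itself plus every interface enslaved to it."""
    devices = list(interfaces)
    for vrf in vrfs:
        devices.append(vrf)
        devices.extend(vrf_members.get(vrf, []))
    unique = []
    for dev in devices:
        if dev not in unique:
            unique.append(dev)
    return unique


def render_zone_chain(direction, devices, ruleset):
    """Render the body of a VZONE_<zone>_IN or _OUT style chain: for each
    device, jump to the policy ruleset, then return if it gave no verdict."""
    match = "iifname" if direction == "in" else "oifname"
    lines = []
    for dev in devices:
        lines.append(f'{match} "{dev}" counter jump {ruleset}')
        lines.append(f'{match} "{dev}" counter return')
    return lines


def audit_chain(chain_text, expected_devices):
    """Parse a captured chain body and return
    (rules that occur more than once, expected devices that never appear)."""
    rules = []
    for line in chain_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groups())
    counts = Counter(rules)
    duplicates = sorted(rule for rule, n in counts.items() if n > 1)
    present = {dev for _, dev, _ in rules}
    missing = [dev for dev in expected_devices if dev not in present]
    return duplicates, missing


# Transcribed from the report: VZONE_Firewall_OUT as rendered by each version.
CHAIN_OUT_15Q2 = """
    chain VZONE_Firewall_OUT {
        oifname "MGMT" counter jump NAME_ALLOW_ALL_4
        oifname "MGMT" counter return
        oifname "eth12" counter jump NAME_ALLOW_ALL_4
        oifname "eth12" counter return
    }
"""
CHAIN_OUT_2025_11 = """
    chain VZONE_Firewall_OUT {
        oifname "MGMT" counter jump NAME_ALLOW_ALL_4
        oifname "MGMT" counter return
        oifname "MGMT" counter jump NAME_ALLOW_ALL_4
        oifname "MGMT" counter return
    }
"""


def self_check():
    """Compare both captured chains against the rendering for the report's
    zone (member interface MGMT plus member vrf MGMT)."""
    devices = zone_devices(["MGMT"], ["MGMT"])
    expected = render_zone_chain("out", devices, "NAME_ALLOW_ALL_4")
    return {
        "devices": devices,
        "expected": expected,
        "1.5-Q2": audit_chain(CHAIN_OUT_15Q2, devices),
        "2025.11": audit_chain(CHAIN_OUT_2025_11, devices),
    }


if __name__ == "__main__":
    for name, result in self_check().items():
        print(name, result)
```

To check a live box, paste the body of `nft list chain ip vyos_filter VZONE_Firewall_OUT` into `audit_chain` with the device list from `zone_devices`; an empty `duplicates` list and an empty `missing` list means every member of the zone, VRF device and enslaved interfaces alike, has its own jump-and-return pair.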