I was testing ZBF + VRF again in the 1.5 stream 2025Q2 with https://vyos.dev/T6841 / https://github.com/vyos/vyos-1x/pull/4180 merged. I ran into the same issue mentioned by @senthilnaidu in https://forum.vyos.io/t/firewall-local-zone-with-mgmt-vrf/15752/6. I have the global-options state-policy for established/related set to accept, but the ZBF did not work until I added the same established/related accept rules to the rule-set that is applied on the return path.
Testing was performed by pinging the VyOS host xxx.xxx.10.50 from xxx.xxx.10.4, both in the same /23 subnet, which belongs to "vrf mgmt" on the VyOS host.
This is the baseline config that does not work (the ping is received at the VyOS host, but no reply is sent):
```
set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'disable'
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'accept'
set firewall global-options state-policy related action 'accept'
set firewall global-options syn-cookies 'enable'
set firewall global-options twa-hazards-protection 'disable'
set firewall ipv4 name accept-all default-action 'return'
set firewall ipv4 name mgmt-local default-action 'drop'
set firewall ipv4 name mgmt-local default-log
set firewall ipv4 name mgmt-local rule 900 action 'accept'
set firewall ipv4 name mgmt-local rule 900 protocol 'icmp'
set firewall ipv4 name net-local default-action 'drop'
set firewall ipv4 name net-local default-log
set firewall ipv4 name net-local rule 900 action 'return'
set firewall ipv4 name net-local rule 900 description 'icmp'
set firewall ipv4 name net-local rule 900 protocol 'icmp'
set firewall ipv4 name net-nos default-action 'drop'
set firewall ipv4 name net-nos default-log
set firewall ipv4 name net-nos rule 900 action 'return'
set firewall ipv4 name net-nos rule 900 protocol 'icmp'
set firewall ipv6 name accept-all-6 default-action 'return'
set firewall ipv6 name net-local-6 default-action 'drop'
set firewall ipv6 name net-local-6 default-log
set firewall ipv6 name net-local-6 rule 900 action 'return'
set firewall ipv6 name net-local-6 rule 900 description 'icmp'
set firewall ipv6 name net-local-6 rule 900 protocol 'ipv6-icmp'
set firewall ipv6 name net-nos-6 default-action 'drop'
set firewall ipv6 name net-nos-6 default-log
set firewall ipv6 name net-nos-6 rule 900 action 'return'
set firewall ipv6 name net-nos-6 rule 900 description 'icmp'
set firewall ipv6 name net-nos-6 rule 900 protocol 'ipv6-icmp'
set firewall zone local default-action 'reject'
set firewall zone local description 'Local zone'
set firewall zone local from mgmt firewall name 'mgmt-local'
set firewall zone local from net firewall ipv6-name 'net-local-6'
set firewall zone local from net firewall name 'net-local'
set firewall zone local from nos firewall ipv6-name 'accept-all-6'
set firewall zone local from nos firewall name 'accept-all'
set firewall zone local local-zone
set firewall zone mgmt from local firewall name 'accept-all'
set firewall zone mgmt member vrf 'mgmt'
set firewall zone net default-action 'reject'
set firewall zone net description 'NET zone'
set firewall zone net from local firewall ipv6-name 'accept-all-6'
set firewall zone net from local firewall name 'accept-all'
set firewall zone net from nos firewall ipv6-name 'accept-all-6'
set firewall zone net from nos firewall name 'accept-all'
set firewall zone net member interface 'eth1'
set firewall zone nos default-action 'reject'
set firewall zone nos description 'NOS zone'
set firewall zone nos from local firewall ipv6-name 'accept-all-6'
set firewall zone nos from local firewall name 'accept-all'
set firewall zone nos from net firewall ipv6-name 'net-nos-6'
set firewall zone nos from net firewall name 'net-nos'
set firewall zone nos member interface 'eth2'
set firewall zone nos member interface 'eth3'
set high-availability vrrp group NOS address xxx.xxx.34.1/24
set high-availability vrrp group NOS interface 'eth2'
set high-availability vrrp group NOS priority '70'
set high-availability vrrp group NOS vrid '2'
set high-availability vrrp sync-group sync member 'NOS'
set interfaces ethernet eth0 address 'xxx.xxx.10.4/23'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth0 vrf 'mgmt'
set interfaces ethernet eth1 address 'xxx.xxx.32.34/24'
set interfaces ethernet eth1 address 'xxxx:xxxx:d822:100::34/64'
set interfaces ethernet eth1 description 'NET'
set interfaces ethernet eth1 ipv6 dup-addr-detect-transmits '1'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 offload gso
set interfaces ethernet eth1 offload sg
set interfaces ethernet eth1 offload tso
set interfaces ethernet eth2 address 'xxx.xxx.34.4/24'
set interfaces ethernet eth2 address 'xxxx:xxxx:d822:120::4/64'
set interfaces ethernet eth2 description 'NOS'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:b2'
set interfaces ethernet eth2 ipv6 dup-addr-detect-transmits '1'
set interfaces ethernet eth2 offload gro
set interfaces ethernet eth2 offload gso
set interfaces ethernet eth2 offload sg
set interfaces ethernet eth2 offload tso
set interfaces ethernet eth3 address 'xxx.xxx.254.10/24'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:7d'
set interfaces ethernet eth3 offload gro
set interfaces ethernet eth3 offload gso
set interfaces ethernet eth3 offload sg
set interfaces ethernet eth3 offload tso
set interfaces loopback lo
set service conntrack-sync accept-protocol 'tcp'
set service conntrack-sync accept-protocol 'udp'
set service conntrack-sync accept-protocol 'icmp'
set service conntrack-sync accept-protocol 'icmp6'
set service conntrack-sync failover-mechanism vrrp sync-group 'sync'
set service conntrack-sync interface eth2
set service conntrack-sync mcast-group 'xxx.xxx.0.50'
set service dhcp-relay interface 'eth1'
set service dhcp-relay interface 'eth2'
set service dhcp-relay relay-options relay-agents-packets 'discard'
set service dhcp-relay server 'xxx.xxx.255.67'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/0'
set service ntp allow-client xxxxxx '::/0'
set service ntp server xxxxx.tld
set service router-advert interface eth2 interval max '600'
set service router-advert interface eth2 name-server 'xxxx:xxxx:d822:ff00::53:2'
set service router-advert interface eth2 prefix ::/64 preferred-lifetime '86400'
set service router-advert interface eth2 prefix ::/64 valid-lifetime '604800'
set service router-advert interface eth2 reachable-time '0'
set service router-advert interface eth2 retrans-timer '0'
set service ssh disable-password-authentication
set service ssh vrf 'mgmt'
set system config-management commit-revisions '100'
set system conntrack
set system console device ttyS0
set system domain-name xxxxxx
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx key xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx type 'ecdsa-sha2-nistp384'
set system name-server 'xxx.xxx.255.54'
set system syslog local facility all level 'info'
set system syslog local facility local7 level 'debug'
set system time-zone 'America/New_York'
set vrf name mgmt table '100'
```
The config works as expected once I add the following rules to the return-path rule-set:
```
set firewall ipv4 name accept-all rule 1 action 'accept'
set firewall ipv4 name accept-all rule 1 state 'established'
set firewall ipv4 name accept-all rule 2 action 'accept'
set firewall ipv4 name accept-all rule 2 state 'related'
```