Firewalld failure

Hello,

Here is my problem, to which I have no solution although I have tried everything. We have a public server that accepts ssh connections from the public and we want to forward ssh to another internal server, and at the same time, if the ssh is from a specific VLAN, let's say 10.16.20.X/24, to accept logins locally and not forward them.
TCP forwarding is working fine, but logging in locally is not. I have tried all combinations, adding rich rules in the external zone, adding rules to direct.xml, but nothing works.
Any suggestions please? Should I stop firewalld and try nftables?

Thank you in advance
M.

First, you can always check the actual ruleset that you have with:

nft list ruleset

For example, get ruleset, change something with FirewallD, and compare new ruleset to old to figure out how FirewallD implements your change.


A central piece of FirewallD thinking is zone. A zone is two things:

  1. A group of other machines
  2. Rules for those machines

You have now at least three groups of machines:

  1. External machines on public inet
  2. Internal machines inside
  3. Machines on 10.16.20.0/24

You want the zone of group #1 to have a port-forward to internal server.
You want the zone of group #3 to not have port-forward.

Create new zone for the VLAN. Maybe by copy of external?

Thank you for your answer. Just to clarify that the server has only one network interface, which is assigned to the external zone. How can I create a second zone without an interface?

A zone may have interfaces and sources. (If it has none, then it is not in use.)
Every interface (with an IP address) has to be in some zone, but a zone does not need an interface.
There is an --add-source option. See man firewall-cmd.
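The layout the replies describe, written out as an added example (this is not code from the thread): the interface stays in the external zone, which keeps the ssh forward-port, and a second zone bound only to a source subnet takes the VLAN and allows ssh locally. firewalld matches a packet against zone sources before zone interfaces, so traffic from 10.16.20.0/24 lands in the VLAN zone even though the only interface is in external. The zone name vlan-ssh, the internal ssh host 192.0.2.10 and the assumption that external already has masquerading (its default) are mine. By default the script only prints the firewall-cmd calls (DRY_RUN=1); run it as root with DRY_RUN=0 to apply them.

```sh
#!/bin/sh
# Added example, not from the thread. Two firewalld zones on a one-interface host:
#   external  - bound to the interface, forwards public ssh to an internal server
#   vlan-ssh  - bound to a source subnet only, accepts ssh locally
# Names below are assumptions for illustration.
set -eu

VLAN_ZONE="${VLAN_ZONE:-vlan-ssh}"           # assumed zone name
VLAN_NET="${VLAN_NET:-10.16.20.0/24}"        # VLAN prefix from the question
INTERNAL_HOST="${INTERNAL_HOST:-192.0.2.10}" # assumed internal ssh server
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Permanent configuration; a new zone can only be created with --permanent,
# so everything is written to the permanent config and then reloaded.
configure_zones() {
    # The VLAN zone is keyed on a source, so it needs no interface at all.
    run firewall-cmd --permanent --new-zone="$VLAN_ZONE"
    run firewall-cmd --permanent --zone="$VLAN_ZONE" --add-source="$VLAN_NET"
    # Allow ssh in the VLAN zone; no forward-port here, so sshd answers locally.
    run firewall-cmd --permanent --zone="$VLAN_ZONE" --add-service=ssh
    # The public side keeps the DNAT. external has masquerading on by default,
    # which the forward needs for replies to return through this host.
    run firewall-cmd --permanent --zone=external \
        --add-forward-port=port=22:proto=tcp:toaddr="$INTERNAL_HOST"
    run firewall-cmd --reload
}

# Checks a practitioner would run afterwards: the VLAN zone must show up as
# active with its source, and the nft ruleset must dispatch on that source
# ahead of the interface match for external.
show_state() {
    run firewall-cmd --get-active-zones
    run firewall-cmd --zone="$VLAN_ZONE" --list-all
    run nft list ruleset
}

configure_zones
show_state
```

In the resulting ruleset, look for the zone dispatch chains: the rule matching `ip saddr 10.16.20.0/24` for vlan-ssh appears before the `iifname` rule for external in both the filter and nat prerouting dispatch, which is why the VLAN traffic never reaches the forward-port rule.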