We are setting up a new firewall based on RL9.3. Two interfaces, inside and outside. We put outside in the external zone, and inside in the internal zone. This means that the external zone does the masquerading.
This setup works fine on another firewall running RL8.x.
If we set up a DNS server on the RL9.3 firewall, it accepts connections and answers the queries. But traffic like ICMP going in on inside and then out on outside fails; see the network traffic below:
22:42:35.760684 IP 172.16.1.202 > 1.1.1.1: ICMP echo request, id 7, seq 1, length 64
22:42:35.760703 IP 172.16.1.254 > 172.16.1.202: ICMP host 1.1.1.1 unreachable - admin prohibited filter, length 92
22:42:36.772378 IP 172.16.1.202 > 1.1.1.1: ICMP echo request, id 7, seq 2, length 64
22:42:36.772390 IP 172.16.1.254 > 172.16.1.202: ICMP host 1.1.1.1 unreachable - admin prohibited filter, length 92
Failing firewall config below:-
external (active)
target: default
icmp-block-inversion: no
interfaces: outside
sources:
services: ssh
ports:
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal (active)
target: default
icmp-block-inversion: no
interfaces: ens1f0 inside
sources:
services: dhcp dns http https mdns ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Working RL8.x firewall config:-
external (active)
target: default
icmp-block-inversion: no
interfaces: outside
sources:
services: ssh
ports:
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal (active)
target: default
icmp-block-inversion: no
interfaces: inside
sources:
services: dhcp http mdns ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Any ideas would be appreciated
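The capture in the post has a telling shape: every echo request from 172.16.1.202 is answered within microseconds by 172.16.1.254 (assumed here to be the firewall's own inside address) with "host unreachable - admin prohibited filter". That is what a REJECT from the forwarding path of the box itself looks like, as opposed to a silent drop or an unreachable generated further upstream. The script below is an added example, not part of the post; it parses tcpdump lines of the form shown above, pairs each unreachable with the echo request it answers, and reports whether the rejections come from the gateway address. The sample capture is constructed from the four lines in the post, and the gateway address and the function names are assumptions of this example.

```python
import re

# Constructed sample: the four tcpdump lines from the post.
SAMPLE_CAPTURE = """\
22:42:35.760684 IP 172.16.1.202 > 1.1.1.1: ICMP echo request, id 7, seq 1, length 64
22:42:35.760703 IP 172.16.1.254 > 172.16.1.202: ICMP host 1.1.1.1 unreachable - admin prohibited filter, length 92
22:42:36.772378 IP 172.16.1.202 > 1.1.1.1: ICMP echo request, id 7, seq 2, length 64
22:42:36.772390 IP 172.16.1.254 > 172.16.1.202: ICMP host 1.1.1.1 unreachable - admin prohibited filter, length 92
"""

# Assumed: the firewall's address on the inside interface.
GATEWAY = "172.16.1.254"

ECHO_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo request, "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)
UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP host (?P<target>\S+) "
    r"unreachable - (?P<reason>.+?), length"
)


def _seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyse_capture(text, gateway):
    """Pair each ICMP unreachable with the echo request it answers.

    Returns one finding per unreachable: who sent it, whether that sender is
    the gateway, the sequence number of the rejected request and the delay.
    """
    pending = {}   # (src, dst) of an outstanding echo request -> (time, id, seq)
    findings = []
    for line in text.splitlines():
        m = ECHO_RE.match(line)
        if m:
            pending[(m["src"], m["dst"])] = (_seconds(m["ts"]), int(m["id"]), int(m["seq"]))
            continue
        m = UNREACH_RE.match(line)
        if m:
            # The unreachable is addressed to the pinging host and names the
            # original destination, so (dst, target) keys the request it answers.
            req = pending.pop((m["dst"], m["target"]), None)
            findings.append({
                "target": m["target"],
                "reason": m["reason"],
                "sender": m["src"],
                "from_gateway": m["src"] == gateway,
                "seq": req[2] if req else None,
                "delay_us": round((_seconds(m["ts"]) - req[0]) * 1e6) if req else None,
            })
    return findings


def verdict(findings):
    """'local-reject' when every rejection is an admin-prohibited reply from the
    gateway itself; 'upstream-reject' when some other host sent it."""
    if not findings:
        return "no-reject-seen"
    if all(f["from_gateway"] and f["reason"] == "admin prohibited filter" for f in findings):
        return "local-reject"
    return "upstream-reject"


if __name__ == "__main__":
    results = analyse_capture(SAMPLE_CAPTURE, GATEWAY)
    for f in results:
        print(f"seq {f['seq']}: {f['reason']} from {f['sender']} "
              f"(gateway={f['from_gateway']}, {f['delay_us']} us after request)")
    print("verdict:", verdict(results))
```

A "local-reject" verdict narrows the search to the firewall's own forward-path rules for traffic arriving on inside and leaving on outside; a reply from a later hop, or no reply at all, would point at the upstream network or at a DROP instead.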