When a host sends a packet to the router, the packet ingresses through the VRRP interface. But when the router sends traffic to the host, traffic egresses through the parent interface or virtual interface.

The firewall rule sets for the VRRP interface and the physical interface are independent. Specifically, packet-filtering rules applied to incoming traffic on the parent interface are not applied to traffic arriving on the VRRP interface. When designing firewall rule sets for incoming traffic, make sure you apply an appropriate rule set for your VRRP interface; otherwise, all incoming traffic is unfiltered.

The example in Filtering on source IP address shows how to define a simple firewall rule set, FWTEST-1, which filters on source IP address. The following example shows how to apply the same rule set to inbound traffic on the VRRP interface. In this example, the dp0p1p3 interface is already configured. Specifically:

• It is a member of VRRP group 15.
• It has rule set FWTEST-1 applied for inbound traffic.

To apply the rule set to the VRRP interface, perform the following steps in configuration mode.

vyatta@R1# show interfaces

 dataplane dp0p160p1 {
     address 10.1.32.73/24
     mtu 1500
 }
 dataplane dp0p192p1 {
     address 10.10.10.3/24
     address 2014:14::3/64
     mtu 1500
     vrrp {
         vrrp-group 10 {
             virtual-address 10.10.10.50
         }
     }
 }
 dataplane dp0p224p1 {
     address 192.168.1.1/24
     ip {
     }
     mtu 1500
 }
 dataplane dp0p256p1 {
     address 20.20.20.3/24
     address 2020:20::3/64
     mtu 1500
 }
 loopback lo {
     ipv6 {
     }
 }

vyatta@R1# set interfaces dataplane dp0p192p1 firewall in NEGATED-EXAMPLE

vyatta@R1# commit

vyatta@R1# show interfaces dataplane dp0p192p1

 address 172.16.1.20/24
 firewall {
        in FWTEST-1
 }
 mtu 1500
 vrrp {
     vrrp-group 15 {
        advertise-interval 1
        preempt true
        sync-group test
        virtual-address 172.16.1.25
  }
}