Rule enable doesn't block active traffic

[MS52390]

Hello All, kind of odd thing I am seeing with my FW:

I have WAN and LAN interfaces configured to block traffic from one specific LAN address to the rest of the LAN network (but still allow to outside WAN). With the rule enabled, pings from this LAN address to the other LAN addresses are blocked - good. However, If I disable the rule, run a -t on the ping, then enable the rule...the pings don't get blocked. I also don't see the actual blocks in the logs. Odd or just something I have set wrong?

[bartjsmit]

This is because OPNsense is a stateful firewall. https://en.wikipedia.org/wiki/Stateful_firewall

Not a bug - this behaviour is by design ;-)

Bart...

[chemlud]

...would love to see your set of rules for both, WAN and LAN.

[MS52390]

...would love to see your set of rules for both, WAN and LAN.

Nothing is needed on the WAN side. On the LAN side, it's just a simple Block action, source: LAN, destination: LAN, source addr: single address: <VM IP>

This is because OPNsense is a stateful firewall. https://en.wikipedia.org/wiki/Stateful_firewall

Not a bug - this behaviour is by design ;-)

Bart...

I have seen other stateful firewalls conduct said action just fine. I'm not so sure it has to do with the type of firewall it is.

[chemlud]

An a LAN (= bunch of devices on a dumb switch) the traffic from LAN_IP A to LAN_IP B will never hit the router/firewall (except for the case that the router/firewall is either LAN_IP A or LAN_IP B). So I don't see how this should work at all...