OPNsense Forum
English Forums => General Discussion => Topic started by: TheChickenMan on February 28, 2021, 06:38:00 pm
-
I'm familiar with the general rules processing order as discussed in the manual: Auto Generated -> Floating -> Groups -> Interfaces. I'm just not sure how this holds if an interface is added to more than one group.
Group_LAN (containing interface: LAN, LAB)
Allow ALL
Group_LAB (containing interface: LAN, LAB)
Block ALL
What exactly would happen here? Does it execute in alphabetical order by group name or something? Is it just bad policy to put an interface into more than one group?
-
Well, I managed to figure it out after making some test interface groups and rules. It apparently uses alphabetical order by group name.
In my previous example therefore the packets would be blocked as "Group_LAB" comes before "Group_LAN" in alphabetical ordering. I think though that I probably should avoid this where possible since it just doesn't feel like it's really a best practice.
-
Got the same problem. Thanks for the test.
Another example could be wanting some rules for all interfaces and some rules for a subset only.
Group_A: LAN1, LAN2, LAN3, DMZ1, DMZ2
Group_B: LAN1, LAN2, LAN3
The sort is now based on the 'name'.
Maybe a good point to be confirmed by a dev and to be documented.
-
I have now posted this feature request about the issue: https://github.com/opnsense/core/issues/6471
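
Added example, not part of the forum thread and not OPNsense code: a small Python audit of the behaviour reported above, listing which groups each interface belongs to and flagging interfaces whose verdict depends on group names. It assumes the alphabetical ordering the posters observed, first-match (quick) rules, and one catch-all rule per group; the function names and data layout are hypothetical.

```python
# Added example: models the ordering reported in this thread, not OPNsense code.
from collections import defaultdict

# Constructed sample data taken from the two examples in the thread.
GROUPS = {
    "Group_LAN": ["LAN", "LAB"],
    "Group_LAB": ["LAN", "LAB"],
    "Group_A": ["LAN1", "LAN2", "LAN3", "DMZ1", "DMZ2"],
    "Group_B": ["LAN1", "LAN2", "LAN3"],
}
# One catch-all rule per group; None means the group has no catch-all rule.
CATCH_ALL = {"Group_LAN": "pass", "Group_LAB": "block",
             "Group_A": None, "Group_B": None}


def groups_by_interface(groups):
    """Map each interface to the groups containing it, sorted by group name.

    Assumption: a plain string sort stands in for the "alphabetical order by
    group name" observed in the thread; it is not taken from OPNsense code.
    """
    index = defaultdict(list)
    for name, members in groups.items():
        for iface in members:
            index[iface].append(name)
    return {iface: sorted(names) for iface, names in index.items()}


def effective_action(iface, groups, catch_all):
    """First catch-all rule hit for iface (assumes quick, first-match rules)."""
    for name in groups_by_interface(groups).get(iface, []):
        if catch_all.get(name):
            return name, catch_all[name]
    return None, None


def name_dependent_interfaces(groups, catch_all):
    """Interfaces whose verdict would change if their groups were renamed."""
    flagged = {}
    for iface, names in groups_by_interface(groups).items():
        actions = {catch_all[n] for n in names if catch_all.get(n)}
        if len(actions) > 1:
            flagged[iface] = names
    return flagged


if __name__ == "__main__":
    for iface, names in sorted(name_dependent_interfaces(GROUPS, CATCH_ALL).items()):
        print(iface, "->", names, "=>", effective_action(iface, GROUPS, CATCH_ALL))
```

Interfaces that appear in the flagged set are the ones where renaming a group would silently flip a pass into a block or the reverse, so those are the memberships to review first.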