OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: rjdza on September 16, 2021, 09:33:56 pm

Title: Setting a firewall option without passing or rejecting traffic
Post by: rjdza on September 16, 2021, 09:33:56 pm
Hi all

I need to set a firewall option on all traffic coming into an interface (I need to set the reply-to field. I know I shouldn't need to, but I do.  I think it's a bug).

How do I add a rule that will set the option, but will not pass or block traffic otherwise, and will not interfere with pass or block rules added later?

Thanks in advance.

EDIT: Here is why I need to set reply-to for the entire interface: https://forum.opnsense.org/index.php?topic=24776.0
Title: Re: Setting a firewall option without passing or rejecting traffic
Post by: Patrick M. Hausen on September 16, 2021, 09:37:49 pm
What's the reply-to field in a networking context? I only know this in email.
Title: Re: Setting a firewall option without passing or rejecting traffic
Post by: rjdza on September 16, 2021, 09:45:21 pm
> What's the reply-to field in a networking context? I only know this in email.

It tells the firewall to add a field telling it which interface to send the replies out through.  This is used for multiwan where traffic should leave on the interface it came in on.

My setup has a peculiarity where for one type of link the default reply-to doesn't work.  It works for the rest of them, though, which is why I consider it a bug.
Title: Re: Setting a firewall option without passing or rejecting traffic
Post by: Patrick M. Hausen on September 16, 2021, 09:47:10 pm
Got it. Sorry, no clue.
Title: Re: Setting a firewall option without passing or rejecting traffic
Post by: Greelan on September 17, 2021, 01:26:47 am
AFAIK you can’t specify simply a “Match” action for a rule.

Can’t you just set the reply-to field on all the other rules?
Title: Re: Setting a firewall option without passing or rejecting traffic
Post by: muchacha_grande on September 17, 2021, 02:04:13 am
Try disabling the "Quick" option, so the action is not taken immediately. The firewall will continue evaluating the other rules until it reaches a quick rule or the last matching one.
Title: Re: Setting a firewall option without passing or rejecting traffic
Post by: Greelan on September 17, 2021, 02:16:54 am
Don’t see how that solves the issue? Only one of the rules will apply
Title: Re: Setting a firewall option without passing or rejecting traffic
Post by: Greelan on September 17, 2021, 03:01:15 am
OP - just a thought. If you configure the IPv4 upstream gateway for the relevant interface under the interface settings, does that achieve the outcome for you?
Title: Re: Setting a firewall option without passing or rejecting traffic
Post by: rjdza on September 17, 2021, 07:09:26 am
> AFAIK you can’t specify simply a “Match” action for a rule.
>
> Can’t you just set the reply-to field on all the other rules?

I can, but that creates layers of complexity because I cannot use floating rules or firewall IF groups.
Title: Re: Setting a firewall option without passing or rejecting traffic
Post by: rjdza on September 17, 2021, 07:13:00 am
> OP - just a thought. If you configure the IPv4 upstream gateway for the relevant interface under the interface settings, does that achieve the outcome for you?

It has been set all along.  I had reliability issues with multiwan and auto detect years ago, and haven't used it since.
Title: Re: Setting a firewall option without passing or rejecting traffic
Post by: rjdza on September 17, 2021, 08:03:09 am
> Try disabling the "Quick" option, so the action is not taken immediately. The firewall will continue evaluating the other rules until it reaches a quick rule or the last matching one.

Can confirm what Greelan said - does not work, only the last rule takes effect.

Confirmation comes from testing...
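For readers who want to see why the "non-quick rule that only sets reply-to" idea fails and what the thread's alternative (reply-to on every terminating rule) looks like at the pf level, here is an added illustration written in pf.conf syntax; it is not the poster's configuration nor anything OPNsense generated. Interface names, the gateway address and the networks are assumed values.

```pf
# Added example, not from the thread. igb1, 198.51.100.1 and the networks
# below are assumed; substitute the real WAN interface and its gateway.
wan2_if  = "igb1"           # the WAN whose default reply-to misbehaves
wan2_gw  = "198.51.100.1"   # assumed upstream gateway on that link
lan_net  = "192.168.10.0/24"

# --- What was tried (does not work) ---------------------------------------
# A pass rule without "quick", carrying only the reply-to option. pf keeps
# evaluating after a non-quick match and the LAST matching rule wins, so the
# moment a later rule also matches, this rule and its reply-to are discarded.
pass in on $wan2_if reply-to ( $wan2_if $wan2_gw ) inet from any to ($wan2_if)

# A later ordinary rule matches the same HTTPS traffic. It is the last match,
# it carries no reply-to, so replies follow the routing table instead of
# leaving via $wan2_if. This is the behaviour confirmed by testing above.
pass in quick on $wan2_if inet proto tcp from any to ($wan2_if) port 443 \
    flags S/SA keep state

# --- What works: reply-to on every rule that terminates evaluation --------
# Each pass rule for inbound traffic on this interface carries reply-to, so
# whichever rule ends up deciding, the state is created with the right
# return path. Block rules create no state, so they need no reply-to.
pass in quick on $wan2_if reply-to ( $wan2_if $wan2_gw ) inet proto tcp \
    from any to ($wan2_if) port { 443, 8443 } flags S/SA keep state
pass in quick on $wan2_if reply-to ( $wan2_if $wan2_gw ) inet proto udp \
    from any to ($wan2_if) port 51820 keep state
block in quick on $wan2_if inet from any to $lan_net
```

After loading, `pfctl -vsr` lists the active rules with their options, so you can confirm that each pass rule for the interface actually carries `reply-to ( igb1 198.51.100.1 )` rather than trusting the GUI rendering.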