OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: EndymionZA on December 07, 2023, 04:00:36 AM

Title: v23.7.9 - broken firewall rule on WAN if "Block private networks" is enabled
Post by: EndymionZA on December 07, 2023, 04:00:36 AM
Hi all, I upgraded from OPNsense 23.7.8_1 to 23.7.9 and I think I found a bug - my apologies if this was reported already, I did search the forum and didn't see this being reported before.

Under my Interfaces, I have a PPPoE fiber connection configured. That connection also had the "Block private networks" option ticked before I did the upgrade to 23.7.9.

Before upgrading, the option resulted in a DENY rule named "Block private networks from WAN" under "Firewall/Rules/WAN" - and then "Automatically generated rules" for the WAN interface. It specifically (and correctly) created the source address list as:

`10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16`

(https://i.postimg.cc/CB3C6C4X/Screenshot-2023-12-07-033950.png) (https://postimg.cc/CB3C6C4X)

The problem is however, that after upgrading, this same rule got changed, and except for the first '10.0.0.0/8' CIDR, all the other CIDR addresses now seem to be missing the first digit ("1" in all cases) in the first octet of all the other subnet CIDRs. So the list of source networks after the upgrade is:

`10.0.0.0/8,_27.0.0.0/8,_00.64.0.0/10,_72.16.0.0/12,_92.168.0.0/16`

(https://i.postimg.cc/N2R8hyJM/Screenshot-2023-12-07-035111.png) (https://postimg.cc/N2R8hyJM)

I also disabled and re-enabled the option under the WAN interface setup, but the rule still gets recreated with the broken network CIDRs.

Hope this helps and that you can also replicate it!

Title: Re: v23.7.9 - broken firewall rule on WAN if "Block private networks" is enabled
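A small check for the rule described above, added here as an example (not OPNsense's own code): it compares the source list copied from the "Block private networks from WAN" rule view against the five networks the rule is expected to carry, and reports entries that do not parse as a network (like the underscore-prefixed ones after the upgrade), expected networks that are absent, and anything extra. The two input strings are constructed from the lists quoted in the post.

```python
import ipaddress

# Networks the "Block private networks" WAN rule is expected to deny as
# source, as shown in the rule view before the upgrade.
EXPECTED_PRIVATE_NETWORKS = (
    "10.0.0.0/8",
    "127.0.0.0/8",
    "100.64.0.0/10",
    "172.16.0.0/12",
    "192.168.0.0/16",
)


def check_block_private_rule(displayed_source_list):
    """Compare a comma-separated source list (copied from the rule view)
    against the expected set. Returns the entries that failed to parse,
    the expected networks that are missing, any unexpected extras, and an
    overall ok flag."""
    malformed = []
    parsed = set()
    for raw in displayed_source_list.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects host bits set, e.g. 10.1.0.0/8
            parsed.add(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            malformed.append(entry)
    expected = {ipaddress.ip_network(n) for n in EXPECTED_PRIVATE_NETWORKS}
    return {
        "malformed": malformed,
        "missing": sorted(str(n) for n in expected - parsed),
        "unexpected": sorted(str(n) for n in parsed - expected),
        "ok": not malformed and parsed == expected,
    }


# Constructed inputs: the list shown before and after the 23.7.9 upgrade.
BEFORE_UPGRADE = "10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16"
AFTER_UPGRADE = "10.0.0.0/8,_27.0.0.0/8,_00.64.0.0/10,_72.16.0.0/12,_92.168.0.0/16"

if __name__ == "__main__":
    for label, shown in (("before", BEFORE_UPGRADE), ("after", AFTER_UPGRADE)):
        print(label, check_block_private_rule(shown))
```

Since the thread later reports the defect as display-only, run the same comparison against the networks in the active pf ruleset as well, not only against what the web UI shows.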
Post by: Saarbremer on December 07, 2023, 09:03:34 AM
Yes, indeed the rule gets broken in the most recent release. Could confirm it on a test VM. Feel free to file a bug on https://github.com/opnsense/plugins/issues

Title: Re: v23.7.9 - broken firewall rule on WAN if "Block private networks" is enabled
Post by: zan on December 07, 2023, 09:37:28 AM
Yep can confirm.
I don't really use this rule, just enabled it to test and found it is indeed broken.

Title: Re: v23.7.9 - broken firewall rule on WAN if "Block private networks" is enabled
Post by: meyergru on December 07, 2023, 01:29:32 PM
Confirm as well, created a bug report: https://github.com/opnsense/core/issues/7060

P.S.: Turns out to be cosmetical only, will be fixed in some upcoming release (https://github.com/opnsense/core/commit/52f3939106abb4a501b1142ea81018f105d4c7cd).

Title: Re: v23.7.9 - broken firewall rule on WAN if "Block private networks" is enabled
Post by: EndymionZA on December 07, 2023, 04:08:08 PM
Quote from: meyergru on December 07, 2023, 01:29:32 PM
Confirm as well, created a bug report: https://github.com/opnsense/core/issues/7060

P.S.: Turns out to be cosmetical only, will be fixed in some upcoming release (https://github.com/opnsense/core/commit/52f3939106abb4a501b1142ea81018f105d4c7cd).

Thanks for the report on Github @meyergru