Is there a difference between a float and interface rule
- regarding the very same interface
- having exactly the same rule setting
- the interface rule gets triggered, if the float rule is off (there is nothing blocking traffic before)
I assumed that, if I consider one interface, the only difference between a float and an interface rule with the same settings is the order of processing: float before interface.
I have a float rule, which only gets triggered on the WAN interface (replacement for the built-in "let anything OUT from firewall itself"). That's what I see in the log.
I set up a rule with exactly the same settings, but on the WAN interface instead of a float one, so the only difference in the rules is the "Interface" field (well, and the Description). Both rules are enabled. As expected, I only see the float rule in the log, as it is quick and gets triggered before interface rules.
Now I disable the float rule and try to refresh a web page or connect to another web page. Browser tries, but I don't get my web page. As soon as I enable the float rule again, the browser loads the page.
I am clueless :-(
By default rules are applied in order (you can change this by unchecking the Quick box in the rule definition). The order in which rules are examined is:
Automatically Generated Rules
Floating Rules
Interface Specific Rules
Floating Rules are intended to apply to multiple interfaces. A floating rule setup for one interface should be the same as an interface specific rule for that interface, excpet thet the default rule is examined first.
As to what is happeing with your WAN rule I cannot say without looking at your ruleset. Maybe you have a block rule ahead of the interface rule but after the floating rule.
Always remember: implicit NAT firewall rules are prioritized even higher.
Is there a reason why you don't attach/show the 2 rules (alternate pairs of eyes looking can't hurt)?
Alternatively (or in addition), a screenshot of the FW live view in both cases would be helpful.
For a web page, I'd expect an IN on a LAN facing interface from PS:random to WEBSERVER:HTTP(s) followed by an OUT on the WAN from OPN_WANIP:random2 to WEBSERVER:HTTP(s)
The latter would likely be the Force GW rule by default.
What's happening with the floating and interface rules in place?
Thanks for your answers.
Quote from: meyergru on February 02, 2025, 05:59:22 PMAlways remember: implicit NAT firewall rules are prioritized even higher.
I assume, that no implicit NAT rules run, for my NAT setting is "Manual outbound NAT rule generation" and I wouldn't see any NAT rule in the live log, if I ticked "Log packets matched by automatic outbound NAT rules".
I have 1 manual NAT rule, which NATs everything from "Internal LANs" to the OPNsense VIP (I have 2 nodes in HA mode). If I tick "Log packets handled by this rule", I will see NAT in the live log.
Quote from: EricPerl on February 02, 2025, 10:28:17 PMIs there a reason why you don't attach/show the 2 rules (alternate pairs of eyes looking can't hurt)?
Of course not. Float.png shows my Float rules. I tried to mimic a built-in rule. The first one (first row) isn't working (browser not displaying the web page and giving up after time). The only difference between this and the 3rd one is, that I set the interface field to WAN in the first one, hence you see "1" in the number of interfaces column (for whatever it's worth on a Float rule???). Either the 2nd or 3rd rule will work and I do get to my web page. In the example shown, I randomly activated the 3rd one.
Trying to imitate the built-in rule, I noticed that the built-in one is for IPv4+IPv6 AND has the gateway field set to a gateway. Trying to do this on my rule leads to an error, for I am not allowed to set a gateway on a IPv4+IPv6 rule?!
WAN.png shows my WAN rules. Either of these will only get triggered, if no Float rule is activated, because otherwise the Float rules will execute first and processing will stop, because the Floats are quick.
You can see from the picture, that only the first one - an IPv4 only rule with a gw set - works and let me see my web pages. Deactivating the 1st one and activating the 2nd one instead leaves me stuck again.
The corresponding live log snippets, taken while all Float rules were deactivated!, are OK-WAN.png, which shows the 1st, the working WAN rule. ERROR-WAN.png shows the outcome, while the 2nd WAN rule is active and I couldn't get to any web page. I did not attach an error snippet for the faulty Float rule, for it's the same as for the faulty WAN rule.
Traceroute and ping aren't working as well if the "ERROR" rules are in charge. Traceroute then only gets as far as the internal interface (internal LAN IP address) of my OPNsense.
BTW: 10.0.0.20 is the WAN VIP of my OPNsense (NAT in effect) and target IP is microsoft.com
One more thing: ONLY with the Float one will my Wireguard access to internal LAN work...
Hmm, the presence of HA is new. That's beyond my skill level. I'm out. I can't experiment with it (only one WAN IP).
The 1 on the floating rule is the number of interfaces affected by the rule, per tip on the column name.
You might want to specify whether you have IPv6 WAN connectivity as well.
I'm not sure it is relevant, but it might have implications (given the mix of IPv4 & IPv4+6 rules) or remove possible causes.
I'm at a loss as to what you are trying to achieve with OUT rules but that's a different story.
Quote from: EricPerl on February 04, 2025, 07:25:58 PMI can't experiment with it (only one WAN IP).
Shouldn't make a difference. The WAN VIP is behaving like a WAN IP on the (current) master node. Usually I don't have failovers (except for tests and OPNsense updates), so one and the same node is almost anytime the master node and thus holds the VIP.
Quote from: EricPerl on February 04, 2025, 07:25:58 PMI'm at a loss as to what you are trying to achieve with OUT rules but that's a different story.
I try to mimic the builtin rules so that for any user traffic (as opposed to administrative access to the OPNsense nodes or OPNsense communication between HA nodes) is handled by my own instead of out-of-the-box builtin rules. So I try to replace the builtin "let out anything from firewall host itself" OUT rule.
Quote from: EricPerl on February 04, 2025, 07:25:58 PMYou might want to specify whether you have IPv6 WAN connectivity as well.
Maybe I should simplify and turn off IPv6 for now, as internally I am only using IPv4 yet.
May I push this using slightly different wording:
How to duplicate the built-in "let anything OUT from firewall itself" rule with my own non-float rules, so that the built-in rule can be disabled without breaking connections.
Please don't hesitate to ask further details, if needed. I guess one important part - implicit nat rules - is already answered.
Quote from: openMe on February 12, 2025, 04:56:04 PMHow to duplicate the built-in "let anything OUT from firewall itself" rule with my own non-float rules, so that the built-in rule can be disabled without breaking connections.
You cannot disable automatic rules.