Greetings,
this archived forum post (https://forum.opnsense.org/index.php?topic=25241.0) is what I currently wish to solve. Some good suggestions in that thread, but they seem to behave weirdly for me.
For example, if you select multiple (inverted) destination aliases on a quick rule:
[screenshot: Screenshot 2025-02-05 151325.png]
pass in log quick on home inet proto {tcp udp} from {(home:network)} to !$Private keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic
pass in log quick on home inet6 proto {tcp udp} from {(home:network),fe80::/10} to !$Private keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic
pass in log quick on home inet proto {tcp udp} from {(home:network)} to !$Blocked keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic
pass in log quick on home inet6 proto {tcp udp} from {(home:network),fe80::/10} to !$Blocked keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic
pass in log quick on home inet proto {tcp udp} from {(home:network)} to {!(self)} keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic
pass in log quick on home inet6 proto {tcp udp} from {(home:network),fe80::/10} to {!(self)} keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic
pass in log quick on home inet proto {tcp udp} from {(home:network)} to {!(home:network)} keep state label "45a2751bd6a8450b96853b456e68e098" # allow wan traffic
The result is probably not as intended, because the "!$Private" rule, for example, will pass traffic that the "!$Blocked" rule would block.
So it seems you should create a new alias that contains all the other aliases...but:
Isn't the "better" solution to use a "policy based routing" rule? E.g. using an "allow all via wan gateway" rule on those interfaces? That should only allow internet access afaik? Are there any problems with that solution?
Or would that possibly route some local traffic to wan as well? That's at least what the "routing" part would suggest...
Thank you
The policy based routing rule did not work as a solution (as you may have suspected). Basically it was an allow-all rule that routed all traffic to the wan (including everything that would normally route to local networks). XD
So I created a nested alias and using that works as expected.
But shouldn't a selection of multiple target aliases create a new alias automatically?
The problem is: You see one rule in the UI but get multiple rules in the back which behave differently than expected.
Either that, or all the created rules should be visible in the UI as well.
@Franco is this something you would agree to?
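Added example (not code from this thread or from OPNsense): a small Python model of why the generated per-alias rules behave the way the poster describes. The alias contents and test addresses are constructed; `expanded_rules` models first-match-wins evaluation of one `pass quick ... to !alias` rule per selected alias, `nested_alias_rule` models a single rule whose destination is the negated union (the nested alias).

```python
import ipaddress

# Constructed sample aliases (not the poster's real tables).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BLOCKED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]


def in_alias(dst, alias):
    """True if the destination address falls inside any network of the alias."""
    return any(dst in net for net in alias)


def expanded_rules(dst):
    """Model of selecting several inverted destination aliases on one quick rule:
    the firewall emits one 'pass quick ... to !$Alias' rule per alias.
    Each rule matches when dst is NOT in its alias, and the first match wins,
    so traffic passes unless dst is in EVERY alias (logical OR of the negations)."""
    for alias in (PRIVATE, BLOCKED):
        if not in_alias(dst, alias):
            return "pass"
    return "no match"  # falls through to later rules, e.g. a default deny


def nested_alias_rule(dst):
    """Model of one rule 'pass quick ... to !$Nested' where Nested contains
    both aliases: dst must be outside the union to pass (logical AND of the negations)."""
    nested = PRIVATE + BLOCKED
    return "no match" if in_alias(dst, nested) else "pass"


def compare(dst_str):
    """Evaluate the same destination under both rule models."""
    dst = ipaddress.ip_address(dst_str)
    return expanded_rules(dst), nested_alias_rule(dst)


if __name__ == "__main__":
    for addr in ("203.0.113.5", "192.168.1.5", "8.8.8.8"):
        expanded, nested = compare(addr)
        print(f"{addr:<14} expanded={expanded:<9} nested={nested}")
```

With the expanded rules a blocked address passes because it is not in `Private`, and a private address passes because it is not in `Blocked`; only the nested alias blocks both.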