Hello everyone,
I've been experimenting with OPNsense for a few days now. I've also gone through the documentation and explored search results, but I haven't been able to find an answer to my question.
I would like to allow all traffic originating from one group of interfaces and directed to another group of interfaces without any additional filtering.
In RouterOS, this can be done in the Filter chain since the routing decision has already been made. However, I don't fully understand when OPNsense performs packet filtering, whether this is achievable, and if so, how to set it up.
I couldn't find any options in the UI to accomplish this.
There are no "from interface to interface" mechanisms in OPNsense, unfortunately.
Commonly you place rules on the ingress interface, direction "in", and you can then filter on destination IP address or network, but not on the egress interface. It's all IP addresses in rules.
Using network IP addresses is inconvenient in my case due to the potentially large and unpredictable number of networks routed via OSPF. Maintaining aliases under such conditions would be impractical, tedious, or outright unfeasible.
But, after further investigation, I believe I have gained some new insight.
Packet flow in OPNsense, and possibly FreeBSD, appears to differ from RouterOS and potentially Linux. From what I understand (please correct me if I'm mistaken), a packet is inspected not once, but twice: once when it enters the firewall and again when it exits, provided it has been accepted in the first stage. When a packet enters the firewall, no routing decision has been made yet (or it's not exposed in pf/OPNsense), meaning the rules system does not know where the packet would be directed if accepted.
The behavior I aim to achieve could be implemented in two steps:
- Using an inbound rule for interface group A: when a packet enters interface A, we accept it and mark it with the tag from-interface-A.
- Using an outbound rule for interface group A: when a packet is about to exit toward interface A and it carries the tag from-interface-A, we accept it.
In this way, all packets originating from interface A are guaranteed to be allowed to exit toward interface A.
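The two-step tag scheme described in this post, written out in raw pf syntax, as an added illustration that is not from the original post and not OPNsense's own generated ruleset. The interface group names grpA (ingress side) and grpB (egress side) and the tag name FROM_GRPA are assumed; with grpB set to the same group as grpA you get the intra-group case the post describes. OPNsense builds its pf rules from the UI, where pf's tag/tagged pair appears in a rule's advanced options as "Set local tag" and "Match local tag"; the resulting rules can be checked with `pfctl -sr`.

```pf
# Added example, not from the original post or from OPNsense's generated rules.
# Assumed names: interface groups grpA and grpB, tag FROM_GRPA.

# pf's default is "set state-policy floating": a state created by the inbound
# rule matches the same packet again when it leaves on grpB, so the "pass out"
# rule below would never be consulted for that packet. Binding states to the
# interface they were created on makes the egress rule the one that decides.
set state-policy if-bound

# Step 1: on ingress, before any routing decision, accept the packet and tag it.
# The tag is carried with the packet through forwarding to the egress check.
pass in quick on grpA tag FROM_GRPA keep state

# Step 2: on egress toward grpB, accept only packets carrying the ingress tag.
# "tagged" is a match criterion: untagged packets fall through to later rules.
pass out quick on grpB tagged FROM_GRPA keep state

# Return traffic needs no extra rule: replies arriving on grpB match the state
# created by the "pass out" rule, and leave on grpA via the "pass in" state.
```

With floating states left at the default, the second rule is only reached by packets whose inbound rule did not keep state, so if the egress-side check is meant to be the deciding one, the state policy is the setting to look at first; OPNsense exposes it in its advanced firewall settings.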
Quote from: unlikely on April 23, 2025, 12:40:21 AM
meaning the rules system does not know where the packet would be directed if accepted
Correct - inbound firewall rule is applied before any routing decision. That's why you cannot have a "from interface - to interface" style of rule. Only "to IP address/network".