Do you think that the UI for editing firewall rules could be enhanced in terms of visibility?
Imo there are 3 important segments of a rule: source info, destination info and action info. Grouping, or for example different colors for those segments, would result in better visibility.
For example, source direction is a candidate for the advanced screen, when source direction can be out?
For me, sometimes less is more, and visibility is better with less.
If you are on the latest version you could check out Firewall - Automation - Filter.
In there you can put rules into categories and press "Tree" to show them in folders in these categories.
I think the OP is referring to layout and colors within a rule definition rather than the organisation of a list of rules.
Regarding migrating existing conventional rule definitions to the new MVC-based rules: if I were to do it piecemeal, say convert floating rules, then later rules for one interface, is there a possibility of unexpected consequences with, for example, rule ordering?
Yeah but with the new flexibility of categories and possibly the tree view they could structure the rules in a way that makes sense for them.
Regarding your question the rule precedence is described here, both features can live happily side by side:
https://docs.opnsense.org/manual/firewall_automation.html
Thanks.
When automation rules eventually supersede firewall rules, will port-forward rules create their corresponding firewall rule under automation rules? Will that functionality remain available?
According to the docs, those are completely separate and the processing order is explained at the end of the man page.
"Superseding" by abolishing the old rules would render many installations useless, so I reckon that they will both exist side by side for a long time.
I was thinking of fw rules that are created when 'filter rule association' is enabled in a port-forward rule. The corresponding rules can be manually reordered whilst their association with the port forward rule (as shown in the UI/config) remains intact.
I formed the impression the new firewall management would ultimately supersede the existing method, much like how OpenVPN has been modernised. I also formed the impression that the new automation was not intended solely to expose the rules via the API but aimed to offer improved fw rule management generally. I was not worried the existing method was suddenly going to disappear though :-)
The features exist side by side and will continue to for a long time, as there's no simple automatic migration or overlay possible.
I don't know if the automagic port forward rule creation will be implemented for the MVC part; you can ask in the roadmap ticket:
https://github.com/opnsense/core/issues/8401
Thanks. Just a matter of interest on what was planned for the new mvc based rules management. It looks promising and I'm looking forward to trying it some time soon.
One more thing regarding the UI. When I create an IPsec site-to-site tunnel, it gets an interface automatically associated with it. Since I have 50+ tunnels with the same simple rules (LAN to remote OK, remote to LAN ping one IP), I created a firewall group and put all IPsec interfaces in it. Those simple rules are applied on the group and it works OK.
In Interfaces menu I have clean visibility - all of 50+ interfaces are grouped and expandable.
In Firewall Rules menu I have:
- one generic IPsec submenu
- the firewall group submenu
- a submenu for each of the 50+ interfaces
In terms of visibility, that is a problem. I hoped for the submenus in Firewall Rules to be grouped as they are in the Interfaces menu. Can it be accomplished?
Sorry, I'm not sure I understand, maybe screenshots will help.
Screenshots contain sensitive data, names of the real companies. I will redact them on Monday and put them here.
Here are the screenshots, I redacted the info and shortened it to only 3 tunnels, I hope you will get the picture.
The firewall group IPSEC_VPN contains IPsec and all tunnels (Tun1_IPSEC, Tun2_IPSEC, Tun3_IPSEC ...).
In Interfaces those tunnels (Tun1_IPSEC, Tun2_IPSEC, Tun3_IPSEC ...) are grouped.
In Firewall rules, I have each TunX_IPSEC interface, as well as generic IPsec, my IPSEC_VPN group etc.
So, I have 50 entries in Firewall - Rules I don't want and don't need. I tried to delete the assignment for that interface, but nothing happens: the assignment is not deleted, there is no error message, not even after a reboot.
I removed the gateway and route for that interface (all the references), same result.
Bug?
Quote from: ivica.glavocic on September 30, 2025, 11:16:42 AM
In Interfaces those tunnels (Tun1_IPSEC, Tun2_IPSEC, Tun3_IPSEC ...) are grouped.
In Firewall rules, I have each TunX_IPSEC interface, as well as generic IPsec, my IPSEC_VPN group etc.
Ah, I see what you mean. No, that's not possible right now; in Firewall the groups cannot be shown like that in the menu.
Quote from: ivica.glavocic on October 01, 2025, 04:11:37 PM
So, I have 50 entries in Firewall - Rules I don't want and don't need. I tried to delete the assignment for that interface, but nothing happens: the assignment is not deleted, there is no error message, not even after a reboot.
I removed the gateway and route for that interface (all the references), same result.
Bug?
There is not enough information to know if it's a bug or not. But a bug is highly unlikely, as interface assignment has been around for a very long time and there are currently no open reports and nothing has been changed.
Try a different browser, and disable browser plugins that might interfere.
Why a different browser? Their grief is that the Interfaces Menu shows 50 entries that are not used making it clumsy to navigate. Same for Firewall > Rules.
They said they tried to unassign the interface in Interfaces->Assignments and that failed to process, or so I read.
Since the interface can't be deassigned in the GUI, I removed its entries from config.xml and finally got what I wanted, no more 50 unnecessary firewall rule entries ... until I upgraded, then they were all back.
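The last post describes hand-editing config.xml to drop an interface assignment. The risk with that is leaving dangling references (filter rules, gateways, static routes that still name the interface), which is why the poster removed the gateway and route first. The script below is an added example, not OPNsense code, that performs that removal on a backup of the config and refuses to proceed while a gateway still points at the interface. The element layout it assumes (<opnsense>/<interfaces>/<optN>, <filter>/<rule>/<interface> with comma-separated interface lists, <gateways>/<gateway_item>, <staticroutes>/<route>) is a simplification for illustration, and the sample config is constructed; check it against your own backup before running it on a real file. It does nothing about the assignments being recreated on upgrade, which the thread leaves unexplained.

```python
"""Remove an interface assignment from an OPNsense-style config.xml backup
and clean up what references it.

Added example, not project code. The element layout is an assumption
modelled on the thread's description, not a verified schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample: three assignments, one gateway/route on opt1,
# and rules that reference opt1 both alone and inside a list.
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <lan><if>vtnet0</if><descr>LAN</descr></lan>
    <opt1><if>ipsec1</if><descr>Tun1_IPSEC</descr></opt1>
    <opt2><if>ipsec2</if><descr>Tun2_IPSEC</descr></opt2>
  </interfaces>
  <gateways>
    <gateway_item><interface>opt1</interface><name>TUN1_GW</name></gateway_item>
  </gateways>
  <staticroutes>
    <route><network>10.1.0.0/24</network><gateway>TUN1_GW</gateway></route>
  </staticroutes>
  <filter>
    <rule><interface>opt1</interface><descr>allow remote ping</descr></rule>
    <rule><interface>lan,opt1</interface><descr>shared rule</descr></rule>
    <rule><interface>opt2</interface><descr>tun2 rule</descr></rule>
  </filter>
</opnsense>
"""


def _iface_list(elem):
    """Interface keys named by an element, splitting 'lan,opt1' style lists."""
    return [t.strip() for t in (elem.findtext("interface") or "").split(",") if t.strip()]


def _references(root, key):
    """Every filter rule and gateway that still names interface `key`."""
    refs = []
    for rule in root.findall("./filter/rule"):
        if key in _iface_list(rule):
            refs.append("filter/rule:" + (rule.findtext("descr") or ""))
    for gw in root.findall("./gateways/gateway_item"):
        if key in _iface_list(gw):
            refs.append("gateways/gateway_item:" + (gw.findtext("name") or ""))
    return refs


def find_references(xml_text, key):
    return _references(ET.fromstring(xml_text), key)


def remove_gateways(xml_text, key):
    """Drop gateways bound to `key` and the static routes that use them.
    Returns (new_xml, removed_gateway_names)."""
    root = ET.fromstring(xml_text)
    names = set()
    gateways = root.find("gateways")
    if gateways is not None:
        for gw in list(gateways.findall("gateway_item")):
            if key in _iface_list(gw):
                names.add(gw.findtext("name") or "")
                gateways.remove(gw)
    routes = root.find("staticroutes")
    if routes is not None:
        for route in list(routes.findall("route")):
            if (route.findtext("gateway") or "") in names:
                routes.remove(route)
    return ET.tostring(root, encoding="unicode"), sorted(names)


def unassign_interface(xml_text, key):
    """Remove <interfaces>/<key>; delete rules bound only to it and strip it
    from multi-interface rules. Refuses while a gateway still uses it.
    Returns (new_xml, number_of_rules_deleted)."""
    root = ET.fromstring(xml_text)
    interfaces = root.find("interfaces")
    target = interfaces.find(key) if interfaces is not None else None
    if target is None:
        raise KeyError(f"no assignment named {key!r}")
    dangling = [r for r in _references(root, key) if r.startswith("gateways/")]
    if dangling:
        raise ValueError(f"gateway still bound to {key}: {dangling}")
    removed = 0
    filt = root.find("filter")
    for rule in list(filt.findall("rule")) if filt is not None else []:
        ifaces = _iface_list(rule)
        if key not in ifaces:
            continue
        ifaces.remove(key)
        if ifaces:
            rule.find("interface").text = ",".join(ifaces)
        else:
            filt.remove(rule)
            removed += 1
    interfaces.remove(target)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    cfg, gws = remove_gateways(SAMPLE_CONFIG, "opt1")
    cfg, n = unassign_interface(cfg, "opt1")
    print(f"removed gateways {gws}, deleted {n} rule(s), "
          f"remaining refs: {find_references(cfg, 'opt1')}")
```

Run it against a config backup taken from the GUI, and restore the edited file through the GUI rather than writing into /conf directly, so the firewall validates it on import. The gateway check is the deliberate safety stop: deleting an assignment that a gateway still uses is exactly the kind of dangling reference that a hand edit would otherwise leave behind.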