What is the difference between "Sort order" and "Sequence" in the Rules [new]?
To me, both fields mean the same thing, i.e. how the firewall rules are currently processed one after the other.
It's explained here in the documentation, we try to keep it up to date :)
https://docs.opnsense.org/manual/firewall.html#rule-sequence
Just to be sure, I have a floating rule with sort order 200000.0000011, then a group rule 300000.0000021 and finally an interface rule 300000.000001. Does it mean that the interface rule will be processed before the floating and the group rules?
I have to make sure that the interface rule is processed first because it is a general blacklist.
In the old rule system I had the blacklist declared as a floating rule with only the WAN interface selected.
It gets processed in the way you see it sorted in the GUI.
With the new update today you can see all rules, then it's easier to see the full picture.
So, to get the functionality of the general blacklist as I had before with the floating rule, do I need to modify the interface rule to make it a floating one, e.g. by enabling a second interface on the rule? Could it be a loopback?
Or may be there is a more elegant way of achieving it?
Just set the sequence to 0 on the WAN rule and it should be before all other WAN rules?
I don't understand why floating is needed.
Hang on a sec...
Quote from: muchacha_grande on February 04, 2026, 04:28:10 PM:
Just to be sure, I have a floating rule with sort order 200000.0000011, then a group rule 300000.0000021 and finally an interface rule 300000.000001.
This doesn't seem right. Interface rules have priority group 400000, not 300000. Are you sure you have an interface rule with 300000? That violates the docs and could be a bug.
Quote from: Monviech (Cedrik) on February 04, 2026, 04:31:18 PM:
With the new update today you can see all rules, then it's easier to see the full picture.
Looks good on my end!
Quote from: OPNenthu on February 04, 2026, 04:47:18 PM:
This doesn't seem right. Interface rules have priority group 400000, not 300000. Are you sure you have an interface rule with 300000? That violates the docs and could be a bug.
You are right, it was a typo, sorry. It is 400000.000001.
Quote from: Monviech (Cedrik) on February 04, 2026, 04:31:18 PM:
It gets processed in the way you see it sorted in the GUI.
Quote from: Monviech (Cedrik) on February 04, 2026, 04:46:18 PM:
Just set the sequence to 0 on the WAN rule and it should be before all other WAN rules?
I know that floating rules should not be needed for my general blacklist case but if the rules are processed in the sorted order on the GUI, I can see the floating rules first, then the group rules and finally the interface rules. And inside each group the rules are ordered by the sequence number, that is only the second part of the sort order. So that is my confusion.
Restructure your ruleset or cheat via adding a loopback interface to some rules.
You can also create an interface group with a single interface, e.g. called PRIO_WAN, if you feel adventurous enough :)
Ok, thank you for your time and work. The new gui is really impressive.
Quote from: Monviech (Cedrik) on February 04, 2026, 04:46:18 PM:
Just set the sequence to 0 on the WAN rule and it should be before all other WAN rules
By the way, sequence 0 is not allowed on the gui. The input error is "Sequence shall be between 1 and 999999."
Quote from: Monviech (Cedrik) on February 04, 2026, 03:51:59 PM:
It's explained here in the documentation, we try to keep it up to date :)
https://docs.opnsense.org/manual/firewall.html#rule-sequence
Thank you for adding this documentation.
But I have sort order no. 1 and 5, what are these?
One other point to discuss: if I add 2 groups to the "Interface" field of the rule, the sort order changes to 200000 = Floating. But these are only 2 groups.
Check the prior section in the same documentation, it explains how interfaces change the priority group. Two interfaces in any rule promotes it to floating.
000000 or 500000 are automatic rules at the front or end of the ruleset.
This is all how it has been in the old GUI before (apart from not allowing single floating rules anymore).
Now it's all just 100% explicit.
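To make the ordering described above concrete, here is an added example (not OPNsense code) that models how a rule's "Sort order" is derived from its priority group and its sequence, and sorts a small constructed ruleset the way the GUI does. The priority group values (000000 and 500000 for automatic rules, 200000 floating, 300000 interface group, 400000 interface) are taken from this thread; the six-digit zero-padding of the displayed sequence, the rule names and the interface names are assumptions made for the example.

```python
from dataclasses import dataclass

# Priority groups as described in this thread (front/end automatic rules,
# floating, interface group, single interface).
AUTOMATIC_FRONT = 0
FLOATING = 200000
GROUP = 300000
INTERFACE = 400000
AUTOMATIC_END = 500000

SEQ_MIN, SEQ_MAX = 1, 999999  # the GUI's "Sequence shall be between 1 and 999999."


@dataclass
class Rule:
    name: str
    sequence: int
    # Entries selected in the rule's "Interface" field: interface or group names.
    interfaces: tuple = ()
    # True when the single selected entry is an interface group.
    is_group: bool = False
    # "front" or "end" for system-generated rules, empty otherwise.
    automatic: str = ""


def priority_group(rule: Rule) -> int:
    """Map a rule to its priority group (the part before the '.' in Sort order)."""
    if rule.automatic == "front":
        return AUTOMATIC_FRONT
    if rule.automatic == "end":
        return AUTOMATIC_END
    # Two or more entries (interfaces or groups) promote the rule to floating.
    if len(rule.interfaces) >= 2:
        return FLOATING
    if rule.is_group:
        return GROUP
    return INTERFACE


def sort_key(rule: Rule) -> tuple:
    """The sequence only orders rules inside their priority group."""
    if not SEQ_MIN <= rule.sequence <= SEQ_MAX:
        raise ValueError("Sequence shall be between 1 and 999999.")
    return (priority_group(rule), rule.sequence)


def sort_order(rule: Rule) -> str:
    """Displayed Sort order; six-digit padding of the sequence is an assumption."""
    group, seq = sort_key(rule)
    return f"{group:06d}.{seq:06d}"


def processing_order(rules) -> list:
    """Rule names in the order the GUI sorts them (and the firewall processes them)."""
    return [r.name for r in sorted(rules, key=sort_key)]


# Constructed ruleset mirroring the thread: a floating rule, a group rule and a
# WAN-only blacklist rule that already has the lowest allowed sequence.
AS_POSTED = [
    Rule("floating_allow", 11, ("wan", "lan")),
    Rule("group_allow", 21, ("WANGROUP",), is_group=True),
    Rule("wan_blacklist", 1, ("wan",)),
]

# The two workarounds suggested in the thread, applied to the blacklist rule:
# a second (loopback) interface promotes it to floating, a single-interface
# group such as PRIO_WAN moves it into the group priority block.
BLACKLIST_WITH_LOOPBACK = Rule("wan_blacklist", 1, ("wan", "lo1"))
BLACKLIST_VIA_PRIO_WAN = Rule("wan_blacklist", 1, ("PRIO_WAN",), is_group=True)

if __name__ == "__main__":
    for r in AS_POSTED:
        print(sort_order(r), r.name)
    print(processing_order(AS_POSTED))
    print(sort_order(BLACKLIST_WITH_LOOPBACK), "-> before all floating rules with sequence > 1")
    print(sort_order(BLACKLIST_VIA_PRIO_WAN), "-> after floating, before other group rules")
```

Running it shows the point of the thread: the WAN-only blacklist keeps sort order 400000.000001 however low its sequence goes, so it lands after every floating and group rule; only changing its priority group (the loopback trick or a dedicated interface group) moves it ahead of them.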
Sequence shall be between 1 and 999999, so the first number after the "." of the sort order looks like a special definition?
Quote from: Monviech (Cedrik) on February 04, 2026, 05:12:35 PM:
Cheat via adding a loopback interface to some rules.
What would be a good one to avoid future conflicts addressing wise ?
Since 127.0.1.1 for example exists for special purposes.
I am thinking about using it for two reasons :
- Bind the webGUI and OpenSSH to it to avoid unavailability of both when the Management NIC's Port is disconnected for whatever reason.
- For the Firewall Rules "Interfaces Group" workaround should I ever need it.
A loopback interface can have any IP address. I usually give them like 192.168.89.4/32 or something. Doesn't matter.
26.1.1 adds some really nice updates to the rules interface!
Quote from: Monviech (Cedrik) on February 04, 2026, 06:34:43 PM:
A loopback interface can have any IP address. I usually give them like 192.168.89.4/32 or something. Doesn't matter.
OK, so a bit like Cisco router ID addresses?
Do you use any Firewall rules for it ?
I would think it's not needed since it's /32 and only local anyways ?