Hi, after upgrade to 26.x (currently 26.1.1-amd64), all intra vlan traffic is permitted and no longer blocked.
According to the firewall logs, the "let out anything from firewall host itself" rule, is allowing traffic from/to internal VLANS/LAN.
The rule "let out anything from firewall host itself" is applied automatically before my interface group "last match" blocking rule, so my blocking rule cannot be used. My interface group last match blocking rule was working correctly, blocking intra vlan traffic, before the upgrade.
I also tried to convert rules to the new version, deleted all old rules, rebooted, but nothing changed. Intra vlan traffic is still permitted.
Is it correct that in 26.x "let out anything from firewall host itself" allows traffic not originating from the firewall ?
Have a look at Investigating outbound rules in OPNsense (https://forum.opnsense.org/index.php?topic=49413.msg250624#msg250624). As for order, I haven't gone to v26 yet, but there are ordering options available that may be usable for you (Let's talk firewall rule order ... (https://forum.opnsense.org/index.php?topic=50578.0)).