Hi,
While setting up OPNsense I noticed that the default anti-lockout rules are set for LAN (I have VLAN192). Later on I decided that I would like to have access to OPNsense on the MGMT VLAN (in my case it's VLAN30), but I didn't find a way to change this "default" LAN.
Then I thought I would recreate those rules on my own and then disable the default ones, but I get an error in the pf filter.
There were error(s) loading the rules: /tmp/rules.debug:113: syntax error - The line in question reads [113]: no rdr on vlan0.1.30 proto tcp from {any} to {(vlan0.1.30)} port {ssh} -> any # OWN anti-lockout
It's about the rules in Destination NAT
Original anti-lockout rule says in /tmp/rules.debug:
no rdr on vlan0.1.192 proto tcp to {(vlan0.1.192)} port {22} # Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on vlan0.1.192 proto tcp to {(vlan0.1.192)} port {80} # Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on vlan0.1.192 proto tcp to {(vlan0.1.192)} port {443} # Anti lockout, prevent redirects for protected ports to this interface ip
I was trying to recreate it:
no rdr on vlan0.1.30 proto tcp from {any} to {(vlan0.1.30)} port {ssh} -> any # OWN anti-lockout
I think the problem is with Source Address or Redirect Target IP, but it's not possible to leave those empty.
Is there any way to recreate this rule in the GUI or in the shell, or just move the default security rules to a different interface?
PS. I found another post (https://forum.opnsense.org/index.php?topic=6593.0) with a very similar question, but it's from 8 years ago, so I decided to create a new one.
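As an added example (not code from the post above and not OPNsense's own generator), the script below writes the same three "no rdr" lines that OPNsense emits for the default LAN, but for the MGMT interface vlan0.1.30 named in the post, and parse-checks them with pfctl. The shape of the lines is copied from the /tmp/rules.debug excerpt: no "from" clause and no "->" target. The explanation for why the GUI-generated line fails is my reading of the pf.conf(5) grammar, stated as an assumption: "any" is not accepted inside a braced address list, and a "no rdr" rule carries no translation target. The output path and the "(MGMT)" comment text are my choices. Note that "pfctl -nf" only parses the file; it does not load the rules and does not make them persist across an OPNsense filter reload, so this answers the "is the syntax right" part of the question, not the "how do I keep it" part.

```shell
#!/bin/sh
# Added example, not from the original post or from OPNsense itself.
# Generates anti-lockout "no rdr" lines for an arbitrary interface, in the
# same form OPNsense writes for the default LAN in /tmp/rules.debug, and
# parse-checks them with "pfctl -nf" (-n = parse only, do not load).
set -eu

# Emit one "no rdr" line per protected port. Mirrors the OPNsense lines:
# no "from" clause and no "->" target. Assumption from pf.conf(5): "any"
# is not valid inside a braced address list, and a "no" translation rule
# takes no "->" target, which is why the GUI-built line was rejected.
anti_lockout_rdr() {
    ifname=$1
    shift
    for port in "$@"; do
        printf 'no rdr on %s proto tcp to {(%s)} port {%s} # Anti lockout (MGMT), prevent redirects for protected ports to this interface ip\n' \
            "$ifname" "$ifname" "$port"
    done
}

# Syntax-check a rules file without loading it.
# Returns 0 if pf accepts it, 1 if pf reports a syntax error,
# 2 if pfctl is not available (e.g. when run off the firewall).
check_rules() {
    file=$1
    command -v pfctl >/dev/null 2>&1 || return 2
    pfctl -nf "$file"
}

# Usage: sh antilockout.sh [output-file]
# Default output path is my choice; it is not an OPNsense location.
main() {
    out=${1:-/tmp/rules.mgmt-antilockout.conf}
    anti_lockout_rdr vlan0.1.30 22 80 443 > "$out"
    cat "$out"
    if check_rules "$out"; then
        echo "pf accepted $out" >&2
    else
        rc=$?
        echo "pfctl unavailable or rules rejected (rc=$rc)" >&2
    fi
}
```

Run it on the firewall and check that pfctl prints no error; the three lines it writes have the same structure as the ones the original anti-lockout rule produces for vlan0.1.192, only with the interface swapped. Whether the GUI can produce a "no rdr" line without a Redirect Target IP is a separate question that this script does not settle.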
I am not sure if you need the following, but just FYI:
- Create Firewall Rules for the Default LAN Interface/Network that are basically the same as the Default Anti-Lockout Rule.
- If you are 110% sure that you have done it right, you can Disable the Default Anti-Lockout Rule.
- Now, as long as you Allow at least one of your other networks to access the Default LAN Network, they can also access the Default LAN Network and thus also the OPNsense webGUI and SSH too!!
That's it! :)