OPNsense Forum

English Forums => 26.1 Series => Topic started by: OPNenthu on April 09, 2026, 11:13:37 AM

Title: Is VPN kill switch rule strictly needed at Floating level?
Post by: OPNenthu on April 09, 2026, 11:13:37 AM
Regarding the rule discussed here: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#step-11-add-a-kill-switch-optional

Does this strictly need to be a Floating rule in order to work or can it be added at the WAN interface level?  I'm assuming it's written here as a Floating rule in order to guarantee nothing overrides it, but is there another reason?

A related question: if an internal interface rule allows a packet (e.g. LAN -> WAN for some HTTPS traffic) does the packet automatically get forwarded out after NAT-ing, or does it get filtered a second time by WAN "out" rules?  I have some conflicting information about this.  ChatGPT claims that it only gets processed once at the origin interface (LAN), but in my testing I could see that the WAN "out" filter is being applied.

In case there is no outbound NAT (as in the case with IPv6 normally, not in the VPN case), does this change things?
Title: Re: Is VPN kill switch rule strictly needed at Floating level?
Post by: OPNenthu on April 09, 2026, 12:04:03 PM
Potentially more AI misinformation (screenshot):

lies?.png

It's claiming that WAN "out" rules only match when at Floating level.  Any truth, or complete garbage?

(Again, my very limited testing refutes this, but I don't trust my test.)
Title: Re: Is VPN kill switch rule strictly needed at Floating level?
Post by: Patrick M. Hausen on April 09, 2026, 12:26:06 PM
NAT always happens before any filtering rules.
Title: Re: Is VPN kill switch rule strictly needed at Floating level?
Post by: OPNenthu on April 09, 2026, 12:45:05 PM
Uff, yeah, I had forgotten that.

https://forum.opnsense.org/index.php?topic=36326.0

So taking NAT out of the picture, the questions left are:

1) Is WAN filtering (specifically WAN "out") guaranteed to happen on egress?  In other words, in the linked packet flow diagram above, does filtering happen again at step 11 or has the system already decided "this is good to go" in step 7.2 and lets it go out?

2) Do Floating rules get any special treatment here aside from processing order?

Thanks!
Title: Re: Is VPN kill switch rule strictly needed at Floating level?
Post by: keeka on April 09, 2026, 04:47:43 PM
I may be wrong but I have a feeling that was written when only floating rules provided an in/out selection. A single interface (WAN) out rule that matches on the tag should also work fine.
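The two points raised in this thread (NAT is applied before filtering, and an interface-level WAN out rule matching the tag can serve as the kill switch instead of a Floating rule) expressed as an illustrative pf-style ruleset. This is an added example, not from the linked OPNsense how-to; the interface names, LAN subnet, client address and the tag name NO_WAN_EGRESS are assumptions.

```pf
# Constructed example (not the OPNsense docs' rule set); names are placeholders.
ext_if  = "igb0"            # WAN interface (assumed name)
lan_if  = "igb1"            # LAN interface (assumed name)
vpn_if  = "wg0"             # WireGuard interface (assumed name)
lan_net = "192.168.1.0/24"  # assumed LAN subnet
vpn_client = "192.168.1.50" # assumed host that must only egress via the VPN

# Outbound NAT. In pf, 'match ... nat-to' is evaluated before the pass/block
# decision, which is the "NAT always happens before any filtering rules" point.
match out on $ext_if from $lan_net nat-to ($ext_if)
match out on $vpn_if from $lan_net nat-to ($vpn_if)

# LAN "in" rule: pass the VPN client's traffic and tag it. Tags are carried
# in the packet's state and can be matched again on another interface.
pass in quick on $lan_if from $vpn_client tag NO_WAN_EGRESS

# Kill switch as a WAN "out" interface rule rather than a Floating rule:
# if routing ever sends tagged traffic towards WAN (e.g. VPN gateway down),
# it is dropped here on egress, before it leaves the box.
block out quick on $ext_if tagged NO_WAN_EGRESS log

# Everything else from LAN is allowed out via WAN as usual.
pass out on $ext_if from $lan_net
```

Because the tag is attached on ingress and checked on egress, the rule does the same job whether it lives in the Floating tab or on the WAN interface; the Floating placement only changes where it sits in evaluation order.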
Title: Re: Is VPN kill switch rule strictly needed at Floating level?
Post by: OPNenthu on April 09, 2026, 05:12:06 PM
Ah, interesting.  I started using OPNsense at the tail end of 24.7 and WAN rule directionality was already present, IIRC.

So maybe it's not misinformation, just terribly outdated.
Title: Re: Is VPN kill switch rule strictly needed at Floating level?
Post by: keeka on April 09, 2026, 06:54:30 PM
Quote from: OPNenthu on April 09, 2026, 05:12:06 PM
Ah, interesting.  I started using OPNsense at the tail end of 24.7 and WAN rule directionality was already present, IIRC.

So maybe it's not misinformation, just terribly outdated.

In that case I may be mistaken as that is about the time I started using OPNsense regularly. I do recall some point in the past, only being able to select direction via floating rules. That may have been pfsense.