Hello,
Doing a fresh install of OPNsense on 26.1, having used v25 in the past. I noticed two things in the new "Firewall Rules [new]" that I believe are worth calling out for improvement.
- When creating a new rule, it's unclear if "Interface" is actually being parsed for the rule or if it's a display value to help with filtering. If it's a display, I'd expect it to say "(not parsed)" or similar in the help text, like the Description and other not parsed fields. If it is parsed, how is it different than the Source value? I checked the wiki, and this isn't called out clearly: https://docs.opnsense.org/manual/firewall.html#interface-filter. The wiki seems to describe interface filtering on the rules page, not in creating a new rule or the purpose of that value.
- Moving forward under the assumption it's a non-parsed value to be used for filtering, I set the "Invert Interface = true" and Interface = WAN. In Source, I selected all net except my "WAN net". I'm now creating a rule that should apply to all Interfaces except my WAN. However, when I go back to the Rules list and filter by interface, I can't find that rule under any category. It should appear under all interfaces except WAN, but instead, it's only available under "All rules". With anyfilter applied, it's missing.
Let me know if I'm wrong on the above please!
Have a good one!
Screenshots for clarity:
With your !WAN rule, it is being applied to more than 1 other interface. You will find it listed under your Floating rules.
Check out your generated ruleset with "pfctl -s rules" or "cat /tmp/rules.debug"
You'll see the interface is part of the generated rules and affects the match of the rule (which interface did the packet enter)