OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: drivera on November 03, 2018, 11:18:49 pm

Title: OpenVPN Firewall rules evaluation order
Post by: drivera on November 03, 2018, 11:18:49 pm
Hi, all!

For my setup, I have several OpenVPN links going to-and-fro.  I managed to get everything working in a pretty clean manner, but have found one inconsistency that I thought could bear some discussion.

Out of preference, and because the tunnels I have are pretty much constantly up, I decided to assign a static interface to each of the tunnels so their access rules would be easier to manage.  That worked as expected, minus a speed bump when I realized that the OpenVPN tunnels had to be bounced after all the configuration was done. Minor setback, but easily resolved. Moving on...

What I discovered is that the rules for "OpenVPN" are evaluated *before* the rules for each of the individual tunnels. Intuitively, I would have thought that the most specific rule groups are always evaluated first, but this doesn't appear to be the case here.

Is this by design? Is this a defect that needs correcting?

I discovered this when I added what I hoped to be a "catch-all" REJECT rule, for easier debugging, and found that it was the cause of the traffic not flowing. As soon as the rule was disabled (later removed), everything worked as it should.

So... thoughts?
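As an added example, not part of the original post: a small first-match model of the evaluation order described above (the "OpenVPN" group rules ahead of the assigned tunnel interface's own rules), showing why a group-level catch-all REJECT shadows an interface-specific allow. The interface name `ovpns1` and all addresses are constructed for illustration.

```python
# Added example (not from the forum post): first-match model of the ordering
# the poster observed, where "OpenVPN" group rules run before the rules of
# the individually assigned tunnel interface. Names/addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    scope: str    # "OpenVPN" (group) or a specific tunnel interface name
    action: str   # "pass" or "reject"
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation
    label: str    # human-readable description


def first_match(rules, iface, src, dst):
    """Return the first rule that applies to this interface and matches src/dst."""
    for r in rules:
        if r.scope not in ("OpenVPN", iface):
            continue  # rule belongs to another interface's tab
        if ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst):
            return r
    return None


def evaluate(rules, iface, src, dst):
    """Return (action, label); with no match, fall back to the implicit default deny."""
    r = first_match(rules, iface, src, dst)
    return (r.action, r.label) if r else ("block", "default deny")


def build_ruleset(group_rules, iface_rules, group_first=True):
    """Concatenate the two tabs in the order the firewall evaluates them."""
    return group_rules + iface_rules if group_first else iface_rules + group_rules


# Constructed sample: a debugging catch-all on the group tab, and a legitimate
# site-to-site allow on the assigned tunnel's own tab.
GROUP_RULES = [Rule("OpenVPN", "reject", "0.0.0.0/0", "0.0.0.0/0", "catch-all reject")]
IFACE_RULES = [Rule("ovpns1", "pass", "10.8.0.0/24", "192.168.1.0/24", "site-a allow")]

OBSERVED = build_ruleset(GROUP_RULES, IFACE_RULES, group_first=True)   # what the poster saw
SPECIFIC_FIRST = build_ruleset(GROUP_RULES, IFACE_RULES, group_first=False)  # what was expected

if __name__ == "__main__":
    print("group first   :", evaluate(OBSERVED, "ovpns1", "10.8.0.5", "192.168.1.10"))
    print("specific first:", evaluate(SPECIFIC_FIRST, "ovpns1", "10.8.0.5", "192.168.1.10"))
```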