23.7 Legacy Series / v23.7.9 - broken firewall rule on WAN if "Block private networks" is enabled
« on: December 07, 2023, 04:00:36 am »
Hi all, I upgraded from OPNsense 23.7.8_1 to 23.7.9 and I think I found a bug - my apologies if this was reported already, I did search the forum and didn't see this being reported before.
Under my Interfaces, I have a PPPoE fiber connection configured. That connection also had the "Block private networks" option ticked before I did the upgrade to 23.7.9.
Before upgrading, the option resulted in a DENY rule named "Block private networks from WAN" under "Firewall/Rules/WAN" - and then "Automatically generated rules" for the WAN interface. It specifically (and correctly) created the source address list as:
`10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16`
![](https://i.postimg.cc/CB3C6C4X/Screenshot-2023-12-07-033950.png)
The problem is, however, that after upgrading, this same rule got changed, and except for the first '10.0.0.0/8' CIDR, all the other CIDR addresses now seem to be missing the first digit ("1" in all cases) in the first octet. So the list of source networks after the upgrade is:
`10.0.0.0/8,_27.0.0.0/8,_00.64.0.0/10,_72.16.0.0/12,_92.168.0.0/16`
![](https://i.postimg.cc/N2R8hyJM/Screenshot-2023-12-07-035111.png)
I also disabled and re-enabled the option under the WAN interface setup, but the rule still gets recreated with the broken network CIDRs.
Hope this helps and that you can also replicate it!
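A small validation script for the situation described in this post, added here as an example; it is not part of the post and not OPNsense's own code. It takes the comma-separated source list of a generated rule (the two lists shown above are embedded as constructed sample input), rejects entries that are not syntactically valid CIDRs (such as `_27.0.0.0/8`), and also goes slightly beyond the post by flagging entries that parse fine but are not in the expected private/loopback/CGNAT set, since a dropped digit without the stray underscore would yield a public range like `27.0.0.0/8`. The expected set is taken from the pre-upgrade rule in the post; the function names are my own.

```python
import ipaddress

# Source networks the "Block private networks from WAN" rule carried before the
# upgrade, as listed in the post.
EXPECTED_PRIVATE_NETWORKS = {
    "10.0.0.0/8",
    "127.0.0.0/8",
    "100.64.0.0/10",
    "172.16.0.0/12",
    "192.168.0.0/16",
}

# Constructed sample input: the rule's source list before and after the upgrade,
# copied from the post.
SOURCE_LIST_BEFORE = "10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16"
SOURCE_LIST_AFTER = "10.0.0.0/8,_27.0.0.0/8,_00.64.0.0/10,_72.16.0.0/12,_92.168.0.0/16"


def parse_source_list(rule_source: str) -> list[str]:
    """Split a rule's comma-separated source list into trimmed, non-empty entries."""
    return [entry.strip() for entry in rule_source.split(",") if entry.strip()]


def check_rule_sources(rule_source: str) -> tuple[list[str], list[str]]:
    """Validate a generated rule's source list.

    Returns (valid_networks, problems): the entries that parsed as proper CIDRs,
    in address order, and a list of human-readable findings covering malformed
    entries, expected networks that are missing, and valid-looking networks that
    are not in the expected set.
    """
    valid_networks: list[ipaddress.IPv4Network] = []
    problems: list[str] = []

    for entry in parse_source_list(rule_source):
        try:
            # strict=True rejects host bits set in the network part, e.g. 10.0.0.1/8
            network = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            problems.append(f"malformed network {entry!r}")
            continue
        if network.version != 4:
            problems.append(f"unexpected IPv6 entry {entry!r}")
            continue
        valid_networks.append(network)

    present = {str(n) for n in valid_networks}
    for missing in sorted(EXPECTED_PRIVATE_NETWORKS - present):
        problems.append(f"expected network {missing} not present")
    for extra in sorted(present - EXPECTED_PRIVATE_NETWORKS):
        problems.append(f"unexpected network {extra} in block list")

    return [str(n) for n in sorted(valid_networks)], problems


def is_rule_intact(rule_source: str) -> bool:
    """True only if every entry parses and the set matches the expected networks exactly."""
    return check_rule_sources(rule_source)[1] == []


if __name__ == "__main__":
    for label, source in (("before", SOURCE_LIST_BEFORE), ("after", SOURCE_LIST_AFTER)):
        networks, findings = check_rule_sources(source)
        print(f"{label}: intact={not findings} valid={networks}")
        for finding in findings:
            print(f"  - {finding}")
```

Running it against the post's two lists reports the pre-upgrade rule as intact and the post-upgrade rule with four malformed entries plus four missing expected networks, which is the quickest way to confirm from a rule export whether an installation is affected.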