Messages - mooh

#1
Thanks for taking the time to respond.

I take it that such a rule cannot be written on a firewall group or floating rule level. So my question comes down to: is there some sort of automatic variable that can be used in a rule to fill in the <network> placeholder (ideally the broadcast bits as well)? Otherwise, that part of the interface configuration would be duplicated into the rule and create two places that need to be kept consistent without being obviously related. The same would be true for using aliases for the directed broadcast addresses.
#2
Ignore as in suppress in logs, etc. The general question being, is there a way to handle directed broadcasts other than on an interface basis.
#3
General Discussion / How to handle directed broadcasts?
October 07, 2025, 12:48:09 PM
In a network full of SMB devices, there's a lot of IPv4 directed broadcasting to <network>.255:137, e.g. in 192.168.1.0/24 to 192.168.1.255:137. Is there a way to have a floating or firewall group rule to ignore such traffic?
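The traffic described in this post, as an added example that is not part of the thread or of OPNsense: the subnet broadcast address is derived from each interface's CIDR rather than typed into a rule, and sample log lines are classified so that same-subnet NetBIOS broadcast chatter (UDP 137 to the subnet's broadcast address) can be treated as noise while a broadcast sourced from another network stays visible. The interface table, the log lines and their simplified "src -> dst:port proto" layout are constructed for this example; the real filterlog format is richer.

```python
import ipaddress
import re

# Constructed interface table (assumption: not the poster's configuration).
INTERFACES = {
    "lan": "192.168.1.1/24",
    "opt12": "192.168.144.1/24",
}

# Constructed sample log lines in a simplified "src -> dst:port proto" form.
SAMPLE_LOG = """\
192.168.1.37 -> 192.168.1.255:137 udp
192.168.1.37 -> 192.168.1.20:445 tcp
192.168.144.9 -> 192.168.144.255:137 udp
192.168.144.9 -> 255.255.255.255:67 udp
10.0.0.5 -> 192.168.1.255:137 udp
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (\w+)$")


def interface_networks(interfaces):
    """Map each interface name to its IPv4 network object.
    The broadcast address (the '<network>.255' of the post) is computed from
    the CIDR, so it cannot drift from the interface configuration."""
    return {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}


def directed_broadcasts(interfaces):
    """Return {interface name: broadcast address as a string}."""
    return {name: str(net.broadcast_address)
            for name, net in interface_networks(interfaces).items()}


def classify(log_text, interfaces, port=137):
    """Split log lines into (noise, other).

    A line is NetBIOS broadcast noise when its destination is the broadcast
    address of a known interface, the destination port matches, the protocol
    is UDP, and the source sits on that same subnet. A broadcast sourced from
    a different network is deliberately kept in 'other': suppressing local
    chatter should not hide traffic aimed at a subnet from outside it."""
    nets = interface_networks(interfaces)
    noise, other = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, dport, proto = m.groups()
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        matched = None
        for name, net in nets.items():
            if (dst_ip == net.broadcast_address and src_ip in net
                    and int(dport) == port and proto == "udp"):
                matched = name
                break
        if matched:
            noise.append((matched, line))
        else:
            other.append(line)
    return noise, other


if __name__ == "__main__":
    noise, other = classify(SAMPLE_LOG, INTERFACES)
    for name, line in noise:
        print(f"noise on {name}: {line}")
    for line in other:
        print(f"keep: {line}")
```

The same-subnet check is the design choice worth noting: 255.255.255.255 (limited broadcast) and a broadcast whose source is off-subnet both fall through to the "keep" list, so only the local SMB name-service chatter the post complains about is filtered.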
#4
25.1, 25.4 Series / Firewall Live View Filtering Issue
October 07, 2025, 12:33:41 PM
At one of my sites, there's heavy use of network segmentation. Firewall groups keep the rules in check. In such a scenario, monitoring a group of interfaces can be extremely helpful. The interfaces within a group have already been named in a consistent way, i.e. they all share a common prefix.

Unfortunately, in Firewall: Log Files: Live View, selecting "interface contains" brings up the same menu list as "interface is", i.e. it is not possible to select multiple interfaces by matching their names as partial strings nor is it possible to select a firewall group.

The work-around is to create a composite filtering template, joining the individual results. Such a template however requires adjustment every time there is a change to a group of interfaces, but there is no obvious connection between them, making maintenance hard.

So my proposal is to either make "interface contains" a string match or allow firewall groups to be matched. At the very least, remove "contains" if it yields the same result as "is".
#5
This morning my Telekom Glasfasermodem 2 at home updated its firmware on its own to 090144.1.0.009, and once again nobody noticed. The log of my DEC750 running 25.4.3 shows something about Link State Down / UP, the WAN interface reinitialised itself and everything kept running, even with the same IPv6 prefix.
#6
German - Deutsch / Re: VLAN Problem
September 08, 2025, 04:09:52 PM
Mikrotik has a comparatively good explanation of VLAN settings. Only the description of Force VLAN ID is linguistically meaningless.
#7
Thanks for looking this up, meyergru. The discussion on GitHub is taking a wrong turn, in my opinion. Other 2FA-enabled systems use a two-step approach, the 2FA only being queried after the account and password screen. The point is, the second screen will always be displayed, regardless of the correctness of the account/password pair, thus not giving away any indication of the correctness of the info in the first.

+1 for Patrick's point
#8
General Discussion / System access server settings
August 18, 2025, 02:10:23 PM
It appears that in order to enforce OTP authentication the local database must not be used concurrently. However, when configured this way, access via ssh + password is lost. Thus, you can have it only one way or the other at a time. I think it should be possible to use both methods concurrently. Is there a way to achieve that?

P.S.: Please no discussion about ssh + password...
#9
General Discussion / OTP implementation improvement
August 18, 2025, 02:00:20 PM
I've been playing with the OTP in OPNsense and have come to the conclusion that the current implementation is getting in the way of password managers. The reason is that concatenating the OTP digits onto the password in the same input field makes the password manager believe that the user has changed the password, and it offers to update it in its database, invalidating the password. So, every time I log in with the password manager active, the update needs to be cancelled. This makes OTP usage awkward. I'd like to suggest doing what every other website does and providing separate fields for password and OTP code.

Btw, are there any plans to support passkeys?
#10
Thanks a lot, guys! The floating rules only appear in the interface rules if there is at least one match. I expected to see an empty floating rules section when there are no matches.
#11
That's my question: The way I understand it, floating rules should apply to all interfaces implicitly. Is that not the case?
#12
I was trying to enter text in another window but unintentionally the input was sent to the web interface of the firewall, where I had an interface config open. When I noticed this, the UI had a button on top to apply the changes. I could not identify any change, so eventually I just pressed apply and checked the version history:

--- /conf/backup/config-1754987170.9107.xml 2025-08-12 10:26:10.917094000 +0200
+++ /conf/backup/config-1755073081.1818.xml 2025-08-13 10:18:01.189208000 +0200
@@ -1477,9 +1477,9 @@
     <interfaceslistfilter>opt10,lan</interfaceslistfilter>
   </widgets>
   <revision>
-    <username>root@192.168.50.42</username>
-    <description>/firewall_rules_edit.php made changes</description>
-    <time>1754987170.9107</time>
+    <username>root@192.168.50.45</username>
+    <description>/interfaces.php made changes</description>
+    <time>1755073081.1818</time>
   </revision>
   <OPNsense>
     <captiveportal version="1.0.2">
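Review bot: the `<revision>` block in this hunk is the save record, not a setting; all three changed lines (`<username>root@192.168.50.45</username>`, `<description>/interfaces.php made changes</description>`, `<time>1755073081.1818</time>`) are rewritten on every save, so they identify which page wrote the config and when, but carry no configuration change themselves. The description matching /interfaces.php is consistent with the interface page having been submitted.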
@@ -3114,7 +3114,9 @@
       <vlanif>vlan010</vlanif>
     </vlan>
   </vlans>
-  <bridges version="1.0.0"/>
+  <bridges version="1.0.0">
+    <bridged/>
+  </bridges>
   <gifs version="1.0.0">
     <gif/>
   </gifs>
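Review bot: the only configuration-level change in this hunk is `<bridges version="1.0.0"/>` becoming a container holding an empty `<bridged/>` element, with no attributes and no child values, so no bridge parameters are set by it. Nothing else in the two hunks touches interface settings, which agrees with the poster not being able to spot any change in the UI before applying.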

The only substantial change is the bridged flag. Does anyone know what this is referring to?
#13
Here are the screenshots. The floating rules don't even show up on the WANoE rule set.

Looking at the floating rules a bit closer, there's a counter "6" saying how many interfaces these rules apply to and hovering above the number even shows them by name. This FW has 11 interfaces, one of them disabled. The others are physical, VLANs and PPPoE, V4 only and dual stack, DHCP and static,... I don't see a pattern.

So, my question I guess is what causes floating rules not to be applied? I can't find anything in the docs.
#14
General Discussion / Floating Rules and WAN Interfaces
August 12, 2025, 12:24:44 PM
I just realised that floating rules are not always applied to WAN interfaces. Running 25.4.2 on 2 DEC750 systems, one has a PPPoE with VLAN WAN interface, the other has a physical ethernet interface as WAN. The floating rules are not applied to the PPPoE WAN. I haven't found any documentation on that. What should be the right behaviour?
#15
Focussing on layer 2, are there any other bridges in your network that circumvent the FW, a switch, a laptop, etc? To find out, I would disconnect the LAN interface from whatever it is currently connected to, then connect something to make sure the interface is up, a simple switch maybe. If you still see traffic ingress from the WAN, your FW is behaving strangely.

And I don't understand your quote. When I do an ifconfig on a VLAN it doesn't show the VLAN ID as part of the interface name but this:
vlan011: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: NetMA2 (opt12)
        options=4000000<MEXTPG>
        ether f4:90:ea:00:85:2d
        inet 192.168.144.1 netmask 0xffffff00 broadcast 192.168.144.255
        inet6 fe80::f690:eaff:fe00:852d%vlan011 prefixlen 64 scopeid 0xb
        groups: vlan Mitarbeiter
        vlan: 144 vlanproto: 802.1q vlanpcp: 0 parent interface: igb2
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>