Is there a hidden difference between a float and interface rule?

Started by openMe, February 02, 2025, 12:49:04 PM

Is there a difference between a float and interface rule
- regarding the very same interface
- having exactly the same rule setting
- the interface rule gets triggered, if the float rule is off (there is nothing blocking traffic before)

I assumed that, if I consider one interface, the only difference between a float and an interface rule with the same settings is the order of processing: float before interface.

I have a float rule, which only gets triggered on the WAN interface (replacement for the built-in "let anything OUT from firewall itself"). That's what I see in the log.

I set up a rule with exactly the same settings, but on the WAN interface instead of a float one, so the only difference in the rules is the "Interface" field (well, and the Description). Both rules are enabled. As expected, I only see the float rule in the log, as it is quick and gets triggered before interface rules.
Now I disable the float rule and try to refresh a web page or connect to another web page. The browser tries, but I don't get my web page. As soon as I enable the float rule again, the browser loads the page.

I am clueless :-(

By default rules are applied in order (you can change this by unchecking the Quick box in the rule definition). The order in which rules are examined is:

Automatically Generated Rules
Floating Rules
Interface Specific Rules

Floating Rules are intended to apply to multiple interfaces. A floating rule set up for one interface should be the same as an interface-specific rule for that interface, except that the default rule is examined first.

As to what is happening with your WAN rule I cannot say without looking at your ruleset. Maybe you have a block rule ahead of the interface rule but after the floating rule.

Always remember: implicit NAT firewall rules are prioritized even higher.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+
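As an added illustration of the ordering the reply above describes (this is a constructed model, not the poster's actual ruleset and not OPNsense or pf code), the following Python script evaluates a packet against a small ruleset with pf-style semantics: automatic rules before floating rules before interface rules, a quick rule ending evaluation at the first match, a non-quick rule letting the last match win, and an implicit default block. The rule names, the hypothetical "stray block" rule and the default verdict are assumptions chosen to reproduce the scenario in the thread.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    origin: str         # "auto" (generated), "floating", or "interface" (interface tab)
    action: str         # "pass" or "block"
    interface: str      # interface the rule is bound to, e.g. "wan"
    direction: str      # "in" or "out"
    quick: bool = True  # quick: first match decides; non-quick: last match decides
    enabled: bool = True


# Examination order from the reply: automatic, then floating, then interface-specific.
ORIGIN_RANK = {"auto": 0, "floating": 1, "interface": 2}


def ordered(rules):
    # sorted() is stable, so rules keep their relative order inside each group
    return sorted(rules, key=lambda r: ORIGIN_RANK[r.origin])


def evaluate(rules, interface, direction, default="block"):
    """Return (action, rule name) for a packet on `interface` going `direction`.

    Assumed pf-style semantics: a quick rule stops evaluation at the first
    match; otherwise the last matching rule wins; no match means `default`.
    """
    verdict = (default, "implicit default")
    for r in ordered(rules):
        if not r.enabled or r.interface != interface or r.direction != direction:
            continue
        verdict = (r.action, r.name)
        if r.quick:
            break  # quick rule: first match ends evaluation
    return verdict


def thread_ruleset(float_enabled=True, stray_block=True, quick=True):
    """Constructed ruleset modelling the thread (not the poster's real rules):
    two identical pass-out rules on WAN, one floating and one interface-bound,
    optionally with a hypothetical block rule placed ahead of the interface rule."""
    rules = [
        Rule("floating pass out on WAN", "floating", "pass", "wan", "out", quick, float_enabled),
    ]
    if stray_block:
        # the block rule the reply suggests might sit after the floating rule but
        # before the interface pass rule
        rules.append(Rule("stray block out on WAN", "interface", "block", "wan", "out", quick))
    rules.append(Rule("WAN pass out", "interface", "pass", "wan", "out", quick))
    return rules


def scenarios():
    """Evaluate the same outbound WAN packet under the thread's variations."""
    return {
        "float on": evaluate(thread_ruleset(), "wan", "out"),
        "float off, block ahead": evaluate(thread_ruleset(float_enabled=False), "wan", "out"),
        "float off, no block": evaluate(thread_ruleset(False, stray_block=False), "wan", "out"),
        "float off, block ahead, nothing quick": evaluate(thread_ruleset(False, True, quick=False), "wan", "out"),
        "unrelated direction": evaluate(thread_ruleset(), "wan", "in"),
    }


if __name__ == "__main__":
    for label, (action, rule) in scenarios().items():
        print(f"{label:40} -> {action:5} ({rule})")
```

With the floating rule enabled it matches first and the interface rules are never reached; with it disabled, whatever sits ahead of the interface pass rule decides, which is why the reply asks to see the full ruleset. The last scenario shows that the same block rule would be overridden if none of the rules were quick, since then the last match wins.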

Is there a reason why you don't attach/show the 2 rules (alternate pairs of eyes looking can't hurt)?

Alternatively (or in addition), a screenshot of the FW live view in both cases would be helpful.
For a web page, I'd expect an IN on a LAN facing interface from PS:random to WEBSERVER:HTTP(s) followed by an OUT on the WAN from OPN_WANIP:random2 to WEBSERVER:HTTP(s)
The latter would likely be the Force GW rule by default.

What's happening with the floating and interface rules in place?