Matching traffic for both in and out interface

Started by unlikely, April 20, 2025, 07:54:56 PM

Hello everyone,

I've been experimenting with OPNsense for a few days now. I've also gone through the documentation and explored search results, but I haven't been able to find an answer to my question.

I would like to allow all traffic originating from one group of interfaces and directed to another group of interfaces without any additional filtering.

In RouterOS, this can be done in the Filter chain since the routing decision has already been made. However, I don't fully understand when OPNsense performs packet filtering, whether this is achievable, and if so, how to set it up.

I couldn't find any options in the UI to accomplish this.

There are no from interface to interface mechanisms in OPNsense, unfortunately.

Commonly you place rules on the ingress interface, direction "in", and you can then filter on destination IP address or network. But not on egress interface. It's all IP addresses in rules.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

April 23, 2025, 12:40:21 AM #2 Last Edit: April 23, 2025, 12:44:23 AM by unlikely
Using network IP addresses is inconvenient in my case due to the potentially large and unpredictable number of networks routed via OSPF. Maintaining aliases under such conditions would be impractical, tedious, or outright unfeasible.

But, after further investigation, I believe I have gained some new insight.

Packet flow in OPNsense, and possibly FreeBSD, appears to differ from RouterOS and potentially Linux. From what I understand (please correct me if I'm mistaken), a packet is inspected not once, but twice: once when it enters the firewall and again when it exits, provided it has been accepted in the first stage. When a packet enters the firewall, no routing decision has been made yet (or it's not exposed in pf/OPNsense), meaning the rules system does not know where the packet would be directed if accepted.

The behavior I aim to achieve could be implemented in two steps:
  • Using an inbound rule for interface group A: when a packet enters interface A, we accept it and mark it with the tag from-interface-A.
  • Using an outbound rule for interface group A: when a packet is about to exit toward interface A, and it carries the tag from-interface-A, we accept it.

In this way, all packets originating from interface A are guaranteed to be allowed to exit toward interface A.
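The two-step scheme described in the post above, written out in raw pf.conf syntax as an added illustration (not configuration from the thread or from OPNsense). It assumes an interface group named grpA and a ruleset that ends in a default block. One pf detail matters here: with pf's default "set state-policy floating", a state created by a stateful inbound pass also matches the same packet on the egress interface, so an outbound "tagged" rule would never be consulted; tagging with "match" and keeping the inbound pass stateless avoids that.

```pf
# Added example, not from the thread: "from group A to group A" using pf tags.
# Assumptions: interface group "grpA" exists; the ruleset ends in a default block.

# Step 1 (ingress on group A): mark the packet. "match" only sets the tag; it does
# not make the pass/block decision, so the decision stays with the rules below.
match in on grpA tag FROM_GRPA

# Accept it inbound WITHOUT creating state. With pf's default floating state
# policy, a stateful inbound pass would already carry the packet through the
# egress interface and the outbound rule below would never be evaluated.
pass in quick on grpA no state

# Step 2 (egress on group A): accept only packets that arrived on group A.
# The state created here covers the reply traffic in both directions.
pass out quick on grpA tagged FROM_GRPA keep state

# A FROM_GRPA packet leaving on an interface outside group A matches nothing
# above and falls through to the default block, which is the intended result.
```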

Quote from: unlikely on April 23, 2025, 12:40:21 AM
    meaning the rules system does not know where the packet would be directed if accepted

Correct - the inbound firewall rule is applied before any routing decision. That's why you cannot have a "from interface - to interface" style of rule. Only "to IP address/network".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)