26.1: intra-VLAN traffic is now allowed by "let out anything from firewall..."

Started by giox969, February 05, 2026, 12:33:45 PM

Hi, after upgrading to 26.x (currently 26.1.1-amd64), all intra-VLAN traffic is permitted and no longer blocked.

According to the firewall logs, the "let out anything from firewall host itself" rule is allowing traffic from/to the internal VLANs/LAN.
The rule "let out anything from firewall host itself" is applied automatically before my interface-group "last match" blocking rule, so my blocking rule cannot be used. My interface-group last-match blocking rule was working correctly, blocking intra-VLAN traffic, before the upgrade.

I also tried converting the rules to the new version, deleted all old rules and rebooted, but nothing changed. Intra-VLAN traffic is still permitted.

Is it correct that in 26.x "let out anything from firewall host itself" allows traffic not originating from the firewall?

Have a look at Investigating outbound rules in OPNsense. As for order, I haven't gone to v26 yet, but there are ordering options available that may be usable for you (Let's talk firewall rule order ...).

Thank you for answering.
After further investigation, I found that the rule "let out anything from the firewall host itself" is logged for every packet with the S/SA flags exiting any interface, including packets traversing the firewall. Therefore, in my case, this rule/log line was not the real indicator of the problem.

After understanding this, I enabled logging correctly and fixed the problem. At this point, I suspect that intra-VLAN traffic might also have been working with the previous firmware... but I have no way to investigate that. In any case, the problem is solved now. Thank you for sending me the links explaining the design choices behind the outbound rules; I think I've learned a bit more about pfctl now.
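As an added illustration of the point in the last post (this is example code, not something posted in the thread and not OPNsense's own code): the automatic outbound rule produces a "pass out" log entry for forwarded packets as well as for the firewall's own traffic, so it is the "pass in" entry on the ingress interface that names the rule which actually admitted a routed inter-VLAN flow. The script below parses a few constructed filterlog lines and reports which inbound rule passed or blocked each inter-VLAN flow, counting the outbound auto-rule hits separately so they are not mistaken for the cause. The CSV field order is assumed from the BSD filterlog layout, and the rule-name field is a simplification: real OPNsense logs carry an opaque rule identifier there that the GUI resolves to a description. The subnets and log lines are constructed.

```python
"""Find which rule actually permits routed inter-VLAN traffic in filterlog output.
Added example, not part of the forum thread or of OPNsense."""
import ipaddress
import re
from collections import Counter

# Internal networks whose mutual traffic should be blocked (constructed values).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.30.0.0/24")]

# Name of the automatic outbound rule discussed in the thread.
AUTO_OUT_RULE = "let out anything from firewall host itself"

# Strips the syslog prefix up to and including "filterlog[pid]: ".
_PREFIX = re.compile(r"^.*?filterlog\[\d+\]:\s*")

# Assumed CSV field order after the prefix:
# rulenr,subrulenr,anchor,rule,interface,reason,action,direction,ipversion,
# tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst,
# srcport,dstport,datalen,tcpflags,seq,ack,window,urg,options
F_RULE, F_IFACE, F_ACTION, F_DIR, F_IPVER = 3, 4, 6, 7, 8
F_PROTO, F_SRC, F_DST, F_SPORT, F_DPORT, F_TCPFLAGS = 16, 18, 19, 20, 21, 23

# Constructed sample: a client in VLAN 20 opens SSH to VLAN 30 (passed by an
# inbound rule, then logged again by the auto rule on the egress interface),
# another client is blocked, and the firewall itself answers a client.
SAMPLE_LOG = """\
Feb  5 12:33:45 fw filterlog[1234]: 5,,,allow-vlan20-in,vlan0.20,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,10.20.0.5,10.30.0.7,51234,22,0,S,1111,,65535,,mss;sackOK
Feb  5 12:33:45 fw filterlog[1234]: 3,,,let out anything from firewall host itself,vlan0.30,match,pass,out,4,0x0,,63,1,0,DF,6,tcp,60,10.20.0.5,10.30.0.7,51234,22,0,S,1111,,65535,,mss;sackOK
Feb  5 12:33:46 fw filterlog[1234]: 7,,,block-intervlan,vlan0.20,match,block,in,4,0x0,,64,2,0,DF,6,tcp,60,10.20.0.9,10.30.0.7,51235,445,0,S,2222,,65535,,mss;sackOK
Feb  5 12:33:47 fw filterlog[1234]: 3,,,let out anything from firewall host itself,vlan0.20,match,pass,out,4,0x0,,64,3,0,DF,6,tcp,60,10.20.0.1,10.20.0.5,443,51236,0,SA,3333,1112,65535,,
"""


def parse_line(line):
    """Parse one IPv4 TCP/UDP filterlog line into a dict; None for anything else."""
    f = _PREFIX.sub("", line.strip()).split(",")
    if len(f) <= F_DPORT or f[F_IPVER] != "4" or f[F_PROTO] not in ("tcp", "udp"):
        return None
    return {
        "rule": f[F_RULE], "iface": f[F_IFACE], "action": f[F_ACTION],
        "dir": f[F_DIR], "proto": f[F_PROTO],
        "src": ipaddress.ip_address(f[F_SRC]), "dst": ipaddress.ip_address(f[F_DST]),
        "sport": int(f[F_SPORT]), "dport": int(f[F_DPORT]),
        "tcpflags": f[F_TCPFLAGS] if f[F_PROTO] == "tcp" and len(f) > F_TCPFLAGS else "",
    }


def _net_of(addr):
    """Return the internal network containing addr, or None."""
    for net in INTERNAL_NETS:
        if addr in net:
            return net
    return None


def is_inter_vlan(entry):
    """True when src and dst sit in two different internal networks, i.e. the
    packet is routed through the firewall rather than originating from it."""
    s, d = _net_of(entry["src"]), _net_of(entry["dst"])
    return s is not None and d is not None and s != d


def summarize(log_text):
    """Return (inbound pass rules, inbound block rules, outbound auto-rule hits)
    for inter-VLAN flows. Only the 'in' direction on the ingress interface
    identifies the rule that decided the flow; the 'out' hits of the automatic
    rule also appear for forwarded packets and are not the cause."""
    passes, blocks, auto_out = Counter(), Counter(), 0
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or not is_inter_vlan(e):
            continue
        if e["dir"] == "in":
            (passes if e["action"] == "pass" else blocks)[e["rule"]] += 1
        elif e["dir"] == "out" and e["rule"] == AUTO_OUT_RULE:
            auto_out += 1
    return passes, blocks, auto_out


if __name__ == "__main__":
    passes, blocks, auto_out = summarize(SAMPLE_LOG)
    print("inbound rules passing inter-VLAN flows:", dict(passes))
    print("inbound rules blocking inter-VLAN flows:", dict(blocks))
    print("auto outbound rule hits on forwarded packets (not the cause):", auto_out)
```

To use it on a real system, replace SAMPLE_LOG with your exported filter log text and set INTERNAL_NETS to your VLAN subnets; if the pass counter names a rule other than the one you expected, that rule sits above your blocking rule in the evaluated order and is what needs to move.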