Is VPN kill switch rule strictly needed at Floating level?

Started by OPNenthu, April 09, 2026, 11:13:37 AM

Regarding the rule discussed here: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#step-11-add-a-kill-switch-optional

Does this strictly need to be a Floating rule in order to work or can it be added at the WAN interface level?  I'm assuming it's written here as a Floating rule in order to guarantee nothing overrides it, but is there another reason?

A related question: if an internal interface rule allows a packet (e.g. LAN -> WAN for some HTTPS traffic) does the packet automatically get forwarded out after NAT-ing, or does it get filtered a second time by WAN "out" rules?  I have some conflicting information about this.  ChatGPT claims that it only gets processed once at the origin interface (LAN), but in my testing I could see that the WAN "out" filter is being applied.

In case there is no outbound NAT (as in the case with IPv6 normally, not in the VPN case), does this change things?
N5105 | 8/250GB | 4xi226-V | Community

https://www.youtube.com/watch?v=XI9NG068TwI

Potentially more AI misinformation (screenshot):

It's claiming that WAN "out" rules only match when at Floating level.  Any truth, or complete garbage?

(Again, my very limited testing refutes this, but I don't trust my test.)

NAT always happens before any filtering rules.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Uff, yeah, I had forgotten that.

https://forum.opnsense.org/index.php?topic=36326.0

So taking NAT out of the picture, the questions left are:

1) Is WAN filtering (specifically WAN "out") guaranteed to happen on egress?  In other words, in the linked packet flow diagram above, does filtering happen again at step 11 or has the system already decided "this is good to go" in step 7.2 and lets it go out?

2) Do Floating rules get any special treatment here aside from processing order?

Thanks!

I may be wrong, but I have a feeling that was written when only floating rules provided an in/out selection. A single interface (WAN) out rule that matches on the tag should also work fine.
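To make the "floating vs. interface tab" question concrete, here is a pf.conf-style sketch of where the two placements of the documented kill switch end up in the ruleset. This is an added illustration, not text from the thread and not OPNsense's actual generated rules; the interface names (lan0, wan0, wg0), the gateway address, the client subnet and the tag name VPN_ONLY are all assumed. OPNsense evaluates floating rules first, then interface group rules, then per-interface rules, so the only difference between the two placements is the position of the same pf rule.

```pf
# Added illustration in pf.conf syntax; not the thread's or OPNsense's own rules.
# Assumed names: lan0, wan0, wg0, gateway 10.10.0.1, clients 192.0.2.0/24, tag VPN_ONLY.
# OPNsense emits rules in the order: floating, interface groups, interfaces.

# ---- floating section (evaluated first) ----
# The kill switch as documented: floating rule, direction "out", interface WAN.
# "quick" makes it final; "tagged" matches only states the LAN rule tagged.
block out quick on wan0 inet tagged VPN_ONLY

# ---- interface rules: LAN ----
# Policy-route the selected clients through the WireGuard gateway and tag
# the resulting state so the kill switch can recognise it on the way out.
pass in quick on lan0 inet from 192.0.2.0/24 to any \
    route-to (wg0 10.10.0.1) tag VPN_ONLY keep state

# ---- interface rules: WAN ----
# The same kill switch written as a WAN-tab rule with direction "out".
# It is the identical pf rule; it merely sits later in the ruleset.
# Use one placement or the other, not both.
block out quick on wan0 inet tagged VPN_ONLY
```

`pfctl -nf <file>` parses a file without loading it, which is a quick way to check the syntax of a sketch like this. On a live OPNsense box the generated ruleset is in /tmp/rules.debug and `pfctl -vvsr` lists the loaded rules with their numbers and hit counters, so you can see exactly where a floating rule and a WAN-tab rule land and which one a test packet actually hit; `pfctl -vvss` shows the state entries, which answers whether the outbound pass on WAN created its own state or reused the one from LAN.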

Ah, interesting.  I started using OPNsense at the tail end of 24.7 and WAN rule directionality was already present, IIRC.

So maybe it's not misinformation, just terribly outdated.

Quote from: OPNenthu on April 09, 2026, 05:12:06 PM
Ah, interesting.  I started using OPNsense at the tail end of 24.7 and WAN rule directionality was already present, IIRC.

So maybe it's not misinformation, just terribly outdated.

In that case I may be mistaken, as that is about the time I started using OPNsense regularly. I do recall, at some point in the past, only being able to select direction via floating rules. That may have been pfSense.