New rule system

Started by tessus, Today at 03:06:56 AM

I have read the topics in this new 26.1 Series forum and I tried to understand what the new rule system entails.

I couldn't find any documentation or a clear direction, and I am worried that my rules will stop working, because I am using floating rules quite extensively and some posts suggest that the evaluation order will change with this new rule system in 26.1.

Can you please explain what the new rule system will look like and what the difference to the current one is?

P.S.: I don't have a test OPNsense VM, because I haven't had the time to properly isolate and set up such a test instance. It can't be a clone of my current (physical) OPNsense instance, since it would mess up my network. I would have to set up a system from scratch, create X VLANs for all interfaces in this test VM and then try to replicate my prod rules, which would be a nightmare. This is just an explanation of why I have to ask instead of playing around and testing it myself.

I am curious about this also. From what I can tell, the difference is in the way Floating rules are assigned.

Floating rules are no longer directly specified as Floating. Now, instead, you simply assign your rule to more than one interface, and this automatically makes it a Floating rule rather than a typical interface rule.

You can see the order process of all rules on a specific interface by pressing the new Inspect button at the top of your rule table. This shows you ALL rules associated with this particular interface, and the sequence they are processed in (you may need to enable the "sequence" option in the filter). This shows Floating rules still processing first, as they always have in the past.

Today at 05:49:13 AM #2 Last Edit: Today at 07:48:22 AM by OPNenthu
These were asked in another 26.1 series thread (page 1, posts #9 and #10) but there hasn't been a dev response yet.

In the legacy rules UI, it's possible to create a Floating rule for a single interface (e.g. WAN). That can be used to override NAT rules on the interface, such as with a blocklist.

If we have existing Floating rules for a single interface, how are those translated by the migration tool? Are they converted to interface rules, or are they "upgraded" to apply on all interfaces (to preserve them as Floating rules)? It sounds like there could be implications either way.

I was under the impression this has been documented for a while and yielded no extensive feedback...

https://docs.opnsense.org/manual/firewall_automation.html#processing-order

Not sure if and how this will fundamentally change. "Automation" rules are already used in production environments by many users, and from support experience setups can have a few thousand rules which are easy to administer and perform nicely (compared to the old rules pages, where this is not the case as much).


Cheers,
Franco

I'm familiar with that :) It doesn't answer how existing Floating rules for a single interface will get migrated (or not) to MVC. If there is already a migration document, I haven't found it.

What I do understand from that document is that MVC has a design restriction: a single-interface Floating rule is not possible.

Ergo, do some use cases not transfer? Do those types of existing Floating rules simply remain in the legacy UI, or...?