Firewall Rules Not Executing In Order

Started by OzTechGeek, July 23, 2020, 05:16:28 PM

July 23, 2020, 05:16:28 PM Last Edit: July 23, 2020, 05:54:42 PM by OzTechGeek
Hi All,

Setting up OPNsense for the first time, and I created a couple of test rules in my test VM to see how everything works, but I'm having an issue with the rule firing order. I have 4 basic rules for testing the firewall and I was expecting the "first match" to apply to my traffic, but it looks like it's applying the "last match" even though I have all rules set to "quick".

LAN Rules:

Description                            | Action | Quick | Interface | Direction | TCP/IP Version | Protocol | Source  | Source Port | Destination         | Destination Port
Allow Gateway Access                   | Pass   | Yes   | LAN       | IN        | IPv4           | ANY      | LAN net | ANY         | LAN address         | ANY
Allow Subnet Access                    | Pass   | Yes   | LAN       | IN        | IPv4           | ANY      | LAN net | ANY         | LAN net             | ANY
Block Access To All Internal Networks  | Block  | Yes   | LAN       | IN        | IPv4           | ANY      | LAN net | ANY         | N_Internal_Networks | ANY
Block Access To All External Networks  | Block  | Yes   | LAN       | IN        | IPv4           | ANY      | LAN net | ANY         | ANY                 | ANY


Firewall: Log Files: Live View:
__timestamp__ Jul 23 10:56:46
ack 3701013923
action [block]
anchorname
datalen 1460
dir [in]
dst 192.168.10.10
dstport 25793
ecn
id 0
interface em0
interface_name lan
ipflags DF
label Block Access To All Internal Networks
length 1500
offset 0
proto 6
protoname tcp
reason match
rid 310440840809ac6ac297342b87a2292f
ridentifier 0
rulenr 342
seq 2133222556:2133224016
src 192.168.10.251
srcport 443
subrulenr
tcpflags A
tcpopts
tos 0x0
ttl 63
urp 65535
version 4


Firewall: Log Files: Plain View

filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,355,192.168.10.251,192.168.10.10,443,1533,315,PA,257669456:257669771,2691555010,65535,,
filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,52,192.168.10.251,192.168.10.10,443,1533,0,A,,2691555010,65535,,nop;nop;sack
filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,40,192.168.10.251,192.168.10.10,443,1533,0,A,,2691555010,65031,,
filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,52,192.168.10.251,192.168.10.10,443,1533,0,A,,2691554341,65535,,nop;nop;sack


NOTE: 192.168.10.251 is my test OPNsense VM and 192.168.10.10 is my laptop connecting to the web GUI.

I was expecting rule "Allow Subnet Access" to be applied, not rule "Block Access To All Internal Networks".

Thoughts/ideas?

As a test I created a new firewall group called "Internet_Access" and added only my internal interfaces to it: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5.

I created the following 2 rules in "Internet_Access" as a test:

Rule #: 1
Description: FG_Internet_Access - Allow My Laptop
Action: Pass
Protocol: IPv4 TCP/UDP
Source: H_MyLaptop
Port: *
Destination: ! N_Internal_Networks
Port: *

Rule #: 2
Description: FG_Internet_Access - Block Internet Access
Action: Block
Protocol: IPv4 *
Source: *
Port: *
Destination: ! N_Internal_Networks
Port: *


The results are very strange to me: it allowed very few to "PASS" but "BLOCKED" more.

PASS:

__timestamp__ Jul 23 13:08:52
ack
action [pass]
anchorname
datalen 0
dir [in]
dst 23.41.185.132
dstport 443
ecn
id 41110
interface em0
interface_name lan
ipflags DF
label FG_Internet_Access - Allow My Laptop
length 48
offset 0
proto 6
protoname tcp
reason match
rid 396c2761adcb1337d5dc65ff744048a7
ridentifier 0
rulenr 103
seq 1760592743
src 192.168.10.10
srcport 1951
subrulenr
tcpflags S
tcpopts
tos 0x0
ttl 128
urp 65535
version 4


BLOCK:

__timestamp__ Jul 23 13:08:28
ack 693860067
action [block]
anchorname
datalen 0
dir [in]
dst 31.216.147.136
dstport 443
ecn
id 49096
interface em0
interface_name lan
ipflags DF
label FG_Internet_Access - Block Internet Access
length 52
offset 0
proto 6
protoname tcp
reason match
rid 7b03c448b9cc820f0876734f8f45ba38
ridentifier 0
rulenr 105
seq
src 192.168.10.10
srcport 29367
subrulenr
tcpflags A
tcpopts
tos 0x0
ttl 127
urp 65330
version 4
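To make the Plain View lines above easier to reason about, here is an added example (not part of the original post, and not OPNsense's own code) that parses a filterlog record into the field names the Live View shows, then replays the logged packet against the four LAN rules under pf's two matching modes: a "quick" rule ends evaluation at the first match, while without "quick" the last matching rule decides. The rule table is taken from the post; the address plan behind "LAN net", "LAN address" and the N_Internal_Networks alias is assumed (192.168.10.0/24, 192.168.10.251 and 192.168.0.0/16) since the post only gives the two hosts. The field layout follows FreeBSD's filterlog format; the value the Live View labels "urp" sits in the TCP window position of the plain record.

```python
"""Added example: parse OPNsense/pf filterlog records and replay them against a
rule table under "quick" (first match wins) and non-quick (last match wins)
semantics. Address plan and alias contents are assumptions, not from the post."""
import csv
import ipaddress
from dataclasses import dataclass

# Field order of a filterlog record (FreeBSD filterlog format). Names match the
# post's Live View output; only the IPv4 + TCP/UDP layouts are handled here.
COMMON_FIELDS = ["rulenr", "subrulenr", "anchorname", "ridentifier", "interface",
                 "reason", "action", "dir", "version"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto",
               "protoname", "length", "src", "dst"]
# "window" is the value the Live View displays under the name "urp".
TCP_FIELDS = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack",
              "window", "urp", "tcpopts"]
UDP_FIELDS = ["srcport", "dstport", "datalen"]


def parse_filterlog(line):
    """Return a dict of named fields for one filterlog line (syslog prefix optional)."""
    if line.startswith("filterlog"):
        line = line.split(": ", 1)[1]
    values = next(csv.reader([line]))
    rec = dict(zip(COMMON_FIELDS, values))
    rest = values[len(COMMON_FIELDS):]
    if rec.get("version") != "4":
        raise ValueError("only IPv4 records are handled in this example")
    rec.update(zip(IPV4_FIELDS, rest))
    rest = rest[len(IPV4_FIELDS):]
    if rec["protoname"] == "tcp":
        rec.update(zip(TCP_FIELDS, rest))
    elif rec["protoname"] == "udp":
        rec.update(zip(UDP_FIELDS, rest))
    return rec


@dataclass
class Rule:
    label: str
    action: str   # "pass" or "block"
    quick: bool
    src: str      # CIDR, or "any"
    dst: str      # CIDR, or "any"


def _in_net(addr, cidr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def evaluate(rules, rec):
    """Walk the rules in order the way pf does: a matching rule marked quick ends
    evaluation immediately; otherwise the last matching rule decides the verdict."""
    winner = None
    for rule in rules:
        if _in_net(rec["src"], rule.src) and _in_net(rec["dst"], rule.dst):
            winner = rule
            if rule.quick:
                break
    return winner


# Assumed address plan (hypothetical): LAN net 192.168.10.0/24, LAN address
# 192.168.10.251 (the OPNsense VM), N_Internal_Networks alias 192.168.0.0/16.
LAN_RULES = [
    Rule("Allow Gateway Access", "pass", True, "192.168.10.0/24", "192.168.10.251/32"),
    Rule("Allow Subnet Access", "pass", True, "192.168.10.0/24", "192.168.10.0/24"),
    Rule("Block Access To All Internal Networks", "block", True, "192.168.10.0/24", "192.168.0.0/16"),
    Rule("Block Access To All External Networks", "block", True, "192.168.10.0/24", "any"),
]

# First blocked record from the post's Plain View output.
SAMPLE_LINE = ("filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,355,"
               "192.168.10.251,192.168.10.10,443,1533,315,PA,257669456:257669771,"
               "2691555010,65535,,")


def replay(line, rules=LAN_RULES):
    """Return (logged action, rule winning under quick semantics,
    rule that would win if no rule were quick)."""
    rec = parse_filterlog(line)
    quick_winner = evaluate(rules, rec)
    no_quick = [Rule(r.label, r.action, False, r.src, r.dst) for r in rules]
    last_match_winner = evaluate(no_quick, rec)
    return rec["action"], quick_winner.label, last_match_winner.label


if __name__ == "__main__":
    logged, first, last = replay(SAMPLE_LINE)
    print(f"logged action:        {logged}")
    print(f"first quick match:    {first}")
    print(f"last match (no quick): {last}")
```

Running it on the logged packet (src 192.168.10.251, dst 192.168.10.10) selects "Allow Subnet Access" under quick semantics and "Block Access To All External Networks" under last-match semantics; neither reproduces the logged "Block Access To All Internal Networks", which is a useful way to confirm that the rule set actually loaded into pf differs from the one expected before looking elsewhere (for example by comparing the logged rulenr with the rules in /tmp/rules.debug).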