Interfaces in Multiple Groups

Started by TheChickenMan, February 28, 2021, 06:38:00 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
February 28, 2021, 06:38:00 PM
I'm familiar with the general rules processing order as discussed in the manual: Auto Generated -> Floating -> Groups -> Interfaces. I'm just not sure how this holds if an interface is added to more than one group.

Code Select
Group_LAN (containing interface: LAN, LAB)
Allow ALL

Group_LAB (containing interface: LAN, LAB)
Block ALL

What exactly would happen here? Does it execute in alphabetical order by group name or something? Is it just bad policy to put an interface into more than one group?
March 01, 2021, 12:32:23 AM #1
Well, I managed to figure it out after making some test interface groups and rules. It apparently uses alphabetical order by group name.


In my previous example therefore the packets would be blocked as "Group_LAB" comes before "Group_LAN" in alphabetical ordering. I think though that I probably should avoid this where possible since it just doesn't feel like it's really a best practice.
March 18, 2022, 12:20:02 PM #2
Got the same problem. Thanks for test.

Another example can be. Wnat some rules for all interfaces and some rules for subset only.

Group_A: LAN1, LAN2, LAN3, DMZ1, DMZ2
Group_B: LAN1, LAN2, LAN3

The sort is now based on the 'name'.

Maybe good point to be confirmed by dev and to be documented.
April 03, 2023, 09:47:48 PM #3
I have now posted this feature request about the issue: https://github.com/opnsense/core/issues/6471
Intel Celeron J4125 CPU @ 2GHz (4 cores), 8GB RAM, 4 Intel NICs
Print
Go Up Pages1
User actions