Automatically generated rules - is the reason I stopped migrating to OPNSense

[Monviech (Cedrik)]

I mean... you could have just copy pasted them... it's text.

[newjohn]

filter rules
@0 scrub on vmx0 all fragment reassemble
@1 scrub on vlan0.100 all fragment reassemble
@2 scrub on vlan0.110 all fragment reassemble
evaluations
 
:
 244699
packets
 
:
 38898
bytes
 
:
 0
states
 
:
 0
inserted
 
:
 uid 0 pid 79126
state_creations
 
:
 0
@3 scrub on vlan0.120 all fragment reassemble
@4 scrub on vlan0.130 all fragment reassemble
@5 scrub on vlan0.140 all fragment reassemble
@6 scrub on vlan0.150 all fragment reassemble
@7 scrub on vlan0.160 all fragment reassemble
@8 scrub on vlan0.170 all fragment reassemble
@9 scrub on vlan0.180 all fragment reassemble
@10 scrub on vlan0.190 all fragment reassemble
@11 scrub on vlan0.200 all fragment reassemble
@12 scrub on vlan0.210 all fragment reassemble
@13 scrub on vlan0.220 all fragment reassemble
@14 scrub on vlan0.230 all fragment reassemble
@15 scrub on vlan0.240 all fragment reassemble
@16 scrub on vlan0.250 all fragment reassemble
@17 scrub on vlan0.260 all fragment reassemble
@18 scrub on vlan0.270 all fragment reassemble
@19 scrub on vlan0.280 all fragment reassemble
@20 scrub on vlan0.290 all fragment reassemble
@21 scrub on vlan0.300 all fragment reassemble
@22 scrub on vmx1 all fragment reassemble
@23 scrub on ovpnc1 all fragment reassemble
@24 scrub on ovpnc4 all fragment reassemble
@25 scrub on ovpnc3 all fragment reassemble
@26 scrub on ovpnc2 all fragment reassemble
@0 block drop in log on ! ovpnc1 inet from 10.8.3.0/24 to any
@1 block drop in log on ! ovpnc3 inet from 10.8.3.0/24 to any
@2 block drop in log on ! vmx0 inet from 10.10.95.0/24 to any
@3 block drop in log inet from <__automatic_cc423130_0:26> to any
@4 block drop in log on ! vlan0.100 inet from 10.0.1.0/24 to any
@5 block drop in log on ! vlan0.110 inet from 10.10.10.0/24 to any
@6 block drop in log on ! vlan0.120 inet from 10.10.20.0/24 to any
@7 block drop in log on ! vlan0.130 inet from 10.10.30.253 to any
@8 block drop in log on ! vlan0.140 inet from 10.10.40.0/24 to any
@9 block drop in log on ! vlan0.150 inet from 10.10.50.0/24 to any
@10 block drop in log on ! vlan0.160 inet from 10.10.60.0/24 to any
@11 block drop in log on ! vlan0.170 inet from 10.10.70.0/24 to any
@12 block drop in log on ! vlan0.180 inet from 10.10.80.0/24 to any
@13 block drop in log on ! vlan0.190 inet from 10.10.90.0/24 to any
@14 block drop in log on ! vlan0.200 inet from 10.20.0.0/24 to any
@15 block drop in log on ! vlan0.210 inet from 10.20.10.0/24 to any
@16 block drop in log on ! vlan0.220 inet from 10.20.20.0/24 to any
@17 block drop in log on ! vlan0.230 inet from 10.20.30.0/24 to any
@18 block drop in log on ! vlan0.240 inet from 10.20.40.0/24 to any
@19 block drop in log on ! vlan0.250 inet from 10.20.50.0/24 to any
@20 block drop in log on ! vlan0.260 inet from 10.20.60.0/24 to any
@21 block drop in log on ! vlan0.270 inet from 10.20.70.0/24 to any
@22 block drop in log on ! vlan0.280 inet from 10.20.80.0/24 to any
@23 block drop in log on ! vlan0.290 inet from 10.20.90.0/24 to any
@24 block drop in log on ! vlan0.300 inet from 10.30.0.0/24 to any
@25 block drop in log on ! vmx1 inet from 10.0.0.0/24 to any
@26 block drop in log on ! ovpnc4 inet from 10.8.0.0/24 to any
@27 block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
@28 block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
@29 pass in log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "1d245529367b2e34eeaff16086aeafe9"
@30 pass in log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "1d245529367b2e34eeaff16086aeafe9"
@31 pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "1d245529367b2e34eeaff16086aeafe9"
@32 pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "1d245529367b2e34eeaff16086aeafe9"
@33 pass out log quick inet6 proto ipv6-icmp from (self:2) to fe80::/10 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
@34 pass out log quick inet6 proto ipv6-icmp from (self:2) to ff02::/16 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
@35 pass out log quick inet6 proto ipv6-icmp from (self:2) to fe80::/10 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
@36 pass out log quick inet6 proto ipv6-icmp from (self:2) to ff02::/16 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
@37 pass out log quick inet6 proto ipv6-icmp from (self:2) to fe80::/10 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
@38 pass out log quick inet6 proto ipv6-icmp from (self:2) to ff02::/16 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
@39 pass out log quick inet6 proto ipv6-icmp from (self:2) to fe80::/10 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
@40 pass out log quick inet6 proto ipv6-icmp from (self:2) to ff02::/16 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
@41 pass out log quick inet6 proto ipv6-icmp from (self:2) to fe80::/10 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
@42 pass out log quick inet6 proto ipv6-icmp from (self:2) to ff02::/16 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
@43 pass out log quick inet6 proto ipv6-icmp from (self:2) to fe80::/10 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
@44 pass out log quick inet6 proto ipv6-icmp from (self:2) to ff02::/16 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
@45 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
@46 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
@47 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
@48 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
@49 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
@50 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
@51 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
@52 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
@53 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
@54 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
@55 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "8752fca75c6be992847ea984161bd3f1"
@56 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "8752fca75c6be992847ea984161bd3f1"
@57 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "8752fca75c6be992847ea984161bd3f1"
@58 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "8752fca75c6be992847ea984161bd3f1"
@59 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "8752fca75c6be992847ea984161bd3f1"
@60 pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state label "71dd196398b3f1da265dbd9dcad00e70"
@61 pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state label "71dd196398b3f1da265dbd9dcad00e70"
@62 pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
@63 pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state label "71dd196398b3f1da265dbd9dcad00e70"
@64 pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
@65 block drop in log quick inet proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
@66 block drop in log quick inet proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
@67 block drop in log quick inet6 proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
@68 block drop in log quick inet6 proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
@69 block drop in log quick inet proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
@70 block drop in log quick inet proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
@71 block drop in log quick inet6 proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
@72 block drop in log quick inet6 proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
@73 pass log quick inet6 proto carp from any to ff02::12 keep state label "3b14fa6f8072123bf7a59d2fd29cbec3"
@74 pass log quick inet proto carp from any to 224.0.0.18 keep state label "8203357325e6f08a501a6dec36b19112"
@75 block drop in log quick proto tcp from <sshlockout:0> to (self:26) port = ssh label "669143f420c3ab4118bcb0bf4b5fd823"
@76 block drop in log quick proto tcp from <sshlockout:0> to (self:26) port = https label "6baefc2a9cf2536834c092a51134a45c"
@77 block drop in log quick from <virusprot:0> to any label "8e367e2f9944d93137ae56d788c5d5e1"
@78 pass in log quick on vmx0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "5168be2cca1e130b1ef2ac18161356a8"
@79 pass in log quick on vmx0 proto udp from any port = bootpc to (self:26) port = bootps keep state label "0b032d1bab91fc97e4a7faf03a7f17c3"
@80 pass out log quick on vmx0 proto udp from (self:26) port = bootps to any port = bootpc keep state label "5039e43005a9aa50eb032af274cc9aad"
@81 pass in log quick on vmx0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "fef3d333d96a8d3558956de1fffc61cc"
@82 pass in log quick on vmx0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "fef3d333d96a8d3558956de1fffc61cc"
@83 pass in log quick on vmx0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "d2bd536587a9f5680c1f850b2d346839"
@84 pass in log quick on vmx0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "3420206ced96c01ef73fbc4ac9deb745"
@85 pass in log quick on vmx0 inet6 proto udp from fe80::/10 to (self:2) port = dhcpv6-client keep state label "0fd202708c326aebbe44ab710b6d3652"
@86 pass out log quick on vmx0 inet6 proto udp from (self:2) port = dhcpv6-server to fe80::/10 keep state label "83f6c28de8efae9b444094e4a5bf898c"
@87 pass in log quick on vmx1 proto udp from any port = bootps to any port = bootpc keep state label "f994f615e00b8be0042263f86c79913f"
@88 pass out log quick on vmx1 proto udp from any port = bootpc to any port = bootps keep state label "5cf7ab808da1fcbca1ddb9ba9b46b669"
@89 block drop in log quick on vmx1 inet from <bogons:10> to any label "b7cd97a164650b538506fb551a0369e7"
@90 block drop in log quick on vmx1 inet6 from <bogonsv6:76> to any label "f140a48ddade668b9d6f5259669a1d5c"
@91 block drop in log quick on vmx1 inet from 10.0.0.0/8 to any label "1eb94a38e58994641aff378c21d5984f"
@92 block drop in log quick on vmx1 inet from 127.0.0.0/8 to any label "1eb94a38e58994641aff378c21d5984f"
@93 block drop in log quick on vmx1 inet from 100.64.0.0/10 to any label "1eb94a38e58994641aff378c21d5984f"
@94 block drop in log quick on vmx1 inet from 172.16.0.0/12 to any label "1eb94a38e58994641aff378c21d5984f"
@95 block drop in log quick on vmx1 inet from 192.168.0.0/16 to any label "1eb94a38e58994641aff378c21d5984f"
@96 block drop in log quick on vmx1 inet6 from fc00::/7 to any label "45afd72424c84d011c07957569151480"
@97 pass in quick on lo0 all no state label "7535c94082e72e2207679aadb26afd92"
@98 pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
@99 pass in log quick on vmx0 proto tcp from any to (self:26) port = http flags S/SA keep state label "fc644ddefed1dc33844f7142cb756947"
@100 pass in log quick on vmx0 proto tcp from any to (self:26) port = https flags S/SA keep state label "fc644ddefed1dc33844f7142cb756947"
@101 pass out log route-to (vmx1 10.0.0.254) inet from (vmx1:1) to ! (vmx1:network:1) flags S/SA keep state allow-opts label "d70281046ba3974025350c5d8da4f133"
@102 pass out log route-to (ovpnc1 10.8.3.1) inet from (ovpnc1:*) to ! (ovpnc1:network:*) flags S/SA keep state allow-opts label "a164ec9a5d3709134b7b5e44ba923a1c"
@103 pass out log route-to (ovpnc4 10.8.0.1) inet from (ovpnc4:*) to ! (ovpnc4:network:*) flags S/SA keep state allow-opts label "6d88f54aa9de84ef076a457714eeb76f"
@104 pass out log route-to (ovpnc3 10.8.3.1) inet from (ovpnc3:*) to ! (ovpnc3:network:*) flags S/SA keep state allow-opts label "23993926179df54d470f26fbd1f31db5"
@105 pass in quick on vmx0 inet from (vmx0:network:1) to any flags S/SA keep state label "06dffb3e75f145a93fec873d7a40bcab"
@106 pass in quick on vmx0 inet6 from (vmx0:network:*) to any flags S/SA keep state label "18e5297df4bdcfe5310a1ff8fff0513f"
@107 pass in quick on vmx0 inet6 from fe80::/10 to any flags S/SA keep state label "18e5297df4bdcfe5310a1ff8fff0513f"
@108 pass in log quick on vlan0.100 inet proto tcp from (vlan0.100:network:1) to any flags S/SA keep state label "4a1ae6f37e26333f95f6ab5ede4aec74"
@109 pass in log quick on vlan0.100 inet proto udp from (vlan0.100:network:1) to any keep state label "4a1ae6f37e26333f95f6ab5ede4aec74"
@110 pass in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to <Aliase_DNS_Server:1> port = domain flags S/SA keep state label "a8edaca1d7de7c58ad92856fcba9a634"
@111 pass in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to <Aliase_DNS_Server:1> port = domain keep state label "a8edaca1d7de7c58ad92856fcba9a634"
@112 pass in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to <Aliase_NTP_Server:0> port = ntp flags S/SA keep state label "6e4c11415d0b524c0fb500998ac4d814"
@113 pass in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to <Aliase_NTP_Server:0> port = ntp keep state label "6e4c11415d0b524c0fb500998ac4d814"
@114 pass in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to <Aliase_PLEX_Server:0> port = 32400 flags S/SA keep state label "bfc71631e10051c599bd217509098a2c"
@115 pass in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to <Aliase_PLEX_Server:0> port = ssdp flags S/SA keep state label "bfc71631e10051c599bd217509098a2c"
@116 pass in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to <Aliase_PLEX_Server:0> port = 32410 flags S/SA keep state label "bfc71631e10051c599bd217509098a2c"
@117 pass in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to <Aliase_PLEX_Server:0> port = 32412 flags S/SA keep state label "bfc71631e10051c599bd217509098a2c"
@118 pass in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to <Aliase_PLEX_Server:0> port = 32413 flags S/SA keep state label "bfc71631e10051c599bd217509098a2c"
@119 pass in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to <Aliase_PLEX_Server:0> port = 32414 flags S/SA keep state label "bfc71631e10051c599bd217509098a2c"
@120 pass in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to <Aliase_PLEX_Server:0> port = 32400 keep state label "bfc71631e10051c599bd217509098a2c"
@121 pass in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to <Aliase_PLEX_Server:0> port = ssdp keep state label "bfc71631e10051c599bd217509098a2c"
@122 pass in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to <Aliase_PLEX_Server:0> port = 32410 keep state label "bfc71631e10051c599bd217509098a2c"
@123 pass in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to <Aliase_PLEX_Server:0> port = 32412 keep state label "bfc71631e10051c599bd217509098a2c"
@124 pass in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to <Aliase_PLEX_Server:0> port = 32413 keep state label "bfc71631e10051c599bd217509098a2c"
@125 pass in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to <Aliase_PLEX_Server:0> port = 32414 keep state label "bfc71631e10051c599bd217509098a2c"
@126 block drop in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to <Aliase_ALL_Int_Subnets:3> label "f01942ec52167b5d1d80bb1385ff0526"
@127 block drop in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to <Aliase_ALL_Int_Subnets:3> label "f01942ec52167b5d1d80bb1385ff0526"
@128 block return in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to any port = netbios-ns label "d67d8e39143a2b775b1f0bd0acd42d77"
@129 block return in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to any port = netbios-dgm label "d67d8e39143a2b775b1f0bd0acd42d77"
@130 block return in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to any port = netbios-ssn label "d67d8e39143a2b775b1f0bd0acd42d77"
@131 block return in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to any port = epmap label "d67d8e39143a2b775b1f0bd0acd42d77"
@132 block return in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to any port = telnet label "d67d8e39143a2b775b1f0bd0acd42d77"
@133 block return in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to any port = snmp label "d67d8e39143a2b775b1f0bd0acd42d77"
@134 block return in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to any port = snmptrap label "d67d8e39143a2b775b1f0bd0acd42d77"
@135 block return in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to any port = tftp label "d67d8e39143a2b775b1f0bd0acd42d77"
@136 block return in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to any port = netbios-ns label "d67d8e39143a2b775b1f0bd0acd42d77"
@137 block return in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to any port = netbios-dgm label "d67d8e39143a2b775b1f0bd0acd42d77"
@138 block return in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to any port = netbios-ssn label "d67d8e39143a2b775b1f0bd0acd42d77"
@139 block return in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to any port = epmap label "d67d8e39143a2b775b1f0bd0acd42d77"
@140 block return in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to any port = telnet label "d67d8e39143a2b775b1f0bd0acd42d77"
@141 block return in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to any port = snmp label "d67d8e39143a2b775b1f0bd0acd42d77"
@142 block return in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to any port = snmptrap label "d67d8e39143a2b775b1f0bd0acd42d77"
@143 block return in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to any port = tftp label "d67d8e39143a2b775b1f0bd0acd42d77"
@144 pass in log quick on vlan0.110 inet proto tcp from (vlan0.110:network:1) to any flags S/SA keep state label "f88edceafb900272eeec4ad509568953"
@145 pass in log quick on vlan0.110 inet proto udp from (vlan0.110:network:1) to any keep state label "f88edceafb900272eeec4ad509568953"
@146 pass in log quick on vlan0.110 inet proto icmp from (vlan0.110:network:1) to any keep state label "6a42b74c5f094f53780344a5fa9386b7"
@147 pass in quick on vlan0.190 inet all flags S/SA keep state label "33bdb49cf3ed631fee86930d96e7e374"

[Monviech (Cedrik)]

I don't see any allow rules related to vlan0.160. So pinging from vlan0.160 to vlan0.190 shouldn't work.

There's an explicit drop rule:
@10 block drop in log on ! vlan0.160 inet from 10.10.60.0/24 to any

I see this rule:

@147 pass in quick on vlan0.190 inet all flags S/SA keep state label "33bdb49cf3ed631fee86930d96e7e374"

It allows vlan0.190 to send any traffic to any destination, including vlan0.160. So ping works.

[newjohn]

thank you.

thats baffling than.

to be 100% sure the traffic is being routed through the opnsense. I shut it down and the second the opnsense was down the ping stopped. So we can safely say the ping is traversing trough the opnsense.

But the baffling question remains of how this is posisble?

[Monviech (Cedrik)]

I just showed you how it is possible.

There are default block rules without "quick", so they match last and block all traffic in those vlans that don't have an allow rule. They're the default deny rules:
@10 block drop in log on ! vlan0.160 inet from 10.10.60.0/24 to any
@13 block drop in log on ! vlan0.190 inet from 10.10.90.0/24 to any

And there has to be a user generated "allow rule" in the GUI with "quick", so it matches before the block rules:
@147 pass in quick on vlan0.190 inet all flags S/SA keep state label "33bdb49cf3ed631fee86930d96e7e374"

Due to this rule, any client in vlan0.190 can ping anywhere.

The rule has to be either in:

Firewall: Rules: vlan0.190
or
Firewall: Rules: Floating

[CJ]

Can you list your interface definitions?  What do you have assigned to WAN and LAN?  What is the parent interface for each VLAN?

[newjohn]

I just showed you how it is possible.

There are default block rules without "quick", so they match last and block all traffic in those vlans that don't have an allow rule. They're the default deny rules:
@10 block drop in log on ! vlan0.160 inet from 10.10.60.0/24 to any
@13 block drop in log on ! vlan0.190 inet from 10.10.90.0/24 to any

And there has to be a user generated "allow rule" in the GUI with "quick", so it matches before the block rules:
@147 pass in quick on vlan0.190 inet all flags S/SA keep state label "33bdb49cf3ed631fee86930d96e7e374"

Due to this rule, any client in vlan0.190 can ping anywhere.

The rule has to be either in:

Firewall: Rules: vlan0.190
or
Firewall: Rules: Floating

Hi Monviech, yes you explained how VLAN190 can ping VLAN 160, but not how VLAN160 can ping VLAN190. Thats what is baffling. I have a rule in VLAN190 so it can ping VLAN 160 i understand that. But i have NO rules on either the floating page nor VLAN 160. So its NOT clear how VLAN160 can ping VLAN 190? there is NO rule to allow it? AM i missing something here? Is the rules not supposed to work like that? if you have no rule defined all blocked?

Please see the attached pic, it shows VLAN160, VLAN190, their rules and the floating rules. no where i can see a config which would explain why VLAN160 can ping VLAN190?

[newjohn]

Can you list your interface definitions?  What do you have assigned to WAN and LAN?  What is the parent interface for each VLAN?

WAN is using vmx1 and LAN is using vmx0. All the VLANs are attached to the LAN interface vmx0.
please see the attached:

[Monviech (Cedrik)]

Can you tell me if in Firewall: Settings: Advanced

"Disable Firewall" -  "Disable all packet filtering" is enabled?

[newjohn]

Can you tell me if in Firewall: Settings: Advanced

"Disable Firewall" -  "Disable all packet filtering" is enabled?

No its looks like disabled:

[newsense]

Can you please take a couple screenshots with the auto generated rules expanded in each vlan ?

[Monviech (Cedrik)]

My only guess left would be that the hosts can find themselves directly via layer 2. Maybe the vlan setup isnt working right.

The arp table would be interesting.
Interfaces: Diagnostics: ARP Table

Also the arp tables and mac address of both clients so it can be seen if they prefer a direct route.

EDIT: Thats really grasping at straws though, I'm not that firm at layer 2. So I give up here at this point.

[newjohn]

My only guess left would be that the hosts can find themselves directly via layer 2. Maybe the vlan setup isnt working right.

The arp table would be interesting.
Interfaces: Diagnostics: ARP Table

Also the arp tables and mac address of both clients so it can be seen if they prefer a direct route.

EDIT: Thats really grasping at straws though, I'm not that firm at layer 2. So I give up here at this point.

Thank you all for the support and effort. Windows will not even attempt to contact the other PC directly over layer 2. layer 2 is only mac add. As they are communicating over IP they need to use layer 3.

In any case to test this thoery i moved the firewall and the PCs all to different esxi hosts but that did not make a difference. So we can rule out an esxi issue. Also if that was the case and PCs communicating directly you would expect for the ping to continue when i shutdown the opnsense vm. but they stop as soon as i shutdown the vm.

at this stage i think you are right i am also giving up.

[IsaacFL]

Are you are running opnsense virtualized?

I think you have your Virtual Host configured incorrectly to support vlans. Either that or your external smart switch is incorrectly set up.  The symptoms you are describing is exactly what happens when vlans are not configured correctly on the external switch and they are getting combined. This is external to opnsense.

[newjohn]

Are you are running opnsense virtualized?

I think you have your Virtual Host configured incorrectly to support vlans. Either that or your external smart switch is incorrectly set up.  The symptoms you are describing is exactly what happens when vlans are not configured correctly on the external switch and they are getting combined. This is external to opnsense.

Yes its virtulised. When i first read your input in the first instance it did seem to make sense. But as i thought it through i thought otherwise. Let me explain why i think its not the case.

Suppose i misconfigured ESXi and/or the switch. opnsense should still block the ping when it passes through it. we know it passes through it because if i shut it down both vms stop being able to ping each other. Therefore althought its always a possiility due to misconfiguration i think its unlikely?