v23.7.9 - broken firewall rule on WAN if "Block private networks" is enabled

Started by EndymionZA, December 07, 2023, 04:00:36 AM

Hi all, I upgraded from OPNsense 23.7.8_1 to 23.7.9 and I think I found a bug - my apologies if this was reported already, I did search the forum and didn't see this being reported before.

Under my Interfaces, I have a PPPoE fiber connection configured. That connection also had the "Block private networks" option ticked before I did the upgrade to 23.7.9.

Before upgrading, the option resulted in a DENY rule named "Block private networks from WAN" under "Firewall/Rules/WAN" - and then "Automatically generated rules" for the WAN interface. It specifically (and correctly) created the source address list as:

`10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16`

The problem is, however, that after upgrading, this same rule got changed, and except for the first '10.0.0.0/8' CIDR, all the other CIDR addresses now seem to be missing the first digit ("1" in all cases) in the first octet of all the other subnet CIDRs. So the list of source networks after the upgrade is:

`10.0.0.0/8,_27.0.0.0/8,_00.64.0.0/10,_72.16.0.0/12,_92.168.0.0/16`

I also disabled and re-enabled the option under the WAN interface setup, but the rule still gets recreated with the broken network CIDRs.

Hope this helps and that you can also replicate it!
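A quick sanity check for the generated rule, added here as an example and not part of the report above or of OPNsense itself: it parses the comma-separated source list shown in the rule details, flags entries that are not valid CIDRs, and reports which of the expected private ranges are no longer covered (the expected set and the two sample lists are taken from the report; the function name is my own).

```python
import ipaddress

# Ranges the "Block private networks from WAN" rule carried before the
# upgrade, as quoted in the report above.
EXPECTED_PRIVATE_NETS = {
    "10.0.0.0/8",
    "127.0.0.0/8",
    "100.64.0.0/10",
    "172.16.0.0/12",
    "192.168.0.0/16",
}


def check_source_list(source_list: str) -> dict:
    """Parse a rule's source address list and report valid CIDRs, malformed
    entries, and expected private ranges that the rule no longer blocks."""
    valid, malformed = [], []
    for raw in source_list.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True also rejects networks with host bits set
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            # e.g. "_27.0.0.0/8" from the post-upgrade rule
            malformed.append(entry)
            continue
        valid.append(str(net))
    missing = sorted(EXPECTED_PRIVATE_NETS - set(valid))
    return {
        "valid": valid,
        "malformed": malformed,
        "missing": missing,
        "ok": not malformed and not missing,
    }


# Constructed samples: the pre-upgrade and post-upgrade lists from the report.
GOOD_LIST = "10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16"
BROKEN_LIST = "10.0.0.0/8,_27.0.0.0/8,_00.64.0.0/10,_72.16.0.0/12,_92.168.0.0/16"

if __name__ == "__main__":
    for label, lst in (("before upgrade", GOOD_LIST), ("after upgrade", BROKEN_LIST)):
        r = check_source_list(lst)
        print(f"{label}: ok={r['ok']} malformed={r['malformed']} missing={r['missing']}")
```

On the broken list only 10.0.0.0/8 survives as a valid entry, so the rule blocks far less than its name suggests; running a check like this against the rule text after an upgrade catches that silently narrowed coverage.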

Yes, indeed the rule gets broken in the most recent release. Could confirm it on a test VM. Feel free to file a bug on https://github.com/opnsense/plugins/issues
Yep can confirm.
I don't really use this rule, just enabled it to test and found it is indeed broken.