Potential issue with renaming FW groups

Started by EndiRabbit, Today at 01:12:23 PM

Hi,

I primarily use groups for setting policies for my configuration. In a test config running in Proxmox this morning, I tried to go back and sanitize some FW group names, changing three of them from

  • all_internal SEQ 11
  • priv_internal SEQ 9
  • iot_internal SEQ 9

to

  • GRP_all_int SEQ 11
  • GRP_priv_int SEQ 9
  • GRP_iot_int SEQ 9

After changing them in the test network and clicking [APPLY] (in the web GUI), access to the Internet went down (defined in rules in GRP_all_int). For reference, GRP_all_int has general network rules to the Internet, and GRP_priv_int and GRP_iot_int have internal rules that are specific to the VLANs for the interfaces that make up each group. Then each interface has interface-specific FW rules and a final rule to block all other undefined network traffic as a catch-all.

I rebooted and reloaded the web admin interface, but no joy - couldn't access google.com. Traffic was hitting the catch-all rule. Not until I rolled back the names in the GUI and clicked [APPLY] was Internet access restored. Has anyone else encountered this issue by changing FW group names in the web GUI?

OK - I can verify this is a bug because I tested this on my live network during a planned network maintenance window. Unfortunately, all network access went down when doing the FW group renaming in the same way I did this in the test environment on real hardware. I would not recommend changing a FW group name until this is resolved.

If you think this is a bug, it would be great if you open an issue on github with simple steps to reproduce. Thank you :)

https://github.com/opnsense/core/issues
Hardware:
DEC740

Today at 04:04:59 PM #3 Last Edit: Today at 04:28:10 PM by OPNenthu
I can reproduce this also and I think I found a cause.

I have a group named "IG_OUT_WAN" that I renamed to "IG_OUT_WAN_TEST."  The internet went down.  Then I went to view the rules in the new UI (mine are migrated) and I can see that the Source network name was not updated and still reflects "IG_OUT_WAN."

Renaming the group back to "IG_OUT_WAN" to match the network name restored the connectivity.

Quote from: Monviech (Cedrik) on Today at 04:02:25 PM
If you think this is a bug, it would be great if you open an issue on github with simple steps to reproduce. Thank you :)

https://github.com/opnsense/core/issues

That was my next step ^^. Updated here: https://github.com/opnsense/core/issues/9680