Rules [new] Sort order Sequence?

Started by osmom, February 04, 2026, 03:30:03 PM

What is the difference between "Sort order" and "Sequence" in the Rules [new]?
To me, both fields mean the same thing, i.e. how the firewall rules are currently processed one after the other.

It's explained here in the documentation, we try to keep it up to date :)

https://docs.opnsense.org/manual/firewall.html#rule-sequence

Hardware:
DEC740

Just to be sure, I have a floating rule with sort order 200000.0000011, then a group rule 300000.0000021 and finally an interface rule 300000.000001. Does it mean that the interface rule will be processed before the floating and the group rules?

I have to make sure that the interface rule is processed first because it is a general blacklist.

In the old rule system I had the blacklist declared as a floating rule with only the WAN interface selected.

It gets processed in the way you see it sorted in the GUI.

With the new update today you can see all rules, then it's easier to see the full picture.
Hardware:
DEC740

So, to get the functionality of the general blacklist as I had before with the floating rule, do I need to modify the interface rule to make it a floating one, e.g. by enabling a second interface on the rule? Could it be a loopback?

Or maybe there is a more elegant way of achieving it?

Just set the sequence to 0 on the WAN rule and it should be before all other WAN rules?

I don't understand why floating is needed.

Hardware:
DEC740

Hang on a sec...

Quote from: muchacha_grande on February 04, 2026, 04:28:10 PM
Just to be sure, I have a floating rule with sort order 200000.0000011, then a group rule 300000.0000021 and finally an interface rule 300000.000001.

This doesn't seem right. Interface rules have priority group 400000, not 300000. Are you sure you have an interface rule with 300000? That violates the docs and could be a bug.

Quote from: Monviech (Cedrik) on February 04, 2026, 04:31:18 PM
With the new update today you can see all rules, then its easier to see the full picture.

Looks good on my end!

Quote from: OPNenthu on February 04, 2026, 04:47:18 PM
This doesn't seem right. Interface rules have priority group 400000, not 300000. Are you sure you have an interface rule with 300000? That violates the docs and could be a bug.

You are right, it was a typo, sorry. It is 400000.000001.

Quote from: Monviech (Cedrik) on February 04, 2026, 04:31:18 PM
It gets processed in the way you see it sorted in the GUI.

Quote from: Monviech (Cedrik) on February 04, 2026, 04:46:18 PM
Just set the sequence to 0 on the WAN rule and it should be before all other WAN rules?

I know that floating rules should not be needed for my general blacklist case but if the rules are processed in the sorted order on the GUI, I can see the floating rules first, then the group rules and finally the interface rules. And inside each group the rules are ordered by the sequence number, that is only the second part of the sort order. So that is my confusion.

Restructure your ruleset or cheat via adding a loopback interface to some rules.

You can also create an interface group with a single interface, eg called PRIO_WAN if you feel adventurous enough :)
Hardware:
DEC740

Ok, thank you for your time and work. The new gui is really impressive.

Quote from: Monviech (Cedrik) on February 04, 2026, 04:46:18 PM
Just set the sequence to 0 on the WAN rule and it should be before all other WAN rules


By the way, sequence 0 is not allowed on the gui. The input error is "Sequence shall be between 1 and 999999."

Quote from: Monviech (Cedrik) on February 04, 2026, 03:51:59 PM
It's explained here in the documentation, we try to keep it up to date :)

https://docs.opnsense.org/manual/firewall.html#rule-sequence


Thank you for adding this documentation.
But I have Sort order Nr. 1 and 5, what are these?


One other point to discuss: If I add 2 groups to the "Interface" at the rule, the Sort order changes to 200000 = Floating. But these are only 2 groups.

Check the prior section in the same documentation, it explains how interfaces change the priority group. Two interfaces in any rule promotes it to floating.

000000 or 500000 are automatic rules at the front or end of the ruleset.

This is all how it has been in the old GUI before (apart from not allowing single floating rules anymore).

Now it's all just 100% explicit.
Hardware:
DEC740
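As an added illustration (not OPNsense's own code, and not code from anyone in this thread), the ordering described above modelled in Python: the priority group comes from what a rule is bound to, and the sequence only orders rules inside that group, which is why a WAN-only rule cannot overtake a floating one however low its sequence. The Rule fields, the zero-padding of the displayed sort order and the sample rules are assumptions.

```python
# Added illustration, not OPNsense code. Assumptions are marked in comments.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Priority groups named in the thread and the linked documentation.
PRIO_AUTO_FRONT = 0        # automatic rules at the front of the ruleset
PRIO_FLOATING = 200000     # rule bound to two or more interfaces
PRIO_GROUP = 300000        # rule bound to a single interface group
PRIO_INTERFACE = 400000    # rule bound to a single plain interface
PRIO_AUTO_END = 500000     # automatic rules at the end of the ruleset

SEQ_MIN, SEQ_MAX = 1, 999999   # GUI check: "Sequence shall be between 1 and 999999."


@dataclass
class Rule:                     # field layout is an assumption, not the real model
    name: str
    interfaces: Tuple[str, ...]  # interface or interface-group names
    sequence: int
    automatic: Optional[str] = None   # "front" / "end" for automatic rules


def priority_group(rule: Rule, interface_groups: Set[str]) -> int:
    """Derive the priority group from what the rule is bound to."""
    if rule.automatic == "front":
        return PRIO_AUTO_FRONT
    if rule.automatic == "end":
        return PRIO_AUTO_END
    if len(rule.interfaces) >= 2:
        return PRIO_FLOATING     # two interfaces promote any rule to floating
    if len(rule.interfaces) == 1 and rule.interfaces[0] in interface_groups:
        return PRIO_GROUP
    return PRIO_INTERFACE


def sort_key(rule: Rule, interface_groups: Set[str]) -> Tuple[int, int]:
    if not SEQ_MIN <= rule.sequence <= SEQ_MAX:
        raise ValueError(f"Sequence shall be between {SEQ_MIN} and {SEQ_MAX}.")
    return (priority_group(rule, interface_groups), rule.sequence)


def sort_order(rule: Rule, interface_groups: Set[str]) -> str:
    # Display form "PRIORITY.SEQUENCE"; the zero-padding widths are an assumption.
    prio, seq = sort_key(rule, interface_groups)
    return f"{prio:06d}.{seq:06d}"


def processing_order(rules: List[Rule], interface_groups: Set[str]) -> List[str]:
    """Names in the order the firewall would process them (GUI sort order)."""
    return [r.name for r in sorted(rules, key=lambda r: sort_key(r, interface_groups))]


# Constructed sample: a WAN-only blacklist with sequence 1 still lands behind
# a floating rule (two interfaces) and a PRIO_WAN group rule.
GROUPS = {"PRIO_WAN"}
SAMPLE = [
    Rule("wan_blacklist", ("wan",), 1),
    Rule("floating_allow", ("wan", "lan"), 11),
    Rule("prio_wan_group", ("PRIO_WAN",), 21),
]
```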

Sequence shall be between 1 and 999999, so the first number after the "." of Sort order looks like a special definition?

Quote from: Monviech (Cedrik) on February 04, 2026, 05:12:35 PM
Cheat via adding a loopback interface to some rules.

What would be a good one to avoid future conflicts, addressing-wise?

Since 127.0.1.1 for example exists for special purposes.

I am thinking about using it for two reasons :
- Bind the webGUI and OpenSSH to it to avoid unavailability of both when the Management NIC's Port is disconnected for whatever reason.
- For the Firewall Rules "Interfaces Group" workaround should I ever need it.
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

A loopback interface can have any IP address. I usually give them like 192.168.89.4/32 or something. Doesn't matter.
Hardware:
DEC740