A firewall rule pattern that consistently causes issues

Started by opnseeker, May 08, 2026, 02:47:05 AM

I have an interface group with a rule that sends all internet traffic over a gateway ( can be the default or VPN ).

The above rule is set up with FirstMatch disabled so that I can have rules in individual interfaces that can override the gateway.

When I have a rule in one of the member interfaces to redirect traffic from a specific IP address over a different gateway with FirstMatch enabled, I expect the traffic from that specific IP address to be sent over the second gateway while the rest use the first gateway (set in the group rule).

But it doesn't work. The traffic that matches the rule in the interface is rejected or blocked. Many times, traffic from the entire interface containing the override rule is blocked.

This seems to happen quite consistently. I have two instances with the above pattern and both have the same issue.

If the override rule blocks traffic instead of redirecting it over a different gateway, it seems to work as expected.

Is this the way it is supposed to work or is it a bug?
Proxmox 9.1.x Ryzen 5600U (6Cores/12Threads)  16GB 2x 2.5Gbps Intel NICs
Opnsense 26.1.x 6GB 6 CPUs

Please post all details of the rules in question.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Sorry about the late reply. I somehow missed your reply asking for more details.

I am still troubleshooting the issue. I found the issue in one of the cases and fixed it. It had to do with rule tags, which were used to prevent bypassing the VPN by creating a kill switch rule.

In the other case, it is not consistent. It works sometimes and not at others. In this case there is no kill switch being used.

There is also a case where it consistently seems to work.

I will post the details later in the day.

Firewall Interface group: IG

IG: VL1, VL2, WG1

VL1 and VL2 are VLAN interfaces
WG1 is a WireGuard interface used for incoming connections with multiple peers: WGP1, WGP2 & WGP3

Rules

Quick off
Dir: In
Action: Pass
Interface: IG
Version: IP4
Protocols: TCP/UDP
Source: any
Source port: any
Dest: not private networks
Dest port: any
Gateway: default

Quick on
Dir: In
Action: Pass
Interface: WG1
Version: IP4/IP6
Protocols: TCP/UDP
Source: WGP1
Source port: any
Dest: not private networks
Dest port: any
Gateway: VPN gateway

First rule sends all traffic to internet over the ISP connection using IP4 (IP6 is not supported by the ISP).

Second rule is supposed to override that for one of the incoming WireGuard connections and send its internet traffic over the VPN using both IP4 and IP6.

Problem:

When WGP1 and WGP2 are both connected behavior is unpredictable. Sometimes everything works. Sometimes both cannot get to the internet. Sometimes, one gets to the internet and the other doesn't. I can't think of any specific pattern when one happens vs another.

For internal clients not connected over WireGuard, this pattern seems to work.

Hopefully, this provides enough detail. Thanks in advance for the help.

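
As an added illustration (not from the thread, and not OPNsense's or pf's own code): a short Python model of how pf picks the winning rule, last match wins unless a matching rule has quick set, applied to the two rules listed in the post above. It assumes the group rule is evaluated before the WG1 interface rule, in the order the post lists them, and uses constructed tunnel addresses 10.10.0.2 / fd00:10::2 for WGP1 and 10.10.0.3 / fd00:10::3 for WGP2. Beyond the post's own case it also shows, as a contrast, what the same two rules decide when quick is enabled on the group rule.

```python
# Added example: a model of pf rule selection (last match wins unless quick),
# applied to the two rules from the forum post. Not OPNsense or pf code.
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Sequence, Tuple

# RFC 1918 plus ULA, standing in for OPNsense's "private networks" alias.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_private(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in PRIVATE_NETS)


@dataclass(frozen=True)
class Rule:
    name: str
    interfaces: frozenset        # group membership already expanded
    versions: frozenset          # {4}, {6} or {4, 6}
    protos: frozenset
    sources: Optional[tuple]     # None = any, else tuple of ip_network
    dest_not_private: bool       # "Dest: not private networks"
    gateway: str                 # "default" = no policy route
    quick: bool
    action: str = "pass"


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str


def matches(rule: Rule, pkt: Packet) -> bool:
    src = ipaddress.ip_address(pkt.src)
    return (pkt.iface in rule.interfaces
            and src.version in rule.versions
            and pkt.proto in rule.protos
            and (rule.sources is None or any(src in n for n in rule.sources))
            and not (rule.dest_not_private and is_private(pkt.dst)))


def evaluate(rules: Sequence[Rule], pkt: Packet) -> Tuple[str, Optional[str], str]:
    """Walk the rules in order. A matching non-quick rule becomes the provisional
    winner and evaluation continues; a matching quick rule wins immediately.
    No match at all is pf's implicit default block. Returns (action, gateway, why)."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return ("block", None, "implicit default deny")
    return (winner.action, winner.gateway, winner.name)


# Constructed peer addresses for the WireGuard peers (not from the post).
WGP1 = (ipaddress.ip_network("10.10.0.2/32"), ipaddress.ip_network("fd00:10::2/128"))
WGP2 = (ipaddress.ip_network("10.10.0.3/32"), ipaddress.ip_network("fd00:10::3/128"))
IG = frozenset({"VL1", "VL2", "WG1"})
TCP_UDP = frozenset({"tcp", "udp"})

# The two rules as described in the post.
GROUP_RULE = Rule("IG: internet via default gw", IG, frozenset({4}), TCP_UDP,
                  None, True, "default", quick=False)
WG1_OVERRIDE = Rule("WG1: WGP1 internet via VPN", frozenset({"WG1"}), frozenset({4, 6}),
                    TCP_UDP, WGP1, True, "VPN gateway", quick=True)

RULES_AS_POSTED = [GROUP_RULE, WG1_OVERRIDE]            # group rule first, then interface rule
RULES_GROUP_QUICK = [replace(GROUP_RULE, quick=True), WG1_OVERRIDE]  # contrast: group rule quick

# Constructed sample flows.
SAMPLE_FLOWS = [
    Packet("WG1", "tcp", "10.10.0.2", "1.1.1.1"),            # WGP1, IPv4 internet
    Packet("WG1", "tcp", "10.10.0.3", "1.1.1.1"),            # WGP2, IPv4 internet
    Packet("VL1", "udp", "192.168.1.10", "8.8.8.8"),         # VLAN client, IPv4 internet
    Packet("WG1", "tcp", "fd00:10::2", "2606:4700::1111"),   # WGP1, IPv6 internet
    Packet("WG1", "tcp", "fd00:10::3", "2606:4700::1111"),   # WGP2, IPv6 internet
    Packet("WG1", "tcp", "10.10.0.2", "192.168.1.5"),        # WGP1 to a LAN host
]


def decisions(rules: Sequence[Rule], flows=SAMPLE_FLOWS) -> dict:
    """Decision for every sample flow, keyed by (interface, src, dst)."""
    return {(f.iface, f.src, f.dst): evaluate(rules, f) for f in flows}


if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("group rule quick", RULES_GROUP_QUICK)):
        print(f"--- {label}")
        for (iface, src, dst), (action, gw, why) in decisions(rules).items():
            print(f"{iface:4} {src:>14} -> {dst:<18} {action:5} gw={str(gw):12} ({why})")
```

With the rules as posted the model gives WGP1 the VPN gateway for both IPv4 and IPv6, WGP2 and the VLAN clients the default gateway for IPv4, and no pass rule at all for WGP2's IPv6 internet traffic or for WGP1 traffic to private destinations (other rules on the box may of course cover those). With quick enabled on the group rule, WGP1's IPv4 traffic stops at the group rule and never reaches the VPN override, while its IPv6 traffic still does because the group rule is IPv4 only. The model only covers rule selection; it says nothing about state or reply-to handling, so it cannot by itself explain the intermittent blocks the post describes.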

What happens when you set the Gateway in these two rules to None?

You will also have rules for your outbound traffic - what do they look like?

With your first rule, you could set the source to WGP1 and enable the Invert Source option. In addition, you could also enable Quick.

Which rules appear in the logs that are blocking these connections?


Quote from: lmoore on May 20, 2026, 11:37:22 PM
What happens when you set the Gateway in these two rules to None?

First rule, gateway is None. I said default, which is the same behavior, as it uses the default gateway.

For second rule, setting gateway to None defeats the purpose but I will try and see what happens.

Quote from: lmoore on May 20, 2026, 11:37:22 PM
You will also have rules for your outbound traffic - what do they look like?

I have one outbound rule on the WAN interface which is a kill switch when a tag is set. The tags are not used in these two rules.

Quote from: lmoore on May 20, 2026, 11:37:22 PM
With your first rule, you could set the source to WGP1 and enable the Invert Source option. In addition, you could also enable Quick.

I can. But I use interface groups to reduce number of rules. In this case this group is to allow internet traffic over default gateway.

I will have to do it as a last resort if nothing else solves the issue: have separate rules for the WG1 interface and remove it from the interface group. I can give it a try.

Quote from: lmoore on May 20, 2026, 11:37:22 PM
Which rules appear in the logs that are blocking these connections?

I haven't checked the logs as this issue occurs when I am connecting to home while I am away. I will simulate it and check the logs.

