[solved] Group rules with overlapping sort priority

Started by OPNenthu, Today at 06:05:56 AM

After the upgrade from 26.1.9 -> 26.1.10 I am just now realizing an overlap in rule order between two interface groups when using the "All rules" filter in the new UI.  My "IG_OUT_WAN" group is interspersed with the "IG_OUT_VPN" group.  These are the only two affected.

Curiously, both groups are using the same "300002.xxx" sort order which should not happen, right?  I think the last digit in the priority group should be unique per interface/group if I'm not mistaken.

I will roll back to the snapshot for 26.1.9 and check the rule ordering there but that's as far back as I can go.  Was there a change in 26.1.10 that might affect this, or is it likely that this happened during my rule migration several releases ago and I never noticed?

I'm curious how this can happen.  Are there issues with cloning rules between groups that might cause the priority group number to be carried over, perhaps?
N5105 | 8/250GB | 4xi226-V | Community

The priority group number seems to be entirely decided by the number you put into the group itself when you create it.

Inside "Firewall - Groups" it has a sequence, and that influences the priority group.

E.g. all VPN groups will have 300010 because their Group Sequence is 10.
Hardware:
DEC740

Yep, you're right.  The groups are both set to sequence 2.  My mistake.

Thanks!
N5105 | 8/250GB | 4xi226-V | Community


Since we're on the topic there's another quirk that I want to run by you.  When I set up my WG interfaces I cloned rules from WAN_VPN1 -> WAN_VPN2, and this is now reflected in the sequence of the rules.  You can clearly see where I created the first rule, cloned it, created the next two rules, cloned them, etc.


I don't think this causes a problem in terms of firewalling because the traffic is exclusive to each interface anyway, but the mixed order of the interface rules is unsettling.

Since I don't manually manage sequence IDs and I typically let the system do it, I'm wondering if there's a possibility to clean up the automatic sequencing so that there are always cleanly separated ranges between interfaces?  Cloning seems problematic for overlaps.
N5105 | 8/250GB | 4xi226-V | Community

And just one more (sorry!)

I noticed that when you delete an interface from Interfaces->Assignments, any existing rules that were present for that interface get left hanging around in the config.  The next time you assign a new interface that automatically inherits the old device identifier (e.g. opt10), it also silently inherits the old interface's rules.

Can there be an option (or better, a prompt) to delete interface rules when an interface is removed?

I don't mind adding feature requests for either of these if you think they might be reasonable.
N5105 | 8/250GB | 4xi226-V | Community
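Two things in this thread are easy to check offline from a copy of config.xml rather than by eyeballing the "All rules" view: groups that share a Sequence (and therefore the same 300000+sequence sort prefix, as the second reply describes), and rules still bound to an interface identifier such as opt10 that is no longer assigned and would be silently picked up by the next assignment. The script below is an added example, not code from the forum posters or from the OPNsense project. It assumes the config layout `<interfaces>/<optN>`, `<ifgroups>/<ifgroupentry>` with `<ifname>` and `<sequence>`, and `<filter>/<rule>` with a comma-separated `<interface>`; the XML is a hand-constructed sample, and the 300000 base is taken from the reply above rather than from OPNsense source, so verify both against a real export before relying on it.

```python
"""Audit an OPNsense config.xml copy for group sequence collisions and
rules bound to unassigned interfaces (added example, not project code)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the assumed config.xml layout; not a real export.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>igc0</if><descr>WAN</descr></wan>
    <lan><if>igc1</if><descr>LAN</descr></lan>
    <opt1><if>wg1</if><descr>WAN_VPN1</descr></opt1>
    <opt2><if>wg2</if><descr>WAN_VPN2</descr></opt2>
  </interfaces>
  <ifgroups>
    <ifgroupentry><ifname>IG_OUT_WAN</ifname><members>wan</members><sequence>2</sequence></ifgroupentry>
    <ifgroupentry><ifname>IG_OUT_VPN</ifname><members>opt1 opt2</members><sequence>2</sequence></ifgroupentry>
    <ifgroupentry><ifname>IG_LAN</ifname><members>lan</members><sequence>10</sequence></ifgroupentry>
  </ifgroups>
  <filter>
    <rule><descr>floating allow</descr><floating>yes</floating></rule>
    <rule><descr>out-wan</descr><interface>IG_OUT_WAN</interface></rule>
    <rule><descr>out-vpn</descr><interface>IG_OUT_VPN</interface></rule>
    <rule><descr>vpn1 allow</descr><interface>opt1</interface></rule>
    <rule><descr>old opt10 rule</descr><interface>opt10</interface></rule>
    <rule><descr>multi-interface</descr><interface>opt2,opt10</interface></rule>
  </filter>
</opnsense>
"""

# Assumed from the reply above: a group's sort prefix is 300000 + its Sequence.
GROUP_SORT_BASE = 300000


def group_sort_prefix(sequence: int) -> int:
    """Sort prefix the UI shows for a group with the given Sequence (assumed)."""
    return GROUP_SORT_BASE + sequence


def find_sequence_collisions(root: ET.Element) -> dict:
    """Map sort prefix -> group names for every prefix used by more than one group.

    Groups that share a prefix are sorted by their rules' own order and so
    interleave in the 'All rules' view, which is what the first post saw."""
    by_prefix = defaultdict(list)
    for entry in root.iterfind("./ifgroups/ifgroupentry"):
        name = entry.findtext("ifname", "")
        seq = int(entry.findtext("sequence", "0"))
        by_prefix[group_sort_prefix(seq)].append(name)
    return {p: names for p, names in by_prefix.items() if len(names) > 1}


def find_orphaned_rules(root: ET.Element) -> list:
    """Return (rule description, interface) pairs for rules whose interface
    is neither an assigned interface nor a defined group.

    Such rules survive an interface deletion and are inherited by whatever
    next gets the same optN identifier. Floating rules with no <interface>
    are skipped."""
    assigned = {child.tag for child in root.find("interfaces")}
    groups = {e.findtext("ifname", "") for e in root.iterfind("./ifgroups/ifgroupentry")}
    known = assigned | groups
    orphans = []
    for rule in root.iterfind("./filter/rule"):
        iface_field = rule.findtext("interface") or ""
        for iface in filter(None, iface_field.split(",")):
            if iface not in known:
                orphans.append((rule.findtext("descr", ""), iface))
    return orphans


def audit(xml_text: str):
    """Run both checks over a config.xml string."""
    root = ET.fromstring(xml_text)
    return find_sequence_collisions(root), find_orphaned_rules(root)


if __name__ == "__main__":
    collisions, orphans = audit(SAMPLE_CONFIG)
    for prefix, names in sorted(collisions.items()):
        print(f"sort prefix {prefix} shared by groups: {', '.join(names)}")
    for descr, iface in orphans:
        print(f"rule '{descr}' references unassigned interface {iface}")
```

On the constructed sample this reports IG_OUT_WAN and IG_OUT_VPN sharing prefix 300002 (both have Sequence 2, as in the thread) and two rules still pointing at opt10. To run it against a live firewall, export the configuration from System > Configuration > Backups, or read /conf/config.xml, and pass its contents to `audit()`; the report is read-only, so cleanup of the flagged rules is still a manual decision.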