u/KaleidoscopeNo9726

Rules ordering

I have a question to the folks who use interface groups and floating rules. When I was using the old way of rulesets, I only created floating rules. This worked wonderfully for me.

However, the new rules totally messed up the ordering of my rules. I now have floating, group and interface rules. The folks who only use interface rules are probably not affected by the new OPNsense rules logic. The worst part is that old floating rules became group rules and got placed below my "internet only" rule:

Interface: all-zones (all SVIs, but WAN)
Action: pass
Direction: in
Source: any
Destination: !rfc1918
Destination Port: any
Gateway: WAN_DHCP

The "internet only" rule remained floating because of the OPNsense logic that a rule on multiple interfaces is automatically a floating rule. I have a deny rule applied to the WAN such as:

Interface: surveillance (firewall group only member is SVI 5)
Action: block
Direction: in
Source: any
Destination: !rfc1918
Destination Port: any
Gateway: none

This rule used to be a floating rule and became a group rule; therefore, it got placed below the internet rule. There is no way for me to move this rule above the "internet only" rule. Now, the IP cameras are able to access the internet. This is one example.

Does this mean that instead of writing a single rule for the interface, I now have to create a rule per interface? I have 28 VLANs. If I follow the OPNsense logic, I have to create 28 rules so that I put these rules at the bottom of the list. Is that right?

u/KaleidoscopeNo9726 — 24 days ago
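A simplified model of the first-match ordering the post describes, added here as an example (it is not code from the post or from the OPNsense project). It assumes every rule is "quick", that floating rules are evaluated before group rules and group rules before interface rules, and uses constructed interface names vlan1..vlan28 with vlan5 standing in for the camera SVI.

```python
import ipaddress
from dataclasses import dataclass

# Assumed evaluation order (the behaviour the post describes): floating first,
# then group, then interface rules; within a category, list position.
CATEGORY_ORDER = {"floating": 0, "group": 1, "interface": 2}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    name: str
    category: str          # "floating", "group" or "interface"
    interfaces: set        # interfaces the rule is attached to
    action: str            # "pass" or "block"
    dst_not_rfc1918: bool  # destination "!rfc1918" (internet only)

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def ordered(rules):
    # sorted() is stable, so list position is kept inside each category
    return sorted(rules, key=lambda r: CATEGORY_ORDER[r.category])

def evaluate(rules, iface, dst):
    """First matching (quick) rule wins; no match means default deny."""
    for r in ordered(rules):
        if iface not in r.interfaces:
            continue
        if r.dst_not_rfc1918 and is_rfc1918(dst):
            continue
        return r.action, r.name
    return "block", "default deny"

# Constructed names: vlan1..vlan28 stand in for the 28 SVIs, vlan5 for the camera VLAN.
ALL_SVIS = {f"vlan{i}" for i in range(1, 29)}

def as_migrated():
    # After migration: the pass rule stayed floating, the block rule became a group rule.
    return [Rule("internet only", "floating", ALL_SVIS, "pass", True),
            Rule("cameras no internet", "group", {"vlan5"}, "block", True)]

def as_before():
    # Before: both floating, with the block rule listed above the pass rule.
    return [Rule("cameras no internet", "floating", {"vlan5"}, "block", True),
            Rule("internet only", "floating", ALL_SVIS, "pass", True)]
```

Running evaluate() on camera traffic to a public address with as_migrated() returns the floating pass rule, while as_before() returns the block rule; the only difference is which category each rule lands in.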