Netgate Discussion Forum
    OpenVPN group vs Interface Group firewall rule order

    OpenVPN
    5 Posts 3 Posters 1.4k Views
    • bkraptor

      Let's assume I have an OpenVPN interface assigned (name: OVPN_IF1) that is also part of an interface group (name: IF_GROUP1). What is the processing order for the rules? Is it like below?
      1. floating rules
      2. the interface group IF_GROUP1
      3. the OpenVPN group
      4. the interface: OVPN_IF1

      The general idea is described in the Firewall Rule Processing Order page. There I can see that OpenVPN is just a generic interface group. The question now becomes: what is the processing order for different groups (i.e. OpenVPN vs IF_GROUP1 in the example above)? Is there anything special about the OpenVPN group with regard to the rule processing order?

      Also, looking at /tmp/rules.debug I can see that IF_GROUP1 rules come before OpenVPN rules. Is this based on string comparison only or is there something else?

      Last edit:
      What about the corner case where an interface is part of multiple groups? What is the processing order between groups in general?

      Thanks

      • jimp (Rebel Alliance Developer, Netgate)

        Just look in rules.debug and you'll see the actual order.

        Generally speaking, manual groups will come before the VPN interface groups; the manual groups are processed in the order they exist in config.xml.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • bkraptor

          Hi Jim. Thanks for the insight.

          I'm a bit worried that this process is non-deterministic. I can imagine a situation with 2 identical boxes where I have the same rules applied on the same interface groups that were created in a different order resulting in a different behavior for the rules. Is there anything I can do to make this process deterministic?

          • jimp (Rebel Alliance Developer, Netgate)

            Use floating rules rather than groups, or always create the groups in the same order. Groups are still a bit of a lower-tier feature since they aren't used often (and are misused more often than used correctly).

            At some point we may allow sorting or re-ordering of interface groups which would help here. It may not be too hard to do in 2.3 with the new framework.

            • MajicJayJ

              I realize that this is an old post, but I couldn't find the answer to the Interface Group order anywhere in the forums. Using /tmp/rules.debug, I found that manually created Interface Groups come before OpenVPN rules. I also found that if you have multiple interface groups, then they are processed in alphabetical order.

              I have three Interface groups: Local for all my local subnets, Clients for local client subnets, and IoT for local IoT subnets. They were processed in the following order: Clients, IoT, Local. When I renamed Local to All_LAN and made a minor change to the rules so they were rewritten, the order changed to All_LAN, Clients, IoT, which is the order I wanted.

              I realize I probably don't need so many subnets, but using Interface groups and RADIUS to assign VLANs made it easy to set up. I have a VLAN for each person in my household in the Clients Interface Group, and my IoT devices are in different VLANs by type. It was simple using FreeRADIUS.

              Thanks

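Both the original question (which section wins for an interface that sits in a manual group, the OpenVPN group and its own tab) and MajicJayJ's observation (group order is visible in /tmp/rules.debug and can change when groups are renamed) come down to the same check: read the order in which `on` targets appear in rules.debug, then evaluate a packet with pf's first-match-on-`quick` semantics. The script below is an added example, not code from this thread or from pfSense. The group and interface names IF_GROUP1, IF_GROUP2, OVPN_IF1 and `openvpn` are taken from or modelled on the thread; the rules.debug excerpt is constructed, and the exact syntax after `on` (a `$MACRO` versus a bare group name) is an assumption, so the parser accepts both.

```python
"""Added example (not from the thread or pfSense): parse a constructed
/tmp/rules.debug excerpt, report the effective section order, and decide a
packet under pf semantics so the effect of reordering group sections is
visible."""
import ipaddress
import re

# Constructed excerpt in the style of /tmp/rules.debug (syntax is an assumption).
SAMPLE_RULES_DEBUG = """\
# User-defined rules follow
block in quick on IF_GROUP1 inet proto tcp from 10.8.0.0/24 to any port 22 label "USER_RULE: group1 deny ssh"
pass in quick on IF_GROUP1 inet proto udp from 10.8.0.0/24 to any port 53 label "USER_RULE: group1 allow dns"
pass in quick on IF_GROUP2 inet from 10.8.0.0/24 to any label "USER_RULE: group2 allow all"
pass in quick on openvpn inet proto udp from any to any port 123 label "USER_RULE: openvpn allow ntp"
pass in quick on $OVPN_IF1 inet from 192.168.50.0/24 to any label "USER_RULE: interface allow mgmt"
"""

RULE_RE = re.compile(
    r'^(?P<action>pass|block|match)\s+(?P<dir>in|out)\s+(?P<quick>quick\s+)?'
    r'on\s+\$?(?P<target>[\w.-]+)\s+inet\s+(?:proto\s+(?P<proto>\w+)\s+)?'
    r'from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\d+))?'
    r'.*label\s+"(?P<label>[^"]*)"'
)


def parse_rules(text):
    """Return the filter rules of a rules.debug excerpt as dicts, in file order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # comments, macro definitions and other lines are skipped
            r = m.groupdict()
            r["quick"] = bool(r["quick"])
            r["dport"] = int(r["dport"]) if r["dport"] else None
            rules.append(r)
    return rules


def section_order(rules):
    """Order in which 'on' targets first appear. With quick rules this is the
    effective processing order between groups and interfaces."""
    seen = []
    for r in rules:
        if r["target"] not in seen:
            seen.append(r["target"])
    return seen


def _net_contains(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """pkt carries the arrival iface, the groups that iface belongs to,
    src, dst, proto and dport (inbound traffic only in this example)."""
    return (
        rule["dir"] == "in"
        and (rule["target"] == pkt["iface"] or rule["target"] in pkt["groups"])
        and (rule["proto"] is None or rule["proto"] == pkt["proto"])
        and _net_contains(rule["src"], pkt["src"])
        and _net_contains(rule["dst"], pkt["dst"])
        and (rule["dport"] is None or rule["dport"] == pkt["dport"])
    )


def decide(rules, pkt):
    """pf semantics: the last matching rule wins unless a matching rule is
    'quick', which ends evaluation at once. No match falls to default deny."""
    winner = None
    for r in rules:
        if rule_matches(r, pkt):
            winner = r
            if r["quick"]:
                break
    return (winner["action"], winner["label"]) if winner else ("block", "default deny")


def reorder_sections(rules, new_order):
    """Simulate a second box whose groups were created in a different order:
    stable sort of the rules by the position of their target in new_order."""
    return sorted(rules, key=lambda r: new_order.index(r["target"]))


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES_DEBUG)
    print("processing order:", section_order(rules))
    ssh = {"iface": "OVPN_IF1", "groups": {"IF_GROUP1", "IF_GROUP2", "openvpn"},
           "src": "10.8.0.5", "dst": "10.0.0.1", "proto": "tcp", "dport": 22}
    print("box A (groups as generated):", decide(rules, ssh))
    swapped = reorder_sections(rules, ["IF_GROUP2", "IF_GROUP1", "openvpn", "OVPN_IF1"])
    print("box B (group sections swapped):", decide(swapped, ssh))
```

Running it against a real /tmp/rules.debug (replace the constructed excerpt with the file contents) gives the same first-appearance listing jimp points to; the swapped run shows why two boxes with identical group rules but different group creation order can pass or block the same SSH packet, which is the reason floating rules were recommended as the deterministic option.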
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.