OpenVPN group vs Interface Group firewall rule order

  • Let's assume I have an OpenVPN interface assigned (name: OVPN_IF1) that is also part of an interface group (name: IF_GROUP1). What is the processing order for the rules? Is it like below?
    1. floating rules
    2. the interface group IF_GROUP1
    3. the OpenVPN group
    4. the interface: OVPN_IF1

    The general idea is described in the Firewall Rule Processing Order page. There I can see that the OpenVPN is just a generic interface group. The question now becomes: what is the processing order for diferent groups (i.e. OpenVPN vs IF_GROUP1 in the example above)? Is there anything special about the OpenVPN group in regards to the rule processing order?

    Also, looking at /tmp/rules.debug I can see that IF_GROUP1 rules come before OpenVPN rules. Is this based on string comparison only or is there something else?

    Last edit:
    What about the corner case where an interface is part of multiple groups. What is the processing order between groups in general?


  • Rebel Alliance Developer Netgate

    Just look in rules.debug and you'll see the actual order.

    Generally speaking manual groups will come before the VPN interface groups, the manual groups are processed in the order they exist in config.xml

  • Hi Jim. Thanks for the insight.

    I'm a bit worried that this process is non-deterministic. I can imagine a situation with 2 identical boxes where I have the same rules applied on the same interface groups that were created in a different order resulting in a different behavior for the rules. Is there anything I can do to make this process deterministic?

  • Rebel Alliance Developer Netgate

    Use floating rules rather than groups, or always create the groups in the same order. Groups are still a bit of a lower-tier feature since they aren't used often (and are misused more often than used correctly).

    At some point we may allow sorting or re-ordering of interface groups which would help here. It may not be too hard to do in 2.3 with the new framework.

  • I realize that this is an old post, but I couldn't find the answer to the Interface Group order anywhere in the forums. Using /tmp/rules.debug. I found that manually created Interface Groups come before OpenVPN rules. I also found that if you have multiple interface groups then they are processed in alphabetical order.

    I have three Interface groups: Local for all my local subnets, Clients for local client subnets, and IoT for local IoT subnets. They were processed in the following order: Clients, IoT, Local. When I renamed Local to All_LAN and made a minor change to the rules so they were rewritten, the order changed to All_LAN, Clients, IoT, which is the order I wanted.

    I realize I probably don't need so many subnets, but using Interface groups and RADIUS to assign VLANs made it easy to setup. I have a VLAN for each person in my household in Clients Interface Group and my IoT devices are in different VLANs by type. It was simple using FreeRADIUS.


Log in to reply