Open Unspec7 opened 1 week ago
Have the exact same issue. It completely grabs anything.
The current, more elegant workaround, other than making a bunch of firewall interface groups, is to create firewall network aliases with the relevant networks placed in them.
Still not great, but working as a temporary workaround.
Describe the bug
I have a couple of internet NAT redirect rules, specifically to enforce my pihole DNS for my IOT devices, since Google Homes hardcode Google DNS. I noticed that despite only wanting to enforce it on the IOT network, it was being enforced on all networks, despite selecting the interface as "IOT".
Turns out, this was due to the fact that source was set to "ANY". So it appears that NAT redirects, if source is ANY, completely ignore the set interface and match all traffic with that rule. This has firewall implications because it can inadvertently allow certain devices on an interface to bypass a firewall rule on that interface due to the unintended redirect. It also makes it impossible to create a single redirect rule that applies to multiple interfaces without creating an interface group.
Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)
To Reproduce
Steps to reproduce the behavior (note: using DNS redirect for ease of testing):
Expected behavior
Describe alternatives you considered
Using interface net as the source, but as mentioned before, this is not ideal since it forces you to create interface groups.
Screenshots
NAT redirect rule for pihole:
Log live view RDR:
DMZ firewall rules. Second rule doesn't apply even though it should since the redirect shouldn't be redirecting DMZ network traffic:
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 24.7.5_3-amd64
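Added example (not code from OPNsense, the reporter, or Unspec7): a small audit script for the situation described in the report and in the alias workaround above. It parses redirect rules written in a simplified, constructed `pfctl -sn` style, flags every `rdr` whose source is `any`, and shows what the alias workaround changes: once the source is restricted to the networks behind the rule's own interface, a host on another network (the DMZ host in the report) no longer matches the rule's source selector, whatever interface pf evaluates it on. The sample rules, the interface names `igb2`/`igb3`, the networks in `IFACE_NETS`, and the Pi-hole address are all hypothetical lab values; the script checks only the source selector and does not model pf's interface binding.

```python
import ipaddress
import re
from dataclasses import dataclass, replace

# Constructed sample in a simplified pfctl -sn style (not captured from a real box):
# two "from any" DNS redirects bound to the IOT interface, one already scoped to DMZ.
SAMPLE_RDR_RULES = """\
rdr on igb2 inet proto udp from any to any port = 53 -> 192.168.1.53 port 53
rdr on igb2 inet proto tcp from any to any port = 53 -> 192.168.1.53 port 53
rdr on igb3 inet proto udp from 10.30.0.0/24 to any port = 53 -> 192.168.1.53 port 53
"""

# Hypothetical interface -> network mapping for the lab in this example.
IFACE_NETS = {
    "igb2": ["10.20.0.0/24"],  # IOT
    "igb3": ["10.30.0.0/24"],  # DMZ
}

RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) inet proto (?P<proto>\S+) "
    r"from (?P<src>\S+) to (?P<dst>\S+) port = (?P<dport>\S+) "
    r"-> (?P<target>\S+) port (?P<tport>\S+)$"
)


@dataclass(frozen=True)
class RdrRule:
    iface: str
    proto: str
    src: str      # "any" or a CIDR network
    dst: str
    dport: str
    target: str
    tport: str


def parse_rdr_rules(text: str) -> list[RdrRule]:
    """Parse the simplified rdr lines above; unknown lines raise rather than being skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RDR_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rdr line: {line!r}")
        rules.append(RdrRule(**m.groupdict()))
    return rules


def unscoped_rules(rules: list[RdrRule]) -> list[RdrRule]:
    """Redirects whose source is 'any': the shape the report says ignores the bound interface."""
    return [r for r in rules if r.src == "any"]


def scope_to_interface(rule: RdrRule, iface_nets: dict[str, list[str]]) -> list[RdrRule]:
    """Apply the alias workaround: one copy of the rule per network behind its interface."""
    nets = iface_nets.get(rule.iface)
    if not nets:
        raise KeyError(f"no networks known for interface {rule.iface}")
    return [replace(rule, src=str(ipaddress.ip_network(n))) for n in nets]


def matches_source(rule: RdrRule, src_ip: str) -> bool:
    """Does the rule's source selector match a packet from src_ip? (Interface is ignored on purpose.)"""
    if rule.src == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)


def audit(text: str, iface_nets: dict[str, list[str]]) -> list[str]:
    """One finding per unscoped rule, naming the networks an alias should contain to scope it."""
    findings = []
    for r in unscoped_rules(parse_rdr_rules(text)):
        nets = ", ".join(s.src for s in scope_to_interface(r, iface_nets))
        findings.append(
            f"{r.iface} {r.proto}/{r.dport}: source is any; put {nets} in an alias and use it as source"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RDR_RULES, IFACE_NETS):
        print(finding)
    rules = parse_rdr_rules(SAMPLE_RDR_RULES)
    iot_any = rules[0]
    iot_scoped = scope_to_interface(iot_any, IFACE_NETS)[0]
    dmz_host = "10.30.0.25"  # hypothetical host on the DMZ network
    print("unscoped IOT rule matches a DMZ host:", matches_source(iot_any, dmz_host))
    print("scoped IOT rule matches a DMZ host:  ", matches_source(iot_scoped, dmz_host))
```

To run it against a real box, replace `SAMPLE_RDR_RULES` with the `rdr` lines from `pfctl -sn` and adjust `RDR_RE` to the exact syntax your version emits (the sample deliberately uses a stripped-down form); `IFACE_NETS` has to be filled in from your own interface configuration, since the script has no way to learn it.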