Firewall rules assigned to interface groups, including ZeroTier interfaces, are disregarded for ZeroTier interfaces after a reboot.
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Describe the bug
Firewall rules assigned to interface groups, including ZeroTier interfaces, are disregarded for ZeroTier interfaces after a reboot. This behavior persists until a minor or insignificant change is made to any rule via the web GUI.
This behavior has been observed specifically with multicast OSPFv2 traffic using the OSPF IPv4 protocol. However, it could also potentially affect non-multicast traffic or standard TCP/UDP protocols.
See also https://forum.opnsense.org/index.php?topic=46912.msg235449#msg235449
To Reproduce
Steps to reproduce the behavior:
- Set up ZeroTier, a ZeroTier interface, and an interface group that includes the ZeroTier interface.
- Apply a firewall rule to the group.
- Verify that the newly created rule is being enforced.
- Reboot the system.
- Observe that the rule is no longer applied to the ZeroTier interface.
- Make a minor or insignificant change to any firewall rule.
- Confirm that the rule is now enforced again.
Expected behavior
The rules applied to interface groups, including ZeroTier interfaces, should be enforced on traffic originating from ZeroTier interfaces after a reboot.
Describe alternatives you considered
- To enforce the recalculation of firewall rules after every reboot, perform a minor adjustment to the rules through the web GUI.
- Replicating rules both in groups and ZeroTier interfaces can be tedious and prone to errors, especially when dealing with large sets.
Screenshots
The same allow rule is present both in the group and the specific ZeroTier interface. Ideally, packets processed by the interface-specific rule should be zero, but they are not.
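As an added diagnostic (not part of the original report or of OPNsense itself), the following POSIX shell script turns the screenshot observation into a repeatable check for steps 3 and 6 of the reproduction: it reads `pfctl -vsr` output, sums the `Packets:` counters of every rule bound to a given name, and reports whether the group rule is processing traffic or whether the duplicate per-interface rule is catching it instead. The group name `ZTgroup` and the interface name `zt1a2b3c4d` are assumptions, and the two captures are constructed to mimic the `pfctl -vsr` counter lines; on the firewall you would pipe live output into the functions instead.

```shell
#!/bin/sh
# Added example, not code from the bug report or from OPNsense.
# Live use on the firewall (FreeBSD/OPNsense shell):
#   pfctl -vsr | sum_packets zt1a2b3c4d
#   ifconfig -g ZTgroup        # confirms the ZeroTier interface is a group member
# Names "ZTgroup" and "zt1a2b3c4d" are assumptions; the captures are constructed.

# sum_packets NAME : sum the Packets: counters of all rules whose rule line
# contains "on NAME". pfctl -vsr prints the rule, then a line of counters.
sum_packets() {
    awk -v want="$1" '
        /^(pass|block|match)/ {
            hit = 0
            for (i = 1; i < NF; i++) if ($i == "on" && $(i + 1) == want) hit = 1
            next
        }
        hit && /Evaluations:/ {
            for (i = 1; i < NF; i++) if ($i == "Packets:") total += $(i + 1)
            hit = 0
        }
        END { printf "%d\n", total + 0 }
    '
}

# group_rule_active GROUP IFACE : reads pfctl -vsr output on stdin.
# exit 0 : the group rule sees packets and the per-interface duplicate sees none
# exit 1 : the per-interface duplicate is catching packets (group rule skipped)
# exit 2 : neither rule has seen traffic yet
group_rule_active() {
    input=$(cat)
    g=$(printf '%s\n' "$input" | sum_packets "$1")
    i=$(printf '%s\n' "$input" | sum_packets "$2")
    echo "group $1: $g packets, interface $2: $i packets"
    if [ "$g" -gt 0 ] && [ "$i" -eq 0 ]; then return 0; fi
    if [ "$i" -gt 0 ]; then return 1; fi
    return 2
}

# Constructed capture: the symptom after a reboot, where only the
# interface-specific copy of the rule has counted packets.
AFTER_REBOOT='pass in quick on ZTgroup inet proto ospf from any to 224.0.0.5 keep state label "group allow OSPF"
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4321 State Creations: 0     ]
pass in quick on zt1a2b3c4d inet proto ospf from any to 224.0.0.5 keep state label "interface allow OSPF"
  [ Evaluations: 120       Packets: 57        Bytes: 4560        States: 0     ]
  [ Inserted: uid 0 pid 4321 State Creations: 0     ]'

# Constructed capture: the expected state after a rule change in the GUI,
# where the group rule matches first and the duplicate stays at zero.
AFTER_GUI_CHANGE='pass in quick on ZTgroup inet proto ospf from any to 224.0.0.5 keep state label "group allow OSPF"
  [ Evaluations: 120       Packets: 57        Bytes: 4560        States: 0     ]
  [ Inserted: uid 0 pid 4321 State Creations: 0     ]
pass in quick on zt1a2b3c4d inet proto ospf from any to 224.0.0.5 keep state label "interface allow OSPF"
  [ Evaluations: 63        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4321 State Creations: 0     ]'

# Stand-alone run: evaluate both constructed captures.
printf '%s\n' "$AFTER_REBOOT" | group_rule_active ZTgroup zt1a2b3c4d \
    || echo "  -> group rule not applied on the ZeroTier interface (rc=$?)"
printf '%s\n' "$AFTER_GUI_CHANGE" | group_rule_active ZTgroup zt1a2b3c4d \
    || echo "  -> group rule not applied on the ZeroTier interface (rc=$?)"
```

Keeping the per-interface duplicate in place while testing is what makes the counters meaningful: if the group rule were the only one, skipped traffic would either hit a later rule or the default deny, and the counter you would need to watch changes with every ruleset edit. Running the check once before the reboot and once after gives a before/after pair that can be attached to the report.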
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 25.1.5_5-amd64. Microsoft Hyper-V Server Core 2019 Virtual Machine Generation 2