Unlike the other interfaces in this chapter, an Interface Group is not a type of interface that can be assigned. Interface groups are used to apply firewall or NAT rules to a set of interfaces on a common tab. If this concept is unfamiliar, consider how the firewall rules for OpenVPN, the PPPoE server, or L2TP server work. There are multiple interfaces in the underlying OS, but the rules for all of them are managed on a single tab for each type. If many interfaces of a similar function are present on the firewall that need practically identical rules, an interface group may be created to add rules to all of the interfaces at the same time. Interfaces can still have their own individual rules, which are processed after the group rules.
To create an interface group:
- Navigate to Interfaces > (assign), Interface Groups tab
- Click Add to create a new group
- Enter a Group Name. This name may only contain upper and lowercase letters, no numbers, spaces, or special characters
- Enter a Group Description (optional)
- Add interfaces as Group Members by ctrl-clicking to select entries from the interface list
- Click Save
Interface groups each have an individual tab under Firewall > Rules to manage their rules. Figure Interface Group Firewall Rules Tab shows the firewall rule tab for the group defined in figure Add Interface Group
Configuring firewall rules for information on managing firewall rules.
Group Rule Processing Order¶
The rule processing order for user rules is:
- Floating rules
- Interface group rules
- Rules on the interface directly
For example, if a rule on the group tab matches a connection, the interface tab rules will not be consulted. Similarly, if a floating rule with Quick set matched a connection, the interface group rules will not be consulted.
The processing order prevents some combination of rules that otherwise might be a good fit. For example, if a general blocking rule is present on the group, it cannot be overriden by a rule on a specific interface. Same with a pass rule, a specific interface rule cannot block traffic passed on a group tab rule.
Use with WAN Interfaces¶
We do not recommend using interface groups with multiple WANs. Doing so may
appear to be convenient, but the group rules do not receive the same treatment
as actual WAN tab rules. For example, rules on a tab for a WAN-type interface
(Gateway selected on the interface configuration) will receive
which allows pf to return traffic back via the interface from which it entered.
Group tab rules do not receive
reply-to which effectively means that the
group rules only function as expected on the WAN with the default gateway.