OPNsense Firewall Category vs Group β€” Function, Usage, and Differences

Posted on by Rico

🧭 Overview

FeatureLayerPurposeAffects Traffic
CategoryRule-levelFor tagging and organizing firewall rules❌ No
GroupInterface/User-levelFor combining interfaces or users under shared policyβœ… Yes

βš™οΈ Category

Purpose:
Categories are visual tags for firewall rules.
They do not change packet behavior β€” they simply help administrators organize, color-code, and filter rules.

Use cases:

  • Separate rules by function: VPN, LAN, DMZ, Logging
  • Assign rules by department: IT-Team, HR-Team
  • Quickly filter using β€œFilter by Category” on the rules page

Path:

Firewall β†’ Rules β†’ (Select Interface) β†’ Edit Rule β†’ Category

Best Practices:

ScenarioExample
Multi-department useCategories named HR, IT, LOGISTICS
Project-basedD365, SAP, MAIL
Large rule setsColor-coded for clarity

🟒 Category = Management-only, no effect on traffic filtering.

βš™οΈ Group

Purpose:
Groups allow rules or permissions to apply collectively β€” either across multiple interfaces or users.

TypeDescription
Interface GroupCombines multiple interfaces (LAN, DMZ, VPN) under one logical firewall rule set.
User GroupCombines user accounts for access control (Captive Portal, VPN, Proxy ACL).

Examples:

  • Interface Group:
    Create Internal_Net including LAN, VLAN10, and VLAN20.
    Apply firewall rules once to the group β€” all members inherit them.
  • User Group:
    Create VPN_Users for rico.wu, sam.lin, ada.chuang.
    Use for VPN access or web proxy permissions.

Best Practices:

ScenarioTip
Multiple LAN/VLANs share same rulesCreate Interface Group
Remote access usersUse User Group for access control
Reduce duplicationManage rules at group level

🟣 Group = Enforcement-level, directly affects filtering behavior.

βš–οΈ Comparison Table

ItemCategoryGroup
PurposeOrganize rulesCombine rules/interfaces
ScopeSingle ruleMultiple interfaces or users
Impact on traffic❌ Noneβœ… Yes
Typical useLabel, filterApply shared policy
LevelVisual managementLogical enforcement
LocationFirewall β†’ RulesFirewall β†’ Groups

πŸ’‘ Summary

  • Category helps manage and find rules β€” good for organization.
  • Group defines shared policies β€” good for simplification and consistency.
  • Combine both:
    • Use Group to unify control.
    • Use Category to label and visualize rules.