Hi all,
I've just upgraded to 26.1 and started looking at the new firewall "Rules [new]" interface and the Migration assistant. My setup is a bit on the complex side and I'd like to get the migration right without breaking anything.
Current setup (high level):
- Multiple VLANs, grouped into Internal and Restricted interface groups, using groups as policies and interfaces as zones.
- Group sequence is used to enforce "global block policies first, more permissive per‑zone rules later" (e.g. blocks for DNS/NTP/SMTP in Internal, allows in Restricted).
- Multi‑layer DNS stack: dnscrypt‑proxy on localhost → Unbound as validating resolver → AdGuard Home on a separate VLAN, now with Q‑Feeds domain/IP feeds integrated into Unbound and firewall aliases.
I've read the docs about the Firewall: Rules → Migration assistant and I understand the general flow:
1. Take ZFS snapshots / use configuration history as backup.
2. Export legacy rules as CSV via the migration API.
3. Inspect/adjust in a spreadsheet if needed.
4. Import into the new Rules UI and, once confirmed, remove legacy rules.
What I'm interested in is best practices and "gotchas" for setups that rely heavily on:
- Interface groups + sequence for policy ordering (Internal / Restricted / IoT / Guest, etc.).
- Security zones style design (policies via groups, zones via interfaces).
- DNS‑centric controls (Unbound blocklists, Q‑Feeds, AdGuard, per‑VLAN policies).
Concretely:
- Does the CSV export/import fully preserve group‑based rules and their evaluation order (especially with different group sequence values), or are there manual adjustments you'd recommend doing after import?
- Are there specific fields in the CSV that tend to fail validation or translate poorly into the new UI when using lots of aliases / advanced options (schedules, tags, quick, etc.)?
- For people already running 26.1 in production with a similar zone/policy approach: did you migrate everything in one go, or did you do it interface‑by‑interface / group‑by‑group and test in between?
- Any advice on testing strategy after migration (e.g. particular logs/views in the new UI that helped to quickly confirm rule evaluation order and policy behaviour)?
I've seen the notes about snapshots, configuration history and the anti‑lockout rule, but for those of you with more advanced setups I'd really appreciate any lessons learned or checklists before I press "Remove all legacy rules".
Thanks in advance
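One way to turn the "inspect in a spreadsheet" step and the post-migration testing question above into a repeatable check is a small probe-based comparison of the legacy export against a fresh export taken after import: flatten both rule sets into evaluation order (group/interface sequence first, file order as tie-break), run a fixed table of (zone, protocol, port) probes through first-match logic, and report every probe whose decision changed. The script below is an added example, not code from the forum post or from the OPNsense project; the CSV column names (`sequence`, `interface`, `action`, `protocol`, `destination_port`, `description`) and the group membership in `GROUPS` are assumptions for illustration and must be replaced with the columns of the real export. The constructed "migrated" CSV simulates a group sequence being lost on import, so the per-interface default allow on vlan10 starts winning over the Internal DNS/NTP/SMTP blocks.

```python
"""Probe-based check that firewall rule evaluation order survives a CSV migration.

Added example, not from the forum post or the OPNsense project. Column names
and group membership below are ASSUMPTIONS; read the real ones from the export.
"""
import csv
import io
from dataclasses import dataclass

# Constructed: which interfaces (zones) belong to which interface group (policy).
GROUPS = {
    "Internal": {"vlan10", "vlan20"},
    "Restricted": {"vlan30"},
}

# Constructed legacy export. Lower sequence = evaluated earlier; the Internal
# blocks for DNS/NTP/SMTP sit ahead of everything else.
LEGACY_CSV = """sequence,interface,action,protocol,destination_port,description
1,Internal,block,udp,53,Internal: block direct DNS
1,Internal,block,udp,123,Internal: block direct NTP
1,Internal,block,tcp,25,Internal: block direct SMTP
5,Restricted,pass,udp,53,Restricted: allow DNS
50,vlan10,pass,any,any,vlan10: default allow
"""

# Constructed post-import export in which the Internal group sequence was lost
# and fell back to a high value, so the per-interface allow now wins.
MIGRATED_CSV = LEGACY_CSV.replace("\n1,Internal", "\n99,Internal")


@dataclass(frozen=True)
class Rule:
    sequence: int
    interface: str      # interface (zone) or interface group (policy)
    action: str         # "pass" or "block"
    protocol: str       # "tcp", "udp" or "any"
    port: str           # destination port or "any"
    description: str


def load_rules(text):
    """Parse the (assumed) CSV layout and return rules in evaluation order."""
    rows = csv.DictReader(io.StringIO(text))
    rules = [
        Rule(int(r["sequence"]), r["interface"], r["action"].lower(),
             r["protocol"].lower(), r["destination_port"], r["description"])
        for r in rows
    ]
    # sorted() is stable: equal sequences keep their file order, which is
    # exactly the "group sequence first, rule order second" semantics.
    return sorted(rules, key=lambda r: r.sequence)


def applies(rule, groups, iface, proto, port):
    """True if the rule matches traffic entering `iface` with proto/port."""
    targets = {rule.interface} | groups.get(rule.interface, set())
    if iface not in targets:
        return False
    if rule.protocol not in ("any", proto):
        return False
    return rule.port in ("any", str(port))


def decide(rules, groups, iface, proto, port, default="block"):
    """First-match decision: (action, description); implicit deny if none match."""
    for r in rules:
        if applies(r, groups, iface, proto, port):
            return r.action, r.description
    return default, "implicit default deny"


# Constructed probe table: the traffic classes the policy is meant to govern.
PROBES = [
    ("vlan10", "udp", 53), ("vlan10", "udp", 123), ("vlan10", "tcp", 25),
    ("vlan30", "udp", 53), ("vlan10", "tcp", 443), ("vlan20", "tcp", 443),
]


def regressions(legacy_text, migrated_text, groups, probes):
    """Return (probe, before, after) for every probe whose decision changed."""
    legacy, migrated = load_rules(legacy_text), load_rules(migrated_text)
    diffs = []
    for probe in probes:
        before = decide(legacy, groups, *probe)
        after = decide(migrated, groups, *probe)
        if before[0] != after[0]:
            diffs.append((probe, before, after))
    return diffs


if __name__ == "__main__":
    for probe, before, after in regressions(LEGACY_CSV, MIGRATED_CSV, GROUPS, PROBES):
        print(f"{probe}: {before[0]} ({before[1]}) -> {after[0]} ({after[1]})")
```

Run against real files, the probe table is the part worth investing in: one entry per zone and per service the blocks and allows are meant to cover, so that an empty regression list is a meaningful sign-off before removing the legacy rules, and a non-empty one points at the exact group whose sequence needs adjusting.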