The migration worked for the most part, with one exception...My WAN2 interface rule didn't work.
I found Asymmetric routing where my external monitoring was coming in on my WAN2 and going back out on WAN1.
This worked in Legacy rules with a simple rule as follows :
Interface: WAN2Xfinity
Direction: In
Protocol: any
Source: Monitoring_Alias
Destination: WAN2Xfinity
Gateway: Default
In the New rules section I had that same rule and that's when external pings started failing.
That is where I saw packets coming in WAN2 and out WAN1.
Anyhow, in order to get it to work I needed to set reply-to (Advanced-View) to the WAN2Xfinity interface.
Interface: WAN2Xfinity
Direction: in
Action: Pass
Protocol: ICMP
Source: Monitoring_Alias
Destination: WAN2Xfinity
Reply-To : WAN2Xfinity
Other than that, all my other rules cut over just fine.
Quote from: SMiTTY on February 06, 2026, 08:49:26 PMThat is where I saw packets coming in WAN2 and out WAN1.
According to the docs OPNsense adds 'reply-to' by default on WAN rules for this reason:
https://docs.opnsense.org/manual/firewall_settings.html#disable-reply-to
I don't see anything in the 26.1 release notes indicating that this has changed. Did you check the setting under Firewall->Settings->Advanced?
I rolled back to the old rules. I have two WANs i.e. WAN and WAN2. I looked up a rule on Rules [Old] >WAN and i see this in 'Advanced features'
(https://i.imgur.com/5RWESPD.png)
On my System>Gateways>Configuration i can see that WAN2 is set as active.
With this setup everything works.
Once i migrate to the new rules, do i need to change gateway for all the WAN rules to 'WAN' instead of default?
I read the release info but not really sure: WHEN does one have to press the migration button at the latest? Before 26.1.xyz? Before 26.7? Never?
Little confused...
Quote from: trumee on February 08, 2026, 04:34:53 PMI rolled back to the old rules. I have two WANs i.e. WAN and WAN2. I looked up a rule on Rules [Old] >WAN and i see this in 'Advanced features'
(https://i.imgur.com/5RWESPD.png)
On my System>Gateways>Configuration i can see that WAN2 is set as active.
With this setup everything works.
Once i migrate to the new rules, do i need to change gateway for all the WAN rules to 'WAN' instead of default?
How do you roll back to the old rules?
Quote from: chemlud on February 08, 2026, 05:04:21 PMI read the release info but not really sure: WHEN does one have to press the migration button at the latest? Before 26.1.xyz? Before 26.7? Never?
Little confused...
See : https://forum.opnsense.org/index.php?topic=50777.msg259568#msg259568
If you don't believe me you can check his post history for the exact statement ;)
Quote from: OPNenthu on February 06, 2026, 09:44:34 PMAccording to the docs OPNsense adds 'reply-to' by default on WAN rules for this reason:
https://docs.opnsense.org/manual/firewall_settings.html#disable-reply-to
I don't see anything in the 26.1 release notes indicating that this has changed. Did you check the setting under Firewall->Settings->Advanced?
I did check that first...it is currently unchecked as it always has been. The only way for me to get "New" rules to work was to change it to reply-to WAN2Xfinity_GW. Everything seems good now.
@SMiTTY - I'm guessing you ran into this: https://github.com/opnsense/core/issues/9761
Looks like a patch is available. @franco, does this apply retroactively to those with already migrated rules? Or would we need to roll back, upgrade, apply the patch, then migrate?
Yes, the patch should be an instant fix for previously imported rules:
https://github.com/opnsense/core/issues/9761#issuecomment-3868046721
Cheers,
Franco
This patch fixed the issues I was having with migrated rules
Quote from: franco on February 09, 2026, 07:18:02 AMYes, the patch should be an instant fix for previously imported rules:
https://github.com/opnsense/core/issues/9761#issuecomment-3868046721
Cheers,
Franco