Alright, so I did a quick search and learned that there is now a new rules system in place and the most recent update, 26.1, completely destroyed my network; by destroy I mean nothing would route properly anymore. I had to go back to a two-week-old backup / VM to fix everything.
I'm not sure why this change was done and why it couldn't be made optional. Was this really necessary? The upgrade procedure seems to be very painful and to involve a lot of work. Not sure this change was really thought out; it breaks way more than it fixes.
Update: Seems that shortly after installing the old backup, which is still 26.1, routing rules worked for 5 minutes and then nothing worked anymore, so I suppose something is running in the background that causes old routing rules to no longer work. What a PAIN!
The new rule system in 26.1 is completely optional. Unless you actively and manually migrate your rules nothing is done to rules that are in place before the update.
Alright, so I guess it has to be another issue post-update that broke something. I'll have to look more into this.
Make sure you go to the latest minor release (at least 26.1.4) before testing things again. There were issues with reply-to rule generations, I think due to the Port Forward -> Destination NAT change.
A good test is before the upgrade do:
pfctl -s rules
Save the output in a file.
Go all the way to 26.1.4 or 5, then do pfctl -s rules again.
Diff both files; if there is no explainable difference, then the firewall does not do anything wrong (on the packet filter level).
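As an added example (my own script, not from the thread or the OPNsense project), the before/after comparison described above in shell form. It assumes pfctl is on PATH and the script runs as root; the snapshot file naming and the normalisation step (dropping pf's own "#" comment lines and trailing whitespace so only rule changes show up in the diff) are my own choices.

```shell
#!/bin/sh
# Added example: snapshot the loaded pf ruleset before and after an upgrade,
# then diff the two snapshots. Not part of OPNsense; assumes pfctl and root.

# Write the active ruleset to a timestamped file and print the file name.
snapshot_rules() {
    out="pf-rules-$(date +%Y%m%dT%H%M%S).txt"
    pfctl -s rules > "$out" || return 1
    printf '%s\n' "$out"
}

# Drop pf comment lines and trailing whitespace so cosmetic differences
# (a header comment, padding) do not show up as rule changes.
normalize_rules() {
    sed -e 's/[[:space:]]*$//' -e '/^[[:space:]]*#/d' "$1"
}

# Diff two snapshots after normalising them. Prints a unified diff and
# returns 0 when the rulesets match, 1 when they differ, 2 on error.
compare_rulesets() {
    nb=$(mktemp) && na=$(mktemp) || return 2
    normalize_rules "$1" > "$nb"
    normalize_rules "$2" > "$na"
    diff -u "$nb" "$na" && rc=0 || rc=$?
    rm -f "$nb" "$na"
    return "$rc"
}

# Usage:  ./pfdiff.sh snapshot              (run once before, once after the upgrade)
#         ./pfdiff.sh compare BEFORE AFTER  (exit status 0 means identical rulesets)
case "${1-}" in
    snapshot) snapshot_rules ;;
    compare)  compare_rulesets "$2" "$3" ;;
esac
```

Any line the diff reports with a leading "+" or "-" is a rule that changed between the two snapshots; a clean (empty) diff means the packet filter ended up with the same ruleset it had before the upgrade.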
Quote from: Monviech (Cedrik) on Today at 01:21:38 PM
Make sure you go to the latest minor release (at least 26.1.4) before testing things again. There were issues with reply-to rule generations, I think due to the Port Forward -> Destination NAT change.
A good test is before the upgrade do:
pfctl -s rules
Save the output in a file.
Go all the way to 26.1.4 or 5, then do pfctl -s rules again.
Diff both files; if there is no explainable difference, then the firewall does not do anything wrong (on the packet filter level).
Thanks for the help. I printed the output of what I have now and I can't really see any issue, and I am using 26.1.5. Not sure what happened, and it could be that it has nothing to do with OPNsense. Until I have more information I can't say for sure what happened...
Is there documentation somewhere that explains the changes between the old and new rules system?
Sure here, just recently refreshed:
https://docs.opnsense.org/manual/firewall.html#rules
Both go to the same library that generates rules, and the same ruleset comes out afterwards. So mostly the GUI is different; the backend (rule generator) is mostly the same.