Alright, so I don't quite know what's going on... So I'm going to give all the experiences I've had this morning so far. Note that I actually updated to 26.1.6 (from 25.7.x) on April 28th and had no problems during that upgrade/reboot itself, or at least none that were obvious to me. But this morning, an update went for 26.1.7_1 and then I did run into some major problems. I don't think it's actually specific to that patch, but maybe it is.
I woke up this morning to no internet, and then saw that my firewall was blocking and accepting a bunch of requests that were completely against my rules (migrating to the new rules and deleting all my old rules made NO difference). Upon further inspection, I found that I was able to change one of the block rules to a direct host instead of an alias and then it worked correctly. When looking at the Diagnostics > Aliases section, it showed "No results found" for *all* aliases, even those that are just hard-coded IPs/ports instead of pulling data via external resources and such.
I looked at the changelog for the new patch and don't see anything about aliases other than:
> o firewall: fix typo in alias update error log and make parser a bit more resilient
I doubt that would be it. To troubleshoot, based on some forum searches I made, I tried to duplicate one of the aliases, but it always showed "0 loaded". I saw in the general log some errors related to pulling down the GeoIP list from MaxMind, so I removed the URL from my GeoIP settings to see if that'd resolve it - it didn't. There are no other logs showing up in the general firewall logs either.
While troubleshooting for like 3 hours, out of nowhere all my aliases filled up and the firewall was properly using them. I don't understand why, even after several reboots and repetitive 'saves' to my settings, it just suddenly decided to work out of nowhere. But my problems are not completely solved.
I still appear to be getting an error in the logs about not being able to reach MaxMind. Here's the error I get:
geoip update failed : HTTPSConnectionPool(host='download.maxmind.com', port=443): Max retries exceeded with url: /app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=[REDACTED]&suffix=zip (Caused by NewConnectionError("HTTPSConnection(host='download.maxmind.com', port=443): Failed to establish a new connection: [Errno 65] No route to host"))
I did a DNS lookup through the firewall's terminal and the DNS diagnostics tool and can see it properly gets the IP address back, so it's not a DNS issue. I tried to ping the IP directly and it times out. I used the Ping diagnostics tool and various random external IP addresses fail (internal ones like my router and such work fine). This appears to be that any request that comes from the firewall itself is being blocked. But... I see this in the logs for _all_ pings:
"let out anything from firewall host itself"
I get successful pings for sites like opnsense.org, google.com, and yahoo.com, but failures for sites like maxmind.com, linuxmint.com, and ebay.com (where these 3 pings are successful on my local laptop)... All those requests are being permitted, yet that's where they end - it's as though they're still being blocked somewhere that I cannot quite figure out...
I looked more at my aliases and noticed that every alias related to MaxMind and GeoIP lookup showed "last update" on 04/28. The general log files for MaxMind failures only date back to 05/01 evening, though (the update was 05/02 morning, maybe 6 hours later)... I did absolutely nothing to my firewall at the time they started failing, and in fact was just playing a game at the time it started erroring out. I'm wondering if the update to 26.1 caused the firewall to have some extra rules somewhere that are initiating some kind of killswitch and refusing to hit those IP addresses, but this is just a theory in my mind, nothing to support it.
So with that, does anyone have any suggestions on where I can troubleshoot further? I'm out of ideas, having no useful logs other than the ones mentioned above. I don't know if the timeouts from external sites are what's causing the aliases to not work initially on boot or if it's something else, but I'm hoping that resolving the general connection issues from the firewall side will perhaps get it to work and prevent a repeat of this rather scary experience where traffic could have been "free to do whatever it wants", had I not had a single alias that was just by chance blocking things and taking down the network.
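One way to check for the failure mode described in this post (rules that reference aliases whose pf tables are empty, so a block rule silently stops nothing) is to compare the loaded ruleset against the table contents. This is an added example, not code from the post or from OPNsense; it assumes alias names appear as pf table names in `pfctl -sr` output and that `pfctl -t NAME -T show` is run on the firewall itself. The sample rules and table contents below are constructed.

```python
import re
import subprocess
from typing import Dict, List

# pf rules reference OPNsense aliases as <table_name>; this matches those references.
TABLE_REF = re.compile(r"<([A-Za-z0-9_.:-]+)>")

# Constructed sample input standing in for `pfctl -sr` and `pfctl -t NAME -T show`.
SAMPLE_RULES = (
    "block drop in quick on igb0 inet from <GeoIP_Blocklist> to any\n"
    "pass in quick on igb0 inet proto tcp from any to <WebServers> port = 443\n"
)
SAMPLE_TABLES = {"GeoIP_Blocklist": "", "WebServers": "   192.0.2.10\n   192.0.2.11\n"}

def parse_rules(rules_text: str) -> Dict[str, List[str]]:
    """Map each referenced table name to the rule lines that use it."""
    refs: Dict[str, List[str]] = {}
    for line in rules_text.splitlines():
        for name in TABLE_REF.findall(line.strip()):
            refs.setdefault(name, []).append(line.strip())
    return refs

def table_size(show_text: str) -> int:
    """Count address entries in `pfctl -t NAME -T show` output (one per line)."""
    return sum(1 for line in show_text.splitlines() if line.strip())

def find_empty_tables(rules_text: str, tables: Dict[str, str]) -> List[dict]:
    """Flag rules whose table is empty: an empty <table> matches no address,
    so a block rule stops nothing and a pass rule admits nothing."""
    findings = []
    for name, rules in sorted(parse_rules(rules_text).items()):
        if table_size(tables.get(name, "")) == 0:
            for rule in rules:
                effect = "block rule matches nothing" if rule.startswith("block") else "pass rule matches nothing"
                findings.append({"table": name, "rule": rule, "effect": effect})
    return findings

def live_tables(names) -> Dict[str, str]:
    """Read table contents from the running pf (only meaningful on the firewall)."""
    out = {}
    for name in names:
        proc = subprocess.run(["pfctl", "-t", name, "-T", "show"], capture_output=True, text=True)
        out[name] = proc.stdout if proc.returncode == 0 else ""
    return out

if __name__ == "__main__":
    for f in find_empty_tables(SAMPLE_RULES, SAMPLE_TABLES):
        print(f"{f['table']}: {f['effect']}: {f['rule']}")
```

On the firewall, replace the samples with the output of `pfctl -sr` and `live_tables(parse_rules(...))` to audit the live ruleset.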