Messages - franco

#1
Wasn't it this one? https://github.com/opnsense/plugins/commit/2cc2215bb

If so we're hotfixing this for the last update of 25.7.11_x shortly after 26.1 is out this week.


Cheers,
Franco
#2
26.1 Series / Re: New rule system
January 26, 2026, 08:54:32 PM
It kind of depends what parameters you're targeting the traffic on. You can just use a floating rule without an interface selected while selecting the source or destination of the traffic in an "in" direction rule correctly. There's no apparent need for an interface and routing domains don't exist so networks don't overlap in a routing setup.


Cheers,
Franco
#3
26.1 Series / Re: New rule system
January 26, 2026, 08:28:58 PM
"state-policy" directives have nothing to do with the parting of the rule GUI "floating" tab concept and they won't change behaviour either.


Cheers,
Franco
#4
26.1 Series / Re: MiniUPNPD
January 26, 2026, 08:06:35 PM
True, it's more likely the errors were always there or at least for a while.


Cheers,
Franco
#5
> What I did see was two popups about errors and then this in the crash reporter:

That's the usual update hiccup.  I think that at some point we will consider replacing files instead of a flat delete and install that pkg is doing, but not yet.

> Did not see too many php-cgi processes, but I did not have rapid commit enabled.

The two are not related.  ;)

> Don't know about the hostwatch thing.

The missing automatic flag comes from using "pkg install" or "pkg add -f" on the command line. opnsense-revert can take care of it:

# opnsense-revert hostwatch


Cheers,
Franco
#6
It will always auto-install when doing the upgrade 25.7 -> 26.1, yes.


Cheers,
Franco
#7
26.1 Series / Re: MiniUPNPD
January 26, 2026, 05:26:57 PM
First time I hear this. Kernel ABI and upstream software didn't change from 25.7.x so not sure what we're looking at here.



Cheers,
Franco
#8
Announcements / Re: OPNsense 26.1-RC2 released
January 26, 2026, 05:24:17 PM
A hotfix release was issued as 26.1.r2_2:

o interfaces: if no idassoc6/track6 LAN is used also emit a PD request like before
o firewall: make previously associated DNAT rules editable
#9
I'm closing the CFT and opening a new one for 26.1. Thanks for everyone's time and input! <3


Cheers,
Franco
#10
Rapid-commit (new in 26.1) may run into the same issue if the server refused the request altogether. It's probably going to remain optional anyway.  Let me hotfix that one then.

About php-cgi... this is normal

root    82341   0.0  0.1  23728  11060  -  S    13:50      0:01.69 |-- /usr/local/sbin/lighttpd -f /usr/local/etc/lighttpd_webgui/lighttpd.conf
root    82362   0.0  0.4  54960  30396  -  Is   13:50      0:00.08 | |-- /usr/local/bin/php-cgi
root    83021   0.0  0.4  58608  33652  -  I    13:50      0:00.12 | | |-- /usr/local/bin/php-cgi
root    83050   0.0  0.4  54960  30412  -  I    13:50      0:00.00 | | |-- /usr/local/bin/php-cgi
root    83117   0.0  0.4  54960  30412  -  I    13:50      0:00.00 | | |-- /usr/local/bin/php-cgi
root    83262   0.0  0.4  54960  30412  -  I    13:50      0:00.00 | | |-- /usr/local/bin/php-cgi
root    83357   0.0  0.4  54960  30412  -  I    13:50      0:00.00 | | `-- /usr/local/bin/php-cgi
root    82549   0.0  0.4  54960  30424  -  Is   13:50      0:00.08 | |-- /usr/local/bin/php-cgi
root    84675   0.0  0.5  64832  41580  -  I    13:50      0:00.80 | | |-- /usr/local/bin/php-cgi
root    85321   0.0  0.5  64832  41652  -  I    13:50      0:02.43 | | |-- /usr/local/bin/php-cgi
root    85551   0.0  0.5  62704  38208  -  I    13:50      0:01.23 | | |-- /usr/local/bin/php-cgi
root    85821   0.0  0.4  54960  30428  -  I    13:50      0:00.00 | | |-- /usr/local/bin/php-cgi
root    85989   0.0  0.4  54960  30428  -  I    13:50      0:00.00 | | `-- /usr/local/bin/php-cgi
root    82807   0.0  0.4  54960  30396  -  Is   13:50      0:00.08 | |-- /usr/local/bin/php-cgi
root    84184   0.0  0.4  60720  35500  -  I    13:50      0:01.36 | | |-- /usr/local/bin/php-cgi
root    84450   0.0  0.4  54960  30400  -  I    13:50      0:00.00 | | |-- /usr/local/bin/php-cgi
root    84621   0.0  0.4  54960  30400  -  I    13:50      0:00.00 | | |-- /usr/local/bin/php-cgi
root    84829   0.0  0.4  54960  30400  -  I    13:50      0:00.00 | | |-- /usr/local/bin/php-cgi
root    85030   0.0  0.4  54960  30400  -  I    13:50      0:00.00 | | `-- /usr/local/bin/php-cgi
root    82960   0.0  0.4  54960  30420  -  Is   13:50      0:00.08 | `-- /usr/local/bin/php-cgi
root    83590   0.0  0.6  72808  47280  -  I    13:50      0:06.43 |   |-- /usr/local/bin/php-cgi
root    83855   0.0  0.5  67072  43228  -  I    13:50      0:02.49 |   |-- /usr/local/bin/php-cgi
root    83910   0.0  0.4  54960  30424  -  I    13:50      0:00.00 |   |-- /usr/local/bin/php-cgi
root    84257   0.0  0.4  54960  30424  -  I    13:50      0:00.00 |   |-- /usr/local/bin/php-cgi
root    84586   0.0  0.4  54960  30424  -  I    13:50      0:00.00 |   `-- /usr/local/bin/php-cgi

See https://github.com/opnsense/core/commit/724f8494d and https://github.com/opnsense/core/commit/ec7a72f72d2 which lets lighttpd keep 4 processes with 5 children open by default it seems. This is to ensure dashboard responsiveness and accommodate for long-running API locks.


Cheers,
Franco
#11
26.1 Series / Re: Upgrade to RC1 successful
January 26, 2026, 03:31:17 PM
I do hope that the menu is back AND the thing actually works ;)

And here's the second half of editing associated firewall rules

https://github.com/opnsense/core/commit/8493f8d6

I'll hotfix this when I have confirmation on the fix for https://forum.opnsense.org/index.php?topic=50505.0


Cheers,
Franco
#12
# opnsense-patch https://github.com/opnsense/core/commit/9a80c6ddb29

This should make it behave as before on 25.7.x, best done with a reboot right after apply.

If that's the case we found a very old bug in dhcp6c.


Cheers,
Franco
#13
26.1 Series / Re: 26.1.rc1 -> 26.1 rc2 ..... worked
January 26, 2026, 12:43:26 PM
Nice, if you can try a reboot since it's currently not forced and hostwatch and dhcp6c will not fully restart into their latest version due to this.


Cheers,
Franco
#14
Announcements / OPNsense 26.1-RC2 released
January 26, 2026, 11:57:47 AM
Good morning again,

The second release candidate for 26.1 brings fixes for issues found by
our awesome community.  As an online-only update you need 26.1-RC1 to
install it.

The long-awaited dhcp6c refresh has been included as well as the latest
version for hostwatch addressing the community concerns collected from
25.7.11.

Here are the changes against version 26.1-RC1:

o system: add XMLRPC option for hostwatch
o interfaces: show ISC-DHCPv6 menu in "idassoc6" mode
o interfaces: fix validation issue in "idassoc6" mode
o interfaces: handle hostwatch user/group via package
o interfaces: avoid forced reloads when PDINFO is not set
o firewall: fix 3 issues and improve instructions in rule migration page
o firewall: improve GeoIP alias expiry condition
o firewall: escape selector in rule_protocol
o kea: add libdhcp_host_cmds.so to expose internal API commands for reservations
o kea: allow "hw-address" for reservations
o kea: add pool in subnet validation
o openvpn: account for CARP status in start and restart cases as well
o radvd: remove faulty empty address exception
o lang: various translation updates
o mvc: add ChangeCase support to ProtocolField for DNAT special case
o ports: dhcp6c v20260122
o ports: hostwatch 1.0.9

Migration notes, known issues and limitations:

o ISC-DHCP moves to a plugin. It will be automatically installed during upgrades. It is not installed on new installations because it is not being used, but you can still install and keep using it.
o To accommodate the change away from ISC-DHCP defaults the "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups.
o Due to command line execution safety concerns the historic functions mwexec_bg() and mwexec() will be removed in 26.1.x.  Make sure your custom code is not using them and use mwexecf(), mwexecfb() and mwexecfm() instead.
o The function sessionClose() has also been removed from the MVC code and is no longer needed.  Make sure to remove it from your custom code.
o The custom.yaml support has been removed from intrusion detection.  Please migrate to the newer /usr/local/etc/suricata/conf.d override directory.
o The new host discovery service "hostwatch" is enabled by default (since 25.7.11).  You can always turn it off under Interfaces: Neighbors: Automatic Discovery if you so choose.
o The firewall migration page is not something you need to jump into right away.  Please make yourself familiar with the new rules GUI first and check the documentation for incompatibilities.
o Firewall: NAT: Port Forwarding is now called "Destination NAT".  Firewall rule associations are no longer supported, but the old associated firewall rules remain in place with their last known configuration and can now be edited to suit future needs.

Please let us know about your experience!


Stay safe,
Your OPNsense team
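
An added example, not part of the announcement and not OPNsense code: one way to check custom PHP code for the functions the migration notes above list as removed (mwexec(), mwexec_bg(), sessionClose()) without flagging the mwexecf() family. The sample source, the function names find_removed_calls/scan_tree and the comment handling are assumptions of this sketch; comment detection is a heuristic, so a call in a trailing comment is still reported.

```python
import re
from pathlib import Path

# Names the migration notes list as removed, with the advice given there.
EXEC = "use mwexecf(), mwexecfb() or mwexecfm()"
REMOVED = {"mwexec": EXEC, "mwexec_bg": EXEC, "sessionClose": "remove the call"}
# Longest name first; requiring "(" right after keeps mwexecf()/mwexecfb() out.
CALL = re.compile(r"(?<![A-Za-z0-9_])(%s)\s*\("
                  % "|".join(sorted(REMOVED, key=len, reverse=True)))
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def find_removed_calls(source):
    """Return (line, name, advice) for each call to a removed function."""
    # Blank out /* ... */ but keep newlines so line numbers stay correct.
    source = BLOCK_COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#")):
            continue  # whole-line comment
        for m in CALL.finditer(line):
            if line[:m.start()].rstrip().endswith("function"):
                continue  # a definition, not a call
            hits.append((lineno, m.group(1), REMOVED[m.group(1)]))
    return hits

def scan_tree(root):
    """Scan *.php and *.inc files under root; map path -> list of hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in (".php", ".inc"):
            hits = find_removed_calls(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample of custom plugin code (not taken from OPNsense).
SAMPLE = """<?php
// old helper: mwexec("/bin/true");
mwexec("/sbin/ifconfig " . $ifname . " up");
mwexec_bg("/usr/local/bin/sync.sh");
mwexecf('/sbin/ifconfig %s up', [$ifname]);
/* mwexec("disabled");
 */
$this->sessionClose();
mwexecfb('/usr/local/bin/sync.sh');
"""

if __name__ == "__main__":
    for lineno, name, advice in find_removed_calls(SAMPLE):
        print(f"line {lineno}: {name}() -> {advice}")
```

Point scan_tree() at the directory holding your own plugin or hook code; each hit is a line to migrate before 26.1.x drops the function.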
#15
26.1 Series / Re: Upgrade to RC1 successful
January 26, 2026, 11:46:17 AM
@meyergru haven't forgotten the talk about NAT rule association edits but it's not in RC2 since I need to look at it and RC2 should be out in a few minutes already for further feedback.  I did https://github.com/opnsense/core/commit/6c10a1cb which unhides the edit button but the edit page also has glue regarding that so I need a bit more time to prepare.


Cheers,
Franco