Messages

Ok, fair. The menu part is https://github.com/opnsense/core/commit/e1325c5d4 .. the previous refactor wasn't needed there apparently but let's make it explicit for both modes.

The plugin side is clear but I'll push a patch tomorrow morning when I can verify it since the patch is a bit longer due to all the exceptions.


Cheers,
Franco

Worth creating a ticket about then :)

No, that's not something we're considering at the moment.


Cheers,
Franco

It's likely, but I'm not sure which version.  We're at 1.0.9 now which goes into RC2 tomorrow and then we'll decide.


Cheers,
Franco

Yep, RC2 on Monday. There have been a few nice reports in that area. Exactly what the RCs are for.  :)


Cheers,
Franco

I was under the impression this has been documented for a while and yielded no extensive feedback...

https://docs.opnsense.org/manual/firewall_automation.html#processing-order

Not sure if and how this will fundamentally change.  "Automation" rules are already used in production environments by many users and from support experience setups can have a few thousand rules which are easy to administer and perform nicely (compared to the old rules pages where this is not the case as much).


Cheers,
Franco

No, Identity association mode is a trick that enforces "Allow manual adjustment of DHCPv6 and Router Advertisements" so you can still use RA and DHCPv6, but only if configured manually. You can also mix and match the Track interface mode and the new one for LANs.

The relevant patches illustrates this clearly for reference:

https://github.com/opnsense/core/commit/f8da6e147b2
https://github.com/opnsense/core/commit/e790033253c


Cheers,
Franco

Correct, you can read about support tiers here https://docs.opnsense.org/support.html#supplemental-tier-2

There are no plans to remove either this year so they will keep working. If a problem appears with them (like a major OpenVPN update) it's likely the legacy plugin will not be updated until that is shipped for the MVC version in core, which could introduce incompatibilities for example.

At some point we will make an inventory for feature parity and when there's enough overlap we will let go of the old plugins (maybe 2027, 2028, who knows yet). The tier switch is an encouragement to move to the new core GUI and report issues and missing features to reach for feature parity (as far as that's possible or wanted for a couple of reasons like design, security and robustness).


Cheers,
Franco

No problem. The advanced rules are relatively hidden for mostly good reasons and the Kea documentation on our side is not all that complete, see

https://docs.opnsense.org/manual/kea.html

where the option is not mentioned (yet).


Cheers,
Franco

Sorry, I can't find your PM in my inbox.

> This does very much seem like a validation error.

It is, but I'm wondering if this is new since 25.7.11 or if it was there before. I tried to keep the state of 25.7.x compatible with 26.1 although there's clearly a refactor there that could have caused it but it uses the same code as before.

If you have a custom dhcp6c.conf also by some means the validation error doesn't even effect your setup since it only tries to validate what goes into dhcp6c.conf to avoid a syntax error.

But again I may have missed something and I'd really appreciate the interface dump so it can be fixed before 26.1 is out. You can also send via mail to franco AT opnsense DOT org


Thanks,
Franco

Hi again,

In subnets under advanced settings, see https://github.com/opnsense/core/commit/65bd273b33

It was added in 25.1.7 so many months ago :)


Cheers,
Franco

Hi,

I'm not entirely sure what config you use and what the scripting looks like but I'm working on better PD selection, see

https://github.com/opnsense/core/commit/52018a0260

Patch does not readily apply at the moment but once 26.1 comes out I want to make another round of testing.

If you can privately dump the output of "pluginctl -g interfaces" for your config that produces the error I can try to see if that is expected given the constraints or if there is a new bug with the validation.

That being said in the new patch you can (optionally) select different PDs for each interface.  The author of the ticket https://github.com/opnsense/core/issues/7647 also uses AT&T.


Cheers,
Franco

Thanks for testing. At first glance I don't see much except the NFS4 which may add more RAM consumption. That would heavily depend on the network traffic that your Suricata is seeing anyway, perhaps also related to the rulesets being used. In any case if it is 8.0.3 it's not a widespread phenomenon.

https://redmine.openinfosecfoundation.org/versions/227


Cheers,
Franco

Since Sam mentioned it we've made the GUI consistent https://github.com/opnsense/plugins/commit/14a130188

But more tools are certainly nice :)


Thanks,
Franco

@OPNenthu https://github.com/opnsense/hostwatch/issues/7

@iMx might be room for disabling it on Nano images and adding a wizard option for it. In any case we'll add a migration note. Disabling this manually is not an inconvenience IMO.


Cheers,
Franco