Messages - Noci

#1
Where did the automatic rules end up?
Those that were installed by e.g. CrowdSec etc.

I do use floating rules that are generic for ALL interfaces; it could be replaced by a group that has ALL interfaces in it if it needs to be.
That would require an ALL interface group to be applied first, I guess, and requires an ordering on group names in the rules section.
#2
26.1 Series / Re: Old rules deprecation
January 31, 2026, 11:38:03 PM
Feedback on New Rule interface...
Looks nice, needs a bit of getting acquainted i guess.

Two issues that could be handled better.
1) During export old, import new there was one error: interface lo0..? rule. I deleted that one as I see no reason for a rule filtering traffic on lo0. Apparently it doesn't exist in 26.1 anymore.

2) There is an error either in export or import of rules with HTML encoding. All rules having special signs like > are different.
Allow Float -> ICMP out      changed into    Allow Float -> ICMP out
If exporting uses HTML safe data, then import should as well.

https://github.com/opnsense/core/issues/9694
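The asymmetry described in post #2 (rule descriptions HTML-escaped on export but stored verbatim on import) can be reproduced and checked with a small round-trip test. This is an added example, not code from the post or from OPNsense; the exporter, importer and rule names are constructed to model the reported behaviour, and the JSON shape is an assumption.

```python
import html
import json

# Constructed sample rule descriptions; the first one mirrors the post's "Allow Float -> ICMP out".
RULE_DESCRIPTIONS = [
    "Allow Float -> ICMP out",
    "Block <LAN> to WAN & DMZ",
    "Plain rule",
]


def export_rules(descriptions):
    """Hypothetical exporter that HTML-escapes every description (the asymmetry the post reports)."""
    return json.dumps([{"descr": html.escape(d)} for d in descriptions])


def import_rules_naive(payload):
    """Hypothetical importer that stores the escaped text as-is: '>' ends up stored as '&gt;'."""
    return [r["descr"] for r in json.loads(payload)]


def import_rules_symmetric(payload):
    """Corrected importer: undo the exporter's escaping before storing the rule."""
    return [html.unescape(r["descr"]) for r in json.loads(payload)]


def round_trip_mismatches(descriptions, importer):
    """Export then import with the given importer; return (original, restored) pairs that differ."""
    restored = importer(export_rules(descriptions))
    return [(orig, got) for orig, got in zip(descriptions, restored) if orig != got]


def looks_double_encoded(stored_text):
    """Check on an already-stored rule: if unescaping still changes it, entities were imported verbatim."""
    return html.unescape(stored_text) != stored_text


if __name__ == "__main__":
    for name, importer in (("naive", import_rules_naive), ("symmetric", import_rules_symmetric)):
        print(name, round_trip_mismatches(RULE_DESCRIPTIONS, importer))
```

The naive importer reports every description that contains `<`, `>` or `&` as changed, while the symmetric importer reports none; `looks_double_encoded` is the check to run over rule descriptions after an import to find entries that need repair.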
#3
Quote from: franco on January 31, 2026, 02:36:02 PM
Can't fix that. This and other things are unavoidable when enabling the FreeBSD repository.

Cheers,
Franco

What needs to be disabled?
#4
This might have been the result of installing zenarmor... :-(
#5
Only thing left i cannot resolve is this message... which looks like an annoyance not a problem.

pkg: warning: database version 37 is newer than libpkg(3) version 36, but still compatible
#6
That worked out:

Type opnsense
Version 26.1_4
Architecture amd64
Commit 889098cfa
Mirror https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Repositories OPNsense (Priority: 11)
Updated on Fri Jan 30 22:40:46 CET 2026
Checked on N/A
#7
Reinstall didn't work. So now I try:

# pkg install --force pkg-2.3.1_1
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be DOWNGRADED:
        pkg: 2.5.1 -> 2.3.1_1

Number of packages to be downgraded: 1

The process will require 2 MiB more space.

Proceed with this action? [y/N]: y
[1/1] Downgrading pkg from 2.5.1 to 2.3.1_1...
[1/1] Extracting pkg-2.3.1_1: 100%
#8
It took a little bit longer.

***GOT REQUEST TO UPGRADE***
Currently running OPNsense 25.7.11_9 (amd64) at Fri Jan 30 22:12:43 CET 2026
Fetching packages-26.1-amd64.tar: ............ done
Fetching base-26.1-amd64.txz: .... done
Fetching kernel-26.1-amd64.txz: ... done
Extracting packages-26.1-amd64.tar... done
Extracting base-26.1-amd64.txz... done
Extracting kernel-26.1-amd64.txz... done
Please reboot.
>>> Invoking upgrade script 'sanity.sh'
The Package manager "pkg" is incompatible and needs a reinstall.
>>> Error in upgrade script '10-sanity.sh'
>>> Invoking upgrade script 'isc-dhcp-plugin.sh'
Skipping already installed legacy ISC-DHCP plugin...
>>> Invoking upgrade script 'cleanup.sh'
The upgrade was aborted due to an error.
***DONE***



# pkg info pkg
pkg-2.5.1
Name          : pkg
Version        : 2.5.1
Installed on  : Fri Jan 23 00:52:37 2026 CET
Origin        : ports-mgmt/pkg
Architecture  : FreeBSD:14:amd64
Prefix        : /usr/local
Categories    : ports-mgmt
Licenses      : BSD2CLAUSE
Maintainer    : pkg@FreeBSD.org
WWW            : https://github.com/freebsd/pkg
Comment        : Package manager
Options        :
        DOCS          : on
Shared Libs required:
        libarchive.so.7
        libc.so.7
        libcrypto.so.30
        libelf.so.2
        libjail.so.1
        libm.so.5
        libssl.so.30
        libthr.so.3
        libutil.so.9
        libz.so.6
Shared Libs provided:
        libpkg.so.4
Annotations    :
        FreeBSD_version: 1403000
        build_timestamp: 2026-01-15T01:04:23+0000
        built_by      : poudriere-git-3.4.4-15-g61aba751
        port_checkout_unclean: no
        port_git_hash  : 9514ac9990434680c9394df1a07b7b7469198293
        ports_top_checkout_unclean: no
        ports_top_git_hash: 9514ac9990434680c9394df1a07b7b7469198293
        repo_type      : binary
        repository    : FreeBSD
Flat size      : 23.6MiB
Description    :
Package management tool
#9
Ok

***GOT REQUEST TO REINSTALL***
Currently running OPNsense 25.7.11_9 (amd64) at Fri Jan 30 22:10:22 CET 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following packages will be fetched:

New packages to be FETCHED:
   pkg: 2.3.1_1 (6 MiB: 100.00% of the 6 MiB to download)

Number of packages to be fetched: 1

The process will require 6 MiB more space.
6 MiB to be downloaded.
Fetching pkg-2.3.1_1: .......... done
pkg-2.5.1: already unlocked
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***

try again.
#10
Well that stops quickly.
Copy paste from the status window.

***GOT REQUEST TO UPGRADE***
Currently running OPNsense 25.7.11_9 (amd64) at Fri Jan 30 20:31:26 CET 2026
Fetching packages-26.1-amd64.tar: ............. done
Fetching base-26.1-amd64.txz: ..... done
Fetching kernel-26.1-amd64.txz: ... done
Extracting packages-26.1-amd64.tar... done
Extracting base-26.1-amd64.txz... done
Extracting kernel-26.1-amd64.txz... done
Please reboot.
>>> Invoking upgrade script 'sanity.sh'
The Package manager "pkg" is incompatible and needs a reinstall.
>>> Error in upgrade script '10-sanity.sh'
>>> Invoking upgrade script 'isc-dhcp-plugin.sh'
Installing legacy ISC-DHCP plugin for compatibility...
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
   os-isc-dhcp: 0.1

Number of packages to be installed: 1

883 B to be downloaded.
[1/1] Fetching os-isc-dhcp-0.1: . done
Checking integrity... done (0 conflicting)
[1/1] Installing os-isc-dhcp-0.1...
[1/1] Extracting os-isc-dhcp-0.1: . done
Checking integrity... done (0 conflicting)
Nothing to do.
>>> Invoking upgrade script 'cleanup.sh'
The upgrade was aborted due to an error.
***DONE***


#11
It still generates an invalid QR code. Still in 25.7.10.

The QR code should be plain text... Not Markup format.
The generated code is for addresses a (address)[URL] pair...? with URL = http://address instead of just the address.
If there is a blank in the string, two links with multiple addresses; if there is a , between them, ONE link for both addresses (DNS entries, e.g.).
like in addr1, addr2   => (addr1)[URL1], (addr2)[URL2]
and addr1,addr2 => (addr1,addr2)[URL3]    Where URL3= http://addr1,addr2/
#12
25.7, 25.10 Series / Re: wireguard not passing traffic?
October 28, 2025, 08:58:32 PM
The issue always was on the OpnSense router, all phones, tablets and a mobile WiFi router were unable to communicate.
The Phone OS's are: GrapheneOS, tablets are Samsung & GrapheneOS, router uses OpenWRT.

On the OpnSense router regularly restarting wireguard fixes that. (It causes other issues...) so not perfect.
The cause is related to somehow the routes through the tunnels getting dropped / packets being sent to the WAN interface WITHOUT NAT.
#13
The SOURCE NAT, ... SHOULD NOT HAPPEN.
As the Source NAT will hide the actual response.
It is not explicitly configured for source NAT on the LAN interface.
There are source NATs in the system; those are all constrained to the source ranges (except for traffic leaving the WAN interface for IPv4, those are the automatic rules).

There are other NAT issues with OpnSense 25.7: Wireguard traffic does NOT get its SOURCE NAT on the WAN interface after a *while* for packets. Regular restart of the Wireguard service will mitigate this (every few hours).

BTW different question is how to exclude 2 interfaces from the 8 internal interfaces from the automatic rule... other than creating 6 rules by hand
#14
I think i found part of the issue......
outside:
51   108.436969   X   1.1.1.1   TCP   44   52439 → 80 [SYN] Seq=0 Win=0 Len=0
52   108.437547   185.93.175.230   X   ICMP   60   Time-to-live exceeded (Time to live exceeded in transit)


13   91.725489   192.168.7.72   1.1.1.1   TCP   56   41611 → 80 [SYN] Seq=0 Win=0 Len=0
14   91.725573   192.168.7.1   192.168.7.72   ICMP   82   Time-to-live exceeded (Time to live exceeded in transit)

The ICMP does enter the system...; it gets NATted or the source is morphed.
The changed source address probably is the issue....
Question: what is the cause?
#15
Outgoing port 80 is open to anywhere so that is not the blocking factor.
The client in question has no filters when on the home network (Linux client).
A curl request instantly returns an answer. It more or less looks like either ICMP is not matched or only matured (SYN - SYN/ACK - ACK) is considered.
# tcptraceroute 1.1.1.1
Selected device wlp45s0, address 192.168.7.72, port 33297 for outgoing packets
Tracing the path to 1.1.1.1 on TCP port 80 (http), 30 hops max
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  one.one.one.one (1.1.1.1) [open]  4.402 ms  4.013 ms  4.058 ms
# curl http://1.1.1.1/
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare</center>
</body>
</html>

I'll check what the firewall log tells me.
BTW tcptraceroute is not limited to port 80 any port can be specified....
It has helped me in the past where someone had routing for IMAP/IMAPS differing, causing IMAPS to fail.
(IMAP was forwarded to a dovecot server, the IMAPS ended up on their webserver).
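The comparison made by eye in posts #14 and #15 (the ICMP Time-to-live exceeded reply arrives on the outside from 185.93.175.230 but shows up on the inside with the router's own address 192.168.7.1 as source) can be turned into a repeatable check over capture summary lines. This is an added example, not code from the posts or from OPNsense; the two captures are constructed from the rows quoted in post #14, with "X" kept as the post's placeholder for the WAN address, and the column layout (number, time, source, destination, protocol, length, info, separated by two or more spaces) is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed from the rows quoted in post #14: one capture on the WAN side, one on the LAN side.
OUTSIDE_CAPTURE = """
51   108.436969   X   1.1.1.1   TCP   44   52439 → 80 [SYN] Seq=0 Win=0 Len=0
52   108.437547   185.93.175.230   X   ICMP   60   Time-to-live exceeded (Time to live exceeded in transit)
"""

INSIDE_CAPTURE = """
13   91.725489   192.168.7.72   1.1.1.1   TCP   56   41611 → 80 [SYN] Seq=0 Win=0 Len=0
14   91.725573   192.168.7.1   192.168.7.72   ICMP   82   Time-to-live exceeded (Time to live exceeded in transit)
"""


@dataclass
class Frame:
    number: int
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str


def parse_summary(text):
    """Parse capture summary lines whose columns are separated by two or more spaces (assumed layout)."""
    frames = []
    for line in text.strip().splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 7:
            continue  # skip anything that is not a seven-column summary row
        number, time, src, dst, proto, length, info = parts[:7]
        frames.append(Frame(int(number), float(time), src, dst, proto, int(length), info))
    return frames


def ttl_exceeded_sources(frames):
    """Source addresses of ICMP Time-to-live exceeded frames, in capture order."""
    return [f.src for f in frames if f.proto == "ICMP" and "Time-to-live exceeded" in f.info]


def compare_icmp_sources(outside_text, inside_text):
    """Report whether the ICMP error source seen inside matches the one seen outside the router."""
    outside = ttl_exceeded_sources(parse_summary(outside_text))
    inside = ttl_exceeded_sources(parse_summary(inside_text))
    return {
        "outside_sources": outside,
        "inside_sources": inside,
        "source_rewritten": outside != inside,
    }


if __name__ == "__main__":
    print(compare_icmp_sources(OUTSIDE_CAPTURE, INSIDE_CAPTURE))
```

For the rows in the post the report lists 185.93.175.230 outside and 192.168.7.1 inside and flags `source_rewritten`, which is the observation the posts describe: the hop address in the ICMP error does not survive the crossing, so a tool such as tcptraceroute cannot attribute the hop. Running the same check on captures from both sides of any router is a quick way to confirm or rule out ICMP source rewriting before looking at NAT rules.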