Messages - Noci

#1
26.1 Series / Static route issue
March 16, 2026, 11:28:17 PM
I had some trouble with a system that used to be routed using a static route or firewall rule with gateway.

This doesn't work anymore with 26.1.

Static routes are not added, as a check with netstat -rn shows.
Adding a route with route add destination internal-IP-address then DOES work...

I have an address block... one of the addresses (PUB-1) is handling all NATted ports. Usual NAT rules apply, works no problem.
Another address is routed through....

This used to be a static route:  IP address = PUB-2, with gateway 192.168.x.10
The system on 192.168.x.10 has the PUB-2 address as default and 192.168.x.10 as an alias.

On previous versions this was no problem.  Current version fails to add the route needed.

Also adding a rule in the firewall with a gateway added does not work.
There is a reason for NOT using NAT..., it helps when some systems have the public address on the local system, due to software/protocol limitations.
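The check described in this post (looking in netstat -rn for the static route to PUB-2 via the internal gateway) as an added, stand-alone example; this is not code from the post or from OPNsense. The routing-table text below is constructed in the shape of FreeBSD's netstat -rn output, and the addresses (203.0.113.50 for PUB-2, 192.168.1.10 for the 192.168.x.10 gateway) are placeholders.

```python
# Constructed sample in the shape of FreeBSD `netstat -rn` IPv4 output.
# The expected static route (PUB-2 via the internal host) is deliberately
# absent here, mirroring the failure reported for 26.1.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         vtnet0
127.0.0.1          link#2             UH            lo0
192.168.1.0/24     link#1             U           vtnet1
192.168.1.10       link#1             UHS         vtnet1
"""


def parse_routes(text):
    """Parse the IPv4 section of netstat -rn into {destination: {...}}."""
    routes = {}
    in_ipv4 = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_ipv4 = True
            continue
        if line.startswith("Internet6:"):
            break  # stop at the IPv6 table
        if not in_ipv4 or not line.strip() or line.startswith("Destination"):
            continue
        parts = line.split()
        if len(parts) < 4:
            continue
        routes[parts[0]] = {"gateway": parts[1], "flags": parts[2], "netif": parts[3]}
    return routes


def route_present(routes, destination, gateway):
    """True only if `destination` has its own gateway entry (flag G) via `gateway`;
    a default route covering the prefix does not count as the static route."""
    entry = routes.get(destination)
    return entry is not None and entry["gateway"] == gateway and "G" in entry["flags"]


def missing_static_routes(routes, expected):
    """Return the (destination, gateway) pairs from `expected` the table lacks."""
    return [(d, g) for d, g in expected if not route_present(routes, d, g)]


if __name__ == "__main__":
    wanted = [("203.0.113.50", "192.168.1.10")]
    print("missing:", missing_static_routes(parse_routes(SAMPLE_NETSTAT), wanted))
```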
#2
They do become visible under inspection, then again in the drop-down selector "all rules" only shows the non-automatic ones.
Whereas the "inspect button" mentions "all rules" to mean including automatic ones, including an extra column with a counter.
Could have been more clear though.
#3
Where did the automatic rules end up?
Those that were installed by e.g. CrowdSec etc.

I do use floating rules that are generic for ALL interfaces, it could be replaced by a group that has ALL interfaces in it if it needs to be.
That would require an ALL interface group to be applied first I guess, and requires an ordering on group names in the rules section.
#4
26.1 Series / Re: Old rules deprecation
January 31, 2026, 11:38:03 PM
Feedback on New Rule interface...
Looks nice, needs a bit of getting acquainted I guess.

Two issues that could be handled better.
1) During export old, import new there was one error: interface lo0..? rule. I deleted that one as I see no reason for a rule filtering traffic on lo0. Apparently it doesn't exist in 26.1 anymore.

2) There is an error either in export or import of rules with HTML encoding. All rules having special signs like > are different.
Allow Float -> ICMP out      changed into    Allow Float -> ICMP out
If exporting uses HTML safe data, then import should as well.

https://github.com/opnsense/core/issues/9694
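The round-trip property this post asks for (export HTML-escapes the description, import must unescape it again) as an added example; this is not OPNsense code and the rule records below are a constructed, hypothetical shape, not the real export format. It contrasts an importer that forgets to unescape with one that does, and includes a check that spots descriptions still carrying entities such as &gt; after import.

```python
import html
import json

# Constructed sample rules; the first one is the description from the post.
SAMPLE_RULES = [
    {"description": "Allow Float -> ICMP out"},
    {"description": 'Block <bogon> & "quoted" src'},
    {"description": "Plain rule"},
]


def export_rules(rules):
    """Exporter that stores HTML-safe descriptions (special signs escaped)."""
    safe = [{**r, "description": html.escape(r["description"])} for r in rules]
    return json.dumps(safe)


def import_rules_naive(blob):
    """Importer that does not undo the escaping: '&gt;' ends up as literal text."""
    return json.loads(blob)


def import_rules_fixed(blob):
    """Importer that reverses the exporter's escaping, restoring '>' etc."""
    return [{**r, "description": html.unescape(r["description"])}
            for r in json.loads(blob)]


def find_mangled(rules):
    """Descriptions that still contain HTML entities after import."""
    return [r["description"] for r in rules
            if html.unescape(r["description"]) != r["description"]]


def roundtrip_ok(rules, importer):
    """True when importer(export(rules)) gives back exactly the original rules."""
    return importer(export_rules(rules)) == rules


if __name__ == "__main__":
    print("naive:", roundtrip_ok(SAMPLE_RULES, import_rules_naive))
    print("fixed:", roundtrip_ok(SAMPLE_RULES, import_rules_fixed))
```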
#5
Quote from: franco on January 31, 2026, 02:36:02 PM
Can't fix that. This and other things are unavoidable when enabling the FreeBSD repository.

Cheers,
Franco
What needs to be disabled?
#6
This might have been the result of installing zenarmor... :-(
#7
Only thing left I cannot resolve is this message... which looks like an annoyance, not a problem.

pkg: warning: database version 37 is newer than libpkg(3) version 36, but still compatible
#8
That worked out:

Type opnsense
Version 26.1_4
Architecture amd64
Commit 889098cfa
Mirror https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Repositories OPNsense (Priority: 11)
Updated on Fri Jan 30 22:40:46 CET 2026
Checked on N/A
#9
Reinstall didn't work. So now I try:

# pkg install --force pkg-2.3.1_1
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be DOWNGRADED:
        pkg: 2.5.1 -> 2.3.1_1

Number of packages to be downgraded: 1

The process will require 2 MiB more space.

Proceed with this action? [y/N]: y
[1/1] Downgrading pkg from 2.5.1 to 2.3.1_1...
[1/1] Extracting pkg-2.3.1_1: 100%
#10
It took a little bit longer.

***GOT REQUEST TO UPGRADE***
Currently running OPNsense 25.7.11_9 (amd64) at Fri Jan 30 22:12:43 CET 2026
Fetching packages-26.1-amd64.tar: ............ done
Fetching base-26.1-amd64.txz: .... done
Fetching kernel-26.1-amd64.txz: ... done
Extracting packages-26.1-amd64.tar... done
Extracting base-26.1-amd64.txz... done
Extracting kernel-26.1-amd64.txz... done
Please reboot.
>>> Invoking upgrade script 'sanity.sh'
The Package manager "pkg" is incompatible and needs a reinstall.
>>> Error in upgrade script '10-sanity.sh'
>>> Invoking upgrade script 'isc-dhcp-plugin.sh'
Skipping already installed legacy ISC-DHCP plugin...
>>> Invoking upgrade script 'cleanup.sh'
The upgrade was aborted due to an error.
***DONE***
# pkg info pkg
pkg-2.5.1
Name          : pkg
Version        : 2.5.1
Installed on  : Fri Jan 23 00:52:37 2026 CET
Origin        : ports-mgmt/pkg
Architecture  : FreeBSD:14:amd64
Prefix        : /usr/local
Categories    : ports-mgmt
Licenses      : BSD2CLAUSE
Maintainer    : pkg@FreeBSD.org
WWW            : https://github.com/freebsd/pkg
Comment        : Package manager
Options        :
        DOCS          : on
Shared Libs required:
        libarchive.so.7
        libc.so.7
        libcrypto.so.30
        libelf.so.2
        libjail.so.1
        libm.so.5
        libssl.so.30
        libthr.so.3
        libutil.so.9
        libz.so.6
Shared Libs provided:
        libpkg.so.4
Annotations    :
        FreeBSD_version: 1403000
        build_timestamp: 2026-01-15T01:04:23+0000
        built_by      : poudriere-git-3.4.4-15-g61aba751
        port_checkout_unclean: no
        port_git_hash  : 9514ac9990434680c9394df1a07b7b7469198293
        ports_top_checkout_unclean: no
        ports_top_git_hash: 9514ac9990434680c9394df1a07b7b7469198293
        repo_type      : binary
        repository    : FreeBSD
Flat size      : 23.6MiB
Description    :
Package management tool
#11
Ok

***GOT REQUEST TO REINSTALL***
Currently running OPNsense 25.7.11_9 (amd64) at Fri Jan 30 22:10:22 CET 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following packages will be fetched:

New packages to be FETCHED:
   pkg: 2.3.1_1 (6 MiB: 100.00% of the 6 MiB to download)

Number of packages to be fetched: 1

The process will require 6 MiB more space.
6 MiB to be downloaded.
Fetching pkg-2.3.1_1: .......... done
pkg-2.5.1: already unlocked
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***

Try again.
#12
Well that stops quickly.
Copy paste from the status window.

***GOT REQUEST TO UPGRADE***
Currently running OPNsense 25.7.11_9 (amd64) at Fri Jan 30 20:31:26 CET 2026
Fetching packages-26.1-amd64.tar: ............. done
Fetching base-26.1-amd64.txz: ..... done
Fetching kernel-26.1-amd64.txz: ... done
Extracting packages-26.1-amd64.tar... done
Extracting base-26.1-amd64.txz... done
Extracting kernel-26.1-amd64.txz... done
Please reboot.
>>> Invoking upgrade script 'sanity.sh'
The Package manager "pkg" is incompatible and needs a reinstall.
>>> Error in upgrade script '10-sanity.sh'
>>> Invoking upgrade script 'isc-dhcp-plugin.sh'
Installing legacy ISC-DHCP plugin for compatibility...
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
   os-isc-dhcp: 0.1

Number of packages to be installed: 1

883 B to be downloaded.
[1/1] Fetching os-isc-dhcp-0.1: . done
Checking integrity... done (0 conflicting)
[1/1] Installing os-isc-dhcp-0.1...
[1/1] Extracting os-isc-dhcp-0.1: . done
Checking integrity... done (0 conflicting)
Nothing to do.
>>> Invoking upgrade script 'cleanup.sh'
The upgrade was aborted due to an error.
***DONE***
#13
It still generates an invalid QR-code. Still in 25.7.10

The QR-code should be plain text... Not markup format.
The generated code is for addresses a (address)[URL] pair...? with URL = http://address instead of just the address.
If there is a blank in the string, two links with multiple addresses; if there is a , between them, ONE link for both addresses (DNS entries e.g.).
like in addr1, addr2 => (addr1)[URL1], (addr2)[URL2]
and addr1,addr2 => (addr1,addr2)[URL3]   Where URL3 = http://addr1,addr2/
#14
25.7, 25.10 Series / Re: wireguard not passing traffic?
October 28, 2025, 08:58:32 PM
The issue always was on the OPNsense router; all phones, tablets and a mobile WiFi router were unable to communicate.
The phone OSes are: GrapheneOS, tablets are Samsung & GrapheneOS, the router uses OpenWrt.

On the OPNsense router regularly restarting WireGuard fixes that. (It causes other issues...) so not perfect.
The cause is related to somehow the routes through the tunnels getting dropped / packets being sent to the WAN interface WITHOUT NAT.
#15
The SOURCE NAT... SHOULD NOT HAPPEN.
As the source NAT will hide the actual response.
It is not explicitly configured for source NAT on the LAN interface.
There are source NATs in the system; those are all constrained to the source ranges (except for traffic leaving the WAN interface for IPv4, those are the automatic rules).

There are other NAT issues with OPNsense 25.7: WireGuard traffic does NOT get its SOURCE NAT on the WAN interface after a *while* for packets. Regular restart of the WireGuard service will mitigate this (every few hours).

BTW, a different question is how to exclude 2 interfaces from the 8 internal interfaces from the automatic rule... other than creating 6 rules by hand.