Messages - daygle

#1
Quote from: Monviech (Cedrik) on January 27, 2026, 01:38:30 PM
Hello thanks for the report we are looking into it.

Thank you.

Also related, the migration firewall rules import failed due to the same issue. Export of old firewall rules produced alias names rather than UUIDs. The only way I was able to import was to remove the overload table alias names from the CSV.
#2
After upgrading to OPNsense 26.1, PF is refusing to load the ruleset whenever a firewall rule uses rate‑limit / max‑src‑conn‑rate options.
The overload table names appear to be UUIDs, which exceed PF's maximum table‑name length.
This results in PF rejecting the entire ruleset.

Error output:
There were error(s) loading the rules: /tmp/rules.debug:317:
table name 'cc63f2df-3dc0-4fe5-a002-b8e7a2d5ade1' too long

The line in question reads [317]:
pass in quick on igc0 inet proto tcp from {any} to $ssh_ipv4 port {22}
keep state ( max 100 max-src-nodes 50 max-src-conn 20 max-src-states 3
tcp.established 300 max-src-conn-rate 2 /60,
overload <cc63f2df-3dc0-4fe5-a002-b8e7a2d5ade1> flush global )
label "4622edd3-7c20-497c-ba73-8c044b3cfcca" # SSH/RL/IPv4

Multiple similar UUID‑style table names are generated for other rules with rate‑limit settings, and PF rejects all of them.

Steps to reproduce
1. Create a firewall rule (e.g., SSH on WAN)
2. Open Advanced Options
3. Enable - Max src‑conn‑rate and Overload table alias.
4. Apply changes
5. PF fails to load ruleset with "table name too long"

For those who have the same issue - you can remove the overload alias from the rule until a fix has been applied.
#3
Just letting you know that the recent OPNsense 25.7.3 upgrade appears to have broken the 'Intrusion Detection' - 'Download' tab view. I understand that there were improvements to table views.

See attached screenshot.
#4
24.1, 24.4 Legacy Series / Re: Kea DHCP IPv6?
November 08, 2024, 02:37:08 PM
Quote from: franco on November 08, 2024, 08:01:13 AM
https://kasiviswanathanblog.wordpress.com/2017/06/04/dnsmasq-a-simple-dhcpv6-server-for-embedded-devices/

FWIW, Dnsmasq rework moves further into 2025 territory. Just too many other priorities at the moment.


Cheers,
Franco

Thanks @franco.

So given the findings would you suggest reverting back to ISC DHCPv4 and ISC DHCPv6 until further changes are made in 2025?
#5
24.1, 24.4 Legacy Series / Re: Kea DHCP IPv6?
November 07, 2024, 05:40:53 AM
Quote from: franco on September 26, 2024, 08:46:48 PM
No. The idea is:

* DNSmasq DHCP becomes the default DHCP
* ISC DHCP moves to plugins
* Kea DHCP will gain DHCPv6 eventually

The mere fact that Kea is the only maintained effort for HA features will make it stick to the core, but honestly we do not like to see it become the default.


Cheers,
Franco

Am I correct in assuming that DNSmasq only supports IPv4? I am currently using a mix of KEA for IPv4 and ISC DHCPv6.

I guess what I am trying to understand is what will the default for DHCPv6 be? KEA or DNSmasq?
#6
I wanted to reach out suggesting a much needed enhancement to OPNsense and the 'Alerts' section under 'Intrusion Detection'. I am surprised that there is no option to filter logs.

Would love to see this option added. Adding such an option would allow users to filter blocked or alerts within the log.
#7
24.1, 24.4 Legacy Series / Re: Kea DHCP IPv6?
February 01, 2024, 10:45:44 PM
Quote from: franco on February 01, 2024, 05:20:22 PM
Yes, maybe 24.7 if all goes well. We will discuss roadmap stuff in two weeks.


Cheers,
Franco

Excellent, look forward to it. Thanks Franco :)
#8
24.1, 24.4 Legacy Series / Kea DHCP IPv6?
February 01, 2024, 01:28:57 PM
With the implementation of Kea DHCP for IPv4 I was wondering if there were plans to implement Kea DHCP IPv6?
#9
24.1, 24.4 Legacy Series / Re: 24.1 IDS breaks internet
January 31, 2024, 12:52:15 AM
Same issue with me.

After disabling IDS, OPNsense started working again. Hope a fix is developed soon.