Messages - Netlearn

#1
I also think it's inconsistent: Showing floating and not groups rules seems confusing.

And redundant: "Inspect" button is there exactly for that, and it shows all the relevant rules. Should be one behavior or the other, I suppose.
#3
Have a look at https://forum.opnsense.org/index.php?topic=46990.0

It's a long thread, but it gives deep insight into traffic shaping, so it may be helpful.
#4
Try Alias with

Type > Host(s)

Content > The IP addresses of the devices you want to block as:
    1.2.3.4
    5.6.7.8
    ...
#5
Quote from: defaultuserfoo on April 22, 2026, 03:20:50 AM
I always read the notes that are being shown when I'm about to update. I don't recall any mentioning of the new rules at all, though my memory isn't what it used to be.

Yet if there had been a suitable warning about the new rules like I suggested in my previous post, I would have remembered it.

It looks like you have not even read my post. There has been a whole lot of mentions to the new rules area, starting with version 26.1. To be clear, I will repeat it again:

Quote from: Netlearn on April 22, 2026, 02:17:58 AM
o The firewall migration page is not something you need to jump into right away.  Please make yourself familiar with the new rules GUI first and check the documentation for incompatibilities.  Single interface from the floating interface will not be considered "floating" in priorities.


Quote from: defaultuserfoo on April 22, 2026, 03:20:50 AM
This just has been handled badly.

Did you absolutely need to migrate to a brand new rules GUI?
Did you check the exported ruleset on a spreadsheet?
Did you have a configuration backup?
Did you have a snapshot?
Did you try it on a test system beforehand?
Did you have a replicate machine to test the changes beforehand?
Do you have a written design of your ruleset?
Maybe it's you that are handling this badly?

Changes usually have some learning curve or adaptation from the user's perspective, but with the new-rules-GUI, you are not forced to change. Just stick to the well-known rules-GUI. On the other hand, the best part of OPNsense is probably its active, participative and fast development, so I don't understand your anger with the devs about something absolutely new, and not forced until (at least) two more years (wow) of development.

You should always have a configuration backup (and best to add a snapshot) for your production firewall. If so, you simply recover the last good config and you are done, until you feel ready for the new-rules-GUI transition.
#6
Please, read the release notes before upgrading. They are posted in a dedicated section of this forum and they are shown to the admin before upgrading, either by GUI or console.

26.1 release notes are from January 28, 2026.

The OP's post is from April 21, 2026.

Meanwhile, in Announcements...


From https://forum.opnsense.org/index.php?topic=50544.0:

o firewall: added a rule migration page (use with care)

Migration notes, known issues and limitations:

o The firewall migration page is not something you need to jump into right away.  Please make yourself familiar with the new rules GUI first and check the documentation for incompatibilities.  Single interface from the floating interface will not be considered "floating" in priorities.
o Firewall: NAT: Port Forwarding is now called "Destination NAT".  Firewall rule associations are no longer supported, but the old associated firewall rules remain in place with their last known configuration and can now be edited to suit future needs.
o Firewall: NAT: Source NAT is from the set of pages formerly known as automation, but Outbound NAT is still the main page for these types of rules.


From https://forum.opnsense.org/index.php?topic=50704.0:

We are very happy with the current state of the new rules GUI and all the
discussions we have had on how it can be further improved.  It is just the
beginning.

o firewall: validate UUID on rules migration import
o firewall: fix overload table setting being written as UUID into pf.conf in new rules GUI
o firewall: local-port field in destination NAT does not support range and well-known name
o firewall: change toggle_log icon to help visibility in new rules GUI
o firewall: add missing schedules support for new rules GUI
o firewall: make statistics column responsive for new rules GUI
o firewall: add link to states and put it first in list in new rules GUI
o firewall: add "any" interface filter option and make it the default


From https://forum.opnsense.org/index.php?topic=50868.0:

o firewall: use local-port as target when specified in destination NAT
o firewall: fix missing reply-to when not specifically set in new rules
o firewall: live view: fix parsing of combined filters stored as converted strings
o firewall: fix group rename in source_net, destination_net and SNAT/DNAT target fields
o firewall: add tcpflags_any in new rules GUI for parity with legacy rules
o firewall: exclude loopback from interface selectpicker in new rules GUI
o firewall: well known ports added to filter rule selection
o firewall: undefined is also "*" in new rules grid
o firewall: add download button for validation errors in rule import


From https://forum.opnsense.org/index.php?topic=51145.0:

o firewall: check for schedules in use in new rules
o firewall: add import/export function and missing lock on set action
o firewall: implement missing ICMP types in new rules GUI (contributed by Bjoern Jakobsen)
o firewall: adjust for parseReplace() for icmp-type "skip"
o firewall: fix NAT rule enabled checks display (contributed by Aaron Rogers)
o firewall: add validation to prevent using both gateway and reply-to in the same rule in new GUI
o firewall: add a command button to open the live log with pre-filled rule ID in new GUI
o firewall: move download and upload commands out of partial into global commands in new GUI
o firewall: reduce complexity in URL hash handling and when using firewall_rule_lookup.php in new GUI


From https://forum.opnsense.org/index.php?topic=51239.0:

o firewall: when repopulating the interface selectpicker, always restore current selection in new rules GUI
o firewall: remove hardcoded colors where possible in new rules GUI
o firewall: fix category colors in new rules GUI
o firewall: merge read of groups and interfaces in new rules GUI
o firewall: make MVC protocol selection match the old rules pages


From https://forum.opnsense.org/index.php?topic=51402.0:

o firewall: fix regression in alias summary not shown in new rules GUI


From https://forum.opnsense.org/index.php?topic=51570.0:

Further UX tweaks reached the new firewall rules GUI

o firewall: adjust sort order in networks and aliases in new rules GUI
o firewall: change sorting to interface/group name and stop caring about counted rules in new rules GUI
o firewall: change category sorting using names instead of counted rules in new rules GUI
o firewall: remove tokenizer from categories and use selectpicker instead  in new rules GUI
#7
I'm not sure if this debate is about the UX on the platform or is drifting more towards the capability of getting the right information. With the overloaded interfaces that (per mention) Reddit, Discourse, etc. have implemented, attention goes easily where the owners want (ads, etc.) while the information passes to a second focus. There are so many distractions that keeping the attention is simply much harder.

Quote from: JamesFrisch on April 18, 2026, 07:46:08 AM
think about the 16y old teenager that gets newly drawn into a topic.

Teenagers have to learn to think. Those mentioned platforms make it just more difficult, starting from the distractions and sometimes confusing interfaces.

Teenagers have to learn to ask the right question. Not only that, but also in the right place and in the right way.

Teenagers have to learn to find information. Overwhelming sites, with useless links, ads, too many (almost always unrelated) images...

Teenagers have to learn to filter information. What is true, useful, and applicable to my current search?

Teenagers have to learn to sort information. Dispersed content is one of the worst realities on those kinds of sites. Others are "content creators" publishing everywhere, pontificating their truth without the proper knowledge, incomplete, unverified, or just wrong.

There are so many things that teenagers have to learn, and so many wrong ways to go for... Nowadays, only a few get to the level of thinking that any old-school graduate had at the end of the studies. And the way information is displayed on the web has something to do with this.

Please, let's try to minimize that narrow-minding process.

Quote from: JamesFrisch on April 18, 2026, 07:46:08 AM
Forums itself are a dying breed.

Maybe or maybe not. While the Big Players are trying to keep their (very profitable) model, what I see is more people trying to get rid of those distractions, filtering ads and trackers, getting tired of sites that offer less-information/more-profitable-content pages, etc. How would the Reddit website look if you removed all the useless content from every single page?

Quote from: JamesFrisch on April 18, 2026, 07:46:08 AM
early 2000 style forum is another friction point.

Absolutely not for me. There is no friction at all about having a clean interface without any non-related content to my reading or search.
Try making a simple search at https://www.scopus.com and see how tons of information can be displayed in a clean and orderly manner. It's just an example.

In my experience, most of the time, the more cluttered a site is, the lower the quantity and quality of information it has. That must be for a reason. And consequently, it is always harder to find.

Going back to the OP's original question: you better ask in Ubiquiti sites and read Ubiquiti docs. Keep in mind that the approach and features of OPNsense and Ubiquiti are very different.
#8
If you are not using IPv6 on OPNsense, you may want to check the option at:

Interfaces > Settings > "Turn off IPv6"
#10
Creating a virtual switch (bridge) that manages the VLANs can be a good approach. Then, the client machines networks can be connected as the user needs with no config inside.
#11
When you create a VLAN in OPNsense, its traffic will always be tagged, so the next hop must be VLAN-aware, either a (virtual)switch or a (virtual)machine. Otherwise, you have the proper Layer 2 segmentation.
#12
I suspect that ISC is retaining the dynamic lease, even after a restart. That is also the behavior you will find in Kea at the moment, but it seems it will have a "Delete lease" button very soon, according to https://github.com/opnsense/core/pull/10019

If you want to migrate from ISC to dnsmasq or Kea, you can export your reserves and import them in the new service. Don't forget to deactivate ISC before activating the new DHCP service. No need to reinstall or re-create a new firewall from scratch.
#13
Assuming that the alias has been created correctly:

Quote from: sigma on April 04, 2026, 05:38:28 PM
interface
      -lan

That implies that the IoT devices reside in the "lan" interface. If they are in a different network, choose accordingly.

Quote from: sigma on April 04, 2026, 05:38:28 PM
direction
      -both

Only direction "in" is needed if you want to prevent the IoT devices accessing outside.

Quote from: sigma on April 04, 2026, 05:38:28 PM
source
      -internet net, internet address

Source should be your IoT devices (the alias you created beforehand).

Quote from: sigma on April 04, 2026, 05:38:28 PM
destination
      -IOT devices (I have set an alias and direct IP)

Destination should be "Any" if you don't want them to communicate outside their network.
#14
General Discussion / Re: Port OPNsense to Linux?
April 05, 2026, 02:54:47 AM
Quote from: meyergru on April 04, 2026, 04:49:42 PM
I nearly fell for it.... April Fools.

I suppose that, too, but found this:

https://www.netgate.com/blog/netgate-releases-pfsense-plus-software-version-26.03

And it says "It lays the foundation for the future of pfSense software, including native Linux support."
#15
Probably, your widget is one-column width. Try expanding it to two columns. That works for me.