I hope I can provide what you need. I'm very new to OPNsense.
Sync is set to only go from master to backup. All changes that would cause an XMLRPC Sync are from the master.
I've confirmed that any firewall rule change wipes most, but not all, categories, not just NAT changes. Simply editing a rule comment, saving - but not applying - is enough.
Between two normal configuration saves, a trivial rule-description edit triggered firewall_rules_edit.php to rewrite the entire Firewall section and erase most category entries.
--- config-before.xml 2025-10-30 18:31:50
+++ config-after.xml 2025-10-30 18:33:38
@@ -1300,7 +1300,7 @@
- <descr>AWS Host Access</descr>
+ <descr>AWS Access</descr>
<direction>in</direction>
<category>LAN Outbound,Client Computers</category>
<quick>1</quick>
@@ -1620,8 +1620,8 @@
- <description>Restored sections (OPNsense.Firewall.Category) of config file</description>
- <time>1761867110.30</time>
+ <description>/firewall_rules_edit.php made changes</description>
+ <time>1761867218.71</time>
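Review bot: the removed <description> line reads "Restored sections (OPNsense.Firewall.Category) of config file", so config-before.xml is the product of a section restore, not of an ordinary GUI save. State that in the report, and say whether the categories also disappear when the baseline revision comes from a normal save, so the restore step can be ruled in or out as a precondition.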
@@ -5200,7 +5200,7 @@
- <Category version="1.0.0" persisted_at="1761862180.86">
+ <Category version="1.0.0" persisted_at="1761867218.63">
<categories>
<category uuid="xxxxxxx-...">
<name>SYNC</name>
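Review bot: the new persisted_at on the + line (1761867218.63) falls 0.08 s before the revision <time> 1761867218.71 in the previous hunk, so the Category node was written again in the same save as the rule edit. Spell that out in the report, and note whether an XMLRPC sync ran in that window, so readers do not attribute the rewrite to a later job.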
@@ -5210,40 +5210,10 @@
- <category uuid="...">
- <name>Networks</name>
- </category>
- <category uuid="...">
- <name>VPN</name>
- </category>
- <category uuid="...">
- <name>ICMP</name>
- </category>
<category uuid="...">
<name>TCP Ports</name>
</category>
<category uuid="...">
<name>Firewall</name>
</category>
- <category uuid="...">
- <name>Apple Devices</name>
- </category>
- <category uuid="...">
- <name>Garage Door Devices</name>
- </category>
- <category uuid="...">
- <name>TV & Streaming</name>
- </category>
<category uuid="...">
<name>Client Computers</name>
</category>
<category uuid="...">
<name>Peripherals</name>
</category>
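Review bot: the header @@ -5210,40 +5210,10 @@ declares 40 old and 10 new lines, but the hunk shows 30 old and 12 new, and every uuid is elided as "...", so this excerpt has been trimmed by hand. Attach the untrimmed hunk, or at least the full list of removed and surviving category names with their uuids, so the surviving set can be compared against the category names that rules such as the one in the first hunk still reference.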
The only intentional change was a rule description (AWS Host Access → AWS Access). The GUI save was performed via /firewall_rules_edit.php. Immediately after saving, the <OPNsense><Firewall><Category> node was rewritten. Dozens of category entries vanished—only 5–6 remained.
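A way to check two config backups for this kind of loss, as an added example that is not part of the original post and is not OPNsense code: it lists category entries present before and missing after, and rules whose comma-separated `<category>` field names a category that is no longer defined. The sample XML is constructed, and treating every `<rule>` element as a rule that may carry categories is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not the poster's files); element layout follows the diff above.
BEFORE = """<opnsense>
  <filter>
    <rule><descr>AWS Host Access</descr><category>LAN Outbound,Client Computers</category></rule>
    <rule><descr>Allow ping</descr><category>ICMP</category></rule>
  </filter>
  <OPNsense><Firewall><Category version="1.0.0"><categories>
    <category uuid="c-1"><name>LAN Outbound</name></category>
    <category uuid="c-2"><name>Client Computers</name></category>
    <category uuid="c-3"><name>ICMP</name></category>
    <category uuid="c-4"><name>VPN</name></category>
  </categories></Category></Firewall></OPNsense>
</opnsense>"""

# Constructed "after" state: one description edited, three category entries gone.
AFTER = """<opnsense>
  <filter>
    <rule><descr>AWS Access</descr><category>LAN Outbound,Client Computers</category></rule>
    <rule><descr>Allow ping</descr><category>ICMP</category></rule>
  </filter>
  <OPNsense><Firewall><Category version="1.0.0"><categories>
    <category uuid="c-2"><name>Client Computers</name></category>
  </categories></Category></Firewall></OPNsense>
</opnsense>"""

def categories(root):
    """Map uuid -> name for each entry under Firewall/Category/categories."""
    path = ".//Firewall/Category/categories/category"
    return {c.get("uuid"): (c.findtext("name") or "").strip() for c in root.iterfind(path)}

def rule_refs(root):
    """Map category name -> descriptions of the rules that reference it."""
    refs = {}
    for rule in root.iter("rule"):  # assumption: rules are <rule> elements
        for name in (rule.findtext("category") or "").split(","):
            if name.strip():
                refs.setdefault(name.strip(), []).append(rule.findtext("descr") or "")
    return refs

def audit(before_xml, after_xml):
    """Return categories lost between two configs and rule references left dangling."""
    before, after = ET.fromstring(before_xml), ET.fromstring(after_xml)
    old, new = categories(before), categories(after)
    lost = sorted(old[u] for u in old.keys() - new.keys())
    defined = set(new.values())
    dangling = {n: d for n, d in sorted(rule_refs(after).items()) if n not in defined}
    return {"lost": lost, "dangling": dangling}
```

Running `audit()` on each new backup against the previous one turns a silent category wipe into a visible finding before the change is synced or applied.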