I'm experiencing state tracking issues after upgrading from 25.x to 26.1.x that make ClassLink (educational portal) completely unusable, returning 403 Forbidden errors.
Environment:
Hardware: Protectli fanless router
OPNsense versions tested: 26.1.7_3 and 26.1.8_5 (both exhibit same issue)
Last working version: 25.x series
Network: Single WAN, 3 VLANs (LAN, VLAN10, VLAN20)
Firewall optimization: Tested both Normal and Conservative
Problem: After upgrading to any 26.1.x version, ClassLink (login.classlink.com, launchpad.classlink.com) returns 403 Forbidden errors. Firewall logs show state violation blocks for ClassLink traffic on both IPv4 and IPv6.
Example log entries:
VLAN10_LAN In TCP 192.168.10.50:53925 → 23.219.1.21:443
block - Default deny / state violation rule
VLAN10_LAN In IPv6 [fdb9:5629:...]:50583 → [2600:1402:...]:443
block - Default deny / state violation rule
What I've tried (all unsuccessful):
Conservative firewall optimization + reboot
Resetting state table
Disabling IPv6 on affected VLANs
Adding IPv6 allow rules
Creating sloppy state / no state rules for ClassLink
Disabling NAT reflection
Disabling Hostwatch automatic discovery
Downgrading from 26.1.8_5 to 26.1.7_3 (same issue)
What works:
All other internet access functions normally
Accessing ClassLink via cellular hotspot (bypassing OPNsense) works
ClassLink worked perfectly on 25.x
Firewall rules verified:
Default allow rules present for all VLANs
Source port set to "*"
No conflicting deny rules
This appears to be related to the 26.1.x unified firewall system changes. Has anyone else experienced ClassLink issues on 26.1.x?