17.1 Legacy Series / Policy Routing Broken in 17.1?
« on: February 01, 2017, 09:47:49 pm »
Hello,
I upgraded from 16.7 to 17.1. After upgrading, all of my firewall rules that forced traffic out through a particular gateway stopped working, pretty much breaking my entire setup. I have multiple gateways, some of which are over OpenVPN links. Different servers on my LAN need to be routed out through different gateways (different path to internet and different outbound NAT). I tried fiddling with it and creating floating rules instead of LAN rules to force the gateway, but nothing worked. I ended up reinstalling with 16.7 and restoring a config backup.
<rant>
I love OPNsense and plan to continue to use it for my personal home network described here and, in the future, switch the work networks I manage from Sophos UTM to OPNsense. But are updates regression tested? In other words, how much can I trust that an update will not break my networks? It seems to me that testing that core functionality like policy routing still works is something that could be done by adding a test case that is automatically run for each build. I see from perusing the forum there are other examples of rules that worked before but are no longer working on 17.1. I would suggest that certain types of software projects (even open source) cannot afford to have breakage after upgrade because stability and reputation are things that are of paramount importance to the project's success. No one is going to trust their data (or their careers) to OPNsense if it gets a reputation of only working sometimes. To that end, I volunteer to help set up a test harness on your test servers if you need people. Thanks!
</rant>