Messages - Wuensch-AG-Adm

#16
I took a snapshot before every major upgrade and only used the function once to reboot on the last known good version because of an error, but I'll check out your tip.

Regards,

Joel
#17
Dear community,
I am trying to disable the rules (the manual part) in order to set up the rules using policies only, but when I select all entries (or 1000/500/200) and click the "Disable" button, the waiting circle appears, and when it is finished, nothing happens; the checkboxes are not empty.
Is this a known bug or something similar? Because it's crazy to manually deactivate about 30,000 entries.
Thank you in advance for your help.
Best regards,
Joel.
#18
Quote from: Patrick M. Hausen on February 20, 2026, 08:55:06 AM
If you have evidence that an update really caused the loss of firewall rules, you can still open an issue on Github to reach the developers. My main point is that this is the community forum and although I run a handful of systems with the business edition I do not have the expertise to help you. Also I never experienced anything like that myself.

Side note - why do you need a maintenance window to run an audit?

That's the only time I can devote to it. I take care of many other networks and application infrastructures, and since the problem didn't block the system's communication (I've simply re-created the 4/5 missing rules), I'll take care of it next time.
It's not about the OPNsense firewalls; it's about the workflow in the company.

Cheers,
Joel.
#19
Quote from: franco on February 19, 2026, 07:56:26 PM
Well, you can audit System: Configuration: History for where these disappeared (and restore them if they were lost then I suppose).

That also goes for opening a business support case as a starting point to investigate.

Without support hours posting here is as good as it gets.


Cheers,
Franco

Dear Franco and Patrick,
I get your point, but I don't understand the business model of why we should pay for troubleshooting the Deciso Business Appliance (which we purchased with a license). I understand that I need to purchase support if I need something that is beyond my expertise or if information is missing from the documentation because we need something more specific. But in my opinion, this is simply an automated update from the Deciso server that is faulty.
I will audit the system during the next monthly maintenance (I've already done part of it, when I found that some rules were missing); thank you for your advice.
Best regards,
Joel.
#20
Please let me know if I've done something wrong this time. I already mentioned that this is a business device, not a VM for the firewall at home.
#21
Dear OPNsense community,

This morning we performed our monthly maintenance and we are certain that we lost some rules and objects during the upgrade.
We noticed this because our AMS group created a ticket for some rules that had already been created for a customer project, and we couldn't find any of these rules or categories after the upgrade.
The upgrade went strangely: without warning, we were downgraded from version 25.10.1_2 to version 25.10, and after that we had to upgrade again to get version 25.10.2. Is this a mistake on the part of the OPNsense team? Has anyone ever heard of anything like this before?
We did not attempt to uninstall anything. The device did this on its own.

It's quite disturbing as a customer.

2026-02-19T08:16:56  Notice  pkg-static  opnsense-business-25.10.2 installed
2026-02-19T08:15:52  Notice  pkg-static  opnsense-business-25.10 deinstalled
2026-01-22T06:18:23  Notice  pkg-static  opnsense-business-25.10.1_2 installed

Regards

Joel.
#22
Dear community,

I cannot see the other severities of the access log in Squid (Squid Web Proxy plug-in). It remains empty. The only thing that works is the notification.
Can anyone give me a hint about this?

example (only):
2026-02-19T12:23:41  Notice  squid  ACL-REQ |opnproxy_ext_acl_net| |

even with multiple selections

with ssh:
tail -f /var/log/squid/access.log

xx.xx.xx.xx - xx:xx:xx:xx:xx:xx - [dd/mmm/2026:hh:mm:ss +0100] "CONNECT static.licdn.com:443 HTTP/1.1" 200 39 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36" TCP_TUNNEL:HIER_DIRECT
xx.xx.xx.xx - xx:xx:xx:xx:xx:xx - [dd/mmm/2026:hh:mm:ss +0100] "CONNECT platform.linkedin.com:443 HTTP/1.1" 403 20345 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36" TCP_DENIED:HIER_NONE
xx.xx.xx.xx - xx:xx:xx:xx:xx:xx - [dd/mmm/2026:hh:mm:ss +0100] "CONNECT ponf.linkedin.com:443 HTTP/1.1" 403 20349 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36" TCP_DENIED:HIER_NONE


Thank you in advance

Joel.
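The access.log lines above carry the information the GUI log view is not showing (client, destination, status, and Squid's TCP_DENIED result for requests blocked by the external ACL). The following is an added example, not part of the post or of OPNsense: a small parser for exactly that line layout (client IP, client MAC, timestamp, request line, status, bytes, referer, user agent, result:hierarchy), with a summary of denied requests per destination host and per client. The field names are our own labels, and the sample lines are constructed with RFC 5737 test addresses and fake MACs, not real traffic.

```python
"""Parse Squid access.log lines in the layout shown in the post and summarise
denied vs. allowed requests.

Added example, not code from the forum post or from OPNsense. Field names are
our own labels (assumption), and SAMPLE_LOG is constructed test data.
"""
import re
from collections import Counter

# One regex for the whole line:
# IP - MAC - [timestamp] "METHOD target PROTO" status bytes "referer" "UA" RESULT:HIERARCHY
LINE_RE = re.compile(
    r'^(?P<client_ip>\S+) - (?P<client_mac>\S+) - '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'(?P<result>[A-Z_]+):(?P<hierarchy>[A-Z_]+)\s*$'
)

# Constructed sample log (RFC 5737 addresses, fake MACs); the last line is
# deliberately malformed to show that the parser skips it instead of crashing.
SAMPLE_LOG = """\
192.0.2.10 - 02:00:00:00:00:0a - [19/Feb/2026:12:23:41 +0100] "CONNECT static.licdn.com:443 HTTP/1.1" 200 39 "-" "Mozilla/5.0" TCP_TUNNEL:HIER_DIRECT
192.0.2.10 - 02:00:00:00:00:0a - [19/Feb/2026:12:23:42 +0100] "CONNECT platform.linkedin.com:443 HTTP/1.1" 403 20345 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE
192.0.2.11 - 02:00:00:00:00:0b - [19/Feb/2026:12:23:43 +0100] "CONNECT ponf.linkedin.com:443 HTTP/1.1" 403 20349 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE
192.0.2.11 - 02:00:00:00:00:0b - [19/Feb/2026:12:24:01 +0100] "GET http://example.com/ HTTP/1.1" 200 1234 "-" "curl/8.0" TCP_MISS:HIER_DIRECT
this line is garbage and must be skipped, not crash the parser
"""


def parse_line(line):
    """Return a dict for one access.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    # Squid's own result code says whether the ACLs denied the request,
    # independent of the HTTP status the client saw.
    rec["denied"] = rec["result"] == "TCP_DENIED"
    return rec


def parse_log(text):
    """Parse all lines; return (records, number of skipped malformed lines)."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        records.append(rec)
    return records, skipped


def summarise(records):
    """Count denied requests overall, per destination host and per client."""
    denied = [r for r in records if r["denied"]]
    return {
        "total": len(records),
        "denied": len(denied),
        # target is "host:port" for CONNECT and a URL for GET; keep the host part
        "denied_by_host": Counter(r["target"].split(":")[0] for r in denied),
        "denied_by_client": Counter(r["client_ip"] for r in denied),
    }


if __name__ == "__main__":
    recs, skipped = parse_log(SAMPLE_LOG)
    s = summarise(recs)
    print(f"parsed {s['total']} records, skipped {skipped} malformed line(s)")
    print(f"denied requests: {s['denied']}")
    for host, n in s["denied_by_host"].most_common():
        print(f"  {n:3d}  {host}")
```

Run against the real file with something like `parse_log(open('/var/log/squid/access.log').read())` on the appliance; the TCP_DENIED records are the ones the GUI's "Notice" entries only hint at, and the per-client counter is a quick way to spot a single host generating many denials.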
#24
Quote from: franco on September 03, 2025, 05:06:08 PM
Have you made any progress on this? 25.4.3 was released today but I suspect it will not change the situation you've seen with 25.4.2.


Cheers,
Franco

Hi Franco,

I upgraded the appliance today to version 25.4.3_4 and it works like a charm.
I don't understand what the problem was with version 25.4.2.
Regards,

Joel
#25
Dear Community,

right now there are some penetration tests from an external company in progress on our OPNsense appliance, and we need a way to remove IP addresses from the blacklist without any whitelisting, because they will attack again with another kind of attack.
Is there any way to remove the IP address from the blacklist "on demand"?

Thank you in advance.
Regards

Joel.
#26
Hi Franco,

Sorry, for the moment I need to do other things for our customers and ourselves (system migrations).

I will try when my colleagues are no longer on vacation.

Regards,

Joel.
#27
To me, it seems to be something like (not identical, but similar) in this post:
https://forum.opnsense.org/index.php?topic=48640.0
And I think that "no one else" is no longer accurate.

I'm vague because I don't have time to mess around and figure out why it isn't working. I will do this in my own time, not during our company's working hours with coworkers who aren't working at that time.

The only thing I can say: with version 25.4.1, the communication with our Cisco main gateway (incl. the connection with the management software) is working flawlessly. We can access our web applications located in our DMZs with a resolution through our own DNS server (inside). The DMZs are located on the Cisco, and the OPNsense is bridged on the inside of the Cisco interface to assure the IPS/IDS security of our internal network. All IPs of the DMZs are NATed on the Cisco, and the OPNsense has a route to send everything unknown to the Cisco main gateway (0.0.0.0/0). LAN/WAN are bridged. After the upgrade to 25.4.2 we cannot access the management software of the Cisco gateway (the inside IP of the Cisco is in the same segment as the problematic OPNsense), and the colleagues are receiving timeouts in the browser when they try to access our web applications in the DMZs. I cannot explain everything here because the topology is much more complex, and for every tier (DMZs / outside network segment) we have one OPNsense Business on OPNsense hardware. It's a star topology with the Cisco GW in the middle and the satellites / tiers are OPNsense appliances, if you want.
To sum up: with 25.4.2, the forwarding of requests to the NATed addresses (on the Cisco GW) and to the Cisco GW itself isn't done anymore. The routing rule with 0.0.0.0/0 through the Cisco GW isn't correctly applied when the IP addresses are on the same network segment.

Now, I can no longer describe in detail what happened with the help of the logs. This is because I had to use the snapshot function really quickly because the project managers had directed calls/complaints to our department. All I can say is that nothing was displayed in the live part of the firewall (request also made on the Cisco gateway), and I am sure that this is the case with version 25.4.1.

For me, paid business support makes sense when we need an additional feature or something we don't understand technically. But not to fix problems where everything was working fine before and suddenly stopped working after the update/upgrade without any further changes. That can't be part of any business plan. The logic of having a paid stable business version is not followed here. Please don't take us the wrong way, we are OPNsense customers. But anyway... that's not the subject here.

I'll try again when no one is working on our internal network. I just need to plan it now.

Regards,

Joel.
#28
I can guarantee that this is a problem with version 25.4.2 -> version 25.4.1 works and we will keep using it!

It would be good if the OPNsense team would improve its business version before releasing it.
#29
Dear OPNsense community,

for us it's not the first time that, despite running a Business Edition, we are losing some of our connections to our DMZ applications after an upgrade (for example with Suricata, which broke some of our communications if IPS mode wasn't deactivated).
This time, we have simply lost the access management on our main GW (Cisco) and the communication with our NATed systems in our DMZs. The NATed systems are handled on our main gateway (Cisco).

Our routing configuration is really simple: network 0.0.0.0/0 to our main GW (Cisco), and we have a LAN/WAN bridge to use the IPS/IDS/proxy capabilities of OPNsense. Until now this setup has worked flawlessly, but after the upgrade we cannot manage our main GW anymore and our DMZ web apps aren't accessible.

On our side it's critical because every colleague here cannot work anymore on any of our apps. I cannot check anything on the main GW because it's not accessible either.

Could someone give me a hint?
We used to believe that the Business Edition is well tested and tailored for the Business environment.

Thank you in advance for your information,

Regards,

Joel.
#30
Many thanks!

Regards,

Joel