"Recent posts
#1
26.1 Series / Re: Firewall rules migration
Last post by OzziGoblin - Today at 02:03:14 AMHi Team
I've tested upgrading successfully 3 times on different lab environments, but I'm confused as to why the fw rules continue to remain greyed out and uneditable once migrated and step 5 is complete, am I missing something to complete the migration of fw rules?
Everything appears to function as expected although mine aren't complicated labs, but my main reason for testing was to see what happens with ISC DHCP and IPv6, which is working.
While I do appreciate all the effort that goes into the software and please I'm not disrespecting anyone, I'm not a fan of the new firewall interface to switch between networks, it's a lot of extra clicking to navigate now. If it was possible to choose a default landing page rather than floating rules, it may help. Happy to hear the reason for the change though.
I've tested upgrading successfully 3 times on different lab environments, but I'm confused as to why the fw rules continue to remain greyed out and uneditable once migrated and step 5 is complete, am I missing something to complete the migration of fw rules?
Everything appears to function as expected although mine aren't complicated labs, but my main reason for testing was to see what happens with ISC DHCP and IPv6, which is working.
While I do appreciate all the effort that goes into the software and please I'm not disrespecting anyone, I'm not a fan of the new firewall interface to switch between networks, it's a lot of extra clicking to navigate now. If it was possible to choose a default landing page rather than floating rules, it may help. Happy to hear the reason for the change though.
#2
26.1 Series / Re: Firewall rules migration
Last post by nero355 - Today at 12:28:51 AMQuote from: Monviech (Cedrik) on January 23, 2026, 03:48:54 PMThere is no automatic migration of firewall rules. Both new and old component are fully functional side by side.So eventually this :
So dont worry about upgrading, nothing will change.
After the upgrade there will be a migration assistant you can choose (or not yet choose) to follow. No rush.
Quote from: julsssark on January 22, 2026, 10:57:18 PMAnti-lockout instruction clarity:Will not be needed at all ?!
The instruction text says "Enable the anti-lockout rule" while step 2 says "Deselect anti-lockout in advanced settings".
Given the wording of the control itself ("Disable anti-lockout"), I suggest revising the instruction text to: "To prevent being locked out during the rule migration process, enable automatically generated lock-out rules..." and updating step 2 to: "Uncheck the 'Disable anti-lockout' checkbox."
I have the default Anti-Lockout option disabled and built my own Firewall Rules around it instead so I would like to know if anything will be incompatible with my setup :)
#3
25.7, 25.10 Series / Re: OPNsense 25.7.10 . Noti...
Last post by nero355 - Today at 12:23:33 AMQuote from: pfry on January 23, 2026, 05:23:16 PMI get "enterprise" or "data center" devices (a stretch for M.2, but hey)At least those are still REAL SSD's with decent Power Loss Protection unlike the earlier mentioned Samsung "Pro" Series and many of their competitors !! ;)
Quote from: dmacgowan on January 23, 2026, 08:33:54 PMIt certainly isn't overheating in my -28 degree C garage in the middle of winter.CPU's have this thing called "Cold Boot bug" often when the temperature drops that low so maybe your SSD has something similar too ?!
#4
General Discussion / Re: Where is TCP processed - C...
Last post by nero355 - Today at 12:19:30 AMQuote from: chemlud on January 23, 2026, 05:58:19 PMThe devices with Coreboot are "in production", so not easy to swap the OS.I am not talking about swapping anything : Just boot a Live ISO from a USB Stick !!
QuoteAnd as the problem is with TW updates, not with the browser (see above): how to test then?Download stuff manually via the browser or wget on the Terminal ?
QuoteSo largely: Self-inflicted pain, one might say. It bugs me not to know, what is going on here.I can relate to that! :)
QuoteOPNsense has no traffic shaper enabled, what should IPS/IDS do to the bandwith of one client, but not to another on the same switch?It would be based on IP address but if you know for sure you have not configured anything in OPNsense or on the Client/Server that is having these issues then there is not much to do there I guess...
#5
General Discussion / Re: ISC-DHCP to KEA Migration ...
Last post by nero355 - Today at 12:09:55 AMQuote from: Sheridan Computers on January 23, 2026, 08:45:39 PMNot for IPv6, IPv4 only.True, but if you leave DNS on IPv4 level there is no need to track your clients based on their IPv6 address and just use the IPv4 bindings for nice hostnames with your local domain included :)
At least I am guessing that's what you need the Static DHCPv6 Mappings for ?
#6
26.1 Series / Re: Firewall rules migration
Last post by julsssark - January 23, 2026, 11:33:58 PMThanks Franco. Those patches solved the destination field validation issue. I tested after installing the patches and the default rules with "any" imported correctly without error.
Thanks Cedrik. Your changes to the instructions help. I agree with your point that checkboxes with "disable" as their name are confusing. If there is a desire to fix those settings in a future release, I am happy to test and update docs.
In playing around with the new rules layout, I noticed that if a rule is deactivated, the controls for that row are also dimmed. The controls work so they should be enabled. See the enclosed screenshot. I saw the same behavior with Safari and Firefox.
Do the imported rules and the system-generated rules have the same rule numbers in the new engine as they do in the old one? If the rule numbers can change, it would be helpful to add that to the docs, especially for people who use syslog servers and have logic based on firewall rule numbers.
Thanks Cedrik. Your changes to the instructions help. I agree with your point that checkboxes with "disable" as their name are confusing. If there is a desire to fix those settings in a future release, I am happy to test and update docs.
In playing around with the new rules layout, I noticed that if a rule is deactivated, the controls for that row are also dimmed. The controls work so they should be enabled. See the enclosed screenshot. I saw the same behavior with Safari and Firefox.
Do the imported rules and the system-generated rules have the same rule numbers in the new engine as they do in the old one? If the rule numbers can change, it would be helpful to add that to the docs, especially for people who use syslog servers and have logic based on firewall rule numbers.
#7
25.7, 25.10 Series / Re: OPNsense 25.7.10 . Noti...
Last post by pfry - January 23, 2026, 10:53:05 PMQuote from: dmacgowan on January 23, 2026, 08:33:54 PM[...]It would appear that the program doesn't know what to do with a negative temperature reading. It certainly isn't overheating in my -28 degree C garage in the middle of winter.
Impressive. I'd really worry about thermal shock.
Sheesh. It's about to freeze here. I have a cheap house, so I'd be in a bad way if it got down that low. And now I'm off to try to keep the ice buildup on my porch to a minimum.
#8
25.7, 25.10 Series / Re: WAN has no IPv6 connectivi...
Last post by andicniko - January 23, 2026, 10:40:37 PMConfirming that specifying an "Optional prefix ID" fixed my issues.
That's a very useful explanation you linked to as well. Thank you.
That's a very useful explanation you linked to as well. Thank you.
#9
25.7, 25.10 Series / Re: IPv4 ONLY Firewall Setup w...
Last post by meyergru - January 23, 2026, 10:37:35 PMThank you for taking the time to document your experience in detail. It is clear you have invested significant effort into troubleshooting, and the level of detail is appreciated.
That said, in its current form this report does not describe a demonstrable software defect in OPNsense, Kea, or dnsmasq, but rather a set of symptoms that are most commonly associated with layer-2 topology or virtualization configuration issues—particularly in Proxmox environments.
A few observations that are important to clarify:
OPNsense does not require IPv6 to be enabled for IPv4 DHCP to function correctly. IPv4-only deployments with multiple LAN interfaces are widely deployed and fully supported.
If a DHCP client briefly receives a gateway address belonging to a different interface, that almost always indicates that the interfaces are not properly isolated at layer-2 (for example, multiple interfaces attached to the same Proxmox bridge, shared subnets across interfaces, or unintended bridging).
DHCP servers do not "forward" router addresses between interfaces. If a client sees an address from another interface, it is responding to a broadcast originating from the same L2 domain.
To move this forward constructively, the following information would be required before this can be treated as a potential bug:
Without this information, it is not possible to distinguish between a software defect and a topology issue. To date, there is no known regression in OPNsense 24.x–25.x that prevents IPv4 DHCP from functioning on secondary interfaces in correctly isolated networks.
If you are willing to provide the above details, the community will be better positioned to help identify the root cause.
That being said, you have chosen to use one of the most advanced setups with OpnSense there is (i.e. OpnSense under Proxmox). I assume you have read all the helpful hints to this (like this) or have tried to get a setup running on bare metal first?
That said, in its current form this report does not describe a demonstrable software defect in OPNsense, Kea, or dnsmasq, but rather a set of symptoms that are most commonly associated with layer-2 topology or virtualization configuration issues—particularly in Proxmox environments.
A few observations that are important to clarify:
OPNsense does not require IPv6 to be enabled for IPv4 DHCP to function correctly. IPv4-only deployments with multiple LAN interfaces are widely deployed and fully supported.
If a DHCP client briefly receives a gateway address belonging to a different interface, that almost always indicates that the interfaces are not properly isolated at layer-2 (for example, multiple interfaces attached to the same Proxmox bridge, shared subnets across interfaces, or unintended bridging).
DHCP servers do not "forward" router addresses between interfaces. If a client sees an address from another interface, it is responding to a broadcast originating from the same L2 domain.
To move this forward constructively, the following information would be required before this can be treated as a potential bug:
- Interface assignments and IP/subnet configuration for all OPNsense interfaces
- Proxmox bridge configuration (vmbr layout, VLAN awareness, and NIC attachment or in the case off passthru, physical hardware type)
- Confirmation that each LAN interface is in a unique IPv4 subnet
- DHCP logs from Kea or dnsmasq during a failed lease attempt
- A packet capture (tcpdump) on the affected interface showing the DHCP exchange
Without this information, it is not possible to distinguish between a software defect and a topology issue. To date, there is no known regression in OPNsense 24.x–25.x that prevents IPv4 DHCP from functioning on secondary interfaces in correctly isolated networks.
If you are willing to provide the above details, the community will be better positioned to help identify the root cause.
That being said, you have chosen to use one of the most advanced setups with OpnSense there is (i.e. OpnSense under Proxmox). I assume you have read all the helpful hints to this (like this) or have tried to get a setup running on bare metal first?
#10
25.7, 25.10 Series / Re: WAN has no IPv6 connectivi...
Last post by meyergru - January 23, 2026, 10:24:28 PMTry this.
