Recent posts

#21
General Discussion / Re: No internet to clients con...
Last post by darkencraft - Today at 12:08:44 AM
Thank you for the response, but actually, the document was the exact document that I used to configure the bridge. I also changed the configuration in the tunables already, so all the wired devices that are connected to the bridge port work fine.

The problem is the wifi clients not having access to the internet; I cannot figure out what else I need to tweak in the OPNsense configs.
#22
26.1 Series / Re: 26.1 - after export & imp...
Last post by OPNenthu - Today at 12:04:41 AM
There is a GH ticket where the development team is soliciting feedback on use cases where the ability to keep a single-interface floating rule might be needed:

https://github.com/opnsense/core/issues/9652

If either enough voices are added, or if someone finds a use case that can't be solved otherwise, then I think there could be some traction on getting this added back.

Right now it seems the position of the devs is that the single-interface floating rule concept is flawed and existed as a workaround to an old problem.
#23
General Discussion / Re: No internet to clients con...
Last post by cookiemonster - January 31, 2026, 11:57:49 PM
Yes, there are some additional settings to add. Please look in the documentation. Actually, it is here: https://docs.opnsense.org/manual/how-tos/lan_bridge.html#lan-bridge
#24
26.1 Series / 26.1 - after export & import ...
Last post by nzkiwi68 - January 31, 2026, 11:55:06 PM
I see what happened.

Because my floating rules only have a single interface referenced, they were migrated to the appropriate interface as LAN or WAN etc. interface rules.

However - this is a significant behavior change.
The reason I use these rules on floating is to ensure these block rules are always processed before interface rules. That way, special rules like Spamhaus DROP are always processed before the WAN interface rules. I can reorder WAN rules without fear of accidentally undoing special block rules.

OPNsense firewall processing order (in part):
 1. Floating rules first
 2. Interface rules second

Lastly, if I then add a 2nd WAN later on, it's very easy with a floating rule to have these block rules apply to WAN and WAN2, etc.


#25
26.1 Series / Re: Old rules deprecation
Last post by Noci - January 31, 2026, 11:38:03 PM
Feedback on New Rule interface...
Looks nice, needs a bit of getting acquainted I guess.

Two issues that could be handled better.
1) During export old, import new there was one error: interface lo0..? rule. I deleted that one as I see no reason for a rule filtering traffic on lo0. Apparently it doesn't exist in 26.1 anymore.

2) There is an error either in export or import of rules with HTML encoding. All rules having special signs like > are different.
Allow Float -> ICMP out      changed into    Allow Float -> ICMP out
If exporting uses HTML safe data, then import should as well.

https://github.com/opnsense/core/issues/9694
#26
26.1 Series / Re: Cannot console upgrade to...
Last post by patient0 - January 31, 2026, 11:30:49 PM
Quote from: Monju0525 on January 31, 2026, 03:37:01 PM
Update: via console took about an hour to upgrade to 26.1_4 and the vpn + other packages worked

Glad it worked. What kind of up- and download do you have? One hour is not exactly fast; what hardware is it?
#27
Q-Feeds (Threat intelligence) / Re: Testing firewall rules wit...
Last post by vk2him - January 31, 2026, 11:22:58 PM
Quote from: Q-Feeds on January 31, 2026, 11:07:50 PM
This doesn't seem to be related to the Q-Feeds Plugin since you're using AGH. As your screenshot shows it perfectly pulls in the domains? If you try to reach 'cherrypharm.com' (just checked, still in the domains list), can you see any DNS requests for that domain in AGH?

Yes, you're correct - after a bit more checking, it seems the warning for that website was generated by my browser natively, or via an add-in (Brave) - I could see within the AGH log that it actually blocked access. When I tried Safari, I didn't get the warning as it must not have the same website checking, and again AGH blocked it. Sorry for my misunderstanding :)
#28
26.1 Series / Re: Rules migration completion...
Last post by Cheezio - January 31, 2026, 11:18:00 PM
Quote from: jp0469 on January 29, 2026, 08:55:32 PM
I'm glad this happened to someone and I got to see it because I'm pretty sure this would've happened to me eventually. Now I'm ready.

Happened to me as well.  Took me a few minutes to notice the selectpicker.  By then I had multiple rule copies that I had to delete.  LOL
#29
Q-Feeds (Threat intelligence) / Re: Q-Feeds blocks the Tor Bro...
Last post by Q-Feeds - January 31, 2026, 11:12:34 PM
Another solution could be to add a whitelist rule with an alias with all the TOR nodes.
#30
Q-Feeds (Threat intelligence) / Re: Testing firewall rules wit...
Last post by Q-Feeds - January 31, 2026, 11:07:50 PM
Quote from: vk2him on January 31, 2026, 01:30:09 AM
Quote from: Q-Feeds on January 26, 2026, 06:10:59 PM
All right! Will look into it together with Deciso and get back to you. Thanks for digging into it already, very helpful!

FYI - I'm seeing this issue too however I'm using the qfeed Domains blocklist only within AGH and not within Unbound.  I'm running OPNsense 25.7.11_9-amd64  with AGH setup as the main DNS on port 53, and Unbound is on 5335. Within AGH I have 127.0.0.1:5335 setup as a Private reverse DNS server, and for Local resolution via Unbound on 127.0.0.1:5335 - this has been working well for years.

Blocking of sites on the qfeeds Domains blocklist within AGH worked well previously, however it now seems to have stopped as the example problem URLs posted earlier in this thread are no longer blocked and they display warnings in my browser.

The widget shows the blocked number incrementing as I have the floating rules setup to block the qfeeds IPs which works properly - it's just the Domain blocklist isn't working anymore

edited to add - this is the url added to the AGH Qfeeds Malware Domains shown in the screenshot:
https://api.qfeeds.com/api.php?feed_type=malware_domains&api_token=tip_xxxxxxx


Hi vk2him,

This doesn't seem to be related to the Q-Feeds Plugin since you're using AGH. As your screenshot shows it perfectly pulls in the domains? If you try to reach 'cherrypharm.com' (just checked, still in the domains list), can you see any DNS requests for that domain in AGH?