Recent posts

#21
26.1 Series / New firewall rule interface
Last post by stanps - Today at 03:03:58 PM
So...other than the obvious visual difference, is this just a new way to manage firewall rules?  Or are there actual technical advantages to the new firewall rule interface?

Also, is there a way to remove the [old and busted] Rules menu option, after you've successfully migrated?

Thanks again,
S
#22
26.1 Series / Re: RC1: hundreds of rc.newwan...
Last post by franco - Today at 03:02:18 PM
Since we're here can you try this commit?

# opnsense-patch https://github.com/opnsense/core/commit/6933841c6


Cheers,
Franco
#23
26.1 Series / Re: Suricata - Divert (IPS)
Last post by agh1701 - Today at 02:53:08 PM
What does the new divert rule look like?
#24
General Discussion / Re: Certificate update
Last post by stanps - Today at 02:45:23 PM
Thank you so much!

And I was able to clean up a bunch of other plugins I tried and removed....NOW I know what that section is for! :)

-S

Quote from: franco on Today at 10:00:31 AM
If you don't use ntopng anymore you can clear its configuration under System: Configuration: Defaults: Components. That will also release the certificate reference.


Cheers,
Franco
#25
26.1 Series / [Help] Multi-WAN Reply-to Brok...
Last post by metacyx - Today at 02:40:24 PM
Hey everyone,

I'm reaching out to see if anyone else is experiencing Multi-WAN routing issues on the new v26.1 release. I recently upgraded from v25.7, and while the rule migration to "Rule (new)" seemed successful, my inbound load balancing/failover logic is broken.

The Setup:
- OPNsense v26.1 (previously rock-solid on v25.7.11_9).
- Dual WAN setup using PPPoE (pppoe0 for WAN1, pppoe1 for WAN2).
- Internal AmneziaWG service hosted in the LAN.

The Issue:
Prior to the upgrade, external clients could handshake with the AmneziaWG service via either WAN1 or WAN2 public IPs without issue. Post-upgrade, WAN2 is effectively "dead" for inbound connections. WAN1 continues to work perfectly.

Packet Capture & Behavior:
I did some digging via shell packet captures, and the results are baffling:
1. When a client attempts to connect to the WAN2 IP, I see traffic hitting BOTH pppoe0 and pppoe1 simultaneously.
2. The source IP on both interfaces is identified as the WAN2 public IP.
3. Despite the traffic being visible, the handshake never completes.

Troubleshooting Steps Taken:
- Completely deleted and recreated the Port Forward (NAT) and Firewall rules for the service.
- Isolated the issue by disabling WAN1 rules entirely, but WAN2 still refused to pass the handshake.
- Followed the official migration guide to ensure rules were correctly mapped to the new architecture.

Workaround:
I've since rolled back to v25.7.11_9, and everything started working instantly without a single configuration change.

Is there a known regression in v26.1 regarding "Reply-to" behavior for PPPoE interfaces or Multi-WAN policy routing? It feels like the return path is being misrouted or the state is getting confused between the two WAN interfaces.

Any help or pointers on what to check in the new rule logic would be much appreciated!
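One way to confirm the symptom metacyx describes from the shell captures, as an added example that is not part of the original post and not OPNsense's own tooling: a small Python script that parses tcpdump-style UDP lines which have been tagged with the interface they were captured on, groups them into flows, and flags any flow whose reply leaves on an interface other than the one that owns the WAN address the client talked to (which is what pf's reply-to is meant to pin). The interface prefix on each line, the WAN addresses (RFC 5737 documentation ranges) and the sample capture are all constructed assumptions; the tagging assumes one capture per interface piped through something like `sed 's/^/pppoe1 /'`.

```python
import re

# Assumed WAN addresses, keyed to the interface that owns them. Replace with
# the real PPPoE-assigned addresses (constructed, documentation ranges).
WAN_ADDRS = {"198.51.100.1": "pppoe0", "203.0.113.1": "pppoe1"}

# Constructed sample capture. Each line is tcpdump "-n" output for UDP,
# prefixed by hand with the interface it was captured on, e.g. from
# `tcpdump -nli pppoe1 udp port 51820 | sed 's/^/pppoe1 /'` per interface.
# Flow 1 (WAN1) behaves; flow 2 (WAN2) shows the reply leaving on both
# pppoe0 and pppoe1 with the WAN2 address as source.
SAMPLE_CAPTURE = """\
pppoe0 14:31:02.100000 IP 192.0.2.50.41000 > 198.51.100.1.51820: UDP, length 148
pppoe0 14:31:02.100900 IP 198.51.100.1.51820 > 192.0.2.50.41000: UDP, length 92
pppoe1 14:31:05.200000 IP 192.0.2.50.41001 > 203.0.113.1.51820: UDP, length 148
pppoe0 14:31:05.200800 IP 203.0.113.1.51820 > 192.0.2.50.41001: UDP, length 92
pppoe1 14:31:05.200800 IP 203.0.113.1.51820 > 192.0.2.50.41001: UDP, length 92
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+UDP,\s+length\s+\d+"
)


def parse(capture):
    """Yield (iface, src, sport, dst, dport) for each UDP line; skip others."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["iface"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def analyze(capture, wan_addrs=WAN_ADDRS):
    """Group packets into flows keyed by (client, cport, wan_ip, wan_port).

    For each flow, record the interface the inbound packet arrived on and the
    set of interfaces the firewall's reply was seen leaving on. A reply is
    'misrouted' when it leaves on any interface other than the one that owns
    the WAN address the client addressed (the expected reply-to interface).
    """
    flows = {}
    for iface, src, sport, dst, dport in parse(capture):
        if dst in wan_addrs:                     # client -> firewall
            key = (src, sport, dst, dport)
            flows.setdefault(key, {"ingress": None, "replies": set()})
            flows[key]["ingress"] = iface
        elif src in wan_addrs:                   # firewall -> client
            key = (dst, dport, src, sport)
            flows.setdefault(key, {"ingress": None, "replies": set()})
            flows[key]["replies"].add(iface)
    for key, f in flows.items():
        expected = wan_addrs[key[2]]
        f["expected_egress"] = expected
        f["misrouted"] = any(i != expected for i in f["replies"])
        f["no_reply"] = not f["replies"]
    return flows


def report(flows):
    """Render one line per flow; returns the text rather than printing it."""
    out = []
    for (client, cport, wan, wport), f in sorted(flows.items()):
        status = "MISROUTED" if f["misrouted"] else ("NO REPLY" if f["no_reply"] else "ok")
        out.append(
            f"{client}:{cport} -> {wan}:{wport}  in={f['ingress']}  "
            f"expect_out={f['expected_egress']}  seen_out={sorted(f['replies'])}  {status}"
        )
    return "\n".join(out)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_CAPTURE)))
```

Run it against real captures taken on both PPPoE interfaces at the same time; a flow that reports MISROUTED with the same reply on two interfaces is the double-egress pattern described in the post, and a NO REPLY flow points at the rule or NAT side rather than the return path.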
#26
25.7, 25.10 Series / Re: upgrade to 25.7.2 from 25....
Last post by lebowski - Today at 02:40:07 PM
Quote from: BrandyWine on January 21, 2026, 10:30:20 PM
This one says it can do crosstalk tests (but I'm not sure which tests it does for FEXT and NEXT). You can log in to Amazon and use Rufus to post a question.
Amazon item B0DSHWHC7R "NOYAFA NF-8601S Network Cable Tester"

Another issue can be Alien Crosstalk, which is much harder to identify.

Crosstalk is an issue because it confuses the transceivers
https://www.flukenetworks.com/blog/cabling-chronicles/cable-testing-101-cross-talk-near-and-far



Thank you, i'll look into that.

Meanwhile, just yesterday, I updated my OPNsense appliance to v26.1, and lo and behold, my WAN Ethernet connection (between firewall and cable modem) has been at 1 Gb/s for more than a day now! What had been happening over the last months is that it got to 1 Gb/s after a reboot, and after a couple of hours reverted back to 100 Mbit.

I really hope this is permanent now, since I didn't change anything in my cabling after the last time, when I replaced a piece of cable (which tested OK afterwards) with a factory-fresh premium Cat 7 cable.
#27
26.1 Series / Re: RC1: hundreds of rc.newwan...
Last post by Patate - Today at 02:39:31 PM
Sorry for that

Just saw a ticket was open

https://github.com/opnsense/core/issues/9686
#29
26.1 Series / Re: [Solved] OpnSense 25.7.11_...
Last post by franco - Today at 02:36:02 PM
Can't fix that. This and other things are unavoidable when enabling the FreeBSD repository.


Cheers,
Franco
#30
Tutorials and FAQs / Re: Tutorial: Caddy (Reverse P...
Last post by n3 - Today at 02:35:48 PM
Quote from: Monviech (Cedrik) on January 23, 2026, 08:55:10 AM
If you want to use Caddy for hosting your websites you will also most likely need PHP and databases; better to run that on a dedicated machine.

Other than that, running Caddy as the intended reverse proxy and layer 4 proxy on the firewall is safe. If you want the highest security, run it as the www user (supported from the GUI).
Thanks for the answer. I took it as a prompt to read more about it, and actually I'm now thinking of using Caddy as a reverse proxy in a DMZ. Currently I don't have a DMZ, and my services like Home Assistant, MariaDB, WordPress, Nextcloud, etc. run on a SERVICE interface. I have static IPv4 and IPv6, and currently only the LAN interface has IPv6, but I want to go IPv6-first. Therefore I think it is better to make a DMZ, host Caddy in it, and move my WordPress and Nextcloud into the DMZ. It is not as simple as the plugin, but with static IPv6 it is the better choice, or what do you think?