"Recent posts
#21
26.1 Series / Re: 26.1 - after export & imp...
Last post by OPNenthu - Today at 12:55:06 AMIt wasn't just you and @meyergru, I had seen it elsewhere in the past. Also ChatGPT believed the same (maybe it was trained on old posts from here) :)
I'm sorry to link to the competition's documentation but they have some descriptions there which have me thinking that we are losing some capability with this change. Some of it is over my head though e.g. ALTQ.
I'm sorry to link to the competition's documentation but they have some descriptions there which have me thinking that we are losing some capability with this change. Some of it is over my head though e.g. ALTQ.
#22
26.1 Series / Re: 26.1 - after export & imp...
Last post by Patrick M. Hausen - Today at 12:47:35 AMQuote from: OPNenthu on Today at 12:40:46 AMfiltering egress e.g. WAN out before NAT takes place) but I can't find anything to support that now.
The idea that floating rules would precede NAT on interface groups or interfaces was a misunderstanding by - most prominently - @meyergru and myself.
NAT always goes before filtering, period.
So up until now we could have three stages of filtering:
- floating
- interface group
- interfaces
and create a single interface floating rule if necessary or convenient. That is for the time being not possible, anymore, for a single interface.
Everything else has not changed.
#23
26.1 Series / Re: 26.1 - after export & imp...
Last post by OPNenthu - Today at 12:40:46 AMI think that's true as long as Floating rules are not special in some way. I had previously thought that there were some things only Floating rules could do (for example, filtering egress e.g. WAN out before NAT takes place) but I can't find anything to support that now. The current documentation says that NAT takes place first *always*.
Are there any special properties of Floating rules besides that they have highest priority?
Are there any special properties of Floating rules besides that they have highest priority?
#24
General Discussion / Re: No internet to clients con...
Last post by darkencraft - Today at 12:38:59 AMyes, i rebooted OPN after tunable changes.this is actually my third attempt (each attempt, i factory defaulted OPN) and am pretty sure all steps in the documentation was followed. also, i'm not using ipv6.
As for the AP, TP Link EAP610 to be specific, its not running any dhcp server. When I compare the network parameter assignment between wired device (which internet works) and wifi device (no internet), they are quite identical.
Wi-Fi client (internet not working):
IP: 192.168.1.165
Subnet: 255.255.255.0
Default gateway: 192.168.1.1
DNS: 192.168.1.1
Wired client (internet working):
IP: 192.168.1.103
Subnet: 255.255.255.0
Default gateway: 192.168.1.1
DNS: 192.168.1.1
As for the firewall live log, can you advise what i should look for, or how i should test?
As for the AP, TP Link EAP610 to be specific, its not running any dhcp server. When I compare the network parameter assignment between wired device (which internet works) and wifi device (no internet), they are quite identical.
Wi-Fi client (internet not working):
IP: 192.168.1.165
Subnet: 255.255.255.0
Default gateway: 192.168.1.1
DNS: 192.168.1.1
Wired client (internet working):
IP: 192.168.1.103
Subnet: 255.255.255.0
Default gateway: 192.168.1.1
DNS: 192.168.1.1
As for the firewall live log, can you advise what i should look for, or how i should test?
#25
26.1 Series / Re: 26.1 - after export & imp...
Last post by Patrick M. Hausen - Today at 12:34:44 AMQuote from: OPNenthu on Today at 12:04:41 AMuse cases where the ability to keep a single-interface floating rule might be needed
A single interface group might still do the trick.
#26
General Discussion / Re: No internet to clients con...
Last post by cookiemonster - Today at 12:32:37 AMdid you reboot OPN after changing tunables? It is needed for these.
Otherwise review the steps just in case. AP definitively not running its own dhcp server or any other service?
Next is to look at firewall live log to see if the traffic is arriving. Are you using IPV6 ?
Otherwise review the steps just in case. AP definitively not running its own dhcp server or any other service?
Next is to look at firewall live log to see if the traffic is arriving. Are you using IPV6 ?
#27
General Discussion / Re: No internet to clients con...
Last post by darkencraft - Today at 12:08:44 AMthank you for the response. but actually, the document was the exact document that I used to configure the bridge. I also change the configuration in the tunables already. so all the wired devices that are connected to the bridge port works fine.
the problem is the wifi clients not having access to internet, which i cannot figure out what else i need to tweak in opnsense configs.
the problem is the wifi clients not having access to internet, which i cannot figure out what else i need to tweak in opnsense configs.
#28
26.1 Series / Re: 26.1 - after export & imp...
Last post by OPNenthu - Today at 12:04:41 AMThere is a GH ticket where the development team is soliciting feedback on use cases where the ability to keep a single-interface floating rule might be needed:
https://github.com/opnsense/core/issues/9652
If either enough voices are added, or if someone finds a use case that can't be solved otherwise, then I think there could be some traction on getting this added back.
Right now it seems the position of the devs is that the single-interface floating rule concept is flawed and existed as a work around to an old problem.
https://github.com/opnsense/core/issues/9652
If either enough voices are added, or if someone finds a use case that can't be solved otherwise, then I think there could be some traction on getting this added back.
Right now it seems the position of the devs is that the single-interface floating rule concept is flawed and existed as a work around to an old problem.
#29
General Discussion / Re: No internet to clients con...
Last post by cookiemonster - January 31, 2026, 11:57:49 PMyes there are some additional settings to add. Please look in the documentation. Actually it is here https://docs.opnsense.org/manual/how-tos/lan_bridge.html#lan-bridge
#30
26.1 Series / 26.1 - after export & import ...
Last post by nzkiwi68 - January 31, 2026, 11:55:06 PMI see what happened.
Because my floating rules only have a single interface referenced, they were migrated to the appropriate interface as LAN or WAN etc interface rules.
However - this is a significant behavior change
The reason I use these rules on floating, is to ensure these block rules are always processed before interface rules. That way, special rules like Spamhaus DROP are always processed before the WAN interface rules. I can reorder WAN rules without fear of accidentally undoing special block rules.
OPNsense firewall processing order (in part):
1. Floating rules first
2. Interface rules second
Lastly, if I then add a 2nd WAN later on, it's very easy with a floating rule to have these block rules apply to WAN and WAN2, etc.
Because my floating rules only have a single interface referenced, they were migrated to the appropriate interface as LAN or WAN etc interface rules.
However - this is a significant behavior change
The reason I use these rules on floating, is to ensure these block rules are always processed before interface rules. That way, special rules like Spamhaus DROP are always processed before the WAN interface rules. I can reorder WAN rules without fear of accidentally undoing special block rules.
OPNsense firewall processing order (in part):
1. Floating rules first
2. Interface rules second
Lastly, if I then add a 2nd WAN later on, it's very easy with a floating rule to have these block rules apply to WAN and WAN2, etc.
