Recent posts

#81
26.1 Series / Re: Firewall rules migration
Last post by Monviech (Cedrik) - January 23, 2026, 03:48:54 PM
There is no automatic migration of firewall rules. Both the new and the old component are fully functional side by side.

So don't worry about upgrading; nothing will change.

After the upgrade there will be a migration assistant you can choose (or not yet choose) to follow. No rush.
#82
26.1 Series / Re: Firewall rules migration
Last post by agh1701 - January 23, 2026, 03:43:11 PM
Is there a page of migration instructions that we can review prior to upgrade?
#83
25.7, 25.10 Series / Re: Setting up VLAN
Last post by meyergru - January 23, 2026, 03:42:23 PM
There are multiple purposes for VLANs; it seems you misunderstood the concept.

Basically, a VLAN, as its name suggests, is a virtual network that is created on top of an existing physical network connection, but logically separated from it.

This can be used in order to separate the logical WAN internet connection over a VLAN (potentially with PPPoE) from the connection to the media converter (DSL modem or ONT) web interface. That is the reason why many ISPs choose to use internet connections via a VLAN, like Odido with VLAN 300.

On the other hand, with a local manageable switch, you can connect to your router via a "trunk" port that carries multiple (tagged or untagged) VLANs. The switch can then be configured to split these (V)LANs out to different untagged ports that are set to one specific VLAN. That way, the switch can act like multiple switches, one for each VLAN, effectively separating multiple local networks.

The latter is what you probably wanted, but you may see right now why it cannot be done when you create new VLANs on the WAN port: they must be set on the LAN port. There is no additional VLAN on WAN, because you only have two:

a. VLAN 300 for your internet connection
b. The untagged WAN to access your media converter

You would not connect anything else to your WAN port, would you?
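To make the trunk/access-port behaviour above concrete, here is an added example (not code from the thread or from OPNsense) in Python: a minimal 802.1Q tag parser plus a model of a managed switch that receives tagged frames on a trunk port and hands each one, untagged, to the access port assigned to that VLAN. The port names, the VLAN IDs 10 and 20 and the sample frame are constructed for illustration; only VLAN 300 comes from the post. The router side (the OPNsense VLAN interface on the LAN parent) tags and untags in exactly the same way, which is why the trunk has to be on the LAN parent and not on WAN.

```python
"""802.1Q tagging and a trunk-to-access-port demux (added illustration)."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an untagged Ethernet II frame (used for constructed samples)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into dst, src, optional 802.1Q tag, EtherType and payload.

    Untagged frames yield vid=None. A tagged frame carries 4 extra bytes after
    the source MAC: TPID 0x8100, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits).
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag: what an access port does on ingress towards the trunk."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag: what an access port does on egress."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


class VlanSwitch:
    """One trunk port carrying tagged VLANs, plus untagged access ports (one VLAN each)."""

    def __init__(self, trunk_vlans, access_ports):
        self.trunk_vlans = set(trunk_vlans)      # VIDs allowed (tagged) on the trunk
        self.access_ports = dict(access_ports)   # port name -> VID it is untagged in

    def from_trunk(self, frame: bytes):
        """Frame arriving on the trunk: list of (access port, untagged frame)."""
        vid = parse_frame(frame)["vid"]
        if vid is None or vid not in self.trunk_vlans:
            return []    # untagged or unknown VLAN on the trunk: dropped
        return [(port, strip_tag(frame))
                for port, port_vid in self.access_ports.items() if port_vid == vid]

    def to_trunk(self, port: str, frame: bytes) -> bytes:
        """Untagged frame entering an access port leaves the trunk tagged with that port's VID."""
        return add_tag(frame, self.access_ports[port])


# Constructed sample: a broadcast ARP-ish frame from a made-up MAC address.
SAMPLE = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("021122334455"),
                     0x0806, b"constructed payload")

if __name__ == "__main__":
    sw = VlanSwitch(trunk_vlans=[10, 20], access_ports={"port2": 10, "port3": 20})
    print("tagged for VLAN 10 ->", sw.from_trunk(add_tag(SAMPLE, 10)))
    print("tagged for VLAN 300 ->", sw.from_trunk(add_tag(SAMPLE, 300)))  # no such LAN VLAN
    print("VID on trunk from port3 ->", parse_frame(sw.to_trunk("port3", SAMPLE))["vid"])
```

The last two lines of the demo are the point of the thread: a frame tagged with a VLAN the switch has no access port for goes nowhere, and an IoT VLAN created on the WAN parent would be exactly that kind of orphan, because nothing on the WAN side is configured to untag it.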
#84
25.7, 25.10 Series / Setting up VLAN
Last post by JustSecure - January 23, 2026, 03:26:59 PM
Hello everybody,

I'm new on the forum, and new to OPNsense in general. I'm not new to tech, though.

So for my question: I have set up an OPNsense router on this hardware.

Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz (2 cores, 4 threads), 8GB. It's an old OptiPlex 3020.
I stuck an extra NIC in there and set up everything for my provider Odido (NL).
They require that I make a VLAN with tag 300 (vlan02 odido); I assigned that VLAN to my WAN interface.
I also have the LAN interface (em0).

Everything works as expected. I have installed Zenarmor and AdGuard Home; again, this all works.

But now I wanted to make a separate VLAN for my IoT/hacking adventures; my kid likes it a lot.
So I made a VLAN which I pointed to my WAN interface. I thought everything worked; I did apply all changes. But after some time all internet stopped working altogether. It was late in the evening, so I even had to drag a monitor and keyboard over since I didn't have SSH opened.
I did reset all the VLANs and re-applied them.

Maybe somebody can explain what I did wrong? Or maybe help me set up this extra VLAN.

Thanks in advance.
#85
26.1 Series / Destination NAT and Firewall R...
Last post by thebraz - January 23, 2026, 02:29:39 PM
First of all... upgrade to RC1 succeeded.
Applied all the patches mentioned in the other thread.
Migrated all the old rules to the new ones following the 5 steps of the Migration Assistant: done.
OpenVPN Instance and port forwarding rules (now Destination NAT) all working (also the ones using Aliases).
Not tried the Shaper yet.

I'd have a question: in the OpenVPN section and in the WAN section of the Rules (new) I find rules that are already present in Destination NAT.
Furthermore, if a rule is disabled in Destination NAT but enabled in the WAN section of Rules (new), the thing doesn't work till I enable it in Destination NAT.

I find the apparent "duplication" of rules confusing; could someone please help me clarify the function of the two sections and why rules are present in both?

Thanks in advance
#86
General Discussion / Re: Forum connection issues
Last post by mooh - January 23, 2026, 02:28:29 PM
On a side note, I had lots of TLS handshake timeouts with fontawsome.com in the last 2 days (Firefox 140). Luckily, they can be blocked without defects to the site using NoScript...
#87
26.1 Series / Re: Upgrade to RC1 successful
Last post by Ametite - January 23, 2026, 02:27:29 PM
From my side all seems working well, upgraded from 25.7.11_2 to 26.1-RC1.
I've already tested IPsec, BIND, Unbound, BGP with FRR, WireGuard, OVPN, CrowdSec, Suricata, and other plugins less deeply.
FW rules migrated completely.
The only thing that I noticed is that the auto-generated floating rules are visible correctly only on old rules, in the new section I see some blank rules.

I would also ask about the difference between NAT outbound rules and SNAT.
Thanks :)

⚠️ EDIT: it seems that the apparently blank floating rules were in fact a very dangerous "any to any", and I rolled back to a snapshot this time to be 100% sure that all is properly blocked as before.
#88
25.7, 25.10 Series / Re: openvpn instances
Last post by viragomann - January 23, 2026, 01:49:46 PM
OPNsense provides automatically generated aliases for the interface addresses, which you can use for translation in an outbound NAT rule.

So "WAN1 address" (PPPoE) should be the current PPPoE IP at any time, as should "WAN2 address".
#89
General Discussion / Re: I appear to have a hardwar...
Last post by pasha-19 - January 23, 2026, 01:49:16 PM
I will proceed accordingly and install the change. Sorry I missed the clarification.
#90
General Discussion / Re: Where is TCP processed - C...
Last post by chemlud - January 23, 2026, 01:36:40 PM
Weekly Tumbleweed updates: on starting the update download, for a very short moment I see the download at 5.6 MiB/s, which immediately collapses to 300-400 KiB/s and persists at that creepy bandwidth.

What is going on here? FAST has 10.6 MiB/s with the same servers at the same time.

PS: Just for the record: Confirmed again that both machines use identical, hard-coded update servers.

What can downgrade HTTPS for a specific client? Fingerprinting, ID of install, whatever?