"Recent posts
#81
General Discussion / Re: No internet to clients con...
Last post by pfry - February 01, 2026, 04:26:43 PMI may not be following your precise configuration. Is the AP in bridge mode?
Context: I have a similar setup: multiple bridges on an OPNsense firewall, with a Linksys MX8500 running OpenWRT connected to one bridge. The MX8500 is also in bridge mode - that is, the wireless radios are attached to a bridge which contains the Ethernet interface connected to the firewall; it (the radio bridge on the AP) has no IP address assigned and no DHCP client (or server, of course) running. (For completeness I have a second bridge on the MX8500 for management which is not accessible from the client/radio bridge, which is a DHCP client, connected to a different bridge on the firewall.)
Context: I have a similar setup: multiple bridges on an OPNsense firewall, with a Linksys MX8500 running OpenWRT connected to one bridge. The MX8500 is also in bridge mode - that is, the wireless radios are attached to a bridge which contains the Ethernet interface connected to the firewall; it (the radio bridge on the AP) has no IP address assigned and no DHCP client (or server, of course) running. (For completeness I have a second bridge on the MX8500 for management which is not accessible from the client/radio bridge, which is a DHCP client, connected to a different bridge on the firewall.)
#82
26.1 Series / Re: Anti-Lockout Rule (Destina...
Last post by meyergru - February 01, 2026, 04:20:22 PMI have the Anti-Lockout rules enabled and administration on all interfaces, too. During 26.1 upgrade, two separate non-editable rules have shown up on top of the destination NAT rules, for IPv4 and IPv6. The source interface for both is LAN.
I have done no rules migration to new rules and also created no new rules. Reflection settings are all on in "Firewall: Settings: Advanced".
SSH and Web GUI are not open on WAN.
I have done no rules migration to new rules and also created no new rules. Reflection settings are all on in "Firewall: Settings: Advanced".
SSH and Web GUI are not open on WAN.
#83
26.1 Series / updated to 26.1_4, exported an...
Last post by coffeecup25 - February 01, 2026, 04:15:37 PMI updated to 26.1_4 with no issues. Very smooth. I exported my current rules, all 6 or so of them, into a csv. I tried to upload the csv into the new screen. Yes, I imported them in the right place. Yes I clicked 'Apply'. Yes, the csv had records.
Nothing happened. I did it 2x. Nothing happened. I rebooted. Nothing happened.
My rules are default LAN rules, default LAN rules copied to IOT and edited. Then rules in both to restrict LAN from IOT and vice versa.
Whatever other rules that might be there are the ones that came from the base install. No idea about them.
So how is this thing supposed to work as a simple import doesn't appear to do anything?
Happily, I tried the upgrade and migration on a backup router.
EDIT:
Like the other post, I found the check box.
I don't mean to be rude, but somebody needs to work on that screen a little more. It was already checked so why would I check a box that alread has a check mark???
I wasted an hour on this.
Nothing happened. I did it 2x. Nothing happened. I rebooted. Nothing happened.
My rules are default LAN rules, default LAN rules copied to IOT and edited. Then rules in both to restrict LAN from IOT and vice versa.
Whatever other rules that might be there are the ones that came from the base install. No idea about them.
So how is this thing supposed to work as a simple import doesn't appear to do anything?
Happily, I tried the upgrade and migration on a backup router.
EDIT:
Like the other post, I found the check box.
I don't mean to be rude, but somebody needs to work on that screen a little more. It was already checked so why would I check a box that alread has a check mark???
I wasted an hour on this.
#84
General Discussion / Re: No internet to clients con...
Last post by nero355 - February 01, 2026, 04:09:25 PMQuote from: darkencraft on February 01, 2026, 12:08:44 AMso all the wired devices that are connected to the bridge port works fine.If that is the case then you need to figure out what is going on at your Omada Accesspoint ?!
the problem is the wifi clients not having access to internet, which i cannot figure out what else i need to tweak in opnsense configs.
For example : If the WiFi SSID has Tagged VLAN setup instead of just using the Native/Untagged VLAN then the Clients obviously won't have any Internet Access in this new setup :)
And just to be sure :
- Did you setup new Firewall Rules similar to those that the LAN network has by Default ?
- DHCP settings are also adjusted ?
Quote from: darkencraft on January 31, 2026, 10:30:19 PM(yes, I can remove bridge and set up wifi AP underneath the switch, but this means i need to buy a switch with more ports. So before I actually decide on spending more money, I want to try if I can some how work with current setup)For what's it worth :
I really like having each NIC dedicated to one of my VLAN's in OPNsense :
- eth0 = WAN
- eth1 = Untagged Port for LAN a.k.a. VLAN 1
- eth2 = Untagged Port for VLAN 10 Network
- eth3 = Tagged Port for a small Guest VLAN network and in the future maybe some other stuff...
(This last one is not recommended by many, but I was curious to see how it would work and what is different (or not) compared to the WAN Tagged VLAN setup...)
For a cheap small 8-port Switch there are TP-Link and Netgear options and both have '108E' in their model name.
#85
25.7, 25.10 Series / Re: Seting up Vlan
Last post by JustSecure - February 01, 2026, 04:05:25 PMQuote from: nero355 on January 30, 2026, 03:22:55 PMQuote from: JustSecure on January 30, 2026, 02:51:32 PMAfter reading it all, i have ordered a TP-Link TL-SG105E. This should hook me up properly.Usually the 8-port version is pretty much the same price, but the 5-port version is OK too ofcourse! :)
Yeah for my needs it just enough.
I changed the whole setup put cables around but now its running fine. Thanks to all your answers, setup is now.
so i made a IOT/Vlan Which is seperated from all other lans/wans. made some firewall rules to permit the localVM(inside Vlan) ssh and all. Hooked up a spare 2,4 ghz zyxel as my IOT-WIFI. its riddled with bugs, but they can only be abused locally thru telnet for instance. everything is of on there except wifi. no dhcp, no remote, no telnet or ssh.
the switch has 1 uplink offcourse. port 2 and 3 are on my main lan. port 4 and 5 Vlan. (1 port left)
Today im switching everything "smartIOT" over to the "safe" wifi :P
everything hooked up and ready.
Even found a old IPcam, which when booted screams something in chinese. think its hacked, now it got time to check it.
#86
General Discussion / Re: No internet to clients con...
Last post by darkencraft - February 01, 2026, 04:00:41 PMComing back from some more additional findings:
When I ping OPN (192.168.1.1) from wifi device (internet not working), I can see from OPN packet capture that ARP who is request (from wifi device) and ARP reply (from OPN) are being sent.
But after this OPN packet capture does not see ICMP echo request from wifi device.
I compared this behavior with wifi device pinging an other internal device (ie. my NAS). In the OPN capture, I see ARP request/reply, followed by ICMP packet echo request/reply.
Based on this and "considering that wifi device works fine when OPN not in bridging ports", could there be cirmcumstances where:
1. Although ARP reply is sent an OPN packet capture, it is blocked by firewall rules, and never reached to the wifi device
2. Or, ICMP echo request was sent from the wifi device, but firewall rules blocking the ICMP request to OPN (but passing any other ICMP request to internal devices), therefore OPN capture not seeing any ICMP request coming in.
Is there anyway to verify 1 and 2? Or any other ideas?
When I ping OPN (192.168.1.1) from wifi device (internet not working), I can see from OPN packet capture that ARP who is request (from wifi device) and ARP reply (from OPN) are being sent.
But after this OPN packet capture does not see ICMP echo request from wifi device.
I compared this behavior with wifi device pinging an other internal device (ie. my NAS). In the OPN capture, I see ARP request/reply, followed by ICMP packet echo request/reply.
Based on this and "considering that wifi device works fine when OPN not in bridging ports", could there be cirmcumstances where:
1. Although ARP reply is sent an OPN packet capture, it is blocked by firewall rules, and never reached to the wifi device
2. Or, ICMP echo request was sent from the wifi device, but firewall rules blocking the ICMP request to OPN (but passing any other ICMP request to internal devices), therefore OPN capture not seeing any ICMP request coming in.
Is there anyway to verify 1 and 2? Or any other ideas?
#87
26.1 Series / Re: Anti-Lockout Rule (Destina...
Last post by Patrick M. Hausen - February 01, 2026, 03:58:27 PMPossibly a bad interaction of anti-lockout and NAT reflection? I use neither, sorry.
#88
26.1 Series / Re: Nextcloud Backup creates m...
Last post by Patrick M. Hausen - February 01, 2026, 03:57:28 PMThis is completely unusable. I have to revamp my entire backup strategy for >10 firewalls.
At the very least use readable timestamps for which alphabetical and chronological order is identical like YYYY-MM-dd-hh:mm:ss or similar.
I backup half a dozen of firewalls to the same Nextcloud directory - how am I going to tell them apart without the hostname in the file name?
EDIT: I'll switch to git I guess. I stopped using git because performing a local config rollback breaks the connection of the local and the upstream repo with a merge conflict, but probably one can work around that. Having one properly time stamped file every 24 hours was perfect.
At the very least use readable timestamps for which alphabetical and chronological order is identical like YYYY-MM-dd-hh:mm:ss or similar.
I backup half a dozen of firewalls to the same Nextcloud directory - how am I going to tell them apart without the hostname in the file name?
EDIT: I'll switch to git I guess. I stopped using git because performing a local config rollback breaks the connection of the local and the upstream repo with a merge conflict, but probably one can work around that. Having one properly time stamped file every 24 hours was perfect.
#89
26.1 Series / Re: os-isc-dhcp-1.0_3 failed t...
Last post by iorx - February 01, 2026, 03:56:00 PMFWIW: I mocked around a bit with removing, changing and adding static mappings. Worked as intended.
#90
26.1 Series / Re: Anti-Lockout Rule (Destina...
Last post by RamSense - February 01, 2026, 03:55:21 PMLooks like a bug, when I place a block rule on wan port 444 I can still externally reach the OPNsense gui:
