Recent posts

#81
26.1 Series / Re: RC1: hundreds of rc.newwan...
Last post by meyergru - January 27, 2026, 11:40:11 AM
IDK if this is related, but just now, after ~16 hours of running time, my system crashed and rebooted silently (no core dumps or anything and nothing in the crash reporter).

After startup, I find a host of these messages in the logs:

/usr/local/opnsense/scripts/health/updaterrd.php: The command </usr/local/bin/rrdtool create '/var/db/rrd/wireguard-traffic.rrd' --step 0 DS:'inpass:COUNTER:120:0:2500000000' DS:'outpass:COUNTER:120:0:2500000000' DS:'inblock:COUNTER:120:0:2500000000' DS:'outblock:COUNTER:120:0:2500000000' DS:'inpass6:COUNTER:120:0:2500000000' DS:'outpass6:COUNTER:120:0:2500000000' DS:'inblock6:COUNTER:120:0:2500000000' DS:'outblock6:COUNTER:120:0:2500000000' RRA:'AVERAGE:0.5:1:1200' RRA:'AVERAGE:0.5:5:720' RRA:'AVERAGE:0.5:60:1860' RRA:'AVERAGE:0.5:1440:2284'> returned exit code 1 and the output was "ERROR: step size: value must be positive"

I also have remote logging for that system. Nothing particular shows before the reboot:

#82
26.1 Series / Re: New rule system
Last post by Seimus - January 27, 2026, 11:27:06 AM
I thought reStructured supported flow diagrams (but maybe I am making things up).

It is a bit lousy, yes, but it also says a lot.

Anyway, got ya. But it's something that sooner or later would be worthwhile.

Regards,
S.
#83
26.1 Series / Re: New rule system
Last post by Monviech (Cedrik) - January 27, 2026, 11:19:00 AM
The packet diagram is a bit lossy; there are quite a few more invariants that would create a huge flow diagram. Not sure I can build that correctly in the docs, and a picture wouldn't be easily maintainable.

So for now I keep it in that forum post.
#84
Apologies. I did find a reply from Franco.

It can be disabled but not deleted, from a previous post.

Feel free to delete or lock this.
#85
26.1 Series / Re: New rule system
Last post by Seimus - January 27, 2026, 11:02:00 AM
In regards to rule processing order (other than in the docs, it's correct), there is also a packet flow process diagram made by @Cedrik some time ago, but kept updated.

https://forum.opnsense.org/index.php?topic=36326.0

This helps if you need to visualize how a packet will be processed across the pipelines. And from what I have seen and tested, it's correct.

@Cedrik
Maybe it would be great to have this in the official docs as well, because this is extremely helpful for understanding and troubleshooting.

Regards,
S.
#86
"When in doubt use brute force."

-- Ken Thompson

- download configuration backup
- open XML in text editor
- carefully remove cron job
- reimport configuration backup

HTH,
Patrick
#87
Versions
OPNsense 25.10.1_2-amd64
FreeBSD 14.3-RELEASE-p7
OpenSSL 3.0.18

I scanned back 5 pages to see if this had been answered. I am unable to delete the top rule for updating IDS rules.
I've stopped the service, enabled the service. It will not delete.

I can delete the dns block list cron below and recreate it without any issues.
#88
26.1 Series / Re: New rule system
Last post by meyergru - January 27, 2026, 10:41:14 AM
I have switched those "PASS" settings out for associated rules. However, those will get disassociated during upgrade to 26.1. You will have to take care of their management manually further on (as indicated by the "MANUAL" setting in the NAT rule).
#89
26.1 Series / Re: New rule system
Last post by Patrick M. Hausen - January 27, 2026, 10:30:34 AM
Quote from: meyergru on January 27, 2026, 10:22:50 AM
You are misunderstanding: Floating rules were never processed before a port forward with "PASS". We only assumed that this was the case - it never was.

If you look at the rule processing order documentation:

https://docs.opnsense.org/manual/firewall.html#processing-order

there is this large warning:

Quote: NAT rules are always processed before filter rules! So for example, if you define a NAT : Destination NAT (Port Forwarding) rule without an associated rule, i.e. Filter rule association set to Pass, this has the consequence that no other rules will apply!

But also at the top there is the general order with the "boxes":

System defined --> Floating --> Interface Groups --> Interfaces


@meyergru and I, based on this, both assumed that the "NAT before filtering" applies inside each box, respectively. So:

Floating NAT --> Floating Filtering --> Interface Groups NAT --> Interface Groups Filtering --> ...


Unfortunately, we were both equally mistaken. NAT rules are *globally* applied first and always were. That leaves the question in which situations the "Pass" mechanism might be useful at all.


Kind regards,
Patrick
#90
26.1 Series / Re: New rule system
Last post by meyergru - January 27, 2026, 10:22:50 AM
You are misunderstanding: Floating rules were never processed before a port forward with "PASS". We only assumed that this was the case - it never was.