"Recent posts
#81
26.1 Series / Re: RC1: hundreds of rc.newwan...
Last post by meyergru - January 27, 2026, 11:40:11 AMIDK if this is related, but just now, after ~16hour of running time, my system crashed and rebooted silently (no core dumps or anything and nothing in the crash reporter).
After startup, I find a host of these messages in the logs:
I also have remote logging for that system. Nothing particular shows before the reboot:
You cannot view this attachment.
After startup, I find a host of these messages in the logs:
Code Select
/usr/local/opnsense/scripts/health/updaterrd.php: The command </usr/local/bin/rrdtool create '/var/db/rrd/wireguard-traffic.rrd' --step 0 DS:'inpass:COUNTER:120:0:2500000000' DS:'outpass:COUNTER:120:0:2500000000' DS:'inblock:COUNTER:120:0:2500000000' DS:'outblock:COUNTER:120:0:2500000000' DS:'inpass6:COUNTER:120:0:2500000000' DS:'outpass6:COUNTER:120:0:2500000000' DS:'inblock6:COUNTER:120:0:2500000000' DS:'outblock6:COUNTER:120:0:2500000000' RRA:'AVERAGE:0.5:1:1200' RRA:'AVERAGE:0.5:5:720' RRA:'AVERAGE:0.5:60:1860' RRA:'AVERAGE:0.5:1440:2284'> returned exit code 1 and the output was "ERROR: step size: value must be positive"
I also have remote logging for that system. Nothing particular shows before the reboot:
You cannot view this attachment.
#82
26.1 Series / Re: New rule system
Last post by Seimus - January 27, 2026, 11:27:06 AMI thought reStructured supported flow diagrams (but maybe I am making things up).
It is bit lousy yes, but it as well says a lot.
Anyway got ya. But its something that sooner or later would be worth a while.
Regards,
S.
It is bit lousy yes, but it as well says a lot.
Anyway got ya. But its something that sooner or later would be worth a while.
Regards,
S.
#83
26.1 Series / Re: New rule system
Last post by Monviech (Cedrik) - January 27, 2026, 11:19:00 AMThe packet diagram is a bit lossy, there are quite a few more invariants that would create a huge flow diagram. Not sure I can build that correctly in the docs, and a picture wouldn't be easy maintainable.
So for now I keep it in that forum post.
So for now I keep it in that forum post.
#84
Intrusion Detection and Prevention / Re: unable to delete cron job ...
Last post by DEC740airp414user - January 27, 2026, 11:03:57 AMapologies. I did find a reply from Franco
it can be disabled but not deleted, from a previous post
feel free to delete or lock this
it can be disabled but not deleted, from a previous post
feel free to delete or lock this
#85
26.1 Series / Re: New rule system
Last post by Seimus - January 27, 2026, 11:02:00 AMIn regards of rule process order (other than in the docs its correct) there is as well a packer flow process diagram made by @Cedrik some time ago, but kept updated.
https://forum.opnsense.org/index.php?topic=36326.0
This helps if you need to visualize how a packet will be processed across the pipelines. And from what I have seen and tested its correct.
@Cedrik
Maybe it would be great to have this in the official docs as well, cause this is extremely helpful for understanding and T-shooting.
Regards,
S.
https://forum.opnsense.org/index.php?topic=36326.0
This helps if you need to visualize how a packet will be processed across the pipelines. And from what I have seen and tested its correct.
@Cedrik
Maybe it would be great to have this in the official docs as well, cause this is extremely helpful for understanding and T-shooting.
Regards,
S.
#86
Intrusion Detection and Prevention / Re: unable to delete cron job ...
Last post by Patrick M. Hausen - January 27, 2026, 10:59:00 AM"When in doubt use brute force."
-- Ken Thompson
- download configuration backup
- open XML in text editor
- carefully remove cron job
- reimport configuration backup
HTH,
Patrick
-- Ken Thompson
- download configuration backup
- open XML in text editor
- carefully remove cron job
- reimport configuration backup
HTH,
Patrick
#87
Intrusion Detection and Prevention / unable to delete cron job afte...
Last post by DEC740airp414user - January 27, 2026, 10:56:35 AMVersions
OPNsense 25.10.1_2-amd64
FreeBSD 14.3-RELEASE-p7
OpenSSL 3.0.18
I scanned back 5 pages to see if this had been answered. I am unable to delete the top rule for updating IDS rules.
I've stopped the service, enabled the service. it will Not delete.
I can delete the dns block list cron below and recreate it without any issues.
OPNsense 25.10.1_2-amd64
FreeBSD 14.3-RELEASE-p7
OpenSSL 3.0.18
I scanned back 5 pages to see if this had been answered. I am unable to delete the top rule for updating IDS rules.
I've stopped the service, enabled the service. it will Not delete.
I can delete the dns block list cron below and recreate it without any issues.
#88
26.1 Series / Re: New rule system
Last post by meyergru - January 27, 2026, 10:41:14 AMI have switched those "PASS" settings out for associated rules. However, those will get disassociated during upgrade to 26.1. You will have to take care of their management manually further on (as indicated by the "MANUAL" setting in the NAT rule).
#89
26.1 Series / Re: New rule system
Last post by Patrick M. Hausen - January 27, 2026, 10:30:34 AMQuote from: meyergru on January 27, 2026, 10:22:50 AMYou are misunderstanding: Floating rules were never processed before a port forward with "PASS". We only assumed that this was the case - it never was.
If you look at the rule processing order documentation:
https://docs.opnsense.org/manual/firewall.html#processing-order
there is this large warning:
QuoteNAT rules are always processed before filter rules! So for example, if you define a NAT : Destination NAT (Port Forwarding) rules without a associated rule, i.e. Filter rule association set to Pass, this has the consequence, that no other rules will apply!
But also at the top there is the general order with the "boxes":
System defined --> Floating --> Interface Groups --> Interfaces
@meyergru and myself based on this both assumed that the "NAT before filtering" applies inside each box, respectively. So:
Floating NAT --> Floating Filtering --> Interface Groups NAT --> Interface Groups Filtering --> ...
Unfortunately we were equally both mistaken. NAT rules are *globally* applied first and always were. That leaves the question in which situations the "Pass" mechanism might be useful at all.
Kind regards,
Patrick
#90
26.1 Series / Re: New rule system
Last post by meyergru - January 27, 2026, 10:22:50 AMYou are misunderstanding: Floating rules were never processed before a port forward with "PASS". We only assumed that this was the case - it never was.
