Recent posts

#81
26.1 Series / Re: New firewall rule interfac...
Last post by Monviech (Cedrik) - January 31, 2026, 08:04:57 PM
Hey, that is a pretty cool use case. I didn't think of using it this way with multiple categories in such a descriptive way. Nice :)
#82
26.1 Series / Re: Suricata - Divert (IPS)
Last post by RamSense - January 31, 2026, 08:04:41 PM
Oh? Thanks for sharing. My assumption was that it was something like this: the divert rule -> suricata allows -> on to the next firewall rule in wan in line, but not allow all.
That makes this divert rather different than a "blocklist" block and on to the next rule concept...
#83
26.1 Series / Re: Old rules deprecation
Last post by OPNenthu - January 31, 2026, 07:59:52 PM
I guess "rulenr" is the volatile one?

I don't understand why it would change unless you add/remove rules, in which case a reordering of the rule numbers would be called for. 🤷
#84
Q-Feeds (Threat intelligence) / Re: Q-Feeds blocks the Tor Bro...
Last post by Q-Feeds - January 31, 2026, 07:47:19 PM
Thank you very much for bringing this to our attention. We will investigate the options.

Kind Regards,

Stefan
#85
26.1 Series / Re: Suricata - Divert (IPS)
Last post by jeffrey0 - January 31, 2026, 07:38:04 PM
Quote from: greY on January 31, 2026, 07:24:15 PM
Quote from: xpendable on January 31, 2026, 05:01:28 PM
For me my rule is simple, a new rule in Rules [New] on the WAN interface coming in to pass all traffic and Divert-to set to Intrusion Detection. This basically replicates my previous setup by capturing all packets for inspection, I don't want it to be more granular, maybe in an enterprise environment but not my homelab. The order is up to you, place the rule accordingly based on your other rules for the WAN interface.

NOTE: Divert-to is hidden and is only available in the "Advanced Mode", so be sure to enable that in the top left corner of the new rule dialog.

I use the WAN interface and add my ISP router's IP address to Home Networks in the suricata config, as far as I am aware this is the best method when using an IPS. As when on the LAN interface you may get more false positives and a lack of detections since that interface is on your internal network. Intrusion attempts come from the external network in most cases, especially for homelab environments.

https://docs.opnsense.org/manual/ips.html#general-setup
https://docs.opnsense.org/manual/ips.html#advanced-options

Be careful: a broad WAN "pass any + divert-to" rule will effectively allow all inbound traffic on WAN. That can expose services running on OPNsense itself (e.g. SSH, DNS, GUI) to the internet.

It likely makes more sense to apply divert-to only on the specific WAN allow rules / opened ports you actually intend to expose.



Thank you very much for this information!
#86
26.1 Series / Re: New firewall rule interfac...
Last post by TheRealDoug - January 31, 2026, 07:24:45 PM
I use them to group different rules together and can see them visually.
#87
26.1 Series / Re: Suricata - Divert (IPS)
Last post by greY - January 31, 2026, 07:24:15 PM
Quote from: xpendable on January 31, 2026, 05:01:28 PM
For me my rule is simple, a new rule in Rules [New] on the WAN interface coming in to pass all traffic and Divert-to set to Intrusion Detection. This basically replicates my previous setup by capturing all packets for inspection, I don't want it to be more granular, maybe in an enterprise environment but not my homelab. The order is up to you, place the rule accordingly based on your other rules for the WAN interface.

NOTE: Divert-to is hidden and is only available in the "Advanced Mode", so be sure to enable that in the top left corner of the new rule dialog.

I use the WAN interface and add my ISP router's IP address to Home Networks in the suricata config, as far as I am aware this is the best method when using an IPS. As when on the LAN interface you may get more false positives and a lack of detections since that interface is on your internal network. Intrusion attempts come from the external network in most cases, especially for homelab environments.

https://docs.opnsense.org/manual/ips.html#general-setup
https://docs.opnsense.org/manual/ips.html#advanced-options

Be careful: a broad WAN "pass any + divert-to" rule will effectively allow all inbound traffic on WAN. That can expose services running on OPNsense itself (e.g. SSH, DNS, GUI) to the internet.

It likely makes more sense to apply divert-to only on the specific WAN allow rules / opened ports you actually intend to expose.

#88
26.1 Series / Re: [26.1_4] New Firewall rule...
Last post by Tubs - January 31, 2026, 07:14:31 PM
Solved.
I am not sure if this was the reason, but I deleted some non-standard characters in the description fields.
Now all rules are imported.
#89
26.1 Series / Re: Another smooth upgrade exp...
Last post by MCMLIX - January 31, 2026, 07:09:46 PM
I also just updated. 25.7.11_9 to 26.1_4 and all seems good. I migrated my rules to Rules(New) and it seems ok. I use Proxmox Virtual Environment 9.1.4. I was worried when it took awhile to reboot, but made a cup of tea and it had rebooted when I returned.

Thank you OPNsense Team for all your work!
#90
26.1 Series / Re: MiniUPNPD
Last post by obiwantoby - January 31, 2026, 07:07:48 PM
Assuming this is going to make it into the next hot fix, not in the commit history for 26.1 yet?