When to migrate to new firewall rules?

Started by mlenje, July 02, 2026, 08:09:11 AM

I just read that the 26.7 release is planned for July 15. Does that mean we need to migrate firewall rules before then?

July 02, 2026, 08:32:16 AM #1 Last Edit: July 02, 2026, 08:47:21 AM by OzziGoblin
I've been worried about this as well, but since the upgrade to 26.1.11 my new rules are populated without my having done anything. Is this by design? Did I miss something again when reading the release notes? :-)

thanks

The new rules are populated with the old rules as read-only; they still only exist in the old rules.

Old rules have a distinct command button that opens the legacy rule page, and cannot be deleted/cloned in the new GUI.

You still have to migrate eventually.

In 26.7 the old rules will be turned into a plugin, so they will still work. No pressure to migrate yet.
Hardware:
DEC740

I recently took the plunge and used the rules migration assistant tool. The UI was a little clunky, but it worked, and the rules migrated to the new format are all working as intended... I've since deleted all the old legacy format rules...
OPNsense 26.1.10-amd64 running on ESXi 6.7 U2 VM, 4Gbytes RAM, 2 x vCPU
frr OSPF + eBGP, IDS, AdGuard Home, mDNS proxy, sftp-backup plugins. OpenVPN, kea DHCP server deployment.

Quote from: Monviech (Cedrik) on July 02, 2026, 10:33:27 AM
In 26.7 the old rules will be turned into a plugin, so they will still work. No pressure to migrate yet.

I don't like depending on stuff that's moved to a plug-in so I guess it's time to migrate before the 26.7 upgrade :)

I did the same with ISC and moved to KEA before the 26.x upgrade to avoid the plug-in weirdness that some people who did not follow the same plan as I did eventually had, so I was very happy with my choice!

And it looks like I might have to do the same with the Outbound NAT to Source NAT migration according to the 26.1.11 Release Notes so it's going to be very interesting the next couple of weeks :P
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Just did the migration of the rules and NAT rules. It was a matter of exporting & importing them using the migration assistant, then a review audit of the rules, along with testing that connectivity was as expected. Indeed all worked correctly. I had tried this a few months ago, and it was such a bad experience that I just reverted to the backup, and in an earlier forum chat, I concluded that I'd leave this till December / January. But now that it's done, things will hopefully be smoother moving forward with the upgrades, and any changes.

Took the plunge yesterday, two sites with all precautions (backup and snapshot) taken care of. Firewall rules and Outbound/Source NAT transition worked out just fine - the migration assistant did its job very well.