25.4.2 "Business Edition" Upgrade today -> no connection to our main GW or DMZ

Started by Wuensch-AG-Adm, August 28, 2025, 09:41:36 AM

Dear OPNsense community,

For us it's not the first time that, despite running a Business Edition, we are losing some of our connections to our DMZ applications after an upgrade (for example with Suricata, which broke some of our communications if IPS mode wasn't deactivated).
This time, we have simply lost management access to our main GW (Cisco) and the communication with our NATed systems in our DMZs. The NAT for those systems is done on our main gateway (Cisco).

Our routing configuration is really simple: network 0.0.0.0/0 to our main GW (Cisco), and we have a LAN/WAN bridge to use the IPS/IDS/proxy capabilities of OPNsense. Until now this setup has worked flawlessly, but after the upgrade we cannot manage our main GW anymore and our DMZ web apps (resolved by name) aren't accessible anymore.

On our side it's critical because none of our colleagues here can work on any of our apps anymore. I cannot check anything on the main GW because it's not accessible either.

Could someone give me a hint?
We used to believe that the Business Edition is well tested and tailored for the Business environment.

Thank you in advance for your information,

Regards,

Joel.

I can guarantee that this is a problem with version 25.4.2 -> version 25.4.1 works and we will keep using it!

It would be good if the OPNsense team would improve its business version before releasing it.

Can you pinpoint this to a specific behaviour pre and post update?

I'm a bit surprised you've found an issue that is so vague that nobody else ran into it, which could mean it's simply an unreliable configuration quirk. But I'm only guessing here.

25.4.2 is based on 25.1.12. 25.4.1 was based on 25.1.6. We add more fixes to each business release, but there is no magic bullet in the release engineering or strangeness that suddenly appears on 25.1.12 that wouldn't have been there anyway and went undetected at the same time.

Also, this may be what the business support offering is for.


Cheers,
Franco

To me, it seems to be something like (not identical, but similar to) what is described in this post:
https://forum.opnsense.org/index.php?topic=48640.0
And I think that "no one else" is no longer accurate.

I'm vague because I don't have time to mess around and figure out why it isn't working. I will do this in my own time, not during our company's working hours with coworkers who aren't working at that time.

The only thing I can say: with version 25.4.1, the communication with our Cisco main gateway (incl. the connection with the management software) is working flawlessly. We can access our web applications located in our DMZs with name resolution through our own (inside) DNS server. The DMZs are located on the Cisco, and the OPNsense is bridged on the inside of the Cisco interface to ensure the IPS/IDS security of our internal network. All IPs of the DMZs are NATed on the Cisco, and the OPNsense has a route to send everything unknown to the Cisco main gateway (0.0.0.0/0). LAN/WAN are bridged. After the upgrade to 25.4.2 we cannot access the management software of the Cisco gateway (the inside IP of the Cisco is in the same segment as the problematic OPNsense), and the colleagues are receiving timeouts in the browser when they try to access our web applications in the DMZs. I cannot explain everything here because the topology is much more complex: on every tier (DMZs / outside network segment) we have one OPNsense Business on OPNsense hardware. It's a star topology with the Cisco GW in the middle and the satellites / tiers are OPNsense appliances, if you want.
To sum up: with 25.4.2 the forwarding of requests to the NATed addresses (on the Cisco GW) and to the Cisco GW itself isn't done anymore. The routing rule with 0.0.0.0/0 through the Cisco GW isn't correctly applied when the IP addresses are on the same network segment.

Now, I can no longer describe in detail what happened with the help of the logs. This is because I had to use the snapshot function really quickly, as the project managers had directed calls/complaints to our department. All I can say is that nothing was displayed in the live view of the firewall (the request was also made on the Cisco gateway), and I am sure that this is the case with version 25.4.1.

For me, paid business support makes sense when we need an additional feature or something we don't understand technically. But not to fix problems where everything was working fine before and suddenly stopped working after the update/upgrade without any further changes. That can't be part of any business plan. The logic of having a paid stable business version is not followed here. Please don't take us the wrong way, we are an OPNsense customer. But anyway... that's not the subject here.

I'll try again when no one is working on our internal network. I just need to plan it now.

Regards,

Joel.

There are two tests here to consider that are normal procedure for community users:

1. revert the core to test your theory

# opnsense-revert -r 25.4.1

(best to reboot or at least reload the firewall rules)

2. revert the kernel to test your theory

# opnsense-update -kr 25.1.6

(this needs a reboot)

Depending on this we can make assumptions about the change.

If the result is the same it's something else.

Just to make it clear, you're buying a software package, not support time. This here is community support time and, yes, this is the same for everyone.


Cheers,
Franco
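The two revert tests above, driven by a small script that also records whether the two paths the thread says break (management access to the Cisco GW and the NATed DMZ web app) come back after each step. This is an added example, not an OPNsense tool or Franco's own script; GW_MGMT, DMZ_URL and the state file path are placeholders, and `configctl filter reload` is assumed to be the rule-reload command. DRY_RUN=1 (the default) only prints the revert commands.

```shell
#!/bin/sh
# Added example (not an OPNsense tool): drive the two revert tests from the
# post and record whether GW management and the DMZ app are reachable again.
GW_MGMT="${GW_MGMT:-192.0.2.1}"                 # placeholder: Cisco inside/mgmt IP
DMZ_URL="${DMZ_URL:-http://app.dmz.example/}"   # placeholder: NATed DMZ web app
STATE="${STATE:-/var/tmp/bisect-25.4.2.txt}"    # placeholder: result log
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Probe exactly what the thread reports as broken: ICMP to the GW
# management address and a DNS-resolved HTTP fetch of the DMZ app.
probe() {
  if ping -c 1 "$GW_MGMT" >/dev/null 2>&1 &&
     curl -sSf -m 5 -o /dev/null "$DMZ_URL" 2>/dev/null; then
    echo ok
  else
    echo fail
  fi
}

# Interpret the two results the way the post does: core revert restores
# connectivity -> core change; kernel revert does -> kernel; neither -> other.
classify() {
  if [ "$1" = ok ]; then echo core
  elif [ "$2" = ok ]; then echo kernel
  else echo other
  fi
}

case "${1:-}" in
  core)   # test 1: packages only, then reload rules (assumed command) and probe
    run opnsense-revert -r 25.4.1
    run configctl filter reload
    echo "core=$(probe)" >>"$STATE" ;;
  kernel) # test 2: kernel only; a reboot is required before probing
    run opnsense-update -kr 25.1.6
    echo "reboot now, then rerun: $0 verify" ;;
  verify) echo "kernel=$(probe)" >>"$STATE" ;;
  report) # last recorded result of each test, missing ones count as fail
    c=$(sed -n 's/^core=//p' "$STATE" | tail -n1)
    k=$(sed -n 's/^kernel=//p' "$STATE" | tail -n1)
    echo "suspect: $(classify "${c:-fail}" "${k:-fail}")" ;;
esac
```

Run `core`, then (only if the probe still fails) `kernel`, reboot, `verify`, and finally `report`; with DRY_RUN=0 the reverts are actually executed.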