New rule system

Started by tessus, January 25, 2026, 03:06:56 AM

Another way to force priority changes:

- Fake Floating: Add a random loopback interface in addition to any single-interface rule

- Fake Group: Add a new firewall group with a single interface

Or you change the approach how you build your ruleset.
Hardware:
DEC740

Thanks for all the replies. I am still trying to understand what the new interface will look like. Are annotated before/after screenshots of all the changes available? I read the link Franco provided about the processing order when I started to use OPNsense (many years ago), but since I do not use "Rule Automation", the overall processing order documentation was much more helpful to me back then.

While I could glean that the changes mostly pertain to the automation rules and UI, a bunch of posts suggested that the order of other rules (interface, floating, NAT) will change with 26.1.

If this is not the case and if everything will still work without changes when I do not use automation, this can be closed from my side. (Although I am still interested in the current discussion about automation as well.)

However, if there's anything in the UI and/or processing order that will change for anything but automation, I would like to repeat my question: how exactly does it change and what is the difference to the current UI and/or processing order?

Today at 02:09:47 AM #17 Last Edit: Today at 02:23:54 AM by OPNenthu
@tessus The "Automation" rules UI in 25.7 has been moved to "Rules [new]" in 26.1.  The idea is that this UI (regardless of whether you use automation or not) will eventually replace the legacy Rules UI.  I think what we're talking about here will eventually affect everyone, but not for a while.

What I'm hearing from the responses so far is that nothing changes except for the ability to set Floating rules on a single, specific interface.  That is a loss in flexibility with the new rules system, but I don't know if it will be a big deal or not.  If that doesn't affect you then you can happily use the new system.

I don't think anything is changed in the old rules system so if you're still using that you're good for now.  The concerns people had around NAT and rule order impacts were regarding the new rules system and those turned out to be incorrect as @meyergru explained to me.

I added a feature request: https://github.com/opnsense/core/issues/9652

If this gets rejected, so be it.  I don't know what limitations or challenges there are to doing this with the new MVC approach.

Thanks @OPNenthu

Quote from: OPNenthu on Today at 02:09:47 AM: nothing changes except for the ability to set Floating rules on a single, specific interface.

Yep, this might be bad for me. I actually use quite a few of those.

Of course I could move them to the specific interface, but I used the floating rules UI for a reason. It is easier and more convenient to have an overview, especially if you want to clone a rule for a new interface. You don't have to click on every interface to find the rule.
The workaround to create groups with a single interface is a massive overhead in terms of administration. Why not support a single interface instead?

Anyway, I am sure I will adapt. I just hope it's not too much work and that the result won't be less intuitive and convenient.
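Before deciding between moving such rules to the interface tabs or wrapping each interface in a single-member group, it helps to know exactly how many floating rules in the current configuration target a single interface. The script below is an added example, not code from OPNsense or from anyone in this thread: it walks the filter rules of a config.xml backup and lists the floating rules that are bound to exactly one interface. The element names it relies on (`<filter>/<rule>` with `<floating>yes</floating>`, a comma-separated `<interface>` list, `<type>` and `<descr>`) are an assumption about the backup format, and the embedded configuration is constructed for the example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample standing in for the <filter> section of an OPNsense
# config.xml backup. The element names used here (<floating>, <interface>,
# <type>, <descr>) are an assumption about the backup format, not something
# taken from the forum thread.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <floating>yes</floating>
      <descr>mgmt from lan (floating, single interface)</descr>
    </rule>
    <rule>
      <type>block</type>
      <interface>wan,opt1</interface>
      <floating>yes</floating>
      <descr>drop bogons early (floating, two interfaces)</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>opt1</interface>
      <descr>plain interface rule, not floating</descr>
    </rule>
    <rule>
      <type>pass</type>
      <floating>yes</floating>
      <descr>floating rule with no interface restriction</descr>
    </rule>
  </filter>
</opnsense>
"""


def parse_rules(xml_text):
    """Return a list of dicts, one per <filter>/<rule> element."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("./filter/rule"):
        iface_text = (rule.findtext("interface") or "").strip()
        # <interface> holds a comma-separated list; an empty element means
        # the rule is not restricted to specific interfaces.
        interfaces = [i.strip() for i in iface_text.split(",") if i.strip()]
        rules.append({
            "type": (rule.findtext("type") or "").strip(),
            "floating": (rule.findtext("floating") or "").strip().lower() == "yes",
            "interfaces": interfaces,
            "descr": (rule.findtext("descr") or "").strip(),
        })
    return rules


def single_interface_floating(rules):
    """Floating rules bound to exactly one interface: the ones the new rule
    system, as described in the thread, cannot express directly."""
    return [r for r in rules if r["floating"] and len(r["interfaces"]) == 1]


def migration_summary(xml_text):
    """Map each affected interface to the descriptions of the floating rules
    that would have to move to that interface tab or a single-member group."""
    summary = {}
    for rule in single_interface_floating(parse_rules(xml_text)):
        summary.setdefault(rule["interfaces"][0], []).append(rule["descr"])
    return summary


if __name__ == "__main__":
    # Usage: python floating_audit.py /path/to/config.xml
    # With no argument the constructed sample above is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for iface, descrs in sorted(migration_summary(text).items()):
        print(f"{iface}: {len(descrs)} single-interface floating rule(s)")
        for d in descrs:
            print(f"  - {d}")
```

Run it against a backup taken from System: Configuration: Backups before upgrading; the output is the per-interface list of rules you would need to recreate as interface rules or as single-interface group rules if you switch to the new system.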

@tessus sorry, pay attention to this note in the latest release notes also:

Quote: Firewall: NAT: Port Forwarding is now called "Destination NAT". Firewall rule associations are no longer supported, but the old associated firewall rules remain in place with their last known configuration and can now be edited to suit future needs.

This was discussed in another thread too.  If you have existing NAT association rules on your interfaces they'll still be there after the upgrade, but they're unlinked now from the NAT rules.  You have to remember to manage them manually.