Delete one firewall rule on WAN/LAN/TEST -> All firewall rules gone

Started by patient0, Today at 08:35:25 AM

Good Morning,

On an OPNsense lab instance, I'm on latest DEV 26.1.a_621-amd64 and created a rule on WAN for ping. Afterwards I deleted that rule and boom, all firewall rules were gone, on all interfaces. That was ... surprising :). The firewall rules were created in the standard 'Rules', not 'Rules [new]'.

That instance runs on Proxmox (which runs on a Hetzner root server) and has three virtual interfaces and Tayga: WAN (vtnet0), LAN (vtnet1), TEST (vtnet2) & Tayga.

If I delete one/any rule on WAN, LAN or TEST, all firewall rules on all four interfaces disappear in the GUI (also on Tayga). On interface Tayga deleting a rule does work normally.

In the config file the rules are present and do work, which would indicate a GUI issue.

Is that something anyone else encountered? I can share the working and non-working config.

Adding, modifying, enabling/disabling rules does also work correctly.
Deciso DEC740

Answering myself: After diff-ing the two configs, there is an extra <rule> ... </rule> in the config file.

Right after </nat><filter> there is the wrongly added '<rule>' and before <scrubs> is the surplus closing </rule>.
Manually removing these two lines made the rules appear again in the GUI.
Deciso DEC740

Do you already have "Destination NAT" instead of "Port Forward" under NAT?

That's a thing that changed recently, maybe there's something unexpected going on?

https://github.com/opnsense/core/commit/da976d77fb46117b3837693b43b4b34472fd19f8
Hardware:
DEC740

Quote from: Monviech (Cedrik) on Today at 10:11:30 AM
Do you already have "Destination NAT" instead of "Port Forward" under NAT?
No, it is still called 'Port Forward', of which I have two + an Outbound NAT for IPv6.

Addition: Deleting one of the port forward rules makes them all (two) disappear. In that use case there is again a <rule>...</rule> added. <rule> after </outbound> and </rule> before </nat>. Removing them resolves it.
Deciso DEC740
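
A check for the stray wrapper described in the two posts above, as an added example that is not part of the thread and not OPNsense code. It assumes `<filter>` and `<nat>` sit directly under the root element and that the wrapper leaves the file well-formed; the sample XML and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real config: a surplus <rule> opens right after
# <filter> and closes before <scrubs>; in <nat> it opens after </outbound>
# and closes before </nat>, as described in the thread.
SAMPLE_BROKEN = """<opnsense>
  <nat>
    <outbound><mode>automatic</mode></outbound>
    <rule>
      <rule><interface>wan</interface><descr>port forward 1</descr></rule>
    </rule>
  </nat>
  <filter>
    <rule>
      <rule><interface>wan</interface><descr>allow ping</descr></rule>
      <rule><interface>lan</interface><descr>lan out</descr></rule>
    </rule>
    <scrubs/>
  </filter>
</opnsense>"""

# Constructed sample of the expected flat layout.
SAMPLE_OK = """<opnsense>
  <nat><outbound/><rule><interface>wan</interface></rule></nat>
  <filter><rule><interface>wan</interface></rule><scrubs/></filter>
</opnsense>"""


def find_nested_rule_wrappers(xml_text, sections=("filter", "nat")):
    """Return (section, index, nested_count) for each <rule> directly under
    a section that itself contains <rule> children."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in sections:
        node = root.find(section)
        if node is None:
            continue  # section absent in this config
        for idx, rule in enumerate(node.findall("rule")):
            nested = rule.findall("rule")
            if nested:
                findings.append((section, idx, len(nested)))
    return findings


if __name__ == "__main__":
    for section, idx, count in find_nested_rule_wrappers(SAMPLE_BROKEN):
        print(f"<{section}>: rule #{idx} wraps {count} nested <rule> element(s)")
```

Run it against a copy of the config before and after a delete in the GUI to see whether the wrapper was introduced by that save.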

I have never heard of this behavior before, it is quite strange. Are you confident it is a bug and can be reproduced?

If yes can you open a github ticket, and also share the config.xml file that you used?

Or more specific /a/ config.xml file it can be reproduced with, does not have to be a production one after all.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on Today at 11:18:00 AM
I have never heard of this behavior before, it is quite strange. Are you confident it is a bug and can be reproduced?

If yes can you open a github ticket, and also share the config.xml file that you used?
Thank you Cedrik, in the current configuration I can reproduce it, yes. But I'll reset the config and try to replicate it with a minimal configuration. If it still does happen, I'll open a GH ticket and add the config.xml to the ticket.

Otherwise I'll have to dig deep :).
Deciso DEC740

Very nice, thank you for confirming first. If it's not easily reproducible it would be quite hard to track.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on Today at 11:31:03 AM
Very nice, thank you for confirming first. If it's not easily reproducible it would be quite hard to track.
I opened GH issue DEV 26.1.a_621: deleting one firewall rule => all rules disappear.

It's reproducible for me by creating a new VM from the 25.7.r1 ISO and upgrading to Development 26.1.a_621 (which is only two steps, 1) upgrade pkg and 2) upgrade directly to 26.1.a_621).

The config.xml is attached in the issue (and we track the issue there, I assume).
Deciso DEC740