Delete one firewall rule on WAN/LAN/TEST -> All firewall rules gone

Started by patient0, December 03, 2025, 08:35:25 AM

Good Morning,

On an OPNsense lab instance, I'm on latest DEV 26.1.a_621-amd64 and created a rule on WAN for ping. Afterwards I deleted that rule and boom, all firewall rules were gone, on all interfaces. That was ... surprising :). The firewall rules were created in the standard 'Rules', not 'Rules [new]'

That instance runs on Proxmox (which runs on a Hetzner root server) and has three virtual interfaces and Tayga: WAN (vtnet0), LAN (vtnet1), TEST (vtnet2) & Tayga.

If I delete one/any rule on WAN, LAN or TEST, all firewall rules on all four interfaces disappear in the GUI (also on Tayga). On interface Tayga deleting a rule does work normally.

In the config file the rules are present and do work, would indicate a GUI issue.

Is that something anyone else encountered? I can share the working and non-working config.

Adding, modifying, enabling/disabling rules also works correctly.
Deciso DEC740

Answering myself: After diff-ing the two configs, there is an extra <rule> ... </rule> in the config file.

Right after </nat><filter> there is the wrongly added '<rule>' and before <scrubs> is the surplus closing </rule>.
Manually removing these two lines made the rules appear again in the GUI.
Deciso DEC740

Do you already have "Destination NAT" instead of "Port Forward" under NAT?

That's a thing that changed recently, maybe there's something unexpected going on?

https://github.com/opnsense/core/commit/da976d77fb46117b3837693b43b4b34472fd19f8
Hardware:
DEC740

Quote from: Monviech (Cedrik) on December 03, 2025, 10:11:30 AM:
Do you already have "Destination NAT" instead of "Port Forward" under NAT?
No, it is still called 'Port Forward', of which I have two + an Outbound NAT for IPv6.

Addition: Deleting one of the port forward rules makes them all (two) disappear. In that use case there is again a <rule>...</rule> added: <rule> after </outbound> and </rule> before </nat>. Removing them resolves it.
Deciso DEC740
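The two posts above describe the same corruption in both places: the real rules end up nested inside one surplus <rule> wrapper, under <filter> in the first case and under <nat> in the second. The following script is an added example (not OPNsense project code) that detects such a wrapper in a config.xml and unwraps it; the element layout it assumes (<filter>/<rule>, <nat>/<rule>) is taken from the posts, and the config fragment is constructed.

```python
"""Detect and unwrap a stray <rule> wrapper in an OPNsense config.xml.
Added example; the <filter>/<rule> and <nat>/<rule> layout is assumed."""
import xml.etree.ElementTree as ET

# Constructed config fragment: under <filter>, every real rule sits inside
# one surplus <rule> wrapper, as described in the thread. <nat> is healthy.
BROKEN_CONFIG = """<opnsense>
  <nat>
    <outbound><mode>automatic</mode></outbound>
    <rule><descr>pf-1</descr></rule>
  </nat>
  <filter>
    <rule>
      <rule><descr>allow-ping</descr></rule>
      <rule><descr>allow-lan</descr></rule>
    </rule>
    <scrubs/>
  </filter>
</opnsense>
"""

def find_wrapped_rules(root: ET.Element, section: str) -> list:
    """Return <rule> elements directly under `section` that contain <rule>
    children. A healthy config has none: a rule holds fields such as
    <descr>, never nested rules."""
    parent = root.find(section)
    if parent is None:
        return []
    return [r for r in parent.findall("rule") if r.find("rule") is not None]

def unwrap_rules(root: ET.Element, section: str) -> int:
    """Replace each wrapper with its children, keeping order and position.
    Returns the number of wrappers removed."""
    parent = root.find(section)
    removed = 0
    for wrapper in find_wrapped_rules(root, section):
        idx = list(parent).index(wrapper)
        parent.remove(wrapper)
        for offset, inner in enumerate(list(wrapper)):
            parent.insert(idx + offset, inner)
        removed += 1
    return removed

def rule_names(root: ET.Element, section: str) -> list:
    return [r.findtext("descr") for r in root.find(section).findall("rule")]

def check_and_repair(xml_text: str):
    """Per section: (wrappers found, rule names after repair) plus fixed XML."""
    root = ET.fromstring(xml_text)
    report = {}
    for section in ("filter", "nat"):
        wrappers = unwrap_rules(root, section)
        report[section] = (wrappers, rule_names(root, section))
    return report, ET.tostring(root, encoding="unicode")
```

Run it against a backed-up config.xml rather than the live one; the GUI only reads the rules once the wrapper is gone, which is what the manual two-line removal in the post achieves.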

I have never heard of this behavior before, it is quite strange. Are you confident it is a bug and can be reproduced?

If yes can you open a github ticket, and also share the config.xml file that you used?

Or, more specifically, /a/ config.xml file it can be reproduced with; it does not have to be a production one after all.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on December 03, 2025, 11:18:00 AM:
I have never heard of this behavior before, it is quite strange. Are you confident it is a bug and can be reproduced?

If yes can you open a github ticket, and also share the config.xml file that you used?
Thank you Cedrik, in the current configuration I can reproduce it, yes. But I'll reset the config and try to replicate it with a minimal configuration. If it still does happen, I'll open a GH ticket and add the config.xml to the ticket.

Otherwise I'll have to dig deep :).
Deciso DEC740

Very nice, thank you for confirming first. If it's not easily reproducible it would be quite hard to track.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on December 03, 2025, 11:31:03 AM:
Very nice, thank you for confirming first. If it's not easily reproducible it would be quite hard to track.
I opened GH issue DEV 26.1.a_621: deleting one firewall rule => all rules disappear.

It's reproducible for me by creating a new VM from the 25.7.r1 ISO and upgrading to Development 26.1.a_621 (which is only two steps, 1) upgrade pkg and 2) upgrade directly to 26.1.a_621).

The config.xml is attached in the issue (and we track the issue there, I assume).
Deciso DEC740

Let's call this the worst OPNsense bug of 2025 that never happened. Many thanks to patient0 for catching it in time!

Meanwhile we're not shipping the original fix that caused the issue in 25.7.9 (or any 25.7.x for that matter) and will eventually use this one instead:

https://github.com/opnsense/core/commit/2eb539d821e

Above all thanks for using the development version! We need more of this. :)


Cheers,
Franco

Quote from: franco on Today at 09:14:35 AM:
Let's call this the worst OPNsense bug of 2025 that never happened.
Like a quote out of an action movie :)
Deciso DEC740