Potential issue with renaming FW groups

Started by EndiRabbit, January 30, 2026, 01:12:23 PM

Hi,

I primarily use groups for setting policies for my configuration. In a test config running in Proxmox this morning, I tried to go back and sanitize some FW group names, changing three of them from

  • all_internal SEQ 11
  • priv_internal SEQ 9
  • iot_internal SEQ 9

to

  • GRP_all_int SEQ 11
  • GRP_priv_int SEQ 9
  • GRP_iot_int SEQ 9

After changing them in the test network and clicking [APPLY] (in the web GUI), access to the Internet went down (defined in rules in GRP_all_int). For reference, the GRP_all_int has general network rules to the Internet, and GRP_priv_int and GRP_iot_int have internal rules that are specific to the VLANs for the interfaces that make up each group. Then each interface has interface-specific FW rules and a final rule to block all other undefined network traffic as a catch-all.

I rebooted and reloaded the web admin interface, but no joy - couldn't access google.com. Traffic was hitting the catch all rule. Not until I rolled back in the GUI the names and clicked [APPLY] was Internet access restored. Has anyone else encountered this issue by changing FW group names in the web GUI?

OK - I can verify this is a bug because I tested this on my live network during a planned network maintenance window. Unfortunately, all network access went down when doing the FW group renaming in the same way I did this in the test environment on real hardware. I would not recommend changing a FW group name until this is resolved.

If you think this is a bug, it would be great if you open an issue on GitHub with simple steps to reproduce. Thank you :)

https://github.com/opnsense/core/issues
Hardware:
DEC740

January 30, 2026, 04:04:59 PM #3 Last Edit: January 30, 2026, 04:28:10 PM by OPNenthu
I can reproduce this also and I think I found a cause.

I have a group named "IG_OUT_WAN" that I renamed to "IG_OUT_WAN_TEST."  The internet went down.  Then I went to view the rules in the new UI (mine are migrated) and I can see that the Source network name was not updated and still reflects "IG_OUT_WAN."


Renaming the group back to "IG_OUT_WAN" to match the network name restored the connectivity.

Quote from: Monviech (Cedrik) on January 30, 2026, 04:02:25 PM
If you think this is a bug, it would be great if you open an issue on GitHub with simple steps to reproduce. Thank you :)

https://github.com/opnsense/core/issues

That was my next step ^^. Updated here: https://github.com/opnsense/core/issues/9680

I added my diff to the ticket as well.  The src/dest values in the rules are not getting updated correctly in my case.

I feel that this is impactful enough (though not sure how many will run into it) that it should be considered for inclusion in a hotfix?

It depends on the scope of the fix to be made.  Though there were similar issues before and the impact is limited in general, so in the best case it can wait one more week, especially when it was in there for a year or so.


Cheers,
Franco