26.1 - after export & import incl floating rules, new floating rules is empty

Started by nzkiwi68, January 31, 2026, 11:55:06 PM

Yes, automatic rules are shown under "👁 Inspect".

But if old floating rules that only used 1 interface are no longer displayed why do they appear under "All rules" with the red layer icon if you inspect them?

Also if you inspect the rules in "All rules" they are listed as follows:

1. Automatic Rules
2. Floating Rules
3. Interface Rules (I guess in a-Z order) with checkboxes to enable/disable
4. Interface Rules again (from the legacy rules)

This was very confusing at first but I just noticed that the duplicates are actually the old rules that I didn't delete yet. So I just answered my own question again. ^^

I guess the old rules are active until you delete them and then the new ones take over?


I just did a clean install to version 26.1.3. I have set up everything manually, no import from old config.
I set up DNAT with 2 LAN and 2 WAN rules. At the end of each of them, I set "Register Rule".
The docs state "Adds a linked filter rule in Firewall ‣ Rules [new]..."

However, when I go to Rules [new], I can only see them by choosing inspect, as stated above.
Is the reason because they "cannot be manually edited", so you do not want confusion with a rule displayed,
but with no way to edit? (Apologies if this has been answered already.)

Edit: I created a category, added the 4 rules. Went back to Rules [new], with 'All Rules' and my new category, and Inspect active. Hoping to see just my 4 rules, but it was blank. Could this be changed at some point?

Do you mean you want the linked firewall rules to inherit the category from the NAT rule?

It would most likely be better to create manual firewall rules.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on March 06, 2026, 03:39:28 PM
Do you mean you want the linked firewall rules to inherit the category from the NAT rule?

Yes, indeed. If it could work, then I would only see "my" rules. It would just be less scrolling to get to the end of the list. I will also try "Groups", but need to read up on it first.
Edit: No, 'Groups' has a very different function.

But could you confirm the 4 rules should be hidden, unless you choose Inspect? Thanks.

Register rules for DNAT are automatic rules and only visible with inspect in the new GUI, yes. That's also the reason you can't edit them directly.


Cheers,
Franco

Great, thank you for confirming. BTW, the new features are amazing. Just about done with the setup.

Quote from: franco on March 06, 2026, 09:24:08 AM
Both can and will be used.

But according to the processing order the old rules are effectively never reached if the new rules are also "First match" which is probably 99.9% of all rules (except for floating and group rules). So because everything is working fine I'm safe to delete the old ones.

The only thing bothering me now is the very laggy loading of the new rules. I have a very slow system - Biostar A68N-2100K. :)

You probably don't notice it on a fast system.

By the way what is the priority for these?

Quote
2. Firewall ‣ Rules [new] and Firewall ‣ Rules floating rules
3. Firewall ‣ Rules [new] and Firewall ‣ Rules group rules

They can't really be on the same level, I see that my old floating rules are before the new single interface rules, so the list should have more numbers?

Edit: Nvm I overlooked that 2. is both floating rules, in that case the new floating rules don't even exist, so there can't be a priority issue.

Quote from: Monviech (Cedrik) on March 06, 2026, 03:39:28 PM
Do you mean you want the linked firewall rules to inherit the category from the NAT rule?
It would most likely be better to create manual firewall rules.

But isn't that the preferred method advised here: https://docs.opnsense.org/manual/how-tos/nat_reflection.html#nat-method1 ?!

Quote from: vpx23 on March 06, 2026, 05:27:43 PM
The only thing bothering me now is the very laggy loading of the new rules. I have a very slow system - Biostar A68N-2100K. :)
You probably don't notice it on a fast system.

IMHO that is not a slow CPU for something like a Firewall with a webGUI so perhaps you got a web browser issue?!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

@franco The documentation only explains processing order but not application order of the rules.

Can you confirm that this application order is correct?

The graphic is from the last post of this thread: https://www.reddit.com/r/opnsense/comments/11et0b1/help_understanding_firewall_quick_and_nonquick/

Quote from: vpx23 on March 06, 2026, 09:37:52 PM
The documentation only explains processing order but not application order of the rules.

Processing and application is one and the same in my book.

Also curiously waiting for a definite answer. I think that picture is not accurate, but I don't know, so I won't post what would be just my speculation.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)