Legacy Rules Migration

Started by SMiTTY, February 06, 2026, 08:49:26 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
February 06, 2026, 08:49:26 PM
The migration worked for the most part, with one exception...My WAN2 interface rule didn't work.
I found Asymmetric routing where my external monitoring was coming in on my WAN2 and going back out on WAN1.

This worked in Legacy rules with a simple rule as follows :
 
Code Select
Interface: WAN2Xfinity

Direction: In

Protocol: any

Source: Monitoring_Alias

Destination: WAN2Xfinity

Gateway: Default

In the New rules section I had that same rule and that's when external pings started failing.
That is where I saw packets coming in WAN2 and out WAN1.


Anyhow, in order to get it to work I needed to set reply-to (Advanced-View) to the WAN2Xfinity interface.

Code Select
Interface: WAN2Xfinity

Direction: in

Action: Pass

Protocol: ICMP

Source: Monitoring_Alias

Destination: WAN2Xfinity

Reply-To : WAN2Xfinity
Other than that, all my other rules cut over just fine.
February 06, 2026, 09:44:34 PM #1
Quote from: SMiTTY on February 06, 2026, 08:49:26 PMThat is where I saw packets coming in WAN2 and out WAN1.

According to the docs OPNsense adds 'reply-to' by default on WAN rules for this reason:

https://docs.opnsense.org/manual/firewall_settings.html#disable-reply-to

I don't see anything in the 26.1 release notes indicating that this has changed.  Did you check the setting under Firewall->Settings->Advanced?
A better 2000::/3 starts with healthy fe80::/10, good NDP, and keeping fc00::/7 in check.
February 08, 2026, 04:34:53 PM #2
I rolled back to the old rules. I have two WANs i.e. WAN and WAN2. I looked up a rule on Rules [Old] >WAN and i see this in 'Advanced features'



On my System>Gateways>Configuration i can see that WAN2 is set as active.

With this setup everything works.

Once i migrate to the new rules, do i need to change gateway for all the WAN rules to 'WAN' instead of default?
February 08, 2026, 05:04:21 PM #3
I read the release info but not really sure: WHEN does one have to press the migration button at the latest? Before 26.1.xyz? Before 26.7? Never?

Little confused...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
February 08, 2026, 06:51:05 PM #4
Quote from: trumee on February 08, 2026, 04:34:53 PMI rolled back to the old rules. I have two WANs i.e. WAN and WAN2. I looked up a rule on Rules [Old] >WAN and i see this in 'Advanced features'



On my System>Gateways>Configuration i can see that WAN2 is set as active.

With this setup everything works.

Once i migrate to the new rules, do i need to change gateway for all the WAN rules to 'WAN' instead of default?

How do you roll back to the old rules?
February 08, 2026, 06:52:29 PM #5
Quote from: chemlud on February 08, 2026, 05:04:21 PMI read the release info but not really sure: WHEN does one have to press the migration button at the latest? Before 26.1.xyz? Before 26.7? Never?

Little confused...
See : https://forum.opnsense.org/index.php?topic=50777.msg259568#msg259568

If you don't believe me you can check his post history for the exact statement ;)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
February 08, 2026, 07:34:24 PM #6
Quote from: OPNenthu on February 06, 2026, 09:44:34 PMAccording to the docs OPNsense adds 'reply-to' by default on WAN rules for this reason:

https://docs.opnsense.org/manual/firewall_settings.html#disable-reply-to

I don't see anything in the 26.1 release notes indicating that this has changed.  Did you check the setting under Firewall->Settings->Advanced?


I did check that first...it is currently unchecked as it always has been. The only way for me to get "New" rules to work was to change it to reply-to WAN2Xfinity_GW. Everything seems good now.
February 08, 2026, 07:58:22 PM #7
@SMiTTY - I'm guessing you ran into this: https://github.com/opnsense/core/issues/9761
A better 2000::/3 starts with healthy fe80::/10, good NDP, and keeping fc00::/7 in check.
February 09, 2026, 07:09:02 AM #8
Looks like a patch is available.  @franco, does this apply retroactively to those with already migrated rules?  Or would we need to roll back, upgrade, apply the patch, then migrate?
A better 2000::/3 starts with healthy fe80::/10, good NDP, and keeping fc00::/7 in check.
February 09, 2026, 07:18:02 AM #9
Yes, the patch should be an instant fix for previously imported rules:

https://github.com/opnsense/core/issues/9761#issuecomment-3868046721


Cheers,
Franco
February 10, 2026, 04:57:43 PM #10
This patch fixed the issues I was having with migrated rules

Quote from: franco on February 09, 2026, 07:18:02 AMYes, the patch should be an instant fix for previously imported rules:

https://github.com/opnsense/core/issues/9761#issuecomment-3868046721


Cheers,
Franco
Print
Go Up Pages1
User actions