Latest 26.1 completely destroyed my network routing rules...

Started by tessierp, Today at 12:43:55 PM

Alright, so I did a quick search and learned that there is now a new rules system in place, and the most recent update to 26.1 completely destroyed my network. By destroy I mean nothing would route properly anymore. I had to go back to a two-week-old backup / VM to fix everything.

I'm not sure why this change was done and why it couldn't be made optional. Was this really necessary? The upgrade procedure seems to be very painful and involves a lot of work. Not sure this change was really thought out; it breaks way more than it fixes.

Update: It seems that shortly after installing the old backup, which is still 26.1, routing rules worked for 5 minutes and then nothing worked anymore, so I suppose something is running in the background that causes the old routing rules to no longer work. What a PAIN!

The new rule system in 26.1 is completely optional. Unless you actively and manually migrate your rules, nothing is done to rules that were in place before the update.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Alright, so I guess it has to be another issue post-update that broke something. I'll have to look more into this.

Make sure you go to the latest minor release (at least 26.1.4) before testing things again. There were issues with reply-to rule generation, I think due to the Port Forward -> Destination NAT change.

A good test is, before the upgrade, to do:

pfctl -s rules

Save the output in a file.

Go all the way to 26.1.4 or 5, then do pfctl -s rules again.

diff both files; if there is no explainable difference, then the firewall does not do anything wrong (on the packet filter level).
Hardware:
DEC740
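A small shell script for the before/after comparison described in the post above, added here as an illustration; it is not from the thread or from the OPNsense project. Only snapshot_rules needs a FreeBSD/OPNsense host with pfctl; the compare functions run anywhere, and the sample rulesets embedded in it are constructed (the missing reply-to in the "after" sample is a made-up illustration of the kind of difference to look for, not an observed 26.1 diff).

```shell
#!/bin/sh
# Added example (not from the thread or the OPNsense project): snapshot the
# loaded pf ruleset before and after an upgrade and diff the two snapshots.
# snapshot_rules assumes a FreeBSD/OPNsense host with pfctl; the compare
# functions and the constructed sample data below run on any POSIX shell.

# Save the currently loaded pf rules to a file named after a tag, e.g.
# snapshot_rules pre-upgrade -> /root/pfrules-pre-upgrade.txt
snapshot_rules() {
    out="${2:-/root}/pfrules-$1.txt"
    pfctl -s rules > "$out" || return 1
    printf '%s\n' "$out"
}

# Unified diff of two snapshots. Exit status is diff's own: 0 identical,
# 1 different, >1 on error.
compare_rulesets() {
    diff -u "$1" "$2"
}

# Number of rule lines present in only one of the two snapshots, order
# ignored, so a mere reordering of identical rules counts as zero changes.
count_rule_changes() {
    sort "$1" > "$1.sorted"
    sort "$2" > "$2.sorted"
    comm -3 "$1.sorted" "$2.sorted" | wc -l | tr -d ' '
    rm -f "$1.sorted" "$2.sorted"
}

# Constructed sample snapshots (not real pfctl output) written into DIR "$1":
# "after" differs from "before" only in that the https rule lost its
# reply-to, the kind of difference the thread says to look for.
make_sample_snapshots() {
    cat > "$1/before.txt" <<'EOF'
pass in quick on vtnet0 reply-to (vtnet0 192.0.2.1) inet proto tcp from any to 192.0.2.10 port = https flags S/SA keep state label "synapse https"
pass in quick on vtnet0 reply-to (vtnet0 192.0.2.1) inet proto tcp from any to 192.0.2.10 port = 8448 flags S/SA keep state label "synapse federation"
block drop in log quick inet all label "Default deny"
EOF
    cat > "$1/after.txt" <<'EOF'
pass in quick on vtnet0 inet proto tcp from any to 192.0.2.10 port = https flags S/SA keep state label "synapse https"
pass in quick on vtnet0 reply-to (vtnet0 192.0.2.1) inet proto tcp from any to 192.0.2.10 port = 8448 flags S/SA keep state label "synapse federation"
block drop in log quick inet all label "Default deny"
EOF
}

# Demo on the constructed data; on a real box you would instead call
# snapshot_rules before and after the upgrade and compare those two files.
demo_dir=$(mktemp -d)
make_sample_snapshots "$demo_dir"
compare_rulesets "$demo_dir/before.txt" "$demo_dir/after.txt"
echo "rule lines changed: $(count_rule_changes "$demo_dir/before.txt" "$demo_dir/after.txt")"
rm -rf "$demo_dir"
```

count_rule_changes compares sorted copies so that the many rule reorderings an upgrade can produce do not drown the real differences; the raw diff is still worth reading once the count is non-zero. Since the thread ties the problem to the NAT changes, snapshot pfctl -s nat the same way, as pfctl -s rules shows only the filter rules.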

Quote from: Monviech (Cedrik) on Today at 01:21:38 PM
Make sure you go to the latest minor release (at least 26.1.4) before testing things again. There were issues with reply-to rule generation, I think due to the Port Forward -> Destination NAT change.

A good test is, before the upgrade, to do:

pfctl -s rules

Save the output in a file.

Go all the way to 26.1.4 or 5, then do pfctl -s rules again.

diff both files; if there is no explainable difference, then the firewall does not do anything wrong (on the packet filter level).

Thanks for the help. I printed the output of what I have now; I can't really see any issue, and I am using 26.1.5. Not sure what happened, and it could be that it has nothing to do with OPNsense. Until I have more information I can't say for sure what happened...

Is there documentation somewhere that explains the changes between the old and new rules system?

Sure, here, just recently refreshed:

https://docs.opnsense.org/manual/firewall.html#rules

Both go to the same library that generates rules, and the same ruleset comes out afterwards. So mostly the GUI is different; the backend (rule generator) is mostly the same.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on Today at 01:50:28 PM
Sure, here, just recently refreshed:

https://docs.opnsense.org/manual/firewall.html#rules

Both go to the same library that generates rules, and the same ruleset comes out afterwards. So mostly the GUI is different; the backend (rule generator) is mostly the same.

Thanks for the link. I guess I'll have to do some more reading.

I had a Synapse server set up that worked well, and I needed ports 443 and 8448 to be allowed in to connect to the backend. I created two new rules (in the new rules) with the exact same configuration as the "OLD" rules, and the connection fails. So either there is an extra step that I have to do now or something is not as it should be (a bug).

Just to be clear, when adding the new rules in the new interface, I disabled the ones from the old interface... and that fails. In order to get things to work again I had to disable the ones from the new interface and enable the ones in the old interface. The old stuff does something more that I am not aware of.

Instead of doing everything manually, I created a backup of my VM, used the migration tool, imported everything into the new rules and deleted the legacy ones, and it all works now. Not sure what went wrong; perhaps disabling one thing in the old rules after enabling it in the new caused an issue.

Nothing fundamental changed, and the new UI still has some room for improvement, but all in all it's a step in the right direction.

After 26.1.5 I also moved my outbound NAT rules to "Source NAT".

Great work by the team!
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)