OPNsense 26.7-BETA images

Started by franco, June 26, 2026, 03:09:20 PM

June 28, 2026, 11:49:19 AM #15 Last Edit: June 28, 2026, 11:50:57 AM by patient0
Quote from: Monviech (Cedrik) on June 28, 2026, 11:22:16 AM
Regardless of automatic or manual being selected after the apply?

Yep, the output of `pfctl -s nat` is identical for both Automatic and Hybrid (not using Manual) (the "inet all -> (vtnet1:0)" line):

root@OPNsense:~ # pfctl -s nat
no nat proto carp all
nat on vtnet0 inet all -> (vtnet1:0) port 1024:65535
nat on vtnet0 inet from (vtnet1:network) to any port = isakmp -> (vtnet0:0) static-port
nat on vtnet0 inet from (lo0:network) to any port = isakmp -> (vtnet0:0) static-port
nat on vtnet0 inet from 127.0.0.0/8 to any port = isakmp -> (vtnet0:0) static-port
nat on vtnet0 inet from (vtnet1:network) to any -> (vtnet0:0) port 1024:65535
nat on vtnet0 inet from (lo0:network) to any -> (vtnet0:0) port 1024:65535
nat on vtnet0 inet from 127.0.0.0/8 to any -> (vtnet0:0) port 1024:65535
no rdr proto carp all
no rdr on vtnet1 proto tcp from any to (vtnet1) port = ssh
no rdr on vtnet1 proto tcp from any to (vtnet1) port = http
no rdr on vtnet1 proto tcp from any to (vtnet1) port = https
Deciso DEC740

Can you open a ticket on github with this issue? We will look into it. Thanks for testing.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on June 28, 2026, 12:09:04 PM
Can you open a ticket on github with this issue?

Yes, I'll do that later this evening.
Deciso DEC740

I may be affected by this NAT issue as well; however, my experience is a bit different (or @patient0 didn't test for it).

My tests so far:

- test vm on 26.1 upgraded to 26.7.b, pretty much bare bones in terms of settings (the only two rules there allow me to https/ssh from wan to manage it). One Linux vm behind it. Traffic works as expected. Rules not migrated to New. NAT untouched.

- local hardware FW upgraded to 26.7.b. Rules not migrated. Traffic flows through the FW from vlans. NAT on hybrid. WireGuard server operational and allows me to connect to the FW mgmt, but I don't have access to internet over WireGuard post-upgrade, which sounds like a NAT issue.
Interestingly, IPsec works fine and I can remote into machines in various vlans.

- another FW, and the first one that saw 15.1 a couple of weeks ago. Worked just fine with the kernel, and when I installed base no traffic passed through. Rules not migrated and NAT hybrid.

- last FW, same HW as the first one in this post, upgraded to 26.7.b. Rules not migrated and NAT hybrid, although now only the LAN exists. No traffic passing through from lan to wan; however, I can ZeroTier and manage it remotely, and everything works apart from the lan-wan traffic issue.

I kept the one with the WireGuard issue on 26.7.b for now and I'll see what happens in the meantime.

When testing only the 15.1 kernel (before 26.7.b was ready), all these firewalls ran fine on it, which is a good sign.

@patient0 sorry, I failed to count properly and this should fix it on top:

# opnsense-patch https://github.com/opnsense/core/commit/283ce7026a


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Quote from: franco on June 28, 2026, 08:37:21 PM
@patient0 sorry, I failed to count properly and this should fix it on top:

# opnsense-patch https://github.com/opnsense/core/commit/283ce7026a

I was _not_ able to reproduce it on a clean 26.7.b_110 where I imported the NAT rules only.

Thank you @franco, with this patch on top of the previous one, export was possible. Now I do get the following PHP error every time I visit 'Firewall: NAT: Outbound' if there is at least one rule and mode set to Manual or Hybrid (Outbound is not visible of course in Automatic mode).

[29-Jun-2026 10:35:45 Europe/Berlin] PHP Warning: Undefined array key "network" in /usr/local/www/firewall_nat_out.php on line 471
But as mentioned, I was not able to isolate the issue on a clean installation; don't spend any more time on it. If I can reproduce it on a clean installation, I'll be back.
Deciso DEC740

@patient0 the SNAT automatic issue should be fixed via

# opnsense-patch https://github.com/opnsense/core/commit/aa2a54a5a8
Hardware:
DEC740

Quote from: Monviech (Cedrik) on Today at 10:56:51 AM
the SNAT automatic issue should be fixed via

# opnsense-patch https://github.com/opnsense/core/commit/aa2a54a5a8

Works like a charm now, excellent and thank you.
Deciso DEC740

>>> don't spend any more time on it. If I can reproduce it on a clean installation, I'll be back.

Well, that's the kicker: not everyone will have migrated to the new rules before upgrading to 26.7, and not everyone will have Automatic in SNAT.

There's an issue there for sure, and whether Cedrik's latest patch fixes everything or not is unclear, as I'm not able to test for now.

What is likely, though, in the absence of the fix, is that anyone not using Automatic or doing fresh installs might be affected.

Thankfully 26.7 is still weeks away, and by RC1 things should be clearer.

The biggest question mark for me is where the issue actually is... since it would appear that installing base 15.1 affects the core, where the NAT code resides (?)

Quote from: newsense on Today at 11:25:10 AM
Well that's the kicker: not everyone will have migrated to the new rules before upgrading to 26.7 and not everyone will have Automatic in SNAT.

You are right, yes. But as long as I can't show steps on how to reproduce it, the devs won't be able to fix it.

I did read through your post, but I didn't take the time to build a system with a WG tunnel. In your case it could be NAT or something else.
What outgoing NAT rules did you create? From what you wrote, it seems that all necessary rules should have been automatic rules, no?
Deciso DEC740

Quote from: patient0 on Today at 11:36:26 AM
What outgoing NAT rules did you create? For what you wrote it seems that all necessary rules should have been automatic rule, no?

The road warrior WG setup worked fine for years; it only broke when moving to 26.7.b.

Why exactly I had to move to hybrid I don't remember right now; once everything was working I didn't have to go back there for a long time.


Today at 11:54:06 AM #26 Last Edit: Today at 11:58:07 AM by Monviech (Cedrik)
@newsense

Can you show your NAT ruleset that has problems (26.7.b), and the NAT ruleset which does not have problems (pre 26.7.b, e.g. 26.1.10)?

# pfctl -s nat
# pfctl -s rules

If there is something unexpected, also check rules.debug; it shows if rules have been skipped before being loaded for some reason (DEBUG: lines).

# cat /tmp/rules.debug

Try to find if there is a difference, e.g. by piping both outputs into files and using a command like "diff -u file1 file2" or a diff-capable editor.
Hardware:
DEC740
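The two checks discussed in this thread, patient0's `pfctl -s nat` dump with the stray "inet all -> (vtnet1:0)" translation and Cedrik's suggestion to diff the good and bad rulesets and look for DEBUG: lines in rules.debug, as an added script that is not from the thread or from OPNsense. It works on saved copies of the outputs so it runs offline; the dumps embedded here are constructed, and the assumption that skipped rules appear on lines containing "DEBUG:" is mine.

```shell
#!/bin/sh
# Added example (not from the thread or from OPNsense): offline checks on saved
# copies of `pfctl -s nat` output and /tmp/rules.debug from a good and a bad box.
# Assumption: skipped rules show up in rules.debug on lines containing "DEBUG:".

# Print each "nat on <if> ... -> (<other>:0)" rule whose translation interface
# differs from the interface the rule is attached to, the symptom in this thread
# ("nat on vtnet0 inet all -> (vtnet1:0)"). A hit is worth a look, not proof.
nat_iface_mismatch() {
    awk '$1 == "nat" && $2 == "on" {
            rule_if = $3
            for (i = 4; i < NF; i++)
                if ($i == "->" && $(i + 1) ~ /^\([A-Za-z0-9_.]+:[0-9]+\)/) {
                    t = $(i + 1); sub(/^\(/, "", t); sub(/:.*/, "", t)
                    if (t != rule_if) print
                }
        }' "$1"
}

# Number of "DEBUG:" lines in a saved rules.debug (grep exits 1 on zero hits).
debug_line_count() {
    grep -c 'DEBUG:' "$1" || true
}

# Unified diff of two dumps; diff exits 1 when they differ, which is not an error.
ruleset_diff() {
    diff -u "$1" "$2" || [ $? -eq 1 ]
}

# Constructed sample dumps standing in for the real files.
GOOD=$(mktemp); BAD=$(mktemp); RULES_DEBUG=$(mktemp)
trap 'rm -f "$GOOD" "$BAD" "$RULES_DEBUG"' EXIT
cat > "$GOOD" <<'EOF'
no nat proto carp all
nat on vtnet0 inet all -> (vtnet0:0) port 1024:65535
EOF
cat > "$BAD" <<'EOF'
no nat proto carp all
nat on vtnet0 inet all -> (vtnet1:0) port 1024:65535
nat on vtnet0 inet from (vtnet1:network) to any -> (vtnet0:0) port 1024:65535
EOF
cat > "$RULES_DEBUG" <<'EOF'
# constructed rules.debug excerpt
DEBUG: constructed skipped-rule line 1
DEBUG: constructed skipped-rule line 2
nat on vtnet0 inet all -> (vtnet0:0) port 1024:65535
EOF
echo "rules translating to another interface:"; nat_iface_mismatch "$BAD"
echo "DEBUG lines in rules.debug: $(debug_line_count "$RULES_DEBUG")"
ruleset_diff "$GOOD" "$BAD"
```

On a real box, replace the constructed files with `pfctl -s nat > nat.pre` taken before the upgrade, the same dump taken after, and a copy of /tmp/rules.debug.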