OPNsense 26.1 Firewall Rule Migration

From Thomas-Krenn-Wiki
Jump to navigation Jump to search

With the release of the OPNsense 26.1 version, work continued on the gradual migration of all configuration menus to MVC/API code. The firewall-rules area has been extended with this release by a MVC/API configuration menu Firewall → Rules [new]. The previous menu under Firewall → Rules will remain in parallel as a legacy and will receive a migration assistant. This article shows how to perform this migration of the firewall rules onto the new firewall configuration menu.

Please note: This migration worked perfectly with various OPNsense firewalls, but there is no guarantee that this migration will always work without problems. A backup of the configuration is essential.

Click here to view our OPNSense firewalls in the Thomas-Krenn online shop

Preparation to migrate the rules

Before the rules are exported and then imported into the new menu, you should follow the steps suggested by the migration assistant for safety reasons.

  • Start the migration process in the menu Firewall → Rules → Migration assistant.
    Start the migration process in the menu Firewall → Rules → Migration assistant.
  • If you are running a ZFS-based installation of the OPNsense firewall, you can take a snapshot of the system in the System → Snapshots menu.
    If you are running a ZFS-based installation of the OPNsense firewall, you can take a snapshot of the system in the System → Snapshots menu.
  • Click on the orange plus to create a new snapshot.
    Click on the orange plus to create a new snapshot.
  • Click on Save.
    Click on Save.
  • The snapshot was created
    The snapshot was created
  • Alternatively, you can also safe the configuration, which is possible via the menu System → Configuration → Backups.
    Alternatively, you can also safe the configuration, which is possible via the menu System → Configuration → Backups.
  • By clicking on Download configuration, you can download the configuration as CSV-file.
    By clicking on Download configuration, you can download the configuration as CSV-file.
  • Verify in the menu Firewall → Settings → Advanced if the variable Disable anti-lockout is deactivated.
    Verify in the menu Firewall → Settings → Advanced if the variable Disable anti-lockout is deactivated.

Export existing firewall rules

The actual migration process starts with this step and the rules are exported in a CSV-format.

  • In the menu Firewall → Rules → Migration assistant, you can export the existing firewall rules in step 3.
    In the menu Firewall → Rules → Migration assistant, you can export the existing firewall rules in step 3.
  • These existing rules are downloaded as CSV-file. You can change them at this point.
    These existing rules are downloaded as CSV-file. You can change them at this point.

Import exported rules

In this final step, the previously downloaded CSV file is now imported into the new firewall rule menu, and finally the old firewall rules are deleted.

  • In step 4 of the migration wizard, you can now import them again for the new configuration menu.
    In step 4 of the migration wizard, you can now import them again for the new configuration menu.
  • You will be linked to the new firewall rules menu. Click on the "Import csv" icon on the right.
    You will be linked to the new firewall rules menu. Click on the "Import csv" icon on the right.
  • By clicking on Choose File, select the previously downloaded CSV-file.
    By clicking on Choose File, select the previously downloaded CSV-file.
  • Click on the check mark to import the rules.
    Click on the check mark to import the rules.
  • The rules have been imported. Click on the X in the top right corner to close the menu.
    The rules have been imported. Click on the X in the top right corner to close the menu.
  • Finally, all you have to do is click on "Apply", and the rules will be stored and activated in the new menu.
    Finally, all you have to do is click on "Apply", and the rules will be stored and activated in the new menu.
  • The existing legacy rules can now be removed all at once. Click on Remove all legacy rules.
    The existing legacy rules can now be removed all at once. Click on Remove all legacy rules.
  • Click on Yes.
    Click on Yes.
  • You will be redirected to the new firewall menu. Click on Apply. The migration is now finished.
    You will be redirected to the new firewall menu. Click on Apply. The migration is now finished.


Author: Thomas Niedermeier

Thomas Niedermeier working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas is employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.


Translator: Alina Ranzinger

Alina has been working at Thomas-Krenn.AG since 2024. After her training as multilingual business assistant, she got her job as assistant of the Product Management and is responsible for the translation of texts and for the organisation of the department.


Related articles

AMD based Thomas-Krenn Firewall Server
Show article
Querying FreeBSD hardware information
Show article
Using the LCD display of FWA-3034 under FreeBSD and OPNsense
Show article