Messages - franco

#1
Could be a disk issue.


Cheers,
Franco
#2
26.1 Series / Re: zfs and sqlite
February 12, 2026, 08:58:28 PM
Yep, if you want the complaint gone just reinstall it from the packages tab.
#3
General Discussion / Re: upgrade from 21.7.8 failed
February 12, 2026, 08:14:35 PM
Hi Thierry,

21.x is so old it's difficult to give proper instructions on recovery with historic tools that likely don't support this or that magic we've added over the years.

This may help... there's still a lot of stuck old binary packages while you are on a newer base system:

# pkg bootstrap -f


Cheers,
Franco
#4
Using configctl should work at the loss of the output sometimes, but as far as I know bogons fetch writes elaborate logs about its progress:

# /usr/local/sbin/configctl filter update bogons
# opnsense-log | grep -i bogons

If you find anything weird with that I'm happy for any feedback. I'm not doubting this area/type of setup can use a few tweaks to work better.

Thanks for looking into OPNsense and good luck :)


Cheers,
Franco
#5
25.7, 25.10 Series / Re: Midnight Commander missing
February 12, 2026, 08:00:13 PM
It's package "mc".  I think FreeBSD ports decided to drop the flavours and disable X11 support completely.


Cheers,
Franco
#6
I tried to reproduce this with what you said now but failed, like my colleague before me earlier today.

Can you give me the exact data that caused the issue? I do not doubt there is a problem somewhere so better to fix it.


Thanks,
Franco
#7
> Is there a(n easy) way to make fetch in the bogons-download use the http_proxy as well? Also without breaking other stuff?

Well:

# cat /var/cron/tabs/root | grep bogon
1   3   *   *   0   (/usr/local/sbin/configctl -d filter schedule bogons) > /dev/null

So that means when configd environment is set up correctly the bogons fetch should work. Unless the daemon call loses the env, but I haven't heard of this before:

src/opnsense/service/conf/actions.d/actions_filter.conf:[schedule.bogons]
src/opnsense/service/conf/actions.d/actions_filter.conf-command:daemon -f /usr/local/opnsense/scripts/firmware/launcher.sh -ur 900 bogons

> Is there other cronjobs/daemons/functions that I missed that may have the same problem when no Internet is available on the secondary firewall?

I'm not sure. That's not a usual setup and most people in stricter environments don't care too much about not having outside access for stray components since everything is configured to use local services.


Cheers,
Franco
#8
> Invalid argument

This wasn't fixed by the recent change. It's also different from the initial "Permission denied".

> Will this fix allow the firewall to continue if suricata crashes/fails?

This isn't supported by FreeBSD at the moment as far as I know.


Cheers,
Franco
#9
Are you using any browser extensions? And is the health audit clean?
#10
> My question is: would you advise against doing a clean 26.1.1 install and restoring the config? If so, what are the main risks, and what alternative approach would you recommend?

There's no real pros and cons except maybe the time you spend doing this. You'll lose historic logs but normally not a big deal either.

The most pressing reasons for a reinstall are change of file system (to ZFS) or a damaged install beyond repair or switching the disk.


Cheers,
Franco
#11
26.1 Series / Re: Upgrade to RC1 successful
February 12, 2026, 11:23:30 AM
Outbound NAT isn't legacy just yet, but probably going to be in 26.7. Otherwise: nice!


Cheers,
Franco
#12
Announcements / OPNsense 26.1.2 released
February 12, 2026, 10:41:09 AM
Hi there,

This is a smallish update with a number of fixes and another round of Python
CVEs addressed.  New images based on this stable version are planned for next
week.

At the moment work focuses on the IPv6 support for the captive portal which
should not be too far away now.  The 26.7 roadmap will also be published at
the end of this month.

Here are the full patch notes:

o system: remove "upstream" from gateway grid as priority already reflects the proper data
o system: adjust gateway group priority (tier) wording
o interfaces: fix wlanmode argument usage
o firewall: fix target mapping inconsistency leading to references not being processed in destination NAT
o firewall: use local-port as target when specified in destination NAT
o firewall: fix missing reply-to when not specifically set in new rules
o firewall: live view: fix parsing of combined filters stored as converted strings
o firewall: fix group rename in source_net, destination_net and SNAT/DNAT target fields
o firewall: add tcpflags_any in new rules GUI for parity with legacy rules
o firewall: exclude loopback from interface selectpicker in new rules GUI
o firewall: well known ports added to filter rule selection
o firewall: undefined is also "*" in new rules grid
o firewall: add download button for validation errors in rule import
o firewall: allow TTL usage on host entries
o firmware: avoid update-hook background cleanups
o firmware: revoke 25.7 fingerprint
o kea: fix subnets GUI missing root node
o radvd: change tabs to spaces in radvd.conf for better maintenance
o unbound: safeguard the blocklist tester against empty configuration testing
o mvc: add $separator as parameter for CSV export and switch the default to a semicolon
o mvc: InterfaceField: minor adjustments and add resetStaticOptionList()
o mvc: catch empty data in CSV import
o tests: Shell: add testing framework
o plugins: os-haproxy 5.0[1]
o ports: expat 2.7.4[2]
o ports: hostwatch 1.0.12 now rate-limits database writes for recently seen hosts
o ports: ldns 1.9.0[3]
o ports: nss 3.120[4]
o ports: openldap 2.6.12[5]
o ports: openvpn 2.6.19[6]
o ports: py-duckdb 1.4.4[7]
o ports: python additional security fixes[8][9]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/26.1/net/haproxy/pkg-descr
[2] https://github.com/libexpat/libexpat/blob/R_2_7_4/expat/Changes
[3] https://raw.githubusercontent.com/NLnetLabs/ldns/1.9.0/Changelog
[4] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_120.html
[5] https://www.openldap.org/software/release/changes_lts.html
[6] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.19
[7] https://github.com/duckdb/duckdb/releases/tag/v1.4.4
[8] https://www.cve.org/cverecord?id=CVE-2026-1299
[9] https://www.cve.org/cverecord?id=CVE-2026-0865
#13
26.1 Series / Re: Firewall rules migration
February 11, 2026, 07:31:37 PM
That's because the old rules don't have as many integrity checks. "opt2" is gone I think so you don't need these rules?


Cheers,
Franco
#14
26.1 Series / Re: upgrade from 25.7.11_9 and ISC
February 11, 2026, 04:15:10 PM
Yeah, that's the issue that can happen where the plugin doesn't update. I'm working on it. Sorry for the trouble.


Cheers,
Franco
#15
It's going to be configurable in 26.1.2, see https://github.com/opnsense/core/issues/9767

Yay for tickets :D


Cheers,
Franco