This business release is based on the OPNsense 25.1.6 community version
with additional reliability improvements, but without Dnsmasq DHCP support
and the recent captive portal backend switch.

Here are the full patch notes:

o system: extend XMLRPC "nosync" support to keep backup items for new cases
o system: use RADIUS Message Authenticator by default
o system: prevent recursion loop when CAs are cross-referencing each other
o system: fix off by one error due to line ending at the end of a log file
o system: offer config directory to store locations for external certificates and support it in the certificates widget
o system: allow multiple manual DNS search domains
o system: fix gateway watcher backoff
o system: minor code cleanups in auth.inc
o system: kill gateways states for failback scenario when a higher priority gateway goes back online
o system: update to latest tzdata content for time zones and ISO 3166 definitions
o system: clean up a number of unused functions
o system: refactor a VIP access in auth.inc
o system: add field "boottime" to api/system/systemTime (contributed by eopo)
o reporting: move NetFlow backend single_pass to command line parameters for easier debugging
o reporting: use client time in traffic dashboard widget
o reporting: replace insights totals chart with ChartJS variant
o reporting: minor style fixes and cleanups in health graphs
o interfaces: refactor bridge configuration backend
o interfaces: refactor wireless device assignment
o interfaces: allow literal comma by escape sequence in DHCP advanced option modifiers
o interfaces: fix refresh button in ARP page
o interfaces: fix "(de)select all" button in packet capture
o interfaces: rename ip_in_subnet() to reflect it is only for IPv4
o interfaces: remove unused get_vip_descr()
o dnsmasq: domain to host migration for hosts
o firewall: automation filter UI revamp
o firewall: fix regression in alias table in JSON format
o firewall: replace update_params for argparse in filter log reader
o firewall: prevent source/destination inversion when multiple nets are selected
o firewall: support comma separated alias targets in refactor() call
o firewall: added multi-select for ICMP type
o firewall: update user agent in alias URL fetch
o firmware: ignore dashboard check for updates link automation if user clicks check for updates too
o firmware: fix reboot flag handling due to changed BooleanField default in 25.1.4
o firmware: add cleanup audit script
o intrusion detection: fix a log reader regression in the alert view
o intrusion detection: fix alert info button
o ipsec: move mobile clients charon attributes to "Advanced settings"
o ipsec: fix auth server parsing regression
o ipsec: copy "Split DNS name" to undocumented "25" option
o ipsec: fix more ACLs related to individual IPsec page use
o ipsec: add DH Group 2 for basic Azure VPN gateway compatibility
o ipsec: fix trimming NULL values
o ipsec: attr 28673 previously rendered as 1 instead of strongswan default "yes"/"no" for a boolean
o isc-dhcp: use "lease_type" to key lease map in addition to "iaid_duid" (contributed by Alex Goodkind)
o isc-dhcp: fix invalid FQDN generation from DHCPv4 static map domains (contributed by Steven Zimmermann)
o kea-dhcp: allow manual configuration for advanced scenarios
o kea-dhcp: add DHCPv6 support
o kea-dhcp: split into multiple id-based services
o kea-dhcp: fix menu for overlapping leases links
o kea-dhcp: correct static mapping returns for IPv6 addresses
o kea-dhcp: translate reservation MAC address when dash is used
o openvpn: display virtual IPv6 addresses for clients in dashboard widget (contributed by cs-1 and lucaspalomodevelop)
o openvpn: simplify the VIP handling in legacy pages
o router advertisements: fix list of source addresses on overlapping link-locals (contributed by Robin Müller)
o unbound: add optional TTL field
o backend: support "errors:no" clause on actions
o mvc: prefer ui/user_portal above system_usermanager_passwordmg.php in ACLs
o mvc: implement "ignore" field type in forms
o mvc: allow referencing disabled interfaces in LinkAddressField
o mvc: fix scoping issue in CertificatesField
o mvc: BooleanField now defaults to "0" on creation
o mvc: add static $internalStaticChildren in classes extending ArrayField
o mvc: safeguard JsonKeyValueStoreField->setSourceField()
o ui: include "all" instead of only "solid" and "brands" Font Awesome styles
o ui: ensure fields stay aligned relative to one another when headers are used in forms
o ui: add fetch_options() which can build grouped selectpickers
o ui: improve and extend Bootgrid behaviour
o plugins: os-caddy 1.8.5[1]
o plugins: os-ndproxy 1.1[2]
o plugins: os-sftp-backup 1.1 adds hostname prefix and filedrop-only support (contributed by beposec)
o plugins: os-theme-rebellion 1.9.3 (contributed by Team Rebellion)
o plugins: os-turnserver 1.0 (contributed by Frank Wall)
o plugins: os-squid 1.2[3]
o src: ifconfig: fix reporting optics on most 100g interfaces
o src: igc: fix attach for I226-K and LMVP devices
o src: inpcb: assorted changes for upcoming FIB support
o src: ipfw: fix dump_soptcodes() handler
o src: ixgbe: add support for 1000BASE-BX SFP modules
o src: ixgbe: fix mailbox ack handling
o src: netinet6: add the missing lock acquire to nd6_get_llentry
o src: netinet: fix getcred sysctl handlers to do nothing if no input is given
o src: netinet: if mb_unmapped_to_ext() failed, return directly
o src: netlink: fix getting route scope of interface IPv4 addresses
o src: ovpn: fix use-after-free of mbuf
o src: pf: improve pf_state_key_attach() error handling
o src: pfkey2: use correct value for a key length
o src: routing: do not allow PINNED routes to be overridden
o src: sctp: fix double unlock in case adding a remote address fails
o src: tcp: clear sendfile logging struct
o src: udp: do not recursively enter net epoch
o src: wg: remove overly-restrictive address family check
o src: caroot: update the root bundle
o src: openssl: import OpenSSL 3.0.16
o src: daemon: stop rebuilding the kqueue every restart of the child
o src: contrib/expat: update libexpat from 2.6.0 to 2.7.1
o src: contrib/tzdata: import tzdata 2025b
o src: pfctl: fix faulty rule anchor counter print
o src: pfctl: fix recursive printing of NAT rules
o src: pf: Use a macro to get the hash row in pf_find_state_byid()
o src: netinet6: work around synchronization issue in dying netgraph device
o src: wg: Improve wg_peer_alloc() to simplify the calling
o src: bnxt_en: Retrieve maximum of 128 APP TLVs
o src: Revert "amd64 GENERIC: Switch uart hints from isa to acpi"
o ports: curl 8.13.0[4]
o ports: expat 2.7.1[5]
o ports: kea 2.6.2[6]
o ports: lighttpd 1.4.79[7]
o ports: monit 5.35.2[8]
o ports: nss 3.110[9]
o ports: openssh 10.0p1[10]
o ports: phalcon 5.9.3[11]
o ports: php 8.3.20[12]
o ports: py-duckdb 1.2.2[13]
o ports: python 3.11.12[14]
o ports: syslog-ng 4.8.2[15]
o ports: unbound 1.23.0[16]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.1/net/ndproxy/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.1/www/squid/pkg-descr
[4] https://curl.se/changes.html#8_13_0
[5] https://github.com/libexpat/libexpat/blob/R_2_7_1/expat/Changes
[6] https://downloads.isc.org/isc/kea/2.6.2/Kea-2.6.2-ReleaseNotes.txt
[7] https://www.lighttpd.net/2025/4/4/1.4.79/
[8] https://mmonit.com/monit/changes/
[9] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_110.html
[10] https://www.openssh.com/txt/release-10.0
[11] https://github.com/phalcon/cphalcon/releases/tag/v5.9.3
[12] https://www.php.net/ChangeLog-8.php#8.3.20
[13] https://github.com/duckdb/duckdb/releases/tag/v1.2.2
[14] https://docs.python.org/release/3.11.12/whatsnew/changelog.html
[15] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.2
[16] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-23-0

SHA256 (OPNsense-business-25.4.1-dvd-amd64.iso.bz2) = 12aa36a2ce6743217e9714ac1ba16de6bc81ef2f8a4f3c7635215268a0944b18
SHA256 (OPNsense-business-25.4.1-nano-amd64.img.bz2) = 12361c910da612fe37cdec2814ff6d8363d9bee6171fe50de8cd58adb6a0e22d
SHA256 (OPNsense-business-25.4.1-serial-amd64.img.bz2) = 41283f6cf854608b56cb08f7960c5e0291c9ef1a32e6f0736f59f287cf2e9ba2
SHA256 (OPNsense-business-25.4.1-vga-amd64.img.bz2) = f20dd969784088eb1578df9c8dc5eb0a90502405027ab95b2b66277960803225