OPNsense has been working fine since the upgrade to 25.7 (after I disabled Unbound, have other post on that).
Have applied a few updates since the upgrade and no issues with that process either. Today I click on "view pending updates" and update text scrolls by, followed by an error popup: The release type "opnsense" is not available on this repository
I searched and found this recent post: https://forum.opnsense.org/index.php?topic=49338 - the OP's situation is different from mine, but OP also received this popup. In that post, OP was advised to run a health audit.
I found mine here: System->Firmware->Status->Run an Audit (button at bottom)->Health (dropdown) This is the result:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.7.4 (amd64) at Wed Oct 22 08:16:24 PDT 2025
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.7.3 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7.3 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
os-gdrive-backup 1.0
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 25.7.4 has 67 dependencies to check.
Checking packages: ..
ca_root_nss-3.115_2 version mismatch, expected 3.115_3
Checking packages: ...................
openssh-portable-10.0.p1_2,1 version mismatch, expected 10.2.p1,1
Checking packages: ..
opnsense-25.7.4 version mismatch, expected 25.7.6
Checking packages: ...
opnsense-update-25.7.3 version mismatch, expected 25.7.5_1
Checking packages: ..............
php83-phpseclib-3.0.46 version mismatch, expected 3.0.47
Checking packages: ................
py311-sqlite3-3.11.13_11 version mismatch, expected 3.11.14_11
Checking packages: ........
suricata-7.0.12 version mismatch, expected 8.0.1
Checking packages: .
syslog-ng-4.8.2_4 version mismatch, expected 4.10.2
Checking packages: ..
wpa_supplicant-2.11_5 version mismatch, expected 2.11_7
Checking packages: . done
***DONE***
I don't know why there are mismatches? I've not done anything in the past except apply whatever updates are waiting, as soon as I see them - every couple of weeks.
I haven't applied this update yet. I'm afraid to go ahead with it given I've never had an error message before.
Is there something else I should do or look at?
Thank you for any help. Kind regards.
Check for updates again. And read the release notes 😉
OK - I didn't have any release notes the first time, but on your advice I just checked again and now have the release notes.
I will go ahead and apply the update in a minute.
I never knew about the "audit button" before today. I just finished running all of the other audits, they all have errors too. Maybe the update will fix all of those.
Thank you.
The update followed by reboot all seemed to go fine. No errors reported. Internet access OK so far.
I still see some audit errors (rest are fine). Is there something I should do about these:
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 25.7.6 (amd64) at Wed Oct 22 09:21:07 PDT 2025
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes
1508 bytes from 89.149.222.99: icmp_seq=0 ttl=40 time=203.228 ms
1508 bytes from 89.149.222.99: icmp_seq=1 ttl=40 time=205.375 ms
1508 bytes from 89.149.222.99: icmp_seq=2 ttl=40 time=203.321 ms
1508 bytes from 89.149.222.99: icmp_seq=3 ttl=40 time=206.310 ms
--- 89.149.222.99 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 203.228/204.558/206.310/1.326 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 904 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
repository OPNsense has no meta file, using default settings
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: pkg.opnsense.org
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = pkg.opnsense.org
verify return:1
DONE
***DONE***
Upgrade Log:
beep-1.0_2: already unlocked
boost-libs-1.88.0_1: already unlocked
brotli-1.1.0,1: already unlocked
(...) long list of things already unlocked
unbound-1.23.1: already unlocked
wpa_supplicant-2.11_5: already unlocked
zip-3.0_4: already unlocked
zstd-1.5.7: already unlocked
Updating OPNsense repository catalogue...
pkg-static: Repository OPNsense has a wrong packagesite, need to re-create database
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 898 packages processed.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (175 candidates): .......... done
Processing candidates (175 candidates): .......... done
Checking integrity... done (1 conflicting)
- os-gdrive-backup-1.0 [OPNsense] conflicts with opnsense-25.1.12 [installed] on /usr/local/opnsense/mvc/app/library/Google/API/Drive.php
Checking integrity... done (0 conflicting)
The following 174 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
opnsense: 25.1.12 -> 25.7 [OPNsense]
opnsense-update: 25.1.11 -> 25.7 [OPNsense]
os-gdrive-backup: 0.1 -> 1.0 [OPNsense]
Installed packages to be REINSTALLED:
beep-1.0_2 [OPNsense]
boost-libs-1.88.0_1 [OPNsense]
brotli-1.1.0,1 [OPNsense]
(...) long list of packages to be reinstalled
wpa_supplicant-2.11_5 [OPNsense]
zip-3.0_4 [OPNsense]
zstd-1.5.7 [OPNsense]
Number of packages to be upgraded: 3
Number of packages to be reinstalled: 171
[1/174] Reinstalling indexinfo-0.3.1_1...
[1/174] Extracting indexinfo-0.3.1_1: .... done
[2/174] Reinstalling mpdecimal-4.0.1...
[2/174] Extracting mpdecimal-4.0.1: .......... done
(...)
[35/174] Reinstalling cyrus-sasl-2.1.28_5...
*** Updated user `cyrus'.
[35/174] Extracting cyrus-sasl-2.1.28_5: .......... done
[36/174] Reinstalling sqlite3-3.50.2_1,1...
[36/174] Extracting sqlite3-3.50.2_1,1: .......... done
(...)
[111/174] Reinstalling expat-2.7.1...
[111/174] Extracting expat-2.7.1: .......... done
[112/174] Deinstalling opnsense-25.1.12...
[112/174] Deleting files for opnsense-25.1.12: .......... done
[113/174] Reinstalling unbound-1.23.1...
===> Creating groups
Using existing group 'unbound'
===> Creating users
Using existing user 'unbound'
[113/174] Extracting unbound-1.23.1: .......... done
[114/174] Reinstalling wpa_supplicant-2.11_5...
[114/174] Extracting wpa_supplicant-2.11_5: ....... done
[115/174] Reinstalling flock-2.37.2_1...
[115/174] Extracting flock-2.37.2_1: ...... done
[116/174] Reinstalling filterlog-0.7_1...
[116/174] Extracting filterlog-0.7_1: .... done
[117/174] Reinstalling dpinger-3.3...
[117/174] Extracting dpinger-3.3: .... done
[118/174] Reinstalling lighttpd-1.4.79...
===> Creating groups
Using existing group 'www'
===> Creating users
Using existing user 'www'
[118/174] Extracting lighttpd-1.4.79: .......... done
[119/174] Reinstalling php83-filter-8.3.23...
[119/174] Extracting php83-filter-8.3.23: ......... done
[120/174] Upgrading opnsense-update from 25.1.11 to 25.7...
[120/174] Extracting opnsense-update-25.7: .......... done
[121/174] Reinstalling hostapd-2.11_3...
[121/174] Extracting hostapd-2.11_3: ....... done
[122/174] Reinstalling flowd-0.9.1_5...
===> Creating groups
Using existing group '_flowd'
===> Creating users
Using existing user '_flowd'
[122/174] Extracting flowd-0.9.1_5: .......... done
[123/174] Reinstalling php83-curl-8.3.23...
[123/174] Extracting php83-curl-8.3.23: .......... done
[124/174] Reinstalling monit-5.35.2...
[124/174] Extracting monit-5.35.2: ....... done
[125/174] Reinstalling dhcrelay-1.0...
[125/174] Extracting dhcrelay-1.0: ....... done
[126/174] Reinstalling php83-ldap-8.3.23...
[126/174] Extracting php83-ldap-8.3.23: ........ done
[127/174] Reinstalling choparp-20150613_1...
[127/174] Extracting choparp-20150613_1: ...... done
[128/174] Reinstalling openvpn-2.6.14...
===> Creating groups
Using existing group 'openvpn'
===> Creating users
Using existing user 'openvpn'
[128/174] Extracting openvpn-2.6.14: .......... done
[129/174] Reinstalling cpustats-0.1...
[129/174] Extracting cpustats-0.1: . done
[130/174] Reinstalling php83-google-api-php-client-2.4.0...
[130/174] Extracting php83-google-api-php-client-2.4.0: .......... done
[131/174] Reinstalling dnsmasq-2.91_1,1...
[131/174] Extracting dnsmasq-2.91_1,1: .......... done
[132/174] Reinstalling py311-netaddr-1.3.0...
[132/174] Extracting py311-netaddr-1.3.0: .......... done
[133/174] Reinstalling php83-simplexml-8.3.23...
[133/174] Extracting php83-simplexml-8.3.23: ......... done
[134/174] Reinstalling rrdtool-1.9.0_1...
[134/174] Extracting rrdtool-1.9.0_1: .......... done
[135/174] Reinstalling dhcp6c-20250513...
[135/174] Extracting dhcp6c-20250513: ........ done
[136/174] Reinstalling radvd-2.20...
[136/174] Extracting radvd-2.20: .......... done
[137/174] Reinstalling isc-dhcp44-server-4.4.3P1_2...
===> Creating groups
Using existing group 'dhcpd'
===> Creating users
Using existing user 'dhcpd'
[137/174] Extracting isc-dhcp44-server-4.4.3P1_2: .......... done
[138/174] Reinstalling ntp-4.2.8p18_4...
[138/174] Extracting ntp-4.2.8p18_4: .......... done
[139/174] Reinstalling syslog-ng-4.8.2_3...
[139/174] Extracting syslog-ng-4.8.2_3: .......... done
[140/174] Reinstalling php83-sockets-8.3.23...
[140/174] Extracting php83-sockets-8.3.23: .......... done
[141/174] Reinstalling py311-jq-1.8.0_1...
[141/174] Extracting py311-jq-1.8.0_1: ........ done
[142/174] Reinstalling php83-pear-Crypt_CHAP-1.5.0_1...
[142/174] Extracting php83-pear-Crypt_CHAP-1.5.0_1: ...... done
uninstall ok: channel://pear.php.net/Crypt_CHAP-1.5.0
install ok: channel://pear.php.net/Crypt_CHAP-1.5.0
[143/174] Reinstalling php83-pcntl-8.3.23...
[143/174] Extracting php83-pcntl-8.3.23: ......... done
[144/174] Reinstalling ca_root_nss-3.108...
[144/174] Extracting ca_root_nss-3.108: ..... done
(...)
[173/174] Reinstalling py311-Jinja2-3.1.6...
[173/174] Extracting py311-Jinja2-3.1.6: .......... done
[174/174] Upgrading os-gdrive-backup from 0.1 to 1.0...
[174/174] Extracting os-gdrive-backup-1.0: .... done
[174/174] Installing opnsense-25.7...
[174/174] Extracting opnsense-25.7: .......... done
Creating group 'wwwonly' with gid '789'
Creating user 'wwwonly' with uid '789'
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
Migrated OPNsense\Kea\KeaDhcpv4 from 1.0.3 to 1.0.4
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: Modified 192 trust store links.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
Generating GIO modules cache
Compiling glib schemas
No schema files found: doing nothing.
You may need to manually remove /usr/local/openssl/openssl.cnf if it is no longer needed.
=====
Message from py311-urllib3-1.26.20,1:
--
Since version 1.25 HTTPS connections are now verified by default which is done
via "cert_reqs = 'CERT_REQUIRED'". While certificate verification can be
disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on.
Various consumers of net/py-urllib3 already have implemented routines that
either explicitly enable or disable HTTPS certificate verification (e.g. via
configuration settings, CLI arguments, etc.).
Yet it may happen that there are still some consumers which don't explicitly
enable/disable certificate verification for HTTPS connections which could then
lead to errors (as is often the case with self-signed certificates).
In case of an error one should try first to temporarily disable certificate
verification of the problematic urllib3 consumer to see if that approach will
remedy the issue.
=====
Message from oniguruma-6.9.10:
--
===> NOTICE:
This port is deprecated; you may wish to reconsider installing it:
Project archived upstream.
It is scheduled to be removed on or after 2026-12-01.
=====
Message from openvpn-2.6.14:
--
Note that OpenVPN now configures a separate user and group "openvpn",
which should be used instead of the NFS user "nobody"
when an unprivileged user account is desired.
It is advisable to review existing configuration files and
to consider adding/changing user openvpn and group openvpn.
You may need to manually remove /usr/local/etc/dnsmasq.conf if it is no longer needed.
=====
Message from dnsmasq-2.91_1,1:
--
To enable dnsmasq, edit /usr/local/etc/dnsmasq.conf and
set dnsmasq_enable="YES" in /etc/rc.conf[.local]
Further options and actions are documented inside
/usr/local/etc/rc.d/dnsmasq
NOTE: when using dnssec, inaccurate system clocks
can cause DNS resolution to fail
because DNSSEC signatures may then not validate.
SECURITY RECOMMENDATION
~~~~~~~~~~~~~~~~~~~~~~~
It is recommended to enable the wpad-related options
at the end of the configuration file (you may need to
copy them from the example file to yours) to fix
CERT Vulnerability VU#598349.
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/kea-ctrl-agent.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/kea-dhcp4.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/keactrl.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/ssh/sshd_config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/classification.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/reference.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/suricata.yaml if it is no longer needed.
=====
Message from strongswan-5.9.14:
--
The default strongSwan configuration interface have been updated to vici.
To use the stroke interface by default either compile the port without the vici option or
set 'strongswan_interface="stroke"' in your rc.conf file.
=====
Message from opnsense-25.7:
--
Some will win, some will lose, some are born to sing the blues
Checking all packages: .......... done
Thank you for any guidance on what to do (or nothing) with the above messages.
Kind regards.
Quote from: pseudonym3k on October 22, 2025, 06:36:46 PMThank you for any guidance on what to do (or nothing) with the above messages.
Nothing.
Because:
(https://forum.opnsense.org/index.php?action=dlattach;attach=48729;image)
Installed packages to be UPGRADED:
opnsense: 25.1.12 -> 25.7 [OPNsense]
opnsense-update: 25.1.11 -> 25.7 [OPNsense]
os-gdrive-backup: 0.1 -> 1.0 [OPNsense]
From 25.1.12 to 25.7 when we talk about 25.7.6? This looks like it broke earlier. Hopefully applying the update will fix all the inconsistencies.
Cheers,
Franco
Quote from: franco on October 22, 2025, 06:57:44 PMHopefully applying the update will fix all the inconsistencies.
This is the audit *after* applying the update today.
I spoke too soon, internet connectivity became sporadic then stopped just after I posted last. Could have nothing to do with OPNsense update and just a coincidence... I have powered all equipment off and powered back on, beginning with cable modem and waiting a few minutes, then each with same pause between.
All internet seems to be back up; however, intermittently pages are loading incompletely and require a browser refresh to get full page. This was not happening prior to the update this morning. Not sure how to determine cause.
Quote from: Patrick M. Hausen on October 22, 2025, 06:48:02 PMQuote from: pseudonym3k on October 22, 2025, 06:36:46 PMThank you for any guidance on what to do (or nothing) with the above messages.
Nothing.
Because:
(https://forum.opnsense.org/index.php?action=dlattach;attach=48729;image)
List was from Audit, not the list after update which has that message. Audit has no such message.
Quote from: pseudonym3k on October 22, 2025, 07:18:01 PMList was from Audit, not the list after update which has that message. Audit has no such message.
I mistook the whole lot of package messages for the installation log. Sorry.
> This is the audit *after* applying the update today.
The update 25.1.12 -> 25.7 is not from the audit and cannot and will not happen when you are on 25.7.x proper.
I would suggest a clean bootstrap...
# opnsense-bootstrap -r 25.7
But the file system could already be unreliable.
Cheers,
Franco
Yes it is, from the audit I just ran following the update this morning. Full copy attached, without my "clipping".
Also attached is a screensot of the upgrade changelog.
Quote from: Patrick M. Hausen on October 22, 2025, 07:45:55 PMI mistook the whole lot of package messages for the installation log. Sorry.
No worries, just wanted us on same page.
I have had no trouble with OPNsense since first installing a couple of years ago, having taken all the install defaults (including Unbound enabled by default), and changing only those things necessary to get connected to my ISP. I also switched the order of ports so WAN was first. I put my DNS servers in Unbound, and configured nothing else. This ran fine until upgrade to 25.7 earlier this year. I have another post about that, long story longer, after I disabled Unbound and put my DNS servers in general settings, all has again been fine. Until this morning and the reason for this post.
Just lost all connectivity here again. Cable modem appears fine (it did earlier, too, when connection dropped) at least based on blinky-lights. Rebooted just Protectli box with OPNsense this time (instead of all equipment) and internet is back online again.
After a lot of reading this summer, I have been wanting to try using ZFS for filesystem and perhaps even installing Proxmox. Maybe now would be a good time. Hoping not to have to wipe and reinstall OPNsense only because my time is really scarce next couple of weeks. But also can't deal with an unstable connection next couple of weeks either.
Ideas? Kind regards.
If your system is unstable with newer OpnSense revisions, then maybe look at this, #23 (https://forum.opnsense.org/index.php?topic=42985.0). There have been reports about instabilities with non-N Intel CPUs from the same generation.
I see, the 25.1.12->25.7 was from the upgrade log. It's all a bit too convoluted here posting every audit type and more.
I would suggest two things:
1. Run the health audit again to see you made progress WRT you original health audit post.
2. Consider the possibility that 25.7.x updates are not your apparent issue with stability.
Cheers,
Franco
We just went offline again. Unplugging Protectli box only again, waited 30 seconds, plugged back in, we are back online again.
Quote from: meyergru on October 22, 2025, 09:24:45 PMIf your system is unstable with newer OpnSense revisions, then maybe look at this, #23 (https://forum.opnsense.org/index.php?topic=42985.0). There have been reports about instabilities with non-N Intel CPUs from the same generation.
My hardware was bought new from Protectli, a Protectli Vault VP4630 - 6 Port Intel® i3 × 1 in February 2024. It doesn't say anything in the specs about "N" or "non-N" - how would I find out? ETA: I found a further detail on my invoice: Intel® i3-10110U Dual Core / 4 Thread at 2.1 GHz (Turbo up to 4 GHz) - is that useful?
Quote from: franco on October 22, 2025, 09:27:44 PM1. Run the health audit again to see you made progress WRT you original health audit post.
2. Consider the possibility that 25.7.x updates are not your apparent issue with stability.
I already wrote I ran the Health audit again after the update and it was fine. I only posted the full unclipped audit upgrade log because what you claimed was false. And I attached the full log in a text file to avoid the clutter you mention. I wish people wouldn't skim posts when they're trying to help, it makes me waste time on defense instead of learning what I can do.
My connection is very unstable right now. Three times now I have had to reset equipment to get back online since this mornings updates. It no longer seems coincidental, since I have had no issues since early summer when I had to disable Unbound after updating to 25.7.
I have so far concluded it is something connected to the updates but will investigate anything I can.
1. I had my house cabling checked a couple of years ago (before I had OPNsense) because I had an unstable connection. My cable modem would go on and offline repeatedly. Repairs were made and that solved it.
2. My modem is not going offline, at least not according to the "blinky lights". I checked my ISP's website and they have not reported any connection troubles in my area. I have run the ISP troubleshooter online and it reports no connection issues have been logged with my account. I do take all that with a grain of salt.
3. I am able to power cycle the Protectli box (only) to get a connection again. When the issue is external to my house (wiring, ISP), the modem always has to be power cycled to get a connection.
What else can I investigate, to determine it is NOT OPNsense update this morning causing the instability?
i3-10110U is Comet Lake (10th) series, whereas N100 is Alder Lake (12th) series. so that should not be a problem.