OPNsense has been working fine since the upgrade to 25.7 (after I disabled Unbound, have other post on that).
Have applied a few updates since the upgrade and no issues with that process either. Today I click on "view pending updates" and update text scrolls by, followed by an error popup: The release type "opnsense" is not available on this repository
I searched and found this recent post: https://forum.opnsense.org/index.php?topic=49338 - the OP's situation is different from mine, but OP also received this popup. In that post, OP was advised to run a health audit.
I found mine here: System->Firmware->Status->Run an Audit (button at bottom)->Health (dropdown). This is the result:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.7.4 (amd64) at Wed Oct 22 08:16:24 PDT 2025
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.7.3 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7.3 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
os-gdrive-backup 1.0
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 25.7.4 has 67 dependencies to check.
Checking packages: ..
ca_root_nss-3.115_2 version mismatch, expected 3.115_3
Checking packages: ...................
openssh-portable-10.0.p1_2,1 version mismatch, expected 10.2.p1,1
Checking packages: ..
opnsense-25.7.4 version mismatch, expected 25.7.6
Checking packages: ...
opnsense-update-25.7.3 version mismatch, expected 25.7.5_1
Checking packages: ..............
php83-phpseclib-3.0.46 version mismatch, expected 3.0.47
Checking packages: ................
py311-sqlite3-3.11.13_11 version mismatch, expected 3.11.14_11
Checking packages: ........
suricata-7.0.12 version mismatch, expected 8.0.1
Checking packages: .
syslog-ng-4.8.2_4 version mismatch, expected 4.10.2
Checking packages: ..
wpa_supplicant-2.11_5 version mismatch, expected 2.11_7
Checking packages: . done
***DONE***
I don't know why there are mismatches? I've not done anything in the past except apply whatever updates are waiting, as soon as I see them - every couple of weeks.
I haven't applied this update yet. I'm afraid to go ahead with it given I've never had an error message before.
Is there something else I should do or look at?
Thank you for any help. Kind regards.
Check for updates again. And read the release notes 😉
OK - I didn't have any release notes the first time, but on your advice I just checked again and now have the release notes.
I will go ahead and apply the update in a minute.
I never knew about the "audit button" before today. I just finished running all of the other audits, they all have errors too. Maybe the update will fix all of those.
Thank you.
The update followed by reboot all seemed to go fine. No errors reported. Internet access OK so far.
I still see some audit errors (rest are fine). Is there something I should do about these:
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 25.7.6 (amd64) at Wed Oct 22 09:21:07 PDT 2025
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes
1508 bytes from 89.149.222.99: icmp_seq=0 ttl=40 time=203.228 ms
1508 bytes from 89.149.222.99: icmp_seq=1 ttl=40 time=205.375 ms
1508 bytes from 89.149.222.99: icmp_seq=2 ttl=40 time=203.321 ms
1508 bytes from 89.149.222.99: icmp_seq=3 ttl=40 time=206.310 ms
--- 89.149.222.99 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 203.228/204.558/206.310/1.326 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 904 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
repository OPNsense has no meta file, using default settings
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: pkg.opnsense.org
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = pkg.opnsense.org
verify return:1
DONE
***DONE***
Upgrade Log:
beep-1.0_2: already unlocked
boost-libs-1.88.0_1: already unlocked
brotli-1.1.0,1: already unlocked
(...) long list of things already unlocked
unbound-1.23.1: already unlocked
wpa_supplicant-2.11_5: already unlocked
zip-3.0_4: already unlocked
zstd-1.5.7: already unlocked
Updating OPNsense repository catalogue...
pkg-static: Repository OPNsense has a wrong packagesite, need to re-create database
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 898 packages processed.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (175 candidates): .......... done
Processing candidates (175 candidates): .......... done
Checking integrity... done (1 conflicting)
- os-gdrive-backup-1.0 [OPNsense] conflicts with opnsense-25.1.12 [installed] on /usr/local/opnsense/mvc/app/library/Google/API/Drive.php
Checking integrity... done (0 conflicting)
The following 174 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
opnsense: 25.1.12 -> 25.7 [OPNsense]
opnsense-update: 25.1.11 -> 25.7 [OPNsense]
os-gdrive-backup: 0.1 -> 1.0 [OPNsense]
Installed packages to be REINSTALLED:
beep-1.0_2 [OPNsense]
boost-libs-1.88.0_1 [OPNsense]
brotli-1.1.0,1 [OPNsense]
(...) long list of packages to be reinstalled
wpa_supplicant-2.11_5 [OPNsense]
zip-3.0_4 [OPNsense]
zstd-1.5.7 [OPNsense]
Number of packages to be upgraded: 3
Number of packages to be reinstalled: 171
[1/174] Reinstalling indexinfo-0.3.1_1...
[1/174] Extracting indexinfo-0.3.1_1: .... done
[2/174] Reinstalling mpdecimal-4.0.1...
[2/174] Extracting mpdecimal-4.0.1: .......... done
(...)
[35/174] Reinstalling cyrus-sasl-2.1.28_5...
*** Updated user `cyrus'.
[35/174] Extracting cyrus-sasl-2.1.28_5: .......... done
[36/174] Reinstalling sqlite3-3.50.2_1,1...
[36/174] Extracting sqlite3-3.50.2_1,1: .......... done
(...)
[111/174] Reinstalling expat-2.7.1...
[111/174] Extracting expat-2.7.1: .......... done
[112/174] Deinstalling opnsense-25.1.12...
[112/174] Deleting files for opnsense-25.1.12: .......... done
[113/174] Reinstalling unbound-1.23.1...
===> Creating groups
Using existing group 'unbound'
===> Creating users
Using existing user 'unbound'
[113/174] Extracting unbound-1.23.1: .......... done
[114/174] Reinstalling wpa_supplicant-2.11_5...
[114/174] Extracting wpa_supplicant-2.11_5: ....... done
[115/174] Reinstalling flock-2.37.2_1...
[115/174] Extracting flock-2.37.2_1: ...... done
[116/174] Reinstalling filterlog-0.7_1...
[116/174] Extracting filterlog-0.7_1: .... done
[117/174] Reinstalling dpinger-3.3...
[117/174] Extracting dpinger-3.3: .... done
[118/174] Reinstalling lighttpd-1.4.79...
===> Creating groups
Using existing group 'www'
===> Creating users
Using existing user 'www'
[118/174] Extracting lighttpd-1.4.79: .......... done
[119/174] Reinstalling php83-filter-8.3.23...
[119/174] Extracting php83-filter-8.3.23: ......... done
[120/174] Upgrading opnsense-update from 25.1.11 to 25.7...
[120/174] Extracting opnsense-update-25.7: .......... done
[121/174] Reinstalling hostapd-2.11_3...
[121/174] Extracting hostapd-2.11_3: ....... done
[122/174] Reinstalling flowd-0.9.1_5...
===> Creating groups
Using existing group '_flowd'
===> Creating users
Using existing user '_flowd'
[122/174] Extracting flowd-0.9.1_5: .......... done
[123/174] Reinstalling php83-curl-8.3.23...
[123/174] Extracting php83-curl-8.3.23: .......... done
[124/174] Reinstalling monit-5.35.2...
[124/174] Extracting monit-5.35.2: ....... done
[125/174] Reinstalling dhcrelay-1.0...
[125/174] Extracting dhcrelay-1.0: ....... done
[126/174] Reinstalling php83-ldap-8.3.23...
[126/174] Extracting php83-ldap-8.3.23: ........ done
[127/174] Reinstalling choparp-20150613_1...
[127/174] Extracting choparp-20150613_1: ...... done
[128/174] Reinstalling openvpn-2.6.14...
===> Creating groups
Using existing group 'openvpn'
===> Creating users
Using existing user 'openvpn'
[128/174] Extracting openvpn-2.6.14: .......... done
[129/174] Reinstalling cpustats-0.1...
[129/174] Extracting cpustats-0.1: . done
[130/174] Reinstalling php83-google-api-php-client-2.4.0...
[130/174] Extracting php83-google-api-php-client-2.4.0: .......... done
[131/174] Reinstalling dnsmasq-2.91_1,1...
[131/174] Extracting dnsmasq-2.91_1,1: .......... done
[132/174] Reinstalling py311-netaddr-1.3.0...
[132/174] Extracting py311-netaddr-1.3.0: .......... done
[133/174] Reinstalling php83-simplexml-8.3.23...
[133/174] Extracting php83-simplexml-8.3.23: ......... done
[134/174] Reinstalling rrdtool-1.9.0_1...
[134/174] Extracting rrdtool-1.9.0_1: .......... done
[135/174] Reinstalling dhcp6c-20250513...
[135/174] Extracting dhcp6c-20250513: ........ done
[136/174] Reinstalling radvd-2.20...
[136/174] Extracting radvd-2.20: .......... done
[137/174] Reinstalling isc-dhcp44-server-4.4.3P1_2...
===> Creating groups
Using existing group 'dhcpd'
===> Creating users
Using existing user 'dhcpd'
[137/174] Extracting isc-dhcp44-server-4.4.3P1_2: .......... done
[138/174] Reinstalling ntp-4.2.8p18_4...
[138/174] Extracting ntp-4.2.8p18_4: .......... done
[139/174] Reinstalling syslog-ng-4.8.2_3...
[139/174] Extracting syslog-ng-4.8.2_3: .......... done
[140/174] Reinstalling php83-sockets-8.3.23...
[140/174] Extracting php83-sockets-8.3.23: .......... done
[141/174] Reinstalling py311-jq-1.8.0_1...
[141/174] Extracting py311-jq-1.8.0_1: ........ done
[142/174] Reinstalling php83-pear-Crypt_CHAP-1.5.0_1...
[142/174] Extracting php83-pear-Crypt_CHAP-1.5.0_1: ...... done
uninstall ok: channel://pear.php.net/Crypt_CHAP-1.5.0
install ok: channel://pear.php.net/Crypt_CHAP-1.5.0
[143/174] Reinstalling php83-pcntl-8.3.23...
[143/174] Extracting php83-pcntl-8.3.23: ......... done
[144/174] Reinstalling ca_root_nss-3.108...
[144/174] Extracting ca_root_nss-3.108: ..... done
(...)
[173/174] Reinstalling py311-Jinja2-3.1.6...
[173/174] Extracting py311-Jinja2-3.1.6: .......... done
[174/174] Upgrading os-gdrive-backup from 0.1 to 1.0...
[174/174] Extracting os-gdrive-backup-1.0: .... done
[174/174] Installing opnsense-25.7...
[174/174] Extracting opnsense-25.7: .......... done
Creating group 'wwwonly' with gid '789'
Creating user 'wwwonly' with uid '789'
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
Migrated OPNsense\Kea\KeaDhcpv4 from 1.0.3 to 1.0.4
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: Modified 192 trust store links.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
Generating GIO modules cache
Compiling glib schemas
No schema files found: doing nothing.
You may need to manually remove /usr/local/openssl/openssl.cnf if it is no longer needed.
=====
Message from py311-urllib3-1.26.20,1:
--
Since version 1.25 HTTPS connections are now verified by default which is done
via "cert_reqs = 'CERT_REQUIRED'". While certificate verification can be
disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on.
Various consumers of net/py-urllib3 already have implemented routines that
either explicitly enable or disable HTTPS certificate verification (e.g. via
configuration settings, CLI arguments, etc.).
Yet it may happen that there are still some consumers which don't explicitly
enable/disable certificate verification for HTTPS connections which could then
lead to errors (as is often the case with self-signed certificates).
In case of an error one should try first to temporarily disable certificate
verification of the problematic urllib3 consumer to see if that approach will
remedy the issue.
=====
Message from oniguruma-6.9.10:
--
===> NOTICE:
This port is deprecated; you may wish to reconsider installing it:
Project archived upstream.
It is scheduled to be removed on or after 2026-12-01.
=====
Message from openvpn-2.6.14:
--
Note that OpenVPN now configures a separate user and group "openvpn",
which should be used instead of the NFS user "nobody"
when an unprivileged user account is desired.
It is advisable to review existing configuration files and
to consider adding/changing user openvpn and group openvpn.
You may need to manually remove /usr/local/etc/dnsmasq.conf if it is no longer needed.
=====
Message from dnsmasq-2.91_1,1:
--
To enable dnsmasq, edit /usr/local/etc/dnsmasq.conf and
set dnsmasq_enable="YES" in /etc/rc.conf[.local]
Further options and actions are documented inside
/usr/local/etc/rc.d/dnsmasq
NOTE: when using dnssec, inaccurate system clocks
can cause DNS resolution to fail
because DNSSEC signatures may then not validate.
SECURITY RECOMMENDATION
~~~~~~~~~~~~~~~~~~~~~~~
It is recommended to enable the wpad-related options
at the end of the configuration file (you may need to
copy them from the example file to yours) to fix
CERT Vulnerability VU#598349.
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/kea-ctrl-agent.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/kea-dhcp4.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/keactrl.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/ssh/sshd_config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/classification.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/reference.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/suricata.yaml if it is no longer needed.
=====
Message from strongswan-5.9.14:
--
The default strongSwan configuration interface have been updated to vici.
To use the stroke interface by default either compile the port without the vici option or
set 'strongswan_interface="stroke"' in your rc.conf file.
=====
Message from opnsense-25.7:
--
Some will win, some will lose, some are born to sing the blues
Checking all packages: .......... done
Thank you for any guidance on what to do (or nothing) with the above messages.
Kind regards.
Quote from: pseudonym3k on October 22, 2025, 06:36:46 PM
> Thank you for any guidance on what to do (or nothing) with the above messages.
Nothing.
Because:
(https://forum.opnsense.org/index.php?action=dlattach;attach=48729;image)
Installed packages to be UPGRADED:
opnsense: 25.1.12 -> 25.7 [OPNsense]
opnsense-update: 25.1.11 -> 25.7 [OPNsense]
os-gdrive-backup: 0.1 -> 1.0 [OPNsense]
From 25.1.12 to 25.7 when we talk about 25.7.6? This looks like it broke earlier. Hopefully applying the update will fix all the inconsistencies.
Cheers,
Franco
Quote from: franco on October 22, 2025, 06:57:44 PM
> Hopefully applying the update will fix all the inconsistencies.
This is the audit *after* applying the update today.
I spoke too soon, internet connectivity became sporadic then stopped just after I posted last. Could have nothing to do with OPNsense update and just a coincidence... I have powered all equipment off and powered back on, beginning with cable modem and waiting a few minutes, then each with same pause between.
All internet seems to be back up; however, intermittently pages are loading incompletely and require a browser refresh to get full page. This was not happening prior to the update this morning. Not sure how to determine cause.
Quote from: Patrick M. Hausen on October 22, 2025, 06:48:02 PM
> Quote from: pseudonym3k on October 22, 2025, 06:36:46 PM
> > Thank you for any guidance on what to do (or nothing) with the above messages.
> Nothing.
> Because:
> (https://forum.opnsense.org/index.php?action=dlattach;attach=48729;image)
List was from Audit, not the list after update which has that message. Audit has no such message.
Quote from: pseudonym3k on October 22, 2025, 07:18:01 PM
> List was from Audit, not the list after update which has that message. Audit has no such message.
I mistook the whole lot of package messages for the installation log. Sorry.
> This is the audit *after* applying the update today.
The update 25.1.12 -> 25.7 is not from the audit and cannot and will not happen when you are on 25.7.x proper.
I would suggest a clean bootstrap...
# opnsense-bootstrap -r 25.7
But the file system could already be unreliable.
Cheers,
Franco
Yes it is, from the audit I just ran following the update this morning. Full copy attached, without my "clipping".
Also attached is a screenshot of the upgrade changelog.
Quote from: Patrick M. Hausen on October 22, 2025, 07:45:55 PM
> I mistook the whole lot of package messages for the installation log. Sorry.
No worries, just wanted us on same page.
I have had no trouble with OPNsense since first installing a couple of years ago, having taken all the install defaults (including Unbound enabled by default), and changing only those things necessary to get connected to my ISP. I also switched the order of ports so WAN was first. I put my DNS servers in Unbound, and configured nothing else. This ran fine until upgrade to 25.7 earlier this year. I have another post about that, long story longer, after I disabled Unbound and put my DNS servers in general settings, all has again been fine. Until this morning and the reason for this post.
Just lost all connectivity here again. Cable modem appears fine (it did earlier, too, when connection dropped) at least based on blinky-lights. Rebooted just Protectli box with OPNsense this time (instead of all equipment) and internet is back online again.
After a lot of reading this summer, I have been wanting to try using ZFS for filesystem and perhaps even installing Proxmox. Maybe now would be a good time. Hoping not to have to wipe and reinstall OPNsense only because my time is really scarce next couple of weeks. But also can't deal with an unstable connection next couple of weeks either.
Ideas? Kind regards.
If your system is unstable with newer OPNsense revisions, then maybe look at this, #23 (https://forum.opnsense.org/index.php?topic=42985.0). There have been reports about instabilities with non-N Intel CPUs from the same generation.
I see, the 25.1.12->25.7 was from the upgrade log. It's all a bit too convoluted here posting every audit type and more.
I would suggest two things:
1. Run the health audit again to see you made progress WRT your original health audit post.
2. Consider the possibility that 25.7.x updates are not your apparent issue with stability.
Cheers,
Franco
We just went offline again. Unplugging Protectli box only again, waited 30 seconds, plugged back in, we are back online again.
Quote from: meyergru on October 22, 2025, 09:24:45 PM
> If your system is unstable with newer OPNsense revisions, then maybe look at this, #23 (https://forum.opnsense.org/index.php?topic=42985.0). There have been reports about instabilities with non-N Intel CPUs from the same generation.
My hardware was bought new from Protectli, a Protectli Vault VP4630 - 6 Port Intel® i3 × 1 in February 2024. It doesn't say anything in the specs about "N" or "non-N" - how would I find out? ETA: I found a further detail on my invoice: Intel® i3-10110U Dual Core / 4 Thread at 2.1 GHz (Turbo up to 4 GHz) - is that useful?
Quote from: franco on October 22, 2025, 09:27:44 PM
> 1. Run the health audit again to see you made progress WRT your original health audit post.
> 2. Consider the possibility that 25.7.x updates are not your apparent issue with stability.
I already wrote I ran the Health audit again after the update and it was fine. I only posted the full unclipped audit upgrade log because what you claimed was false. And I attached the full log in a text file to avoid the clutter you mention. I wish people wouldn't skim posts when they're trying to help, it makes me waste time on defense instead of learning what I can do.
My connection is very unstable right now. Three times now I have had to reset equipment to get back online since this morning's updates. It no longer seems coincidental, since I have had no issues since early summer when I had to disable Unbound after updating to 25.7.
I have so far concluded it is something connected to the updates but will investigate anything I can.
1. I had my house cabling checked a couple of years ago (before I had OPNsense) because I had an unstable connection. My cable modem would go on and offline repeatedly. Repairs were made and that solved it.
2. My modem is not going offline, at least not according to the "blinky lights". I checked my ISP's website and they have not reported any connection troubles in my area. I have run the ISP troubleshooter online and it reports no connection issues have been logged with my account. I do take all that with a grain of salt.
3. I am able to power cycle the Protectli box (only) to get a connection again. When the issue is external to my house (wiring, ISP), the modem always has to be power cycled to get a connection.
What else can I investigate, to determine it is NOT OPNsense update this morning causing the instability?
i3-10110U is Comet Lake (10th) series, whereas N100 is Alder Lake (12th) series, so that should not be a problem.
Quote from: meyergru on October 23, 2025, 09:08:01 AM
> so that should not be a problem.
Thank you so much for looking at that for me, I breathe easier.
For the record, I've just had the exact same issue now.
Same popup appeared during upgrade.
Same errors appear during audit.
If someone finds a fix, I would be glad to hear about it...
Update:
I think the audit errors have disappeared somehow, after a while.
It was scary though...
I had started jumping up and down like a real kangaroo...!
Quote from: Cangooroo7993 on October 26, 2025, 11:04:38 AM
> I think the audit errors have disappeared somehow, after a while.
Thanks for posting!
I just ran the audits again and still have errors.
Nothing changed on upgrade log since (I assume) there has been no further upgrade.
Connectivity errors are the same.
I have new errors though on Security log:
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 25.7.6 (amd64) at Sun Oct 26 07:41:54 PDT 2025
vulnxml file up-to-date
unbound-1.24.0 is vulnerable:
unbound -- Possible domain hijacking via promiscuous records in the authority section
CVE: CVE-2025-11411
WWW: https://vuxml.FreeBSD.org/freebsd/ea1c485f-b025-11f0-bce7-bc2411002f50.html
1 problem(s) in 1 package(s) found.
***DONE***
So I checked for updates and there aren't any. Will a patch for Unbound be coming? This made *me* jump like a real Kangaroo 😂
I think you are merely misunderstanding how the different types of audits work and that they do not necessarily interact with each other.
Cheers,
Franco
Quote from: franco on October 27, 2025, 04:35:01 PM
> you are merely misunderstanding
If I run an audit and it says it has a vulnerability, does that not get patched? What am I misunderstanding about that?
Quote from: pseudonym3k on October 27, 2025, 07:40:42 PM
> If I run an audit and it says it has a vulnerability, does that not get patched? What am I misunderstanding about that?
It will get patched. In due time.
This new issue is from 22./23. of October. The problem needs to get
- fixed upstream - by the Unbound project
- imported tested and released by the FreeBSD project
- imported tested and released by the OPNsense project
In the meantime it is your duty as an admin to read the CVE documentation and do your own assessment to judge if you are affected by the bug, how severe the impact might be, etc.
I am confident there will be a fix in 25.7.7. Sometimes the OPNsense team even goes out of their way to provide their own fixes if upstream takes too long.
HTH,
Patrick
Sorry, I am completely lost. I don't know who is this admin. I don't know what it is I'm allegedly getting mixed up, according to Franco.
Back to the beginning. I made this post with the error from my latest update, and that I have an unstable internet connection following the update.
I referenced another post that was similar. That OP was advised to run audits, so I did same.
From there this thread has gone off the rails. Instead of me getting help with my unstable internet, I'm spending my time answering every question, accusation, assumption while trying to get my issue back on the rails and not having any luck.
I'm not interested in any blame game of who or what. I'm only interested in getting a stable internet again, and posted for help trying to figure out what went wrong.
For the record I'm just a home user with a tiny network who wants a stable internet.
I had simple consumer routers running DD-WRT for years, very satisfied. When my last router was very old, before it died I set about replacing it. That's when I learned everything in the consumer space has taken all control away from the user, over config, over updates, no more recovery/rollback, data in the cloud. I started looking for what else was out there. I found Firewalla, then pfSense, then OPNsense. I decided OPNsense would work for me. I bought a Protectli 4630 vault, installed OPNsense on it with the defaults (and changed little else, since). I have been "fat dumb and happy" with OPNsense for a few years, until the 25.7 upgrade destabilized my internet. I finally realized it was Unbound (whatever that is), learned I didn't need it and could disable it, and all was fine again. Until this error message and this post.
All I want to do is get my internet stable again. I don't know where/what the issues are, but I thought this forum was a place where I could get help toward figuring it out. If I have to become a network professional to continue using OPNsense, I'll have to start looking for a replacement that doesn't have that requirement, because I can't meet it.
That vulnerability is with almost certainty not the cause of your stability issues. I just explained how vulnerabilities are treated.
Things to check:
- power state - if available in the BIOS disable all power savings
- do you have the microcode update installed?
- is there a BIOS update available from Protectli?
Quote from: Patrick M. Hausen on October 28, 2025, 05:52:37 AM
> That vulnerability is with almost certainty not the cause of your stability issues
Thanks, I didn't say it was. I merely ran the audits per the post I linked and Franco said I'm misunderstanding what the audits are for, so I asked what is it about that audit I'm misunderstanding. It went down the rabbit hole from there. I'm just responding - if what's being said isn't relevant to solving my issue I don't know how to distinguish that.
Thank you for offering some items to check. I don't know the answers so I will look into them and get back.
I didn't know anything about anything when I bought the box and put up OPNsense. I've since learned of ZFS filesystem and also Proxmox VM (I've had both VMWare and Virtualbox VMs for many years, so learning Proxmox I hope won't be too far from that). Anyway, as soon as I can devote the time and be without internet a bit I will start again with Protectli and use ZFS and also Proxmox then install OPNsense from scratch, there's virtually nothing to configure so I'll do everything manually. (I want to do this so I can quickly roll back and see if an update in some way contributed to any issues.)
(Both items will be a bit of time, we've just had an unexpected death in the family, I don't have much time available nor can I be without internet right now. Please bear with me. And thank you again for trying to help.)
I'd use just OPNsense and ZFS on a Protectli. Proxmox introduces yet another level of complexity. Do you have a console on that box?
Quote from: Patrick M. Hausen on October 28, 2025, 04:39:48 PM
> Do you have a console on that box?
I'm not sure what you mean, do you mean how do I access it? IIRC it's a little awkward (it's been a couple of years since install, that's the last time I was interacting with box itself). I believe they sent a special cable I used to connect to my monitor, and I could only plug in a keyboard or a mouse but not both. (Monitor/keyboard/mouse are normally hooked up to my KVMP 4-port switch but the special connector for the Protectli isn't compatible with mine.)
If that's not what you're asking, can you clarify? Thanks.
That's what I meant. VGA plus keyboard or serial console. It would be interesting to have one and use it when your Internet connectivity breaks instead of just power cycling the device.
It might be interesting for somebody, but I wouldn't know what to do with that.
ssh into the device, option 8, then "pkg upgrade". see how that goes. Post up any errs.
Quote from: BrandyWine on October 29, 2025, 04:35:39 AM
> ssh into the device, o
Hi, thanks for jumping in, what will that command do? I don't have SSH access set up (I don't think?) - how do I do that?
In the gui turn it on. The OPNsense docs tell how to do this.
The command will go lookup what packages need updating. The web gui is just the mouse end of the commands run at OS level, perhaps with some middleware python scripts. Doing updates from CLI (ssh) takes out the gui end from the mystery, etc.
Quote from: BrandyWine on October 29, 2025, 07:07:23 PM
> In the gui turn it on. The OPNsense docs tell how to do this.
I searched OPNsense documentation for "SSH" and got back 61 pages. I typed ssh in the (upper right) search box within my gui and got nothing. I don't know what to do.
You need to look more.
Create a fw LAN rule that allows your admin host or network ALLOW SSH TCP-22 to the FW device IP or object.
Step 2: Enable Secure Shell
Navigate to System > Settings > Administration.
In the Secure Shell section, check the following options:
Enable Secure Shell: Yes
Permit root user login: Yes (optional, but not recommended for security)
Permit password login: Yes (optional, consider using SSH keys instead)
Listen Interfaces: Select "All" or specify an interface.
Click Save to apply the changes.
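Added example, not part of the thread or of OPNsense: a shell check of the effective OpenSSH settings behind the three options listed above, assuming they map to the sshd keywords PermitRootLogin, PasswordAuthentication and ListenAddress. The `sshd -T` samples, function names and finding labels are constructed for illustration.

```shell
#!/bin/sh
# Review the effective sshd settings that correspond to the GUI options
# "Permit root user login", "Permit password login" and "Listen Interfaces".
# Input is the text printed by `sshd -T`, OpenSSH's test mode that dumps the
# effective configuration as lowercase "keyword value" lines.

# Constructed sample: every optional box ticked, Listen Interfaces set to "All".
SAMPLE_PERMISSIVE='port 22
listenaddress 0.0.0.0:22
listenaddress [::]:22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes'

# Constructed sample: key-only login, bound to a single LAN address.
SAMPLE_HARDENED='port 22
listenaddress 192.168.1.1:22
permitrootlogin prohibit-password
passwordauthentication no
pubkeyauthentication yes'

# review_sshd CONFIG_TEXT
# Prints one "label: explanation" line per weak setting, nothing if none apply.
review_sshd() {
    printf '%s\n' "$1" | awk '
        # Normalise case so a hand-written sshd_config fragment also works.
        { key = tolower($1); val = tolower($2) }

        key == "permitrootlogin" && val == "yes"        { root = 1 }
        key == "passwordauthentication" && val == "yes" { pw = 1 }

        # Wildcard binds: every IPv4 or every IPv6 address, WAN side included.
        key == "listenaddress" && (val ~ /^0\.0\.0\.0(:|$)/ || val ~ /^\[::\](:|$)/) {
            wild = 1
        }

        END {
            if (root) print "root-login: root may log in directly; use prohibit-password or an unprivileged account"
            if (pw)   print "password-auth: passwords are accepted; switch to SSH keys and disable password login"
            if (wild) print "listen-all: sshd binds every interface; restrict it to the LAN or management interface"
        }
    '
}

# count_findings CONFIG_TEXT
# Prints the number of findings (0 when the configuration passes the review).
count_findings() {
    review_sshd "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# Stand-alone run: show the findings for the permissive sample.
# On the firewall itself, as root, the live settings can be reviewed with:
#   review_sshd "$(sshd -T)"
review_sshd "$SAMPLE_PERMISSIVE"
```
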
That went right over my head. It's OK. Thanks for trying to help.