Hello!
We use OPNsense Community Edition within the GlobaLeaks (https://www.globaleaks.org/) project, and we are opening these questions because we believe they are relevant not only to us but also to many users whose OPNsense appliances are managed by external organizations.
Clear guidance can help reduce operational costs and avoid the risks of updating too early from a stable setup, or staying too long on a version that is no longer adequately supported.
Our questions:
- Does OPNsense have a formal LTS or extended-support policy, or is only the latest major CE release supported with security updates? For example, if 25.12 is the last release of the 25.x series and is presumably more stable than an early 26.1 release, when should users consider upgrading to 26.x?
- Is a "security-only" or frozen-stable branch available, or are all CE users expected to follow the regular feature + security update cycle? We understand the latter is currently the case. From an end-user perspective, it would be helpful if each release clearly indicated whether it includes security fixes, for example via a "security-update" tag.
- What update cadence or version-selection strategy do you recommend for CE users seeking maximum security and stability, while avoiding premature upgrades or outdated releases? We hope the answers will help both our project and the wider OPNsense community adopt safer, more predictable deployment practices.
Thank you!
This is not an official answer, only my observations:
1. I never saw any updates for older CE branches after the next release has come out, so I guess, if you do not apply the latest updates, you potentially risk having unfixed vulnerabilities.
2. Deciso offers the business edition for exactly the purpose you aim at. It is usually 3 months behind the community edition feature-wise (i.e. it has ripened a little), but is updated for vulnerabilities regularly. This version is the one to use if you want production quality. The CE version is free, but you have to be able to cope with problems induced by feature upgrades that come along with new releases. Short story is: You can use the CE version for free if you volunteer for testing it - otherwise, buy the business license.
3. Since the "major" updates for CE come out twice a year with YY.1 in January and YY.7 in July, they tend to have more new features in them. The minor updates that follow (e.g. YY.7.x) usually have fewer new features included - which is not to say that they cannot break.
If you can cope with not always having the "latest" and greatest, you should probably skip YY.X.0 versions or at least wait a few days after a release has been announced to see if there were necessary fixes (YY.X.Z_n).
Quote from: evilaliv3 on December 05, 2025, 06:35:26 PM
What update cadence or version-selection strategy do you recommend for CE users seeking maximum security and stability, while avoiding premature upgrades or outdated releases? We hope the answers will help both our project and the wider OPNsense community adopt safer, more predictable deployment practices.
My take: always update to the latest release when it is published.
But do it in a phased rollout. Have a lab system that is for test purposes only. Update that first. If no problems arise, check the forum for any problems you might not have noticed.
Once lab is fine and 2-3 work days have passed after release, update less critical, single node systems.
Once they are fine, update more critical dual node HA systems.
And of course: install with ZFS and prepare snapshots before updating.
That procedure works for us so far. As @meyergru noted, there is the business edition.
HTH,
Patrick
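The phased rollout and the YY.X.Z_n version scheme discussed in this thread can be encoded as a small gate, shown here as an added example that is not code from any poster or from the OPNsense project. The function names, the tier labels and the 3-work-day soak period are assumptions chosen for illustration, and the sample versions and dates are constructed.

```python
import re
from datetime import date, timedelta

# Version form described in the thread: YY.M[.Z][_n], e.g. 25.7, 25.7.10, 25.7.3_2
VERSION_RE = re.compile(r"^(\d{2})\.(\d{1,2})(?:\.(\d+))?(?:_(\d+))?$")
TIERS = ("lab", "single-node", "ha-pair")   # rollout order from the post (labels assumed)
SOAK_WORK_DAYS = 3                          # assumption: upper end of "2-3 work days"

def parse_version(text):
    """Return (year, series, minor, hotfix) as ints; missing parts count as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a YY.M[.Z][_n] version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def latest(versions):
    """Pick the newest release numerically (a string sort ranks 25.7.9 above 25.7.10)."""
    return max(versions, key=parse_version)

def work_days_since(release, today):
    """Count Monday-Friday days after `release`, up to and including `today`."""
    count, day = 0, release
    while day < today:
        day += timedelta(days=1)
        count += day.weekday() < 5
    return count

def next_step(release, today, healthy, snapshot_taken):
    """Return (tier, reason): the tier that may be updated now, or None to wait."""
    pending = [t for t in TIERS if t not in healthy]
    if not pending:
        return None, "rollout complete"
    tier = pending[0]
    if not snapshot_taken:
        return None, f"take a ZFS snapshot on {tier} before updating"
    if tier != "lab" and work_days_since(release, today) < SOAK_WORK_DAYS:
        return None, f"{tier} waits until {SOAK_WORK_DAYS} work days after release"
    return tier, f"update {tier}"

if __name__ == "__main__":
    # Constructed sample data: versions and dates are illustrative only.
    print(latest(["25.7.9", "25.7.10", "25.7.3_2"]))
    print(next_step(date(2025, 12, 4), date(2025, 12, 5), {"lab"}, True))
```

`healthy` is the set of tiers already updated and confirmed fine, so the gate can be re-run each day of a rollout.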