Messages - franco

#1
For some reason (lib)fetch has issues with LTE connections. The package manager itself switched to libcurl. I assume your packages updated fine and you're left struggling with how to update the base/kernel? If so I can show you the manual commands to update (and downloading the sets with curl).


Cheers,
Franco
#2
Announcements / OPNsense 25.7.9 released
Today at 03:12:42 PM
What is up everyone,

A bug snuck into the last release that did not properly disable the
caching of DNS entries when using multiple blocklists with different
network restrictions.  We have used the opportunity to polish the
notification code and apply behaviour during the migration of the
old blocklist to the new format.

The saga around safe command execution continues in this release
as well.  Otherwise it is a rather quiet release and 2025 is almost
over.  Happy holidays!

Here are the full patch notes:

o system: gateway monitor Shell class use et al
o system: no longer back up DUID but add compatibility glue to opnsense-importer
o system: replace exec() in config encrypt/decrypt
o system: replace history diff exec() with shell_safe()
o system: safe execution tweaks in rc.routing_configure
o system: fix log keyword search regression introduced in 25.7.7
o reporting: unbound: fix quick allow/blocklist actions by applying them to all blocklists
o firewall: run filterlog directly after rules apply and remove promiscuous mode
o firewall: allow setting a custom authentication HTTP header for alias URL fetch (contributed by nox-404)
o firewall: for better IPv6 PMTU let "timex" and "paramprob" ICMP types through
o firewall: do not allow nesting in GeoIP aliases
o firewall: live log: restructure DOM layout to reduce wasted header space
o firewall: live log: revert static property, persistence is disabled for this grid
o firewall: safe execution changes in rules reloading code
o firewall: safe execution changes in rc.filter_synchronize
o dnsmasq: minor tweaks in lease commands
o firmware: Shell class replacements in scripting
o kea-dhcp: add lease commands, tabulator GroupBy, URL hashes
o kea-dhcp: add DNR option (contributed by schreibubi)
o network time: status: refactor to MVC/API
o ipsec: connections: prevent model caching when referring items within the same model
o ipsec: sessions: fix missing commands translation
o isc-dhcp: move syslog definitions to plugin file
o unbound: prevent caching of blocklist entries on overlapping subnet policies
o unbound: notify user if a blocklist reset is required
o unbound: reconfigure if marker file present
o unbound: missing lock in del_host_override action
o backend: minor shell execution changes and readability
o backend: use mwexecf(m) where possible
o backend: extend mwexecfb() with PID and log file support
o mvc: fix default sort order being ignored in fetchBindRequest()
o shell: rewrite timeout() using safe execution functions
o ui: refresh notification status after default apply button is done
o ui: remove obsolete jQuery bootgrid files
o plugins: os-acme-client 4.11[1]
o plugins: os-ndp-proxy-go 1.1[2]
o plugins: os-tailscale 1.3[3]
o plugins: os-turnserver 1.1[4]
o plugins: os-upnp 1.8 features assorted improvements to plugin and daemon (contributed by Self-Hosting-Group)
o plugins: os-web-proxy-sso has been marked for removal in 26.1
o plugins: os-zabbix-agent 1.18[5]
o plugins: os-zabbix-proxy 1.16[6]
o ports: filterlog no longer uses unneeded promiscuous mode
o ports: openvpn 2.6.17[7]
o ports: unbound 1.24.2[8]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.7/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.7/net/ndp-proxy-go/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.7/security/tailscale/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.7/net/turnserver/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-agent/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-proxy/pkg-descr
[7] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.17
[8] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-2
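Several of the notes above replace exec() with "safe execution" helpers. As an added example (not code from the OPNsense project, and the quoting helper below is a hypothetical stand-in rather than the project's shell_safe()), here is the difference in Python: the same untrusted value run through a shell string versus an argv list, plus the allowlist check that belongs in front of either. The child command is a small Python one-liner that echoes its arguments, used instead of a real system helper so the example runs offline.

```python
import re
import shlex
import subprocess
import sys

# Stand-in for a system helper: a child Python that prints each argv entry on its
# own line. It replaces real OPNsense helpers so the example runs anywhere offline.
ECHO_ARGV = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]

# Allowlist for the one input type this example handles (a DNS hostname).
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.I,
)


def looks_like_hostname(value):
    """Validate before executing anything; metacharacters never pass this check."""
    return bool(_HOSTNAME.match(value))


def run_unsafe(hostname):
    """The exec()-style pattern: untrusted input pasted into a shell command line.

    Only the fixed part of the command is quoted; the hostname is not, so the
    shell sees any ';', '|' or '$(...)' in it as syntax.
    """
    cmd = " ".join(shlex.quote(p) for p in ECHO_ARGV) + " " + hostname
    res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return res.stdout.splitlines()


def run_safe(hostname):
    """Safe execution: argv list and no shell, so metacharacters stay data."""
    res = subprocess.run(ECHO_ARGV + [hostname], capture_output=True, text=True)
    return res.stdout.splitlines()


def quote_into_template(template, *args):
    """When a shell string really is unavoidable, quote every substituted value.

    Hypothetical helper for this example; not the shell_safe() in the OPNsense
    code base.
    """
    return template % tuple(shlex.quote(str(a)) for a in args)


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"  # constructed hostile input
    print("valid hostname:", looks_like_hostname(payload))  # False
    print("unsafe:", run_unsafe(payload))  # ['example.com', 'INJECTED']
    print("safe:  ", run_safe(payload))    # ['example.com; echo INJECTED']
    print(quote_into_template("ping -c 1 %s", payload))
```

In run_unsafe the shell splits the line at the semicolon and runs a second command; in run_safe the whole payload reaches the child as one argument and is printed back verbatim. Quoting (quote_into_template) is the fallback for code that must build a shell string; the argv form is still the better default because there is nothing left to get wrong.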
#3
LTE/mobile?


Cheers,
Franco
#4
Let's call this the worst OPNsense bug of 2025 that never happened. Many thanks to patient0 for catching it in time!

Meanwhile we're not shipping the original fix that caused the issue in 25.7.9 (or any 25.7.x for that matter) and will eventually use this one instead:

https://github.com/opnsense/core/commit/2eb539d821e

Above all thanks for using the development version!  We need more of this. :)


Cheers,
Franco
#5
Maybe if OpenWrt and OPNsense would push for that it would gain some traction, yet it's also a literal uphill battle while software authors try to keep their scope small at the price of someone else dealing with all the consequences.


Cheers,
Franco
#6
True, but it doesn't explain why e.g. Unbound or Kea do not have dynamic prefix support built in as of today.


Cheers,
Franco
#7
General Discussion / Re: Problems with NRPE
December 02, 2025, 10:18:07 PM
Quote from: iYx3Zp8Q08hrNVZCHTYt on December 02, 2025, 05:11:16 PM
> Same problem with check_procs here (other commands work) and sudo did not help. I suspect a relation to "unbound: safe command execution changes" (from the release notes of 25.7.8)?!

Highly unlikely.

I have the ticket here as requested on reddit from michaelsage. Will look into it tomorrow.

https://github.com/opnsense/plugins/issues/5059
#8
> I understand, but if the firewalls can't work with the RFCs or vice-versa, then something is broken.

This isn't about the RFCs. It's about asking a firewall/router/distro to reload everything while reconnecting the WAN to a new prefix.

I think to this day Unbound doesn't even have a proper reload. Dnsmasq is the only software I know that has a built in for a prefix matching. pf doesn't have it either but it would be so useful, but apparently not for the use cases it is written. Maybe that's the real issue here why home users are sidelined. They are not considered a use case.


Cheers,
Franco
#9
[LAN/64]

is the same as

::123:0:0:0:0/64%lan

except that in the latter you can merge the prefix from LAN with a suffix for better targeting.

Though we were talking today about the possibility to design a simple "LAN" (per-interface) type setting that latches on to all networks currently present on the interface. I'm not saying it will happen, but it would be the simplest solution although in reality it will require a number of changes and additions to get it to the finish line in a pretty full schedule we already have.

> If not then, are we already at an impasse with IPv6 PD as a viable migration path from IPv4?

As long as ISPs will milk users for static prefixes or not offer them at all... yes.

We've been at the trying-to-handle end with DHCPv6, ISC DHCP, Radvd and Unbound and it's spaghetti code that produced unnecessary bugs and reworks over the years. Even today we need a daemon to watch a modern software daemon like Kea writing a lease file so that we can extract a PD assignment to add a route. You'd think by now bindings would do that in modern software, but they don't do this in a consistent way.

I don't understand it actually... everyone is asking here to fix PD for users but we're not the ones who hand out PDs or write the actual software based on the RFCs to do it?!


Cheers,
Franco
#10
Thanks :)
#11
Hi allddd,

Nice work on this!  If you want we can work on including this in a future release as an optional binary package and see how it goes from there?


Cheers,
Franco
#12
Can you add a ticket here? We agreed it's a good idea but would like an official issue for it.

https://github.com/opnsense/core/issues/new?template=feature_request.md


Thank you,
Franco
#13
The alias support wouldn't help with Unbound, though. It's a situation where ISPs and software authors involved said: we don't care and the user or integrator can script it, which leads to dissatisfaction as much as satisfaction.

For one you'd need to invent a suffix notation that includes the interface and the netmask:

::123:0:0:0:0/64%lan

And then you need to translate it all the time and support it seamlessly across an inhomogeneous software landscape?


Cheers,
Franco
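The suffix notation in this post and the `[LAN/64]` comparison in the earlier reply both amount to "merge the interface's current prefix with a fixed suffix, then redo it whenever the prefix changes". As an added example (not OPNsense code, and the merge semantics are assumptions for illustration rather than the project's definition), the block below resolves both forms against a constructed table of interface prefixes: the suffix is OR-ed into the host part of the interface prefix, any suffix bit that collides with the prefix is rejected instead of silently overwritten, and the result takes the requested length. The sample prefixes are made up.

```python
import ipaddress
import re

# Constructed sample: the prefix each interface currently holds. On a real system
# this comes from the PD lease / running config and changes when the ISP re-delegates.
INTERFACE_PREFIXES = {
    "lan": "2001:db8:100::/48",
}

_SUFFIX_FORM = re.compile(
    r"^(?P<suffix>[0-9A-Fa-f:]+)/(?P<plen>\d{1,3})%(?P<iface>[A-Za-z0-9_]+)$"
)
_BRACKET_FORM = re.compile(r"^\[(?P<iface>[A-Za-z0-9_]+)/(?P<plen>\d{1,3})\]$")


def merge_suffix(notation, prefixes=INTERFACE_PREFIXES):
    """Resolve '<suffix>/<len>%<iface>' against the interface's current prefix.

    Assumed semantics (not OPNsense's definition): OR the suffix into the host
    part of the interface prefix; refuse suffix bits that fall inside the prefix;
    give the result the requested prefix length.
    """
    m = _SUFFIX_FORM.match(notation)
    if not m:
        raise ValueError(f"not a <suffix>/<len>%<iface> notation: {notation!r}")
    iface, plen = m["iface"].lower(), int(m["plen"])
    if iface not in prefixes:
        raise KeyError(f"interface {iface!r} has no IPv6 prefix right now")
    prefix = ipaddress.IPv6Network(prefixes[iface])
    if not prefix.prefixlen <= plen <= 128:
        raise ValueError(f"/{plen} must lie between /{prefix.prefixlen} and /128")
    suffix = int(ipaddress.IPv6Address(m["suffix"]))
    if suffix & int(prefix.netmask):
        # A suffix like 1::/64%lan would overwrite delegated bits: treat as a typo.
        raise ValueError(f"suffix {m['suffix']} sets bits inside {prefix}")
    merged = int(prefix.network_address) | suffix
    return ipaddress.IPv6Network((merged, plen), strict=False)


def resolve(notation, prefixes=INTERFACE_PREFIXES):
    """'[LAN/64]' is treated as the all-zero suffix, i.e. '::/64%lan'."""
    m = _BRACKET_FORM.match(notation)
    if m:
        return merge_suffix(f"::/{m['plen']}%{m['iface']}", prefixes)
    return merge_suffix(notation, prefixes)


if __name__ == "__main__":
    print(resolve("[LAN/64]"))              # 2001:db8:100::/64
    print(resolve("::123:0:0:0:0/64%lan"))  # 2001:db8:100:123::/64
    # The ISP hands out a new prefix: every derived value has to be recomputed,
    # which is the "translate it all the time" part of the problem.
    renumbered = {"lan": "2001:db8:200::/48"}
    print(resolve("::123:0:0:0:0/64%lan", renumbered))  # 2001:db8:200:123::/64
```

The last call is the point of the post: the notation itself is static, but its value is only as stable as the delegated prefix, so every consumer (firewall aliases, Unbound ACLs, routes) needs to be re-evaluated on each prefix change, and a consumer that caches the resolved address keeps working with a stale one.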
#14
General Discussion / Re: boost-libs: missing redis
December 01, 2025, 05:05:16 PM
I'd just reinstall boost-libs from the GUI. The reference to redis is likely coincidental.


Cheers,
Franco
#15
Yes it was fixed more than half a year ago.


Cheers,
Franco