Messages - franco

#1
If you add a ticket on GitHub that's something to consider for improvement. I agree that it shouldn't differ but we need to isolate the code bits responsible first to make a meaningful plan forward.


Thanks,
Franco
#2
Thanks for your feedback... it's appreciated :)

> Luckily nothing weird happened and I hope it stays that way! :)

There was one issue with Python 3.13, as regex module strings needed proper escaping now, otherwise scripts would fail with a SyntaxWarning trace, but it was rather limited in impact so overall it went smoothly. We're also a bit ahead of FreeBSD ports here now.


Cheers,
Franco
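An added example (not part of Franco's post or of the OPNsense code base) of the Python 3.13 behaviour described above: a regex pattern written in a plain string, such as "\d+", contains an invalid escape sequence that newer interpreters report as a SyntaxWarning at compile time. The check below compiles source text and collects those warnings, so a script collection can be scanned before an upgrade instead of discovering the traces at runtime. The two snippets and the helper names are constructed for this example.

```python
import pathlib
import warnings

# Constructed snippets. The first passes a plain string to re.compile(), so
# "\d" is an invalid escape sequence (SyntaxWarning on Python 3.12+,
# DeprecationWarning on older releases). The second uses a raw string.
BAD_SNIPPET = 'import re\npattern = re.compile("\\d+\\.\\d+")\n'
GOOD_SNIPPET = 'import re\npattern = re.compile(r"\\d+\\.\\d+")\n'


def find_invalid_escapes(source: str, filename: str = "<snippet>") -> list[tuple[int, str]]:
    """Compile *source* and return (line, message) for each invalid-escape warning.

    The compile step is done under a recording warnings filter, so nothing is
    printed and the warnings are not suppressed by the once-per-location
    registry that would hide repeats on a second scan.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        compile(source, filename, "exec")
    return [
        (w.lineno, str(w.message))
        for w in caught
        if issubclass(w.category, (SyntaxWarning, DeprecationWarning))
        and "invalid escape sequence" in str(w.message)
    ]


def scan_file(path: pathlib.Path) -> list[tuple[int, str]]:
    """Run the escape check over one Python file on disk."""
    return find_invalid_escapes(path.read_text(encoding="utf-8"), str(path))


def check_snippets() -> dict[str, list[tuple[int, str]]]:
    """Apply the check to the two constructed snippets; used by the demo below."""
    return {
        "bad": find_invalid_escapes(BAD_SNIPPET),
        "good": find_invalid_escapes(GOOD_SNIPPET),
    }


if __name__ == "__main__":
    for name, hits in check_snippets().items():
        if hits:
            for lineno, message in hits:
                print(f"{name}: line {lineno}: {message}")
        else:
            print(f"{name}: no invalid escape sequences")
```

To scan a tree of scripts, call scan_file() on each *.py path found with pathlib.Path(root).rglob("*.py") and treat any non-empty result as a file that needs raw strings or doubled backslashes before the interpreter upgrade.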
#3
Huh, is "usbus0" even in /usr/local/etc/kea/kea-dhcp4.conf?


Cheers,
Franco
#4
A hotfix release was issued as 25.10.2_8:

o interfaces: fix static neighbor apply button (contributed by Konstantinos Spartalis)
o firewall: one-to-one NAT rendered rule missed "log" statement
o ipsec: fix delete selected for SPD and SAD
o mvc: ConfigMaintenance: when constructing class names use a safer way to strip .php extension
o src: remote code execution via RPCSEC_GSS packet validation[24]
o src: tcp: remotely exploitable DoS vector[25]

--
[24] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc
[25] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:06.tcp.asc
#5
Quote from: Patrick M. Hausen on March 26, 2026, 08:42:52 AM
> Why don't you set it to 0, then? You can add arbitrary tunables from the UI.

According to the source code it's CTLFLAG_RWTUN, which means a tunable in the GUI will put it in loader.conf and it's active on bootup. But I still think this will prevent crash reports from panics and there is no best of both worlds.

Quote from: trasz@ on March 26, 2026, 11:40:47 AM
> The argument it should be set to 0 in production releases is sound though. I wonder if you could file a FreeBSD PR to suggest that change, probably by adding KDB_UNATTENDED when branching a release, a bit like we do with MALLOC_PRODUCTION?

I think that's fair and changed locally easily enough. The only repercussions are perpetual boot loops, the question of what type of crashes happen during early boot before init takes over (as we cannot record them using a ddb.conf setup), and the fact that disabling the debugger will also defang the ability to store the crash report (textdump, not a full kernel dump).


Cheers,
Franco
#6
Reading more about the purpose of the core team, I've never had the pleasure to deal with them for their main purpose of wrangling commit rights ever. I'll be honest that dch@ was dangling them in 2024 Dublin, but it was rather clear this wasn't really happening, so there was no mutual approach to this ever, and someone else confirmed to me that he appeared to not tell me the truth back then. I fundamentally disagree with leadership styles I've witnessed. Programmers rarely make good managers. Managers also do not always make good managers. The problem isn't managing commit bits. The problem starts when attempting to manage people on the matter of commit bits and coming down only on either side ever with no willingness to do better.

From what I've seen in over a decade pass by on Bugzilla and mailing lists... some people have commit bits for short, small commit histories and in one instance multiple core team members could/would not answer me how a particular src-only committer would appear to commit to ports as well, ignoring maintainer timeout procedure and adding port plist issues in that same process. Luckily that person stopped committing altogether, which made that person the oddest choice to begin with. Furthermore, committers would neglect contributions, engagement and not extend trust or expertise. A "who are you" directed at an external contributor is really a question of "don't you know who I am" and the process of contributing falls flat on its face as people set up their egos to fail in the technical discussions never to be responded again. But I digress.

The core team seemed to find some bite in recent years for auxiliary topics, but that's largely directed at easy victims to cement status quo and avoid addressing structural issues. To me it seems the whole concept of the team is becoming a problem in itself with re-cycling members and declining committer pool growth. I think the protectionism is a bit misplaced which in part is a human condition although that would still not justify keeping things as they are if FreeBSD wants to start a new growth phase. The work of the core team is not boiling down to a chain of "not everyone will always like what we do" decisions. If that's the internal MO then yes we're scraping the bottom of the barrel with governance and things should really change rather than go on like this.

Between core team and foundation there has always been a lack of entity that works on cooperation and motivation or general engagement with the user side. Some would call this a "community manager". Not that one is needed, but there's also lack of FreeBSD culture around that principle also in part due to said protectionism and strict enforcement of committer/user relationships and pushing away side projects as "being on their own". None of this helps users and release quality, but I'm sure the people who feel this is necessary know the implications, but would still not change anything because that's easier for them (to have a productive year without dealing with code of conduct complaints, huh).


Cheers,
Franco
#7
We're still in tcp_default_output() but as you can see it went further. I told you it's an uphill battle:

> This may not be the only fix [required] since the problem is systemic

Adding multiple checks in the hot-path isn't really great and likely the reason FreeBSD decided to do nothing on existing versions.


Cheers,
Franco
#8
Or here's a snapshot kernel that includes all advisories:

# opnsense-update -zkr 26.1.3-next
(reboot)

It will yield to a known kernel the next time the box is updated (e.g. to 26.1.6).


Cheers,
Franco
#9
The timing is unfortunate. We decided to hotfix this for business users later today. The full batch of SA's includes more changes to pf than necessary (or even relevant to us), so it has to wait for 26.1.6, or you can build a kernel from https://github.com/opnsense/src/commits/stable/26.1/ directly, which has all the commits.


Cheers,
Franco
#10
26.1 Series / Re: Upgrade Failed, signature invalid
March 25, 2026, 09:28:29 PM
Kernel is the smallest one. Sounds like larger downloads are likely to corrupt on that link, although I still think there is an issue with libfetch here. Does the same happen when using curl to download?


Cheers,
Franco
#11
26.1 Series / Re: New Rules Performance
March 25, 2026, 10:45:27 AM
Not sure what the goalpost is here without reliable metrics regarding API calls... we have customers with thousands of rules in the new GUI because they couldn't use the old GUI due to it taking minutes to load, and here we talk about 200 rules and unbearable delays?


Cheers,
Franco
#12
One thing to note here is that the default logging in 26.1 was changed to info level, so we only have a checkbox for debug mode, and the fact that it makes it easier to see problems initially, as the default log level really didn't log anything it did or issues it encountered.


Cheers,
Franco
#13
26.1 Series / Re: Can the GUI levels stay expanded?
March 24, 2026, 07:06:09 PM
You don't have to adjust the existing Menu.xml files since they are pluggable (just add one under OPNsense/MyChanges/Menu/Menu.xml for example) and you can add duplicate entries with the visibility="delete" override.

Has been the case since 2016: https://github.com/opnsense/core/commit/d53780856a58f


Cheers,
Franco
#14
Won't be long... 26.4 on April 15.


Cheers,
Franco
#15
Announcements / OPNsense 26.1.5 released
March 24, 2026, 02:59:05 PM
Howdy,

This update ships a few third-party updates, assorted core fixes and
improvements, of which Kea DDNS and options support may be the most
sought-after.

The captive portal IPv6 changes are ready for wider testing on the
development version and over there the grids will now auto-resize as
the limits of the Tabulator UI are pushed farther and further.  ;)

Here are the full patch notes:

o system: cleanup and simplify certificate deployment and remove legacy config import
o system: validate monitor uniqueness based on the host route presence
o system: simplify user/group sync scripts using config_read_array()
o interfaces: clean up overview UI code and fix CARP badge alignment
o interfaces: fix static neighbor apply button (contributed by Konstantinos Spartalis)
o interfaces: simplify CARP scripts using config_read_array()
o interfaces: automatic dhclient recovery
o interfaces: settings page use cases for config_read_array()
o firewall: fix regression in alias summary not shown in new rules GUI
o firewall: invalidate database when last updated time is in the future
o firewall: add missing "static port" option in source NAT
o firewall: add semantic groups coloring option in dashboard widget (contributed by Gunnar Lieb)
o firewall: one-to-one NAT rendered rule missed "log" statement
o firewall: add missing alias rename rule targets
o firewall: add alias GeoIP database update button and move bogons one to the same tab
o firewall: fix port handling in registered NAT rule
o firewall: fix MVC code vs. legacy rules display issues
o firewall: outbound NAT page use case for config_read_array()
o captive portal: cleanup and simplify certificate deployment and remove legacy config import
o captive portal: enforce POST-only on logoffAction() (contributed by Oliver Jueguen)
o dnsmasq: add "no-ping" option (contributed by Konstantinos Spartalis)
o dnsmasq: remove a too-strict validation for suffix IPv6 addresses without constructor use
o dnsmasq: ensure the lease view handles client-id correctly
o ipsec: fix delete selected for SPD and SAD
o kea: add DDNS and DHCP option support
o network time: add pool property for time servers (contributed by Konstantinos Spartalis)
o network time: remove stale symlink when PPS is disabled
o unbound: only emit warning when "addptr" was requested
o unbound: use expand formatter for blocklist URLs and DNSBL types
o unbound: include blocklist length in state change logic
o backend: more fixes for re-bound SyntaxWarning throws in Python 3.13
o backend: use config_read_array() non-insert mode iteration of virtual IPs
o mvc: BaseListField: merge remaining use of shared implementation of static options
o mvc: File: add file_update_contents() helper
o mvc: Shell: rewrite exec_safe() to avoid vsprintf() complications
o rc: speed up maintenance file deletes
o ui: bootgrid: require selection to be enabled for delete-selected
o ui: bootgrid: introduce 'expand' formatter to cap lists of data
o plugins: os-frr 1.51[1]
o plugins: os-tayga 1.5[2]
o ports: openldap 2.6.13[3]
o ports: perl 5.42.1[4]
o ports: phpseclib 3.0.50[5]
o ports: py-duckdb 1.5.0[6]
o ports: suricata 8.0.4[7]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/26.1/net/frr/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/26.1/net/tayga/pkg-descr
[3] https://www.openldap.org/software/release/changes_lts.html
[4] https://perldoc.perl.org/5.42.1/perldelta
[5] https://github.com/phpseclib/phpseclib/releases/tag/3.0.50
[6] https://github.com/duckdb/duckdb/releases/tag/v1.5.0
[7] https://suricata.io/2026/03/17/suricata-8-0-4-and-7-0-15-released/