Messages

Hi Franco,

that did the trick!

Thank you very much!!!

Cheers,
Jochen

Hi Franco,

I assume it could be sensei, this is the output:

***GOT REQUEST TO UPDATE***
Currently running OPNsense 26.1.3 (amd64) at Wed Mar 11 23:49:44 CET 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
Fetching meta.conf: . done
SunnyValley repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
Fetching meta.conf: . done
SunnyValley repository is up to date.
All repositories are up to date.
Checking for upgrades (184 candidates): .......... done
Processing candidates (184 candidates): . done
The following 11 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
   colordiff: 1.0.22 [OPNsense]

Installed packages to be UPGRADED:
   crowdsec: 1.7.6_1 -> 1.7.6_2 [OPNsense]
   crowdsec-firewall-bouncer: 0.0.32_12 -> 0.0.34 [OPNsense]
   libunistring: 1.4.1 -> 1.4.2 [OPNsense]
   libxml2: 2.15.1_1 -> 2.15.2 [OPNsense]
   opnsense: 26.1.3 -> 26.1.4 [OPNsense]
   opnsense-lang: 26.1.1 -> 26.1.4 [OPNsense]
   os-sensei: 2.4 -> 2.4.1 [SunnyValley]
   strongswan: 6.0.3_1 -> 6.0.4 [OPNsense]
   suricata: 8.0.3_1 -> 8.0.3_2 [OPNsense]
   syslog-ng: 4.10.2 -> 4.11.0 [OPNsense]

Number of packages to be installed: 1
Number of packages to be upgraded: 10

203 MiB to be downloaded.
[ 1/11] Fetching libunistring-1.4.2: .......... done
[ 2/11] Fetching crowdsec-1.7.6_2: .......... done
[ 3/11] Fetching libxml2-2.15.2: .......... done
[ 4/11] Fetching crowdsec-firewall-bouncer-0.0.34: .......... done
[ 5/11] Fetching syslog-ng-4.11.0: .......... done
[ 6/11] Fetching colordiff-1.0.22: .. done
[ 7/11] Fetching os-sensei-2.4.1: .......... done
[ 8/11] Fetching suricata-8.0.3_2: .......... done
[ 9/11] Fetching opnsense-26.1.4: .......... done
[10/11] Fetching strongswan-6.0.4: .......... done
[11/11] Fetching opnsense-lang-26.1.4: .......... done
Checking integrity... done (0 conflicting)
[ 1/11] Installing colordiff-1.0.22...
[ 1/11] Extracting colordiff-1.0.22: ...... done
[ 2/11] Upgrading crowdsec-firewall-bouncer from 0.0.32_12 to 0.0.34...
[ 2/11] Extracting crowdsec-firewall-bouncer-0.0.34: ...... done
crowdsec_firewall is running as pid 39530.
Stopping crowdsec_firewall.
[ 3/11] Upgrading crowdsec from 1.7.6_1 to 1.7.6_2...
[ 3/11] Extracting crowdsec-1.7.6_2: .......... done
crowdsec is running as pid 31617.
Stopping crowdsec.
Waiting for PIDS: 31617.
Updating crowdsec hub data
Downloading /usr/local/etc/crowdsec/hub/.index.json
update for collection crowdsecurity/freebsd available (currently:0.4, latest:0.5)
update for collection crowdsecurity/opnsense available (currently:0.4, latest:0.5)
update for collection crowdsecurity/whitelist-good-actors available (currently:0.2, latest:0.3)
update for collection crowdsecurity/opnsense-gui available (currently:0.1, latest:0.2)
update for collection crowdsecurity/sshd available (currently:0.8, latest:0.9)
update for collection firewallservices/pf available (currently:0.2, latest:0.3)
downloading collections:crowdsecurity/sshd
downloading collections:crowdsecurity/whitelist-good-actors
downloading collections:crowdsecurity/freebsd
downloading collections:crowdsecurity/opnsense-gui
downloading collections:firewallservices/pf
downloading collections:crowdsecurity/opnsense

Run 'sudo service crowdsec reload' for the new configuration to be effective.
Loaded: 160 parsers, 11 postoverflows, 774 scenarios, 9 contexts, 5 appsec-configs, 193 appsec-rules, 160 collections
Starting crowdsec.
[ 4/11] Upgrading libunistring from 1.4.1 to 1.4.2...
[ 4/11] Extracting libunistring-1.4.2: .......... done
[ 5/11] Upgrading libxml2 from 2.15.1_1 to 2.15.2...
[ 5/11] Extracting libxml2-2.15.2: .......... done
[ 6/11] Upgrading opnsense-lang from 26.1.1 to 26.1.4...
[ 6/11] Extracting opnsense-lang-26.1.4: .......... done
[ 7/11] Upgrading os-sensei from 2.4 to 2.4.1...
[ 7/11] Extracting os-sensei-2.4.1: .......... done
Zenarmor service is running, saving state to resume after upgrade...
Removing Zenarmor cron jobs...
CLI crons: Info: Cron jobs deleted: 1
CLI crons: Success
Local path is : /usr/local/opnsense/service
total 61
-rw-r--r--  1 root wheel    0B Sep  6  2025 .fixed-security-categories
-rw-r-----  1 root wheel   32B Sep  6  2025 serial
-rw-r-----  1 root wheel    7B Oct 10 00:22 sensei_cpu_score
-rw-r-----  1 root wheel   32B Oct 10 00:28 token
-rw-r-----  1 root wheel    4B Oct 10 00:29 .configdone
-rw-r-----  1 root wheel  113B Oct 10 00:29 overlay.conf.templ
-rw-r-----  1 root wheel  236B Mar  4 23:58 workers.map
-rw-r--r--  1 root wheel  113B Mar  4 23:58 overlay.conf
-rw-r--r--  1 root wheel    0B Mar  4 23:58 .mustrestart
-rw-r--r--  1 root wheel  6.2K Mar  5 00:01 eastpect.cfg
-rwxr-xr-x  1 root wheel  136B Mar  5 08:14 workers.map.default
-rwxr-xr-x  1 root wheel   40B Mar  5 08:14 .buildtime
-rwxr-xr-x  1 root wheel  5.5K Mar  5 08:14 eastpect.cfg.default
create link for python in virtualenv...Create link python3 to /usr/local/zenarmor/py_venv/bin/python....
Create link python3 to /usr/local/zenarmor/py_venv/bin/python3....
done
Restarting configd service...done
Activating features for Freemium Edition...
Clearing OPNsense menu cache...done
Invalidating OPNsense cache...done
Invalidating Zenarmor cache...done
Running Zenarmor post-install scripts...
Check python version
Wed Mar 11 22:50:23 UTC 2026
Removing Zenarmor cron jobs...
CLI crons: Info: Cron jobs deleted: 0
CLI crons: Success
Preparing Settings Db...
Backup configurations...
Configuration Migration .....
License Migration.....
Node.csv Migration.....
Certification Migration.....
Token Migration.....
Userpin Migration.....
Serial Migration.....
Userenricher Tokens Migration.....
Hostmap Cache Database migration.....
Creating user_device_cache.db...
Creating hostmap_cache.db...
Creating settings.db...
Application database base path is /usr/local/zenarmor//db/
12 web 2.0 categories added.
Prepared Default Policy
Checking Schedule Reports...
Preparing Userenrich Db...
Checking Cloud Nodes...Setting new cloud nodes...done
ASAN LIBRARY CHECK....
Generating Zenarmor configuration files...done
Menu.xml template copied
StaticConfig template copied
CLI generate-static-file: OK
CLI setretireafter:
CLI setretireafter: DB Type: SQ
SqLite Retire After: 2
CLI setretireafter: Skipped:
CLI setflavor:
CLI setflavor: Warning: Not settings flavor size in eastpect.cfg
CLI settimestamp: Success
CLI migrate: Info: Report Mail Configuration Checking
CLI migrate: Info: done
CLI migrate: Info: Web category migration ...
CLI migrate: Info: done
CLI migrate: Info: Custom web category migration ...
CLI migrate: Info: done
CLI migrate: Info: Applications category migration ...
CLI migrate: Success
CLI migratewebcat: Success
CLI bufsysctl (ring): skipped dev.netmap.ring_num: 1024
CLI bufsysctl: skipped  mem: 8589934592 buf: 1000000
CLI setdefaultswap: Info: Swap Rate: 60
CLI setdefaultswap: Success
CLI fillscheduledreportchart
CLI fillscheduledreportchart: Success
CLI setlicensesize: Success: Warning: License is not premium
CLI check-fix-websites skipped
CLI check-fix... 
CLI check-fix done


It hangs at this point, even after reboot.
What could I do? Stop / uninstall Zenarmor?

Thanks and best regards,
Jochen

Hi all,

Update from 26.1.3 to .4 hangs at
CLI check-fix done
and nothing more happens.
Any idea?

Thanks and best regards,
Jochen

Hey guys,

thanks for the hints!
New installation from scratch, restore config, install plugins and after that upgrading to 25.7.2 worked like charm!

Thank you very much and best regards,
cibomato

Thanks for all these tipps but none of them helped me.
So, my question is:
can I just do a configuration backup of my running 25.7 , install the latest 25.7.2 from scratch and after that just restore from my backup or do I have to first install all plugins, that I'm using and then restore from backup? Or first restore and the install the plugins? What's the process?

BTW: the latest downloadable version is 25.7 (not 25.7.2!?) Will I have the same problems after new installation?

Thanks and best regards,
cibomato

Installed microcode plugin parallel in both ways /boot/loader.conf and /etc/rc.conf but still no upgrade possible. UI said the microcode plugin was misconfigured so i removed it.

Hi Franco,

Since the issue is sort of elusive on the CPU level chances are this affects stability in other ways than ZFS in particular (or any FS generally) so I think the recommendation for the tunable is something to consider for all relevant installs:

vm.pmap.pcid_enabled=0

I've also come to believe that moving way from our previous defaults hw.ibrs_disable=0 and vm.pmap.pti=1 back to FreeBSD's defaults (1 and 0 respectively) may cause some of the currently seen instabilities. Feel free to double check by setting these again on 25.7 and up:

hw.ibrs_disable=0
vm.pmap.pti=1

Sorry that I've captured this thread, don't know how to delete this post...
I've added vm.pmap.pcid_enabled=0 and corrected vm.pmap.pti=1 (was 0) but still it won't upgrade to 25.7.1.1_1
I also tried to install the intel-microcode-plugin (which I hadn't installed yet) but it claims that it'd need upgrade to 25.7.1_1 first, which doesn't work...
Trying to upgrade fails with:

Checking integrity...Assertion failed: (strcmp(uid, p->uid) != 0), function pkg_conflicts_check_local_path, file pkg_jobs_conflicts.c, line 315.
Child process pid=62294 terminated abnormally: Abort trap
Starting web GUI...done.
***DONE***

Any more iedaes?

Thanks and best regards,
Jochen

Also N100 here...

Hi Franco,

thanks for help! Now it downloads the needed packages but says:

Code Select Expand

...
[12/14] Fetching opnsense-25.7.1_1.pkg: .......... done
[13/14] Fetching py311-duckdb-1.3.2.pkg: .......... done
[14/14] Fetching sudo-1.9.17p2.pkg: .......... done
Checking integrity...Assertion failed: (strcmp(uid, p->uid) != 0), function pkg_conflicts_check_local_path, file pkg_jobs_conflicts.c, line 315.
Child process pid=97817 terminated abnormally: Abort trap
Starting web GUI...done.
***DONE***
What does that mean?
Could there be a problem with my SSD since some time ago I've read about an input/output error?

Edit:
Huh, seems to be the same error like here: https://forum.opnsense.org/index.php?topic=48340.0

Thanks and best regards,
Jochen

Hi all,

update from 25.7 to 25.7.1 fails with this error:

Code Select Expand

Number of packages to be upgraded: 17

The operation will free 62 MiB.
[1/17] Upgrading abseil from 20250127.0 to 20250127.1...
[1/17] Extracting abseil-20250127.1: .
pkg-static: Fail to set time on /usr/local/include/absl/debugging/.pkgtemp.symbolize_elf.inc.o11NKNgumlh4:No such file or directory
[1/17] Extracting abseil-20250127.1... done
Starting web GUI...done.
***DONE***
Any idea what went wrong?

Thanks and best regards,
Jochen

Hallo zusammen,

ich suche nach einer OPNsense-Hardware für mein Heimnetz. Sollte lüfterlos = leise bzw. lautlos sein, mind. 2*NICs, halbwegs aktuelle CPU m AES-NI, 8-16GB RAM haben und insg. entsprechend energieeffizient sein.

Bin da u.a. auf die Zotac CI331 als Barebone gestoßen. Macht von Specs und Preis her nen guten Eindruck, nur mit den Realtek-NICs scheinen manche Probleme zu haben. Andere aber nicht!?
Soll Wireguard machen, Zenarmor wäre nett (3 Familienmitglieder), ist das realistisch?

Könnt Ihr da was dazu sagen? Wird das mit OPNsense 22.7 prinzipiell besser/schlechter werden?

Vielleicht werde ich aus Gesamtkosten- und Energiegründen OPNsense auch auf einem ebenfalls neu zu planenden Home-Server virtualisieren.

Danke und Gruß,
cibomato

Hi all,

for our school campus (3 big schools) we'll get a new fiber-broadband connection. Additionally we'll keep our existing broadband-cable connection from Unitymedia (Germany).
Loadbalancing between these two connections would be nice to have but isn't subject of this thread. Main connection will be the fiber, because it's 1 Gbit/s symmetric.
But in case that one of the two connections will fail (fibercut or something else), I'd like to achieve automatic WAN-Failover. I'm wondering, how you would do that?

From inside to the internet, this could be done with OPNSense or - since the different schools use different firewalls - with a common used router in front, that does the WAN-failover, right?

But what about the other way: external access from the internet!?
Each school does have some fix IP addresses for different services (OWA, selfhosted clouds etc.). These IPs won't be transmitted from one (the broken) ISP to the other!
Is DNS-failover the right thing here? To have 2 IPs configured for each domain in the responsible nameserver?
I've read, that there are some obstacles with this setup because some clients would get obsolete IPs from caching DNS-servers and/or because some DNS-Providers won't take care of TTLs...!?
Besides that, one should decrease TTL in this scenario to achieve fast IP-switching but then the nameservers would be quite heavily loaded!?

Or am I completely wrong and one can achieve this on a completely different way?

Any thoughts or experiences?

Many thanks in advance and best regards,
cibomato

Reached 8000! And climbing! Keep up this great work!

Jetzt ist das gerade neu in OPNsense und nun das:
https://www.heise.de/newsticker/meldung/Schutz-durch-Speicherverwuerfelung-ASLR-geknackt-3627176.html


Was ist davon zu halten?

Viele Grüße,

Jochen

Hallo liebe Entwickler,

beim Stöbern durch das WebUI bin ich auf ein kleines kosmetisches Problem gestoßen:
die Installation von Plugins findet sich unter 'System - Firmware - Aktualisierungen - Plugins', sofern ich ein Plugin noch gar nicht installiert habe, hätte ich es intuitiv nicht unter Aktualisierungen gesucht, sondern unter 'System - Plugins' erwartet.
Keine große Hürde aber falls da sowieso evtl. noch was dran geändert werden sollte als kleine Idee..

Viele Grüße,
cibomato