Messages

That depends on your security setup for Opnsense. HTTP or HTTPS access? From which [v]LANs? Quality of pass word or phrase? 2FA? SSH access? Password or passkey for that? Much of that is discussed here.

You can also run a security audit.

Reservations remain as you would expect.

Are your reservations outside your dynamic pools?

Did you miss an Apply somewhere along the line?

Do you mean an AP to attach to an interface on an existing Opnsense box?

At face value you are asking to run Opnsense on an ARM A53. How would you propose to do that with proven software?

There are no special considerations I have seen mentioned, use of ISC or Kea or DNSmasq being essentially independent from the upgrade. ISC changes to being a plugin but still transitions as expected, or so I read because I had switched to Kea prior. Use snapshots and upgrade stuff in the order that pleases you. If you are not already using ZFS then consider seriously a reinstallation to employ it, before other work.

I don't use everything in the menu, ... for example stuff like ... services->ISC DHCP ...
It would be great if it was possible to click a button to hide

Without detracting from your general point with which I agree, if you are on 26.1 and not using ISC DHCP then go to -->firmware-->plugins and bin it. The menu vanishes.

Migrated the main firewall and rules successfully, today. The new rules view is a structural improvement for me, making it easer to perceive and potentially change these configurations.

I have upgraded a test bed and an internal router, including successful migration of rules (yes Franco, we all charge in). I will probably do the critical edge firewall today. Being able to snapshot the working 25.7 and then the base 26.1 before rule migration provides nice security, or encourages diving in.

Just to mention, on one test box and two operational boxes, all bare metal Intel and AMD, hostwatch trots along quietly with no untoward CPU spikes or log writes. Three principal subnets (no vlans), all IPv4, around 25 devices.

So how can I rollback or switch to a point where the new firmware was not installed, if the operations are persisted

This is, in terms of my explanation, a configuration change. It is not part of the snapshot, so you can still roll back to the prior configuration.

This appears to be the question:

My problem of understanding is why and when will a snapshot in OPNsense start to persist data? When I make it active for the first time? If so, this means I cannot use (rollback to) a snapshot more than once. e.g. how do I rollback to Sept. 2025 when the "default" snapshot was created?
Somehow there is a disconnect I cannot reconcile.

and this is a lay answer from my use of snapshots: essentially, you do not roll back to a date but to a version.

If I take a snapshot then I am preserving a (presumably) stable version. All normal operations of the router will continue to be reflected in that snapshot version as well as in the active. That is, it continues to update for operations ... but not for configuration.

Any configuration changes will be reflected in the Active version but not in the Snapshot version. If you like the changes and they are stable, you can make that the master simply by continuing to use it while optionally deleting the Snapshot. If you do not like the changes then revert to the Snapshot in which case your configuration changes will vanish yet the router will be operationally up to date. If your changes crash the router then you can recover safely to your snapshot on boot.

Snapshots reflect a configuration point, not a time point.

I will be interested to see whether my understanding is confirmed.

Given the base is working software, not a development from scratch, I can understand that the release pattern does not follow a conventional cycle such as one might read in Wikipedia. I interpret development as a form of beta which is yet changing for reasons other than bugs. Community I accept as an advanced stable release which may yet have bugs which are fixed under _NN releases. Business is a supported stable release which might be called long term except that its term is not long.

Opnsense is not the only operation to follow a pattern like this, nor the only forum in which it is argued. I think that the conventional namings from alpha through gold, including the word beta, confuse the issue by their prior connotations.

We have a stable base product. On that there is a development offshoot. When that is feature-complete (for this phase) and stable it becomes Community, field testing more advanced features ahead of the low-risk business edition.

The clear implication is that there are three levels of risk for the consumers who must themselves share the risk management as discussed, firstly by selecting in which level they will join and secondly by their own testing and timing of upgrades on one or more of their own systems. Personally I use select Community then upgrade (always with snapshots) through "Does it work for a few hours?" on a reserve box to "Does it work for a few days?" on an internal production box to "Here we go" on the edge router.

Mikrotik offers WiFi6 devices such as the wAP and cAP but not mesh as plug and play. On the other hand, they give you absolute control of every other aspect of operation including nigh-endless vLans or virtual radios. Do you have ethernet between the levels?

Given you commented on the date and time, are you using the TOTP feature?

I currently have shaping turned off. I tried shaping as a troubleshooting step to limit the speed to 1gb but nothing changed.

The intel x550 NICs will not auto negotiate to 2.5gbps. Which is programmed into the firmware. Manual selection is required. This is why I have a 2.5gb usb nic order so I can test if the NIC is at fault.

I see. You mean like this comment which I found on the Intel site here?

The autonegotiation for 2.5 and 5Gb speeds for the X550 was changed in 2020.

Default autonegotiation excludes the 2.5 and 5Gb speeds.

If 2.5 or 5Gb is chosen in the dropdown, it will change autonegotiation to only advertise that speed. So it is not forcing to 2.5Gb or 5Gb when those options are chosen, it changes the advertised speed.

That may be an issue if the switch is configured as forced to 2.5Gb instead of autonegotiate.

If that still does not help, please make sure the ethernet updated to the latest NVM and drivers.

This comment and the prior discussion on the Intel site imply to me that the problem may lie with NIC configuration rather than with Opnsense config. Your proposed test may be informative ("may" because I lack complete confidence in USB-Ethernet adapters even though I sometimes use them in testing).

You are shaping the WAN-side speed? What was the preceding position, when using auto-negotiation?