Messages

@Patrick M. Hausen I would feel less safe, if I get compromised e.g. by a RAT the outbound list could potentially block the connection to its C&C server.

@Q-Feeds thanks for the tip, I now added the full list from here https://www.dan.me.uk/tornodes as a firewall rule using an "URL Table (IPs)" alias as a whitelist.

Obviously the Q-Feeds IP blacklist blocks IPs that belong to the Tor network, therefore a connection is not possible.

Only if you enable the obfs4/Snowflake/meek bridge you can connect again with the Tor Browser. Which is much slower than a normal connection.

Maybe an option "Don't block TOR IPs" would be possible in the options, although it's probably hard to differentiate those IPs from other ones.

Just documenting this error, don't know if it's just my system.

First try:

Code Select Expand

***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.7.9_7 (amd64) at Thu Jan  8 20:49:46 CET 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (76 candidates): .......... done
Processing candidates (76 candidates): .. done
The following 14 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
dnscrypt-proxy2: 2.1.5_19 -> 2.1.5_20
dpinger: 3.3 -> 3.4
gettext-runtime: 0.23.1 -> 0.26
glib: 2.84.1_3,2 -> 2.84.4,2
libucl: 0.9.2_2 -> 0.9.3
nss: 3.118.1 -> 3.119.1
opnsense: 25.7.9_7 -> 25.7.10
opnsense-update: 25.7.8 -> 25.7.10
php83-phpseclib: 3.0.47 -> 3.0.48
py311-anyio: 4.11.0 -> 4.12.0
py311-certifi: 2025.10.5 -> 2025.11.12
py311-numpy: 1.26.4_10,1 -> 1.26.4_11,1
py311-tzdata: 2025.2 -> 2025.3
py311-urllib3: 2.5.0,1 -> 2.6.0,1

Number of packages to be upgraded: 14

25 MiB to be downloaded.
[1/14] Fetching py311-anyio-4.12.0.pkg: .......... done
[2/14] Fetching dpinger-3.4.pkg: .. done
[3/14] Fetching opnsense-update-25.7.10.pkg: ..... done
[4/14] Fetching py311-numpy-1.26.4_11,1.pkg: .......... done
[5/14] Fetching nss-3.119.1.pkg: .......... done
[6/14] Fetching dnscrypt-proxy2-2.1.5_20.pkg: .......... done
[7/14] Fetching php83-phpseclib-3.0.48.pkg: .......... done
[8/14] Fetching py311-certifi-2025.11.12.pkg: .......... done
[9/14] Fetching py311-tzdata-2025.3.pkg: .......... done
[10/14] Fetching gettext-runtime-0.26.pkg: .......... done
[11/14] Fetching py311-urllib3-2.6.0,1.pkg: .......... done
[12/14] Fetching glib-2.84.4,2.pkg: .......... done
[13/14] Fetching libucl-0.9.3.pkg: .......... done
[14/14] Fetching opnsense-25.7.10.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/14] Upgrading dnscrypt-proxy2 from 2.1.5_19 to 2.1.5_20...
===> Creating groups
Using existing group '_dnscrypt-proxy'
===> Creating users
Using existing user '_dnscrypt-proxy'
[1/14] Extracting dnscrypt-proxy2-2.1.5_20: ....... done
[2/14] Upgrading dpinger from 3.3 to 3.4...
[2/14] Extracting dpinger-3.4: .... done
[3/14] Upgrading gettext-runtime from 0.23.1 to 0.26...
[3/14] Extracting gettext-runtime-0.26: .......... done
[4/14] Upgrading glib from 2.84.1_3,2 to 2.84.4,2...
[4/14] Extracting glib-2.84.4,2: .......... done
[5/14] Upgrading libucl from 0.9.2_2 to 0.9.3...
[5/14] Extracting libucl-0.9.3: .......... done
[6/14] Upgrading nss from 3.118.1 to 3.119.1...
[6/14] Extracting nss-3.119.1: .......... done
[7/14] Upgrading opnsense-update from 25.7.8 to 25.7.10...
[7/14] Extracting opnsense-update-25.7.10: .......... done
[8/14] Upgrading php83-phpseclib from 3.0.47 to 3.0.48...
[8/14] Extracting php83-phpseclib-3.0.48: ......... done
[9/14] Upgrading py311-anyio from 4.11.0 to 4.12.0...
[9/14] Extracting py311-anyio-4.12.0: .......... done
[10/14] Upgrading py311-certifi from 2025.10.5 to 2025.11.12...
[10/14] Extracting py311-certifi-2025.11.12: .......... done
[11/14] Upgrading py311-numpy from 1.26.4_10,1 to 1.26.4_11,1...
[11/14] Extracting py311-numpy-1.26.4_11,1: .......... done
[12/14] Upgrading opnsense from 25.7.9_7 to 25.7.10...
[12/14] Extracting opnsense-25.7.10: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
[13/14] Upgrading py311-tzdata from 2025.2 to 2025.3...
[13/14] Extracting py311-tzdata-2025.3: .......... done
pkg-static: Fail to rename /usr/local/lib/python3.11/site-packages/tzdata/zoneinfo/.pkgtemp.Factory.xFcsyJuky7kf -> /usr/local/lib/python3.11/site-packages/tzdata/zoneinfo/Factory:No such file or directory
Starting web GUI...done.
Partial update failure detected: attempting automatic cleanup.
No further actions will be taken. Please restart the update now.
***DONE***
Second try:

Code Select Expand

***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.7.10 (amd64) at Thu Jan  8 20:52:59 CET 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (64 candidates): .......... done
Processing candidates (64 candidates): . done
Checking integrity... done (0 conflicting)
The following 2 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
py311-tzdata: 2025.2 -> 2025.3
py311-urllib3: 2.5.0,1 -> 2.6.0,1

Number of packages to be upgraded: 2
[1/2] Upgrading py311-tzdata from 2025.2 to 2025.3...
[1/2] Extracting py311-tzdata-2025.3: .......... done
py311-tzdata-2025.2: missing file /usr/local/lib/python3.11/site-packages/tzdata-2025.2.dist-info/LICENSE
py311-tzdata-2025.2: missing file /usr/local/lib/python3.11/site-packages/tzdata-2025.2.dist-info/LICENSE_APACHE
py311-tzdata-2025.2: missing file /usr/local/lib/python3.11/site-packages/tzdata-2025.2.dist-info/METADATA
py311-tzdata-2025.2: missing file /usr/local/lib/python3.11/site-packages/tzdata-2025.2.dist-info/RECORD
py311-tzdata-2025.2: missing file /usr/local/lib/python3.11/site-packages/tzdata-2025.2.dist-info/WHEEL
py311-tzdata-2025.2: missing file /usr/local/lib/python3.11/site-packages/tzdata-2025.2.dist-info/top_level.txt
py311-tzdata-2025.2: missing file /usr/local/share/licenses/py311-tzdata-2025.2/APACHE20
py311-tzdata-2025.2: missing file /usr/local/share/licenses/py311-tzdata-2025.2/LICENSE
py311-tzdata-2025.2: missing file /usr/local/share/licenses/py311-tzdata-2025.2/catalog.mk
[2/2] Upgrading py311-urllib3 from 2.5.0,1 to 2.6.0,1...
[2/2] Extracting py311-urllib3-2.6.0,1: .......... done
=====
Message from py311-urllib3-2.6.0,1:

--
Since version 1.25 HTTPS connections are now verified by default which is done
via "cert_reqs = 'CERT_REQUIRED'".  While certificate verification can be
disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on.

Various consumers of net/py-urllib3 already have implemented routines that
either explicitly enable or disable HTTPS certificate verification (e.g. via
configuration settings, CLI arguments, etc.).

Yet it may happen that there are still some consumers which don't explicitly
enable/disable certificate verification for HTTPS connections which could then
lead to errors (as is often the case with self-signed certificates).

In case of an error one should try first to temporarily disable certificate
verification of the problematic urllib3 consumer to see if that approach will
remedy the issue.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
The following package files will be deleted:
/var/cache/pkg/nss-3.119.1.pkg
/var/cache/pkg/opnsense-update-25.7.10~87bc1e1d0a.pkg
/var/cache/pkg/py311-certifi-2025.11.12~215272b159.pkg
/var/cache/pkg/py311-anyio-4.12.0~f3781d8bca.pkg
/var/cache/pkg/dnscrypt-proxy2-2.1.5_20.pkg
/var/cache/pkg/opnsense-25.7.10~e8fe778b04.pkg
/var/cache/pkg/php83-phpseclib-3.0.48~5bf8d63581.pkg
/var/cache/pkg/glib-2.84.4,2~6b60e61d06.pkg
/var/cache/pkg/py311-numpy-1.26.4_11,1~d5a615882f.pkg
/var/cache/pkg/nss-3.119.1~4b1fda0aab.pkg
/var/cache/pkg/py311-certifi-2025.11.12.pkg
/var/cache/pkg/dpinger-3.4~276601a0c0.pkg
/var/cache/pkg/gettext-runtime-0.26~dadd59a075.pkg
/var/cache/pkg/py311-tzdata-2025.3~fa615f73d6.pkg
/var/cache/pkg/py311-urllib3-2.6.0,1.pkg
/var/cache/pkg/opnsense-25.7.10.pkg
/var/cache/pkg/dnscrypt-proxy2-2.1.5_20~49cbf483a0.pkg
/var/cache/pkg/dpinger-3.4.pkg
/var/cache/pkg/py311-anyio-4.12.0.pkg
/var/cache/pkg/py311-urllib3-2.6.0,1~c0b1f10e54.pkg
/var/cache/pkg/py311-numpy-1.26.4_11,1.pkg
/var/cache/pkg/glib-2.84.4,2.pkg
/var/cache/pkg/py311-tzdata-2025.3.pkg
/var/cache/pkg/php83-phpseclib-3.0.48.pkg
/var/cache/pkg/libucl-0.9.3~417cf27395.pkg
/var/cache/pkg/gettext-runtime-0.26.pkg
/var/cache/pkg/opnsense-update-25.7.10.pkg
/var/cache/pkg/libucl-0.9.3.pkg
The cleanup will free 25 MiB
Deleting files: .......... done
Nothing to do.
Starting web GUI...done.
Fetching base-25.7.10-amd64.txz: ......................... done
Fetching kernel-25.7.10-amd64.txz: ......... done
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Installing kernel-25.7.10-amd64.txz... done
Installing base-25.7.10-amd64.txz... done
Cleaning obsolete files... done
Please reboot.
***REBOOT***

I just got this error message when updating from 25.7.5 to 25.7.8, but everything seems to be running fine.

This error also came first and I had to press update again, I guess because of the new pkg: https://forum.opnsense.org/index.php?topic=49409.0

I got this strange message in the Backend log (configd):

Code Select Expand

2025-12-03T21:43:05 Error configd.py [1658a939-02b7-4e32-9ec6-163af174f6bb] Script action failed with Command '/usr/local/opnsense/scripts/firmware/read.sh ' died with <Signals.SIGBUS: 10>. at Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/actions/script_output.py", line 89, in execute     subprocess.run(script_command, env=self.config_environment, shell=True,   File "/usr/local/lib/python3.11/subprocess.py", line 571, in run     raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/firmware/read.sh ' died with <Signals.SIGBUS: 10>.
   
Obviously after the reboot but I don't know if it is related.

Health audit shows no problems:

Code Select Expand

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.7.8 (amd64) at Wed Dec  3 21:54:18 CET 2025
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.7.8 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7.8 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
os-dnscrypt-proxy 1.16
os-realtek-re 1.0
os-smart 2.4
os-wol 2.5_3
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 25.7.8 has 67 dependencies to check.
Checking packages: .................................................................... done
***DONE***
By the way why can't you see the full update log in "System: Firmware: Log File" which is shown during the update? It just looks like this (Debug):

Code Select Expand

2025-12-03T21:41:46 Notice pkg-static opnsense-25.7.8 installed
2025-12-03T21:41:32 Notice pkg-static unbound upgraded: 1.24.0 -> 1.24.1
2025-12-03T21:41:32 Notice pkg-static syslog-ng upgraded: 4.8.2_4 -> 4.10.2
2025-12-03T21:41:31 Notice pkg-static suricata upgraded: 7.0.12 -> 8.0.2
2025-12-03T21:41:30 Notice pkg-static rrdtool reinstalled: 1.9.0_1 -> 1.9.0_1
2025-12-03T21:41:30 Notice pkg-static py311-vici upgraded: 5.9.11_1 -> 6.0.3
2025-12-03T21:41:30 Notice pkg-static py311-urllib3 upgraded: 1.26.20,1 -> 2.5.0,1
2025-12-03T21:41:29 Notice pkg-static py311-dnspython-2.8.0_1,1 installed
2025-12-03T21:41:29 Notice pkg-static py311-trio upgraded: 0.31.0 -> 0.32.0
2025-12-03T21:41:29 Notice pkg-static py311-sqlite3 upgraded: 3.11.13_11 -> 3.11.14_11
2025-12-03T21:41:29 Notice pkg-static py311-pyyaml upgraded: 6.0.2 -> 6.0.3
2025-12-03T21:41:29 Notice pkg-static py311-aioquic-1.3.0_1 installed
2025-12-03T21:41:29 Notice pkg-static py311-pyopenssl-25.3.0_1,1 installed
2025-12-03T21:41:29 Notice pkg-static py311-pylsqpack upgraded: 0.3.22 -> 0.3.23
2025-12-03T21:41:29 Notice pkg-static py311-pycparser upgraded: 2.22 -> 2.23
2025-12-03T21:41:29 Notice pkg-static py311-numexpr upgraded: 2.11.0 -> 2.14.1
2025-12-03T21:41:29 Notice pkg-static py311-numpy upgraded: 1.26.4_7,1 -> 1.26.4_10,1
2025-12-03T21:41:27 Notice pkg-static py311-markupsafe upgraded: 3.0.2 -> 3.0.3
2025-12-03T21:41:27 Notice pkg-static py311-anyio upgraded: 4.10.0 -> 4.11.0
2025-12-03T21:41:27 Notice pkg-static py311-idna upgraded: 3.10 -> 3.11
2025-12-03T21:41:26 Notice pkg-static py311-cryptography upgraded: 44.0.3_4,1 -> 45.0.7_1,1
2025-12-03T21:41:26 Notice pkg-static py311-charset-normalizer upgraded: 3.4.3 -> 3.4.4
2025-12-03T21:41:26 Notice pkg-static py311-certifi upgraded: 2025.8.3 -> 2025.10.5
2025-12-03T21:41:26 Notice pkg-static py311-attrs upgraded: 25.3.0 -> 25.4.0
2025-12-03T21:41:26 Notice pkg-static kea upgraded: 3.0.1_1 -> 3.0.2
2025-12-03T21:41:25 Notice pkg-static glib reinstalled: 2.84.1_3,2 -> 2.84.1_3,2
2025-12-03T21:41:24 Notice pkg-static python311 upgraded: 3.11.13_1 -> 3.11.14
2025-12-03T21:41:16 Notice pkg-static py311-openssl-25.0.0_1,1 deinstalled
2025-12-03T21:41:16 Notice pkg-static py311-aioquic-1.2.0 deinstalled
2025-12-03T21:41:16 Notice pkg-static py311-dnspython-2.8.0,1 deinstalled
2025-12-03T21:41:16 Notice pkg-static wpa_supplicant upgraded: 2.11_5 -> 2.11_7
2025-12-03T21:41:16 Notice pkg-static sudo upgraded: 1.9.17p2 -> 1.9.17p2_2
2025-12-03T21:41:16 Notice pkg-static strongswan upgraded: 6.0.1 -> 6.0.3_1
2025-12-03T21:41:12 Notice pkg-static php83-pear upgraded: 1.10.13 -> 1.10.16
2025-12-03T21:41:11 Notice pkg-static php83-zlib upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:11 Notice pkg-static php83-xml upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:11 Notice pkg-static php83-sqlite3 upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:11 Notice pkg-static php83-sockets upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:11 Notice pkg-static php83-simplexml upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:11 Notice pkg-static php83-session upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:11 Notice pkg-static php83-pdo upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:10 Notice pkg-static php83-pcntl upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:10 Notice pkg-static php83-ldap upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:10 Notice pkg-static php83-gettext upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:10 Notice pkg-static php83-filter upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:10 Notice pkg-static php83-dom upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:10 Notice pkg-static php83-curl upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:10 Notice pkg-static php83-ctype upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:41:10 Notice pkg-static opnsense-update upgraded: 25.7.5 -> 25.7.8
2025-12-03T21:41:10 Notice pkg-static openvpn upgraded: 2.6.15 -> 2.6.16
2025-12-03T21:41:10 Notice pkg-static openssh-portable upgraded: 10.0.p1_2,1 -> 10.2.p1_1,1
2025-12-03T21:41:09 Notice pkg-static ntp upgraded: 4.2.8p18_4 -> 4.2.8p18_5
2025-12-03T21:41:09 Notice pkg-static dnsmasq reinstalled: 2.91_1,1 -> 2.91_1,1
2025-12-03T21:41:09 Notice pkg-static dnscrypt-proxy2 upgraded: 2.1.5_16 -> 2.1.5_19
2025-12-03T21:41:09 Notice pkg-static ca_root_nss upgraded: 3.115_3 -> 3.117_2
2025-12-03T21:41:08 Notice pkg-static opnsense-25.7.5 deinstalled
2025-12-03T21:41:07 Notice pkg-static liblz4 upgraded: 1.10.0,1 -> 1.10.0_2,1
2025-12-03T21:41:07 Notice pkg-static curl upgraded: 8.16.0 -> 8.17.0
2025-12-03T21:41:07 Notice pkg-static boost-libs upgraded: 1.88.0_2 -> 1.89.0_1
2025-12-03T21:40:52 Notice pkg-static zstd upgraded: 1.5.7 -> 1.5.7_1
2025-12-03T21:40:52 Notice pkg-static nss upgraded: 3.117 -> 3.118.1
2025-12-03T21:40:51 Notice pkg-static sqlite3 upgraded: 3.50.2_1,1 -> 3.50.4_2,1
2025-12-03T21:40:51 Notice pkg-static smartmontools upgraded: 7.5 -> 7.5_1
2025-12-03T21:40:51 Notice pkg-static realtek-re-kmod upgraded: 1100.00.1403000_1 -> 1101.00.1403000
2025-12-03T21:40:51 Notice pkg-static php83-mbstring upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:40:51 Notice pkg-static php83 upgraded: 8.3.26 -> 8.3.28
2025-12-03T21:40:50 Notice pkg-static openldap26-client reinstalled: 2.6.10 -> 2.6.10
2025-12-03T21:40:50 Notice pkg-static libxml2 upgraded: 2.14.5 -> 2.14.6
2025-12-03T21:40:49 Notice pkg-static cyrus-sasl-gssapi reinstalled: 2.1.28 -> 2.1.28
2025-12-03T21:40:49 Notice pkg-static krb5 reinstalled: 1.22.1 -> 1.22.1
2025-12-03T21:40:49 Notice pkg-static readline upgraded: 8.2.13_2 -> 8.3.1
2025-12-03T21:40:49 Notice pkg-static pkcs11-helper upgraded: 1.29.0_3 -> 1.31.0
2025-12-03T21:40:49 Notice pkg-static pcre2 upgraded: 10.46 -> 10.47
2025-12-03T21:40:48 Notice pkg-static nspr upgraded: 4.37 -> 4.38.2
2025-12-03T21:40:48 Notice pkg-static libunistring upgraded: 1.4 -> 1.4.1
2025-12-03T21:40:48 Notice pkg-static libnghttp2 upgraded: 1.67.0 -> 1.68.0
2025-12-03T21:40:48 Notice pkg-static libiconv upgraded: 1.17_1 -> 1.18_1
2025-12-03T21:40:48 Notice pkg-static libedit upgraded: 3.1.20250104,1 -> 3.1.20251016,1
2025-12-03T21:40:48 Notice pkg-static cyrus-sasl reinstalled: 2.1.28_5 -> 2.1.28_5
2025-12-03T21:40:47 Notice pkg-static brotli upgraded: 1.1.0,1 -> 1.2.0,1
2025-12-03T21:40:16 Notice pkg-static gethostby*.getanswer: asked for "pkg.opnsense.org IN AAAA", got type "HINFO"
2025-12-03T21:40:16 Notice pkg-static gethostby*.getanswer: asked for "pkg.opnsense.org IN AAAA", got type "HINFO"
2025-12-03T21:39:36 Notice pkg gethostby*.getanswer: asked for "pkg.opnsense.org IN AAAA", got type "HINFO"
2025-12-03T21:39:35 Notice pkg gethostby*.getanswer: asked for "pkg.opnsense.org IN AAAA", got type "HINFO"
2025-12-03T21:39:35 Notice pkg gethostby*.getanswer: asked for "pkg.opnsense.org IN AAAA", got type "HINFO"
2025-12-03T21:39:34 Notice pkg gethostby*.getanswer: asked for "pkg.opnsense.org IN AAAA", got type "HINFO"
2025-12-03T21:39:30 Notice pkg gethostby*.getanswer: asked for "pkg.opnsense.org IN AAAA", got type "HINFO"
2025-12-03T21:39:28 Notice pkg gethostby*.getanswer: asked for "pkg.opnsense.org IN AAAA", got type "HINFO"
2025-12-03T21:23:52 Notice pkg gethostby*.getanswer: asked for "pkg.opnsense.org IN AAAA", got type "HINFO"
2025-12-03T21:23:52 Notice pkg gethostby*.getanswer: asked for "pkg.opnsense.org IN AAAA", got type "HINFO"
2025-12-03T21:23:51 Notice pkg gethostby*.getanswer: asked for "pkg.opnsense.org IN AAAA", got type "HINFO"
2025-12-03T21:23:50 Notice pkg pkg upgraded: 1.19.2_6 -> 2.3.1_1

Farewell little button, you were always a loyal companion. 🥲

Not many seem to have to noticed this button disappeared in the 25.1 release, just a little mention in the release notes:

o system: remove the old manual LDAP importer

https://forum.opnsense.org/index.php?topic=45460

Now you have 2 options to import users from LDAP:

1. Use the new "Import csv"-button to import a CSV file.

2. In "System: Access: Servers" enable the options "Read properties" + "Synchronize groups" + "Constraint groups" + "Automatic user creation" in your LDAP server.

But I haven't tested any of these options now, feel free to post your experiences. ☺️


GitHub references:

#7904
#8065
#8340
#8446 (screenshot of the button)
#9303

Edit: Was curious, what encryption protocol does this use between OPNsense and the ODoH relay?

This is explained here: ODoH Message Flow

ODoH creates and end-to-end encryption (EEE) from client to target using Hybrid Public Key Encryption (HPKE). The transport encryption between client and relay and between relay and target is regular TLS/HTTPS. So even after the relay decrypts the transport encryption the query will still be encrypted. And the target doesn't know the real source IP. So the EEE protects the query from the relay and the relay protects the source IP from the target (under the premise that relay and target don't collude).

Your second question is answered here: Anonymized DNS vs. ODOH? #2617

Prompt: Does the AMD PSP have access to the NIC?

GGAI: The AMD Platform Security Processor (PSP) is an integrated security coprocessor in AMD CPUs. It does not have direct access to the network interface card (NIC) or the ability to control network traffic in the way that some other management engines do. Instead, the PSP primarily handles tasks like DRAM initialization, HDCP handling, boot process supervision, and firmware updates.
While the PSP's firmware runs before the main CPU and has unrestricted access to memory, it is not designed to interact with the network. Its access is primarily focused on the CPU itself and the hardware it manages. This means that a malicious actor with access to the PSP would be limited to manipulating the CPU and its related hardware, rather than being able to directly interfere with network traffic.

Prompt: Does a CPU have access to a NIC?

GGAI: Yes, a CPU (Central Processing Unit) has access to a NIC (Network Interface Card) through a PCIe (Peripheral Component Interconnect Express) link. The CPU uses this link to communicate with the NIC, allowing data to be sent and received across the network.

Prompt: Answer these 2 questions separately: "Does the AMD PSP have access to the NIC?" and "Does a CPU have access to a NIC?" and analyze if its outputs are contradictory.

GGAI: The answers to the two questions are generally not contradictory, but they can be nuanced depending on the specific context.

Question 1: Does the AMD PSP have access to the NIC?
The AMD Platform Security Processor (PSP) is primarily responsible for hardware-level security and trust. It does not typically have direct access to the Network Interface Card (NIC) for general network operations. The PSP primarily focuses on functions like security, encryption, and authentication, and its role is more about securing the system as a whole rather than interacting with network devices directly.

Question 2: Does a CPU have access to a NIC?
Yes, a CPU (Central Processing Unit) absolutely does have access to the NIC. The NIC, as a peripheral device, is connected to the CPU through various buses or interfaces. The CPU uses these connections to send and receive data to and from the NIC, allowing it to manage network traffic, control the connection, and interact with the network.
Analysis: Are the answers contradictory?
No, the answers are not contradictory. They describe different aspects of the hardware and their roles. The PSP has access to the system and its components for security purposes, but its access to the NIC is not a primary function. The CPU, on the other hand, is the main controller and has direct access to the NIC to manage network operations.
In essence:

PSP:
Focused on security and trust, with a secondary role in managing specific hardware access.
CPU:
The primary processing unit that has direct control and access to all peripherals, including the NIC.

Mir ist gerade eingefallen, dass der Benutzer den ich im Verbindungsstatus gesehen hatte, gar nicht in der Gruppe war, habe mich testweise hinzugefügt und man sieht tatsächlich nur die interne Pool-IP.

Ich meine das OpenVPN-Interface in der Firewall, es funktioniert ja in der Praxis mit manuell gepflegten Hosts (öffentliche IPs), nur halt nicht benutzerbasiert über die OpenVPN-Benutzer.

Ja, erstmal blockiere ich z. B. für OpenVPN per GeoIP alle Länder außer Deutschland. Jetzt will ich alle OpenVPN-Benutzer in der Gruppe "external" zusätzlich über ihre öffentliche IP freigeben. Das funktioniert aber nicht, deshalb müssen mir die Benutzer im Ausland ihre IP mitteilen und ich trage sie manuell ein.

Das könnte ja automatisch und benutzerbasiert passieren, da OPNsense ja die externe IP des OpenVPN-Benutzers bekannt ist, wie man im Dashboard sieht.

When I look at the tutorial again I see why I did the mistake with the bind address.

https://docs.opnsense.org/manual/how-tos/sslvpn_instance_roadwarrior.html

The bind address is 10.10.8.1 (WAN), which is very similar to the VPN pool network address 10.1.8.0, so I misread that as 10.1.8.1.

By the way there is a mistake in the schema, the road warrior IP shows 10.2.8.2 when it should read 10.0.8.2.

I think I also understand now why there is not a migration assistant because the encryption algorithm (--cipher) is deprecated since server version 2.4.0. It's probably hidden to discourage its use.

If you want to do a 1:1 migration to save distributing the configs to the clients again you have to activate the "advanced mode" in the new instance and change "Auth" and "Data Ciphers" to match the legacy configuration.

Also according to the OpenVPN reference manual the default auth digest algorithm is SHA1 which differs from the old legacy tutorial where it is SHA512, isn't that contradicting the own recommendations from the previous tutorial? Or is "OpenVPN default" in OPNsense an own definition?

Yeah, I got that now. But isn't it a step backwards. Before you could provide multiple system aliases like LAN1, WAN2 etc.

Now you can only provide a single IP which is not dynamically updated like the previous system aliases.

Edit: Sorry, I just checked again and the old "Interface" field was just a single-select field, not a multi-select field.

So every night I shut down my PC, then I shut down OPNsense via a single press on the power button, then I turn of my switched power strips of the PC and my hi-fi system and at last I turn off the PSU switches off my cable router and the OPNsense box.

But once in a blue moon OPNsense doesn't shut down but reboots.

Here are the general logs of two shutdowns, the second one (Jan. 14th) had that behavior, the other one (Jan. 13th) didn't have it.

Code Select Expand

2025-01-14T16:47:21 Notice kernel Copyright (c) 1992-2023 The FreeBSD Project.
2025-01-14T16:47:21 Notice kernel ---<<BOOT>>---
2025-01-14T16:47:21 Notice syslog-ng syslog-ng starting up; version='4.8.1'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking stop script 'config'
2025-01-13T22:46:46 Notice syslog-ng syslog-ng shutting down; version='4.8.1'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking backup script 'rrd'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking backup script 'netflow'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking backup script 'duid'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking backup script 'dhcpleases'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking backup script 'captiveportal'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking stop script 'backup'
2025-01-13T22:46:45 Notice kernel <118>Waiting for PIDS: 9752.
2025-01-13T22:46:45 Notice kernel <118>Stopping dnscrypt_proxy.
2025-01-13T22:46:44 Notice kernel <118>>>> Invoking stop script 'freebsd'
2025-01-13T22:46:43 Notice kernel <118>>>> Invoking stop script 'beep'


2025-01-15T17:16:45 Notice kernel Copyright (c) 1992-2023 The FreeBSD Project.
2025-01-15T17:16:45 Notice kernel ---<<BOOT>>---
2025-01-15T17:16:45 Notice syslog-ng syslog-ng starting up; version='4.8.1'
2025-01-14T22:52:39 Notice syslog-ng syslog-ng shutting down; version='4.8.1'
2025-01-14T22:52:39 Notice kernel <118>>>> Invoking stop script 'config'
2025-01-14T22:52:39 Notice kernel <118>>>> Invoking backup script 'rrd'
2025-01-14T22:52:39 Notice kernel <118>>>> Invoking backup script 'netflow'
2025-01-14T22:52:39 Notice kernel <118>>>> Invoking backup script 'duid'
2025-01-14T22:52:39 Notice kernel <118>>>> Invoking backup script 'dhcpleases'
2025-01-14T22:52:38 Notice kernel <118>>>> Invoking backup script 'captiveportal'
2025-01-14T22:52:38 Notice kernel <118>>>> Invoking stop script 'backup'
2025-01-14T22:52:37 Notice kernel <118>Waiting for PIDS: 37745.
2025-01-14T22:52:37 Notice kernel <118>Stopping dnscrypt_proxy.
2025-01-14T22:52:36 Notice kernel <118>>>> Invoking stop script 'freebsd'
2025-01-14T22:52:35 Notice kernel <118>>>> Invoking stop script 'beep'
But the strange thing is there is nothing in the general log between 22:52:39 and 17:16:45 when I heard the boot sound of OPNsense.

A normal shutdown is no more possible then. I then have to do a hard shutdown of the OPNsense box (holding down the power button for some seconds).

So how can I find the issue here? And by the way why is the boot log only starting from the last boot?

Thanks, after updating my OPNsense I noticed this bug too. My clock was running 22 seconds in advance. Was fixed after updating the time.

Anybody else noticed weird behaviour of Windows 11 23H2 after the KB5048685 update?

After the login screen I get a black screen for some seconds and the loading of the taskbar is very delayed.

Also high CPU from "Service host DCOM server process launcher" and wsappx. I locked my Windows 11 to 23H2 because of all the AI crap in 24H2 like Copilot and Recall but maybe I have to switch to FreeBSD sooner than I planned. :)

The installed transceiver supports 1 Gbps, while the motherboard supports 10 Gbps. Could this be a problem?

Yes, that could be the problem, see here: https://www.reddit.com/r/PFSENSE/comments/t317nv/no_link_on_sfps_with_supermicro_server_ubiquiti/