Messages - House Of Cards

#1
26.1 Series / Re: Upgrade Completely Broke System
March 28, 2026, 12:09:54 AM
Good day,

So I've upgraded and fixed all the plugins up to 25.7.11_9.  Right now, I seem to be back to where I was.  I haven't tried the 26.1 update yet.  I want to sit on this a week and make sure everything is working right first.  Here is my health check.

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.7.11_9 (amd64) at Fri Mar 27 19:00:24 EDT 2026
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.7.11 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7.11 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
mimugmail (Priority: 5)
>>> Check installed plugins
os-homeassistant-maxit 1.0
os-theme-advanced 1.1
os-theme-cicada 1.40
os-theme-rebellion 1.9.4
os-theme-solarized-community 0.4_1
os-theme-tukan 1.30
os-theme-vicuna 1.50
os-tor 1.10
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 25.7.11_9 has 68 dependencies to check.
Checking packages: ..................................................................... done
***DONE***
#2
26.1 Series / Re: Upgrade Completely Broke System
March 26, 2026, 03:45:45 AM
Well right now, I'm on 25.7...  It's the only one that works.  My config restored, but I have those few plugins which show conflicts.

I spent all day reinstalling in various ways.  Anything to do with 26.1 and I have issues.  Even a fresh install.  I'm not sure if it's a rule not carrying over correctly, or a failure of the ISC-DHCP thing in some way.  I have a bunch of rules, NAT redirects, etc...  Alias based rules, DNS redirects to avoid things phoning home.  It all works until I plop it into 26.1, then... all hell breaks loose.  Some things work, some don't...  My routers appear offline (by the light indicators) and many things don't connect, but some random devices use the WiFi fine...  It's bizarre.  Most everything was static IP'd, with DHCP pools on all the interfaces for random connected things...  I like to tinker.  LOL

Tomorrow will be busy, but maybe tomorrow night I will take a snapshot and run the upgrade to 25.7.11 and see if it goes well. 

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.7 (amd64) at Wed Mar 25 22:42:16 EDT 2026
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
No plugins found.
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 25.7 has 68 dependencies to check.
Checking packages: ..
ca_root_nss-3.108 version mismatch, expected 3.117_2
Checking packages: ......
dpinger-3.3 version mismatch, expected 3.4
Checking packages: .
filterlog-0.7_1 version mismatch, expected 0.7_2
Checking packages: .......
kea-2.6.3_1 version mismatch, expected 3.0.2
Checking packages: .
lighttpd-1.4.79 version mismatch, expected 1.4.82
Checking packages: ...
ntp-4.2.8p18_4 version mismatch, expected 4.2.8p18_5
Checking packages: .
openssh-portable-10.0.p1_1,1 version mismatch, expected 10.2.p1_1,1
Checking packages: .
openvpn-2.6.14 version mismatch, expected 2.6.17
Checking packages: .
opnsense-25.7 version mismatch, expected 25.7.11_9
Checking packages: ..
opnsense-lang-25.1.11 version mismatch, expected 25.7.4
Checking packages: .
opnsense-update-25.7 version mismatch, expected 25.7.11
Checking packages: ...
php83-ctype-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-curl-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-dom-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-filter-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-gettext-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-ldap-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-pcntl-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-pdo-8.3.23 version mismatch, expected 8.3.28
Checking packages: ....
php83-phpseclib-3.0.46 version mismatch, expected 3.0.48
Checking packages: .
php83-session-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-simplexml-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-sockets-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-sqlite3-8.3.23_1 version mismatch, expected 8.3.28
Checking packages: .
php83-xml-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-zlib-8.3.23 version mismatch, expected 8.3.28
Checking packages: ...
py311-dnspython-2.7.0,1 version mismatch, expected 2.8.0_1,1
Checking packages: .
py311-duckdb-1.3.1_1 version mismatch, expected 1.3.2
Checking packages: .
py311-jq-1.8.0_1 version mismatch, expected 1.10.0
Checking packages: ...
py311-numpy-1.26.4_6,1 version mismatch, expected 1.26.4_11,1
Checking packages: .
py311-pandas-2.2.3_2,1 version mismatch, expected 2.3.3,1
Checking packages: .
py311-requests-2.32.4 version mismatch, expected 2.32.5
Checking packages: .
py311-sqlite3-3.11.13_11 version mismatch, expected 3.11.14_11
Checking packages: .
py311-ujson-5.10.0_1 version mismatch, expected 5.11.0
Checking packages: .
py311-vici-5.9.11_1 version mismatch, expected 6.0.3
Checking packages: ....
strongswan-5.9.14 version mismatch, expected 6.0.3_1
Checking packages: .
sudo-1.9.17p1 version mismatch, expected 1.9.17p2_2
Checking packages: .
suricata-7.0.11_1 version mismatch, expected 8.0.3
Checking packages: .
syslog-ng-4.8.2_3 version mismatch, expected 4.10.2
Checking packages: ..
wpa_supplicant-2.11_5 version mismatch, expected 2.11_7
Checking packages: . done
***DONE***

So what would be your first suggestion from here?  I'll try it tomorrow.  I can't handle more troubleshooting today.  I'm up and running for now.
#3
26.1 Series / Re: Upgrade Completely Broke System
March 26, 2026, 02:36:01 AM
Quote from: newsense on March 25, 2026, 07:44:32 PM
> Any recommendations of where to start with this mess?

Anything else that happened in the past is pure speculation but it all boils down to user error for me - no proper troubleshooting, not asking for help on the forums, no snapshots and nuking everything and starting over from an older version than necessary - when 26.1 would have been enough.

So I started troubleshooting using 26.1, and got the same outcome whether I installed fresh and then restored config, or restored the config during install initially.  Running a fresh install of 26.1, using clean disks, and choosing to import a configuration during install had the same result.  I can't get any more clean of a chance than that.  I have a recent backup from 25.7.  That's what I have to work with, because I've been running this since before ZFS.  I don't have snapshots, I have "config.xml"...  What the developers said you need if you have a problem.

So I started with fresh partitions, reinstalled my 25.7 selecting my backup config to import during install, and installed to a ZFS disk this time.  I'm familiar with ZFS.  In my snapshots page I have one active (N)ow and (R)eboot.  I'm assuming that is the current one.  Will an upgrade make a snapshot first, or should I make one anyhow?

I still got the plugins which need repair at this point.  I haven't fixed plugin conflicts this time around yet.  I'm back to the working system (minus plugins) I had prior to upgrading.  I'm on 25.7 with 25.7.11 available.  There is this warning...

"The changes are otherwise clustered around preparation for the major upgrade which brings a number of fundamental changes with the ongoing removal of ISC-DHCP from core. A plugin is already available through the development version and should auto-install. If not make sure you install it before attempting a reboot there. For the stable version everything is as it was."

What's first?  And thank you...
#4
26.1 Series / Re: Upgrade Completely Broke System
March 26, 2026, 02:20:14 AM
Quote from: Netlearn on March 25, 2026, 06:54:28 PM
Quote from: House Of Cards on March 25, 2026, 05:37:01 PM
Last night I made the mistake of trying to upgrade my system.

Upgrading is not the mistake. Lack of recovery methods is.

Next time, use snapshots at least.

This system has been running since before ZFS was an install option.  And this is the first upgrade that didn't work.  I had a backup "config.xml" like the developers told me...  And I clicked the little button to upgrade the developers told me to use. 

Then it seems the DHCP options got hosed, and I figured I'd reinstall the working version, using the backup from that version.  Now I'm here, asking for help, and getting none.
#5
26.1 Series / Proper Path To Keep Using ISC-DHCP
March 25, 2026, 06:14:54 PM
Hello,

My recent upgrade failed, and I suspect that the ISC-DHCP plugin may have been the issue.  I had connectivity problems, and I want to try again.

I have a backup of my 25.7 configuration.  Should I install 26.1 fresh and recover the config during install, then run 'pkg install os-isc-dhcp' to make sure the configuration carries over?  Or should I install clean, install the plugin, then restore the configuration?

If that package doesn't install, I suspect that is where my issue arises.   
#6
26.1 Series / Upgrade Completely Broke System
March 25, 2026, 05:37:01 PM
Good day,

Last night I made the mistake of trying to upgrade my system.  I moved from 25.7 to the suggested 26.1 using the GUI.  Upon reboot, the first thing I noticed was that all of my WiFi nodes were showing offline lights, even though some WiFi devices could still browse fine.  None of my laptops could access the internet (limited connectivity notice), but a WiFi-only tablet was connected and browsing still.  I could no longer access the OPNSense GUI, except on a few small screen devices, which made troubleshooting nearly impossible.  Some things worked, some things didn't.

On OPNSense itself, the live logs showed traffic passing, I saw no errors if I rebooted the system, but the internet was completely in shambles.  I tried re-running upgrades from the shell in case something hadn't completed properly, no luck.  If I accessed the GUI from the one working tablet, I saw nothing resembling my old DHCP leases, etc... so I assume this was being caused by changes from ISC DHCP.  No idea, so I went into recovery mode.

I made a bootable USB with 25.7, and used the configuration importer to use the backup before the upgrade, and boom.  Everything came back online.  So now I'm back on 25.7, but I have a new problem.  I have some conflicting plugins which showed an error.  When I tried to reinstall them, I got an error saying I had to upgrade to the version that broke everything in order to reinstall those plugins. 

With nothing else to try, I deregistered them, but I have this list that I need to recover.

At this point, I need to first get my system back to where it was. 

1.  How can I get these plugins corrected and reinstalled?
2.  What likely happened, and why?
3.  How can I get back in business now that I know upgrading will break everything?

When I tried to upgrade again (before deregistering missing plugins), I got an "unknown error" and the upgrade to 26.1 simply failed.  I restored to 25.7 again, and all is back.  I haven't tried upgrading again since deregistering the plugins.  So right now, I'm left with a slightly broken 25.7 install I need to fix.  I have aliases, rules around those aliases, on a system with WAN and four separate subnets (LAN, OPT1, OPT2) using a four port NIC.  A fair amount of rules...  All works fine until the upgrade happens.

Any recommendations of where to start with this mess?

Thanks!
#7
Should all my redirect rules point to that port, (HTTP, HTTPS)?  I feel like I might have tried that.

EDIT:  I changed the DNS rule to 9053, and the HTTP/S rules to 9040.  Same behavior.  I have another port forward rule for DNS lower in the rules list for those devices that try to bypass my hardwired DNS, but that shouldn't be blocking anything from the TOR rules, as they are on top in the Port Forward rules.
#8
Happy thanksgiving,

I've been wanting to mess with TOR for a while, but always get frustrated trying to set it up.  No matter what, it just never seems to work no matter what guide I follow, and I'm hoping someone can steer me to what I'm doing wrong.

Right now I have the TOR plugin installed, service is running, and the configuration for the plugin is listening on the LAN interface.  The transparent proxy is enabled, port 9040, DNS port 9053.

There is a VLAN called TOR as opt4 vlan01 with a static IP set of 172.16.200.1.

I created NAT port forward rules in the screenshot, and there are matching rules showing in the LAN rules.

I'm probably just completely turned around on this, and trying to follow online guides, most of which are written for people with more understanding, and many are likely completely outdated.  Can someone point me to what is wrong here?  If I enable these rules, web pages don't open, they just time out.

Thanks!



#9
There haven't been any updates on this, but the problem persists.
#11
Also, I have completely disabled the IPv6 gateway so that only the IPv4 is active, and the internet works fine even though it's reporting 100% packet loss on that gateway.  As if I'm browsing offline with 100% packet loss. 
#12
I tried the suggestion of setting the Monitor IP to the address of the modem itself, and it shows online again.  However that doesn't indicate the internet is working, so I switched back to 1.1.1.1 and it's offline again.  Tried 8.8.8.8 also, stays offline. 
#13
It didn't hold up.  WAN shows 100% loss for days now, having never recovered again.  I show DHCP6 online for the last week.
#14
Today, for no reason whatsoever, the IPv4 gateway now shows no packet loss, but the IPv6 gateway is still offline.  I haven't changed the configuration, but it just recovered all on its own.  I have no idea...  Let's see if it holds up.
#15
Maybe some strange and obscure issue because of the Double NAT that cellular internet causes?  But it always worked until now, so I suspect something changed on the OPNSense side.