Messages

update from 25.7 to 25.7.1, went well, no errors, with intel microcode plugin installed.

Upgrade went well,
 however i've some problem of packet loss on the gateway of wireguard vpn.
 Unistalled microcode plugin, no more "loss" on wireguard vpn gateway.

i investigated the anomaly of the lost packages, it was due to vpn server side causes and not the opnsense router.

[*** OPNsense\Kea\KeaDhcpv4 migration failed from 1.0.3 to 1.0.4, check log for details]

As I am stubborn, I re-upgraded my system to version 25.7 (uninstalling the microcode-intel plugin first).
By reinstalling the microcode-intel plugin at the end of the update (successfully passed), I find the following output in the GUI:

Code Select Expand

The following 6 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    cpu-microcode-intel: 20250512 [OPNsense]
    cpu-microcode-rc: 1.0_2 [OPNsense]
    libpci: 3.14.0 [OPNsense]
    os-cpu-microcode-intel: 1.1 [OPNsense]
    pciids: 20250621 [OPNsense]
    x86info: 1.31.s03_1 [OPNsense]

Number of packages to be installed: 6

The process will require 29 MiB more space.
21 MiB to be downloaded.
[1/6] Fetching x86info-1.31.s03_1.pkg: ......... done
[2/6] Fetching pciids-20250621.pkg: .......... done
[3/6] Fetching cpu-microcode-rc-1.0_2.pkg: . done
[4/6] Fetching libpci-3.14.0.pkg: ......... done
[5/6] Fetching cpu-microcode-intel-20250512.pkg: .......... done
[6/6] Fetching os-cpu-microcode-intel-1.1.pkg: . done
Checking integrity... done (0 conflicting)
[1/6] Installing pciids-20250621...
[1/6] Extracting pciids-20250621: ..... done
[2/6] Installing cpu-microcode-rc-1.0_2...
[2/6] Extracting cpu-microcode-rc-1.0_2: .... done
[3/6] Installing libpci-3.14.0...
[3/6] Extracting libpci-3.14.0: .......... done
[4/6] Installing x86info-1.31.s03_1...
[4/6] Extracting x86info-1.31.s03_1: ....... done
[5/6] Installing cpu-microcode-intel-20250512...
[5/6] Extracting cpu-microcode-intel-20250512: .......... done
[6/6] Installing os-cpu-microcode-intel-1.1...
[6/6] Extracting os-cpu-microcode-intel-1.1: .. done
Reloading firmware configuration
*** OPNsense\Kea\KeaDhcpv4 migration failed from 1.0.3 to 1.0.4, check log for details
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
=====
Message from cpu-microcode-rc-1.0_2:

--
This port includes an RC script, which is one of two methods to update
the CPU microcode on a FreeBSD system.
What does that mean?
*** OPNsense\Kea\KeaDhcpv4 migration failed from 1.0.3 to 1.0.4, check log for details

Why does it show up right after this line:
Reloading firmware configuration

which is the last line of text i can see on video before it crashes, when i try to upgrade from 25.1.12 to 25.7 with microcode plugin installed.

is there a correlation between the two situations or is it just random?




addendum:
i used kea in the past. In KEA DHCPv4 - Reservation was populated with reservation for the router ip. Deleted this line, the installation of the plugin didn't encour the error

Code Select Expand

......
[4/6] Extracting x86info-1.31.s03_1: ....... done
[5/6] Installing cpu-microcode-intel-20250512...
[5/6] Extracting cpu-microcode-intel-20250512: .......... done
[6/6] Installing os-cpu-microcode-intel-1.1...
[6/6] Extracting os-cpu-microcode-intel-1.1: .. done
Reloading firmware configuration
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
=====
Message from cpu-microcode-rc-1.0_2:

i tried to delete this line in the backup router and then perform the upgrade from 21.1.12 to 25.7, but it hungs always at Reloading firmware configuration

[not]

Here are the details:

Code Select Expand

Reloading firmware configuration
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
=====
Message from cpu-microcode-rc-1.0_2:

--
This port includes an RC script, which is one of two methods to update
the CPU microcode on a FreeBSD system.

1. Early loading.
   This method does not use the RC script included here.
   This is the preferred method, because it ensures that any CPU features
   added or removed by a microcode update are visible to the kernel by
   applying the update before the kernel performs CPU feature detection.

   To enable updates using early loading, add the following lines to
   /boot/loader.conf:

   cpu_microcode_load="YES"

   and the appropriate one of these lines:

   cpu_microcode_name="/boot/firmware/intel-ucode.bin"
   cpu_microcode_name="/boot/firmware/amd-ucode.bin"

   The microcode update will be loaded when the system is rebooted.

   AMD systems running FreeBSD prior to 2024-02-22 snapshot
   34467bd76 only support late loading.


2. Late loading.
   This method, which does use the RC script included here, is enabled by
   adding the following line to /etc/rc.conf:

   microcode_update_enable="YES"

   The microcode update is then applied upon reboot or when the microcode
   update service is run via:

   # service microcode_update start

   If the CPU requires a microcode update, a console message such as the
   following will appear:

   Updating CPU Microcode...
   /usr/local/share/cpucontrol/m32306c3_00000022.fw: updating cpu /dev/cpuctl0 from rev 0x17 to rev 0x22... done.
   /usr/local/share/cpucontrol/m32306c3_00000022.fw: updating cpu /dev/cpuctl2 from rev 0x17 to rev 0x22... done.
   /usr/local/share/cpucontrol/m32306c3_00000022.fw: updating cpu /dev/cpuctl4 from rev 0x17 to rev 0x22... done.
   /usr/local/share/cpucontrol/m32306c3_00000022.fw: updating cpu /dev/cpuctl6 from rev 0x17 to rev 0x22... done.
   Done.

It is safe to enable both methods.
=====
Message from x86info-1.31.s03_1:

--
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

Abandoned upstream, fails to identify anything remotely new according to upstream issue reports.

It is scheduled to be removed on or after 2025-06-30.
=====
Message from cpu-microcode-amd-20241121:

--
Refer to the cpu-microcode-rc installation notes to enable AMD microcode
updates.
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***

And as you can see, the notice pertains only to the x86info package, which installs alongside the microcode update in order to be able to actually query which microcode is loaded, not to the microcode package itself.

thanks for the clarification, i misread the output

i tried update the backup router, topton with intel j6413, also with microcode plugin installed, also with ami bios (but different version/type from qotom one on my primary router); upgrade stuck with the same error.
I also tried to contact vendor to upgrade bios, qotom answered, i've upgraded to last firmware, but upgrade still stuck with same error.

i'm consider to remove the plugin and then upgrade to 25.7.

Is there a downside to run opnsense without microcode plugin installed (are there security risk?).
If the plugin wil be deprecated, why bothering about it?
Thanks

Thanks @nbca2

This info certainly helps a lot. Thus I'll uninstall the microcode plugin before the upgrade and won't install it afterwards.

P.S.: I don't know how to mention a user in this forum.

remember i'm not a tech guy, but a tech enthusiast
i don't understand if microcode is necessary for system security.
I have the concept of the microcode update and why I installed it.
However, I don't know why it conflicts with this version of opnsense and I don't know what it means by uninstalling the plugin (in addition to not have the CPU microcode updated).

My experience:
Qotom Q355G4 ugrade to 25.7 with microcode installed, upgrade hung on reload firwmare.
Reinstalled 25.1, reload backup and other settings/plugins/etc, updated to last version, unistalled microcode plugin, reboot, upgrade to 25.7, reinstalled microcode, reboot.

Upgrade went well,
however i've some problem of packet loss on the gateway of wireguard vpn.
Unistalled microcode plugin, no more "loss" on wireguard vpn gateway.
(post scriptum:
i investigated the anomaly of the lost packages, it was due to vpn server side causes and not the opnsense router)

We all make mistakes.

Glad you got it resolved.

...me then many :)

We all make mistakes.

In a future update you will be able to set the domain to the interface of a range as well, e.g. thats needed for partial IPv6 dns registration.

https://github.com/opnsense/core/pull/8814

very cool feature

anyway thanks for the help!

reading your answer I realized that the assigned IP was not in the dhcp range (since in other configurations I kept it outside the dhcp range) while in the opnsnese guide/manual it says "The reservation can also be outside the dynamic range, but it is not recommended for simple setups as the dynamic dns registration with dhcp-fqdn will not work correctly."

Modified accordingly (dhcp range include ip in host reservation) , everything works perfectly.
My mistake of superficiality.
Thanks for the support and attention!

already done, and it's not working as i intended.



I think that putting it in the range is still valid for leases that are assigned via dhcp and not via host reservation (what i'm triyng to achieve).

thanks for your quick reply.
However, what I would like to achieve is to leave only the device name blank, setting a domain with a nomenclature such as vlan.internal (in this case iot.internal).
I know it is complicating life, that there is a way to make the name resolution work, as you suggest.
However, mine is an exercise in style and I can't understand why it can't work in this way.
Perhaps I might lack the cultural basis to understand it.

I followed the guide on how to set dnsmasq correctly to resolve local addresses ( dns unbound -->> dnsmasq ).

However I encounter this problem:
if I set dhcp reservation, in dnsmasq, leaving the host field empty but filling in the domain field:




I can't resolve the addresses correctly, (nslookup 192.168.34.15) :


The name "OTGW" is obtained from the device.

if I set dhcp reservation, in dnsmasq, filling either the host field and the domain field:


in this case everything is as I expect


the name "otgw" is given by me.


what I would like to achieve is to give custom domain names to the various subnets (VLAN) leaving the hostname field free, so that the device can provide its own hostname, however, providing domain name but not explicitly stating the hostname, something doesn't work to me.

Everything works without giving custom domains and without giving device hostname (using only "internal") or filling in both custom domain and hostname;
Am I wrong in using these settings?
Could someone give me an hint.
Thanks for your attention

Hi, I also experienced this difference: virtualized OPNsense consumes about 6w, bare metal OPN consumes about 8w.
The hardware system to virtualize OPNsense or use it bare metal was the same fanless mini pc (i5-5200u, 8GB ram).
The greatest efficiency I currently found using powerD "Minimum", the frequency is almost always "fixed" at 500mhz and the temperatures at 39°C (vs 44°C with other settings, 55°C under load); however, this system decreases the system performance by halving the speeds (from 1000Mbps symmetric to about 500Mbps symmetric).

This CPU is very power efficient as it has Configurable TDP-down Base Frequency 600 MHz and Configurable TDP-down 7.5 W (from intel spec).

i have an i5-5200u CPU, this cpu has only speedstep tecnology available.
Without turning ON powerD, the cpu didn't scale its frequency.