Messages - RutgerDiehard

#1
Zenarmor (Sensei) / Re: update to 2.4.2 hangs
March 27, 2026, 06:06:11 PM
Quote from: sy on March 27, 2026, 02:53:58 PM
Hi,

- @RutgerDiehard, Concerning the interrupted update issue, could you please share a report using the "Have Feedback" option located in the bottom-left corner of the UI? 

Shared report as requested.
#2
Zenarmor (Sensei) / Re: update to 2.4.2 hangs
March 27, 2026, 08:20:07 AM
Can confirm this also; update from 2.4.1 to 2.4.2 gets stuck.

Refreshing OPNsense UI and checking Zenarmor shows that the packet filter has been upgraded and a restart works successfully, but the upgrade is still running.

***GOT REQUEST TO UPDATE***
Currently running OPNsense 26.1.5 (amd64) at Fri Mar 27 07:06:15 GMT 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
mimugmail repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
mimugmail repository is up to date.
All repositories are up to date.
Checking for upgrades (4 candidates): .... done
Processing candidates (4 candidates): .. done
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
os-sensei: 2.4.1 -> 2.4.2 [SunnyValley]

Number of packages to be upgraded: 1

112 MiB to be downloaded.
[1/1] Fetching os-sensei-2.4.2.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/1] Upgrading os-sensei from 2.4.1 to 2.4.2...
[1/1] Extracting os-sensei-2.4.2: .......... done
Zenarmor service is running, saving state to resume after upgrade...
Removing Zenarmor cron jobs...
CLI crons: Info: Cron jobs deleted: 1
CLI crons: Success
Local path is : /usr/local/opnsense/service
total 43
-rw-r--r--  1 root wheel    0B Jan 13  2025 .fixed-security-categories
-rw-r-----  1 root wheel   32B Jan 13  2025 serial
-rw-r-----  1 root wheel    7B Jan 13  2025 sensei_cpu_score
-rw-r-----  1 root wheel    4B Jan 13  2025 .configdone
-rw-r-----  1 root wheel  824B Jun 17  2025 license.data
-rw-r--r--  1 root wheel    0B Mar  5 15:06 .mustrestart
-rwxr-xr-x  1 root wheel  136B Mar 26 12:49 workers.map.default
-rwxr-xr-x  1 root wheel  5.5K Mar 26 12:49 eastpect.cfg.default
-rwxr-xr-x  1 root wheel   40B Mar 26 12:49 .buildtime
-rw-r--r--  1 root wheel  6.7K Mar 26 16:55 eastpect.cfg
-rw-r-----  1 root wheel  377B Mar 26 16:55 workers.map
create link for python in virtualenv...Create link python3 to /usr/local/zenarmor/py_venv/bin/python....
Create link python3 to /usr/local/zenarmor/py_venv/bin/python3....
done
Restarting configd service...done
Activating features for Business Edition...
Clearing OPNsense menu cache...done
Invalidating OPNsense cache...done
Invalidating Zenarmor cache...done
Running Zenarmor post-install scripts...
Check python version
Fri Mar 27 07:06:26 UTC 2026
Removing Zenarmor cron jobs...
CLI crons: Info: Cron jobs deleted: 0
CLI crons: Success
Preparing Settings Db...
Backup configurations...
Configuration Migration .....
License Migration.....
Node.csv Migration.....
Certification Migration.....
Token Migration.....
Userpin Migration.....
Serial Migration.....
Userenricher Tokens Migration.....
Hostmap Cache Database migration.....
Creating user_device_cache.db...
Creating hostmap_cache.db...
Creating settings.db...
Application database base path is /usr/local/zenarmor//db/
12 web 2.0 categories added.
Prepared Default Policy
Checking Schedule Reports...
Preparing Userenrich Db...
Checking Cloud Nodes...ASAN LIBRARY CHECK....
Generating Zenarmor configuration files...done
Menu.xml template copied
StaticConfig template copied
CLI generate-static-file: OK
CLI setretireafter:
CLI setretireafter: DB Type: ES
CLI setretireafter: (Elasticsearch) 28
CLI setretireafter: Skipped:
CLI setflavor:
CLI setflavor: Warning: Not settings flavor size in eastpect.cfg
CLI settimestamp: Success
CLI migrate: Info: Report Mail Configuration Checking
CLI migrate: Info: done
CLI migrate: Info: Web category migration ...
CLI migrate: Info: done
CLI migrate: Info: Custom web category migration ...
CLI migrate: Info: done
CLI migrate: Info: Applications category migration ...
CLI migrate: Success
CLI migratewebcat: Success
CLI bufsysctl (ring): skipped dev.netmap.ring_num: 1024
CLI bufsysctl: skipped  mem: 34358689792 buf: 1000000
CLI setClusterUUID: Success
CLI setdefaultswap: Info: Swap Rate: 60
CLI setdefaultswap: Success
CLI fillscheduledreportchart
CLI fillscheduledreportchart: Success
CLI setlicensesize: Success: Success
CLI check-fix-websites skipped
CLI check-fix... 
CLI check-fix done
#3
That makes a lot of sense, thanks for the explanation. As I mentioned, there wasn't a lot of information about setting this up. The only post I could find that mentioned returning traffic on the ONT interface was in 2015!

Quote from: nero355 on March 07, 2026, 03:37:33 PM
By doing that a lot of the "My IGMP Proxy crashed again!" users (of I believe mainly pfSense at the time) were able to avoid having to restart IGMP Proxy/reboot their Router from time to time just because IPTV did not work...

It's a Routed IPTV setup but you could convert it to your Bridged IPTV setup too :)

I've not experienced any IGMP Proxy crashes - I'm sure I would be the first to hear about it though - but would definitely have tried adapting this to resolve.

Unfortunately, our foray into EE TV was very short lived and the boxes are packed up and waiting to be returned. Let's just say, what they replaced - Sky TV - has a much better interface, ability to watch what you've recorded in another room, and I am able to adjust the volume of the home theatre system it's connected to by the same remote. So absolutely not worth the £30/month less which the wife has spoken very loudly about.

It was fun getting it to work though and I hope it helps others!
#4
After wrestling with this for several hours, I finally have EE TV IPTV running smoothly through OPNsense on EE TV Pro and EE TV Edge boxes without relying on the EE Broadband router. There really isn't an awful lot of information about this out there, so I've consolidated what I've done into a walkthrough of what worked for me. Hopefully it saves you a few evenings of trial and error.

You'll need an EE Broadband subscription for this as EE TV won't work on others.

1️⃣ Set Up Your WAN (PPPoE) - I assume you already have done this and the PPPoE link is working correctly, but listed here for completeness.
EE uses PPPoE for broadband.

WAN Interface Settings (Interfaces → Devices → Point-to-Point)
Link type: PPPoE

Link interface: The port that's connected to your ONT

Description: EE Broadband

Username: bthomehub@btbroadband.com

Password: bt

I would recommend following @meyergru's excellent guide on properly configuring PPPoE here.

2️⃣ Create a Dedicated IPTV Interface
EE sends IPTV traffic to the ONT physical interface and NOT returning over the PPPoE link. This is the part that is missing from all other instructions.

Add the IPTV Interface
Go to Interfaces → Assignments → Add a new interface

Device: your physical WAN NIC - the same as the PPPoE interface is bound to

Description: IPTV

Click Add and Save.

Enable the Interface
Click the IPTV interface in "Interfaces"

Tick Enable

IPv4 Configuration: Static IPv4

Static IPv4 configuration

IPv4 address: 10.20.30.1/24 (this can be anything private but make sure that it's a subnet not currently in use)

IPv6 Configuration: None

This interface is purely for passing multicast traffic.

3️⃣ Enable IGMP Proxy
EE TV relies on multicast. Without IGMP Proxy, the box won't get channel streams.

Install IGMP Proxy

System → Firmware → Plugins

Tick "Show community plugins"

Find os-igmp-proxy and click "+" to install

Configure IGMP Proxy

Refresh the OPNsense page

Go to Services → IGMP Proxy

Add an Upstream interface:

Interface: IPTV

Network: 224.0.0.0/4
Network: 109.159.247.0/24 - this is EE's source for IPTV

** Note, the OPNsense UI will not allow two different Network entries with different CIDR values. If you try to add using the CIDR dropdown, the next entry will have the same CIDR entry and you cannot change it. The workaround is to add the networks as above (including the /4 and /24) without choosing a CIDR value. When you save and edit the interface again, it will be listed correctly. **

Click save

Add a Downstream interface:

Interface: your LAN

Network: your LAN subnet (e.g., 192.168.1.0/24)

Apply changes.

If you have more subnets, add them and apply changes.

4️⃣ Firewall Rules
You need to allow UDP and IGMP traffic through.

In my testing, and for simplicity, I created an allow all rule for traffic flowing in to the LAN interface - if you have other subnets you added in the downstream interface in step 3, create firewall rules for those also. The critical setting here is you must allow options. Edit the rule, click advanced mode and tick "Allow options".

Once this is working for you, I would suggest restricting this to the traffic that you require.

On the IPTV interface, create two new firewall rules:

You cannot view this attachment.

For both, ensure "Allow options" is enabled.

5️⃣ Enable IGMP Snooping on Your Switch

IGMP Snooping allows the switch to restrict stream traffic to only the ports that have requested the stream, rather than every port on the switch.
This is very much vendor dependent and may be a simple setting change on the management page of your switch or through a console session. For my HP Procurve 3500yl, I enabled this through the management page of the switch.

If your switch supports it:

Turn on IGMP Snooping

If available, enable Fast Leave

Test your new EE TV boxes and you should have full live TV :-)

After monitoring outbound traffic whilst streaming channels using the firewall live view, note the ports and destinations in use and create allow rules for them to replace the LAN allow all rule used for testing.
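
One way to carry out this last step, collapsing the flows noted in the firewall live view into candidate LAN allow rules (an added example, not part of the original post). The sample flows, host addresses and port numbers are constructed, and `propose_rules` is a hypothetical helper; marking only the IGMP rules for "Allow options" is an assumption based on IGMP messages carrying the IP Router Alert option.

```python
import ipaddress

# Networks from the post's IGMP Proxy upstream settings.
KNOWN_NETS = {
    "multicast": ipaddress.ip_network("224.0.0.0/4"),
    "ee_iptv": ipaddress.ip_network("109.159.247.0/24"),
}

# Constructed sample of flows noted while streaming (illustrative values,
# not a real capture): (protocol, source, destination, destination port)
SAMPLE_FLOWS = [
    ("igmp", "192.168.1.50", "239.255.0.10", None),
    ("igmp", "192.168.1.50", "224.0.0.22", None),
    ("udp", "192.168.1.50", "109.159.247.21", 5000),
    ("udp", "192.168.1.50", "109.159.247.40", 5000),
    ("tcp", "192.168.1.50", "203.0.113.9", 443),
    ("udp", "192.168.1.77", "109.159.247.21", 5000),  # not a TV box
]


def propose_rules(flows, stb_hosts):
    """Collapse observed flows into candidate LAN allow rules.

    Flows from hosts outside stb_hosts are ignored so the rules cover
    only the TV boxes. A destination inside a known network is widened
    to that network; any other destination stays a single host.
    Each rule is (proto, source, destination, port, allow_options).
    """
    rules = set()
    for proto, src, dst, port in flows:
        if src not in stb_hosts:
            continue
        dst_ip = ipaddress.ip_address(dst)
        target = next(
            (str(net) for net in KNOWN_NETS.values() if dst_ip in net),
            f"{dst}/32",
        )
        # IGMP messages carry the IP Router Alert option, so these
        # rules are the ones flagged for "Allow options" (assumption).
        rules.add((proto, src, target, port, proto == "igmp"))
    return sorted(rules, key=lambda r: (r[0], r[2], r[3] or 0))


if __name__ == "__main__":
    for rule in propose_rules(SAMPLE_FLOWS, {"192.168.1.50"}):
        print(rule)
```

Any single-host rule in the output is a destination outside the two networks from step 3 and is worth reviewing before it is allowed.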
#5
26.1 Series / Re: UI lockout after 26.1 upgrade
January 30, 2026, 09:48:19 AM
root@OPNsense:~ # pluginctl -g OPNsense.Interfaces.settings
{
    "@attributes": {
        "version": "0.0.0",
        "persisted_at": "1769701369.97",
        "description": "Global interface settings"
    },
    "disablechecksumoffloading": "1",
    "disablesegmentationoffloading": "1",
    "disablelargereceiveoffloading": "1",
    "disablevlanhwfilter": "1",
    "disableipv6": "0",
    "dhcp6_norelease": "0",
    "dhcp6_debug": "0",
    "dhcp6_duid": "",
    "dhcp6_ratimeout": "10"
}
root@OPNsense:~ # pluginctl -m
*** OPNsense\Interfaces\Settings migration failed from 0.0.0 to 1.0.0, check log for details

I've checked the system logs for errors around the time of the upgrade and there is nothing relating to "migration".

#6
26.1 Series / Re: UI lockout after 26.1 upgrade
January 29, 2026, 04:44:29 PM
Well that was quite a scary upgrade!

Luckily I had a snapshot but foolishly overwrote the snapshot with another attempt at an upgrade.

Franco, you are quite right, I do have Zenarmor installed but don't use Suricata.

The interfaces that netmap_transmit was flooding the logs with alternate between igc3 and igc5. They just so happened to be the ones Zenarmor protects.

After the upgrade, I managed to access the UI from another interface and checked Zenarmor. It was complaining that I seem to have enabled hardware offload - I can guarantee I hadn't!

Anyway, what fixed everything was changing "VLAN Hardware Filtering" from "Leave default" to "Disable VLAN Hardware Filtering"
#7
26.1 Series / Re: UI lockout after 26.1 upgrade
January 29, 2026, 03:36:46 PM
Continuous

netmap_transmit igc3 drop but that needs checksum


#8
26.1 Series / UI lockout after 26.1 upgrade
January 29, 2026, 03:12:30 PM
I've just completed the 26.1 upgrade from the last version of OPNsense.

I watched the first reboot by checking ping responses and then reconnected to the UI.

Shortly after I have lost all connectivity, even when sat on the same LAN. SSH is not responding.

I assume this is firewall rule related. How can I reset the rules from console to restore access?
#9
Quote from: jonm on October 23, 2025, 05:18:07 PM
I just got this rather scary message during the update to 25.7.6. The update appeared to stop.

I couldn't log in at the console, I got this error:

Password:
sh: /usr/local/libexec/opnsense-auth: not found
Login incorrect

The GUI then gave a 404 error.

After a couple of minutes it sprang back into life.

I've never seen this behaviour before - is it expected?

The update appears to have now completed successfully, as far as I can tell.

I had the same "Danger. Unexpected error, check log for details" error but when I refreshed the OPNsense main dashboard page, version updated to 25.7.6 and a check for updates came back with "There are no updates available on the selected mirror".

I am reluctant to reboot in case I'm left with a broken OPNsense.

Is there anything I can check to ensure a reboot will succeed?
#10
Just checked the other way by configuring only "Register domain feeds" and unticking all in "Type of DNSBL".

Now the "Size of blocklist" number does change. I assume that this number should tally with the number reported on TIP?

E.g. with no other blocklists ticked, the size of blocklist number is 358,597. However, the previous count from TIP is 438,574 and current is 539,551 using the numbers from my current plan (free edition).

There seems to be an anomaly.
#11
Quote from: Q-Feeds on October 23, 2025, 11:36:57 AM
Quote from: RutgerDiehard on October 23, 2025, 11:16:18 AM
Installed, registered and now have blocked information in the widget. Nice and slick :-)

One question though. I've ticked the box to register domain feeds after confirming Unbound has blocklists enabled. Am I supposed to see a q-feeds specific blocklist appear in the "Type of DNSBL" drop-down?

If so, there's nothing there for q-feeds, just the default. I've tried disable/enable blocklist, Unbound restart, and uncheck/check of "register domain feeds".


Hi RutgerDiehard,

No you're not supposed to see our list in that dropdown. If both are activated (in our plugin and blocklists in general in unbound) then the list is active. You can verify by checking the number of IOCs in the Unbound report. It might be something we will improve later on though ;)

Thanks for the quick reply :-)

I assume you mean by looking at the "Size of blocklist" in the Unbound DNS report?

If I untick "Register domain feeds" in q-feeds and recheck the "Size of blocklist" number, it does not change.

Is this correct or am I looking in the wrong place?
#12
Installed, registered and now have blocked information in the widget. Nice and slick :-)

One question though. I've ticked the box to register domain feeds after confirming Unbound has blocklists enabled. Am I supposed to see a q-feeds specific blocklist appear in the "Type of DNSBL" drop-down?

If so, there's nothing there for q-feeds, just the default. I've tried disable/enable blocklist, Unbound restart, and uncheck/check of "register domain feeds".
#13
I have OPNsense continuously open in a tab in my browser and regularly check logs, Zenarmor live sessions and dive in for general tweaking.

I also have my OS theme change depending on the time of day; dark at night, light during the day. Generally, all my sites will follow suit such as Facebook, Unifi, Portainer etc. etc. It would be awesome if OPNsense was able to follow the OS or browser theme automatically.

I imagine it would work by choosing a "Light" theme in Settings -> General and an opposing "Dark" theme. A toggle button would then allow "Automatic" adjustment based on system settings.

For me, this would complete an otherwise excellent product. Would love to hear others' thoughts on this.
#14
25.7, 25.10 Series / Re: netflow on 25.7
July 23, 2025, 08:53:01 PM
Yes, I see the same after upgrading to 25.7; nothing in Reporting -> Insight at all.

#15
This is what worked for me:

ifctl -6pi pppoe0