Messages - RutgerDiehard

#1
I have fixed the problem.

I used the Cloud console link in the UI to register the instance and I was able to get to the UI from the cloud console. I ran through the on-boarding wizard which synchronised the policies and one of them failed. The sync error mentioned an interface "em0". I checked the policy settings and there was no em0 interface. So I deselected the interface that was configured for the policy (igc3 in this case) and then re-selected it again. This allowed the policy synchronisation to succeed. I was curious as to whether this was the local UI issue and after a refresh, the local console UI leaped into life again. Hope this helps others who will be waiting for Zenarmor to respond on Monday.
#2
Had a message to update packet engine to 2.6 so proceeded. Now the Zenarmor dashboard won't load and shows message "Unable to prepare statement: no such column: enabled".

Restarted OPNsense but still the same; no working dashboard.
#3
That seems to have completed now:

root@OPNsense:~ # pkg lock -y pkg
Locking pkg-2.6.2_1
root@OPNsense:~ # opnsense-revert pkg
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
Fetching meta.conf:   0%
Fetching data:   0%
SunnyValley repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: 100%     179 B   0.2 kB/s    00:01   
mimugmail repository is up to date.
All repositories are up to date.

No packages are required to be fetched.
Integrity check was successful.
Unlocking pkg-2.6.2_1
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
Fetching meta.conf:   0%
Fetching data:   0%
SunnyValley repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: 100%     179 B   0.2 kB/s    00:01   
mimugmail repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be DOWNGRADED:
        pkg: 2.6.2_1 -> 2.3.1_1 [OPNsense]

Number of packages to be downgraded: 1

The process will require 2 MiB more space.
[1/1] Downgrading pkg from 2.6.2_1 to 2.3.1_1...
[1/1] Extracting pkg-2.3.1_1: 100%
pkg-static: warning: database version 38 is newer than libpkg(3) version 36, but still compatible
root@OPNsense:~ #

And another run of the healthcheck:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 26.1.8_5 (amd64) at Wed May 13 12:58:29 BST 2026
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 26.1.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 26.1.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
mimugmail (Priority: 5)
SunnyValley (Priority: 7)
OPNsense (Priority: 11)
>>> Check installed plugins
pkg: warning: database version 38 is newer than libpkg(3) version 36, but still compatible
os-acme-client 4.16_1
os-adguardhome-maxit 1.16
os-apcupsd 1.2_3
os-caddy 2.1.0
os-cpu-microcode-intel 1.1
os-crowdsec 1.0.12
os-ddclient 1.31
os-etpro-telemetry 1.8_1
os-gdrive-backup 1.0_1
os-maltrail 1.10_1
os-mdns-repeater 1.2
os-net-snmp 1.6_1
os-netdata 1.2_1
os-q-feeds-connector 1.6
os-sensei 2.5
os-sensei-agent 2.5
os-sensei-updater 2.0
os-sftp-backup 1.1_2
os-smart 2.4
os-sunnyvalley 1.5_2
os-telegraf 1.12.14
os-theme-advanced 1.1
os-theme-cicada 1.41_1
os-theme-dracula 0.7
os-theme-rebellion 1.9.4
os-theme-vicuna 1.51
os-zabbix72-agent 1.18
>>> Check locked packages
pkg: warning: database version 38 is newer than libpkg(3) version 36, but still compatible
>>> Check for missing package dependencies
pkg: warning: database version 38 is newer than libpkg(3) version 36, but still compatible
Checking all packages: .......... done
>>> Check for missing or altered package files
pkg: warning: database version 38 is newer than libpkg(3) version 36, but still compatible
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 26.1.8_5 has 68 dependencies to check.
Checking packages: ........
dnsmasq-2.92_3,1 version mismatch, expected 2.92rel2,1
Checking packages: ............................................................. done
***DONE***

I then attempted another update from the UI which updated dnsmasq with no errors or UI crash. A further update shows everything up-to-date!

Thanks Franco
#4
Thanks Franco,

I'm not sure that's done anything:

root@OPNsense:~ # opnsense-revert pkg
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
Fetching meta.conf:   0%
Fetching data:   0%
SunnyValley repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: 100%     179 B   0.2 kB/s    00:01   
mimugmail repository is up to date.
All repositories are up to date.
The following packages will be fetched:

New packages to be FETCHED:
        pkg: 2.3.1_1 (6 MiB: 100.00% of the 6 MiB to download)

Number of packages to be fetched: 1

The process will require 6 MiB more space.
6 MiB to be downloaded.
Fetching pkg-2.3.1_1: 100%  6397 KiB   6.6 MB/s    00:01   
pkg-2.6.2_1: already unlocked
root@OPNsense:~ #

Running another healthcheck just gives me the same as before:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 26.1.8_5 (amd64) at Wed May 13 12:00:50 BST 2026
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 26.1.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 26.1.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
mimugmail (Priority: 5)
SunnyValley (Priority: 7)
OPNsense (Priority: 11)
>>> Check installed plugins
os-acme-client 4.16_1
os-adguardhome-maxit 1.16
os-apcupsd 1.2_3
os-caddy 2.1.0
os-cpu-microcode-intel 1.1
os-crowdsec 1.0.12
os-ddclient 1.31
os-etpro-telemetry 1.8_1
os-gdrive-backup 1.0_1
os-maltrail 1.10_1
os-mdns-repeater 1.2
os-net-snmp 1.6_1
os-netdata 1.2_1
os-q-feeds-connector 1.6
os-sensei 2.5
os-sensei-agent 2.5
os-sensei-updater 2.0
os-sftp-backup 1.1_2
os-smart 2.4
os-sunnyvalley 1.5_2
os-telegraf 1.12.14
os-theme-advanced 1.1
os-theme-cicada 1.41_1
os-theme-dracula 0.7
os-theme-rebellion 1.9.4
os-theme-vicuna 1.51
os-zabbix72-agent 1.18
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 26.1.8_5 has 68 dependencies to check.
Checking packages: ........
dnsmasq-2.92_3,1 version mismatch, expected 2.92rel2,1
Checking packages: ........................................
pkg-2.6.2_1 repository mismatch: FreeBSD
pkg-2.6.2_1 version mismatch, expected 2.3.1_1
Checking packages: ..................... done
***DONE***
#5
I didn't know there was a health check! Anyway, here's the output:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 26.1.8_5 (amd64) at Wed May 13 11:38:01 BST 2026
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 26.1.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 26.1.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
mimugmail (Priority: 5)
SunnyValley (Priority: 7)
OPNsense (Priority: 11)
>>> Check installed plugins
os-acme-client 4.16_1
os-adguardhome-maxit 1.16
os-apcupsd 1.2_3
os-caddy 2.1.0
os-cpu-microcode-intel 1.1
os-crowdsec 1.0.12
os-ddclient 1.31
os-etpro-telemetry 1.8_1
os-gdrive-backup 1.0_1
os-maltrail 1.10_1
os-mdns-repeater 1.2
os-net-snmp 1.6_1
os-netdata 1.2_1
os-q-feeds-connector 1.6
os-sensei 2.5
os-sensei-agent 2.5
os-sensei-updater 2.0
os-sftp-backup 1.1_2
os-smart 2.4
os-sunnyvalley 1.5_2
os-telegraf 1.12.14
os-theme-advanced 1.1
os-theme-cicada 1.41_1
os-theme-dracula 0.7
os-theme-rebellion 1.9.4
os-theme-vicuna 1.51
os-zabbix72-agent 1.18
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 26.1.8_5 has 68 dependencies to check.
Checking packages: ........
dnsmasq-2.92_3,1 version mismatch, expected 2.92rel2,1
Checking packages: ........................................
pkg-2.6.2_1 repository mismatch: FreeBSD
pkg-2.6.2_1 version mismatch, expected 2.3.1_1
Checking packages: ..................... done
***DONE***
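Added example, not part of the original posts: a Python script that pulls the mismatch lines out of the health audits quoted above and compares the audit taken before the pkg revert with the one taken after it. The two excerpts are copied from those posts; the function names are illustrative.

```python
import re

# Excerpts copied from the health audits quoted in the posts above.
AUDIT_BEFORE = """\
>>> Check locked packages
No locks found.
>>> Check for core packages consistency
Core package "opnsense" at 26.1.8_5 has 68 dependencies to check.
Checking packages: ........
dnsmasq-2.92_3,1 version mismatch, expected 2.92rel2,1
Checking packages: ........................................
pkg-2.6.2_1 repository mismatch: FreeBSD
pkg-2.6.2_1 version mismatch, expected 2.3.1_1
Checking packages: ..................... done
"""
AUDIT_AFTER = """\
>>> Check for core packages consistency
Core package "opnsense" at 26.1.8_5 has 68 dependencies to check.
Checking packages: ........
dnsmasq-2.92_3,1 version mismatch, expected 2.92rel2,1
Checking packages: ............................................................. done
"""

# Matches "<pkg> repository mismatch: <repo>" and
# "<pkg> version mismatch, expected <version>".
MISMATCH = re.compile(
    r"^(?P<pkg>\S+) (?P<kind>repository|version) mismatch"
    r"(?:: |, expected )(?P<detail>\S+)$"
)


def findings(audit_text):
    """Return a set of (section, package, kind, detail) for each mismatch line."""
    section, found = None, set()
    for line in audit_text.splitlines():
        line = line.strip()
        if line.startswith(">>> "):
            section = line[4:]          # remember which check we are inside
            continue
        m = MISMATCH.match(line)
        if m:
            found.add((section, m["pkg"], m["kind"], m["detail"]))
    return found


def compare(before, after):
    """Split findings into resolved, remaining and newly introduced."""
    b, a = findings(before), findings(after)
    return {"resolved": sorted(b - a), "remaining": sorted(b & a), "new": sorted(a - b)}


def foreign_repo_packages(audit_text):
    """Packages the audit reports with a repository mismatch, with the repository named."""
    return sorted((pkg, detail) for _, pkg, kind, detail in findings(audit_text)
                  if kind == "repository")


if __name__ == "__main__":
    for status, items in compare(AUDIT_BEFORE, AUDIT_AFTER).items():
        for section, pkg, kind, detail in items:
            print(f"{status:9} {pkg:20} {kind:10} {detail}  [{section}]")
    print("repository mismatches before revert:", foreign_repo_packages(AUDIT_BEFORE))
```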
#6
I installed OPNsense 26.1.8 update last night and didn't reboot as the update didn't require one.

This morning, I attempted to access the UI and got a blank page with 503 Service Unavailable. I SSHed into the box and attempted an upgrade to the newly-released OPNsense 26.1.8_5, which hung. So I rebooted the box again, logged in to the UI and attempted the update. This hung again, with the UI unresponsive.

Are there any logs I can retrieve that would help? The UI is fine unless I attempt another update.
#7
Zenarmor (Sensei) / Re: update to 2.4.2 hangs
March 27, 2026, 06:06:11 PM
Quote from: sy on March 27, 2026, 02:53:58 PM
Hi,

- @RutgerDiehard, Concerning the interrupted update issue, could you please share a report using the "Have Feedback" option located in the bottom-left corner of the UI?

Shared report as requested.
#8
Zenarmor (Sensei) / Re: update to 2.4.2 hangs
March 27, 2026, 08:20:07 AM
Can confirm this also; update from 2.4.1 to 2.4.2 gets stuck.

Refreshing OPNsense UI and checking Zenarmor shows that the packet filter has been upgraded and a restart works successfully, but the upgrade is still running.

***GOT REQUEST TO UPDATE***
Currently running OPNsense 26.1.5 (amd64) at Fri Mar 27 07:06:15 GMT 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
mimugmail repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
mimugmail repository is up to date.
All repositories are up to date.
Checking for upgrades (4 candidates): .... done
Processing candidates (4 candidates): .. done
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
os-sensei: 2.4.1 -> 2.4.2 [SunnyValley]

Number of packages to be upgraded: 1

112 MiB to be downloaded.
[1/1] Fetching os-sensei-2.4.2.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/1] Upgrading os-sensei from 2.4.1 to 2.4.2...
[1/1] Extracting os-sensei-2.4.2: .......... done
Zenarmor service is running, saving state to resume after upgrade...
Removing Zenarmor cron jobs...
CLI crons: Info: Cron jobs deleted: 1
CLI crons: Success
Local path is : /usr/local/opnsense/service
total 43
-rw-r--r--  1 root wheel    0B Jan 13  2025 .fixed-security-categories
-rw-r-----  1 root wheel   32B Jan 13  2025 serial
-rw-r-----  1 root wheel    7B Jan 13  2025 sensei_cpu_score
-rw-r-----  1 root wheel    4B Jan 13  2025 .configdone
-rw-r-----  1 root wheel  824B Jun 17  2025 license.data
-rw-r--r--  1 root wheel    0B Mar  5 15:06 .mustrestart
-rwxr-xr-x  1 root wheel  136B Mar 26 12:49 workers.map.default
-rwxr-xr-x  1 root wheel  5.5K Mar 26 12:49 eastpect.cfg.default
-rwxr-xr-x  1 root wheel   40B Mar 26 12:49 .buildtime
-rw-r--r--  1 root wheel  6.7K Mar 26 16:55 eastpect.cfg
-rw-r-----  1 root wheel  377B Mar 26 16:55 workers.map
create link for python in virtualenv...Create link python3 to /usr/local/zenarmor/py_venv/bin/python....
Create link python3 to /usr/local/zenarmor/py_venv/bin/python3....
done
Restarting configd service...done
Activating features for Business Edition...
Clearing OPNsense menu cache...done
Invalidating OPNsense cache...done
Invalidating Zenarmor cache...done
Running Zenarmor post-install scripts...
Check python version
Fri Mar 27 07:06:26 UTC 2026
Removing Zenarmor cron jobs...
CLI crons: Info: Cron jobs deleted: 0
CLI crons: Success
Preparing Settings Db...
Backup configurations...
Configuration Migration .....
License Migration.....
Node.csv Migration.....
Certification Migration.....
Token Migration.....
Userpin Migration.....
Serial Migration.....
Userenricher Tokens Migration.....
Hostmap Cache Database migration.....
Creating user_device_cache.db...
Creating hostmap_cache.db...
Creating settings.db...
Application database base path is /usr/local/zenarmor//db/
12 web 2.0 categories added.
Prepared Default Policy
Checking Schedule Reports...
Preparing Userenrich Db...
Checking Cloud Nodes...ASAN LIBRARY CHECK....
Generating Zenarmor configuration files...done
Menu.xml template copied
StaticConfig template copied
CLI generate-static-file: OK
CLI setretireafter:
CLI setretireafter: DB Type: ES
CLI setretireafter: (Elasticsearch) 28
CLI setretireafter: Skipped:
CLI setflavor:
CLI setflavor: Warning: Not settings flavor size in eastpect.cfg
CLI settimestamp: Success
CLI migrate: Info: Report Mail Configuration Checking
CLI migrate: Info: done
CLI migrate: Info: Web category migration ...
CLI migrate: Info: done
CLI migrate: Info: Custom web category migration ...
CLI migrate: Info: done
CLI migrate: Info: Applications category migration ...
CLI migrate: Success
CLI migratewebcat: Success
CLI bufsysctl (ring): skipped dev.netmap.ring_num: 1024
CLI bufsysctl: skipped  mem: 34358689792 buf: 1000000
CLI setClusterUUID: Success
CLI setdefaultswap: Info: Swap Rate: 60
CLI setdefaultswap: Success
CLI fillscheduledreportchart
CLI fillscheduledreportchart: Success
CLI setlicensesize: Success: Success
CLI check-fix-websites skipped
CLI check-fix... 
CLI check-fix done
#9
That makes a lot of sense, thanks for the explanation. As I mentioned, there wasn't a lot of information about setting this up. The only post I could find that mentioned returning traffic on the ONT interface was in 2015!

Quote from: nero355 on March 07, 2026, 03:37:33 PM
By doing that a lot of the "My IGMP Proxy crashed again!" users (of I believe mainly pfSense at the time) were able to avoid having to restart IGMP Proxy/reboot their Router from time to time just because IPTV did not work...

It's a Routed IPTV setup but you could convert it to your Bridged IPTV setup too :)

I've not experienced any IGMP Proxy crashes - I'm sure I would be the first to hear about it though - but would definitely have tried adapting this to resolve.

Unfortunately, our foray into EE TV was very short-lived and the boxes are packed up and waiting to be returned. Let's just say, what they replaced - Sky TV - has a much better interface, ability to watch what you've recorded in another room, and I am able to adjust the volume of the home theatre system it's connected to by the same remote. So absolutely not worth the £30/month less which the wife has spoken very loudly about.

It was fun getting it to work though and I hope it helps others!
#10
After wrestling with this for several hours, I finally have EE TV IPTV running smoothly through OPNsense on EE TV Pro and EE TV Edge boxes without relying on the EE Broadband router. There really isn't an awful lot of information about this out there, so I've consolidated what I've done into a walkthrough of what worked for me. Hopefully it saves you a few evenings of trial and error.

You'll need an EE Broadband subscription for this as EE TV won't work on others.

1️⃣ Set Up Your WAN (PPPoE) - I assume you already have done this and the PPPoE link is working correctly, but listed here for completeness.
EE uses PPPoE for broadband.

WAN Interface Settings (Interfaces → Devices → Point-to-Point)
Link type: PPPoE

Link interface: The port that's connected to your ONT

Description: EE Broadband

Username: bthomehub@btbroadband.com

Password: bt

I would recommend following @meyergru's excellent guide on properly configuring PPPoE here.

2️⃣ Create a Dedicated IPTV Interface
EE sends IPTV traffic to the ONT physical interface and NOT returning over the PPPoE link. This is the part that is missing from all other instructions.

Add the IPTV Interface
Go to Interfaces → Assignments → Add a new interface

Device: your physical WAN NIC - the same as the PPPoE interface is bound to

Description: IPTV

Click Add and Save.

Enable the Interface
Click the IPTV interface in "Interfaces"

Tick Enable

IPv4 Configuration: Static IPv4

Static IPv4 configuration

IPv4 address: 10.20.30.1/24 (this can be anything private but make sure that it's a subnet not currently in use)

IPv6 Configuration: None

This interface is purely for passing multicast traffic.

3️⃣ Enable IGMP Proxy
EE TV relies on multicast. Without IGMP Proxy, the box won't get channel streams.

Install IGMP Proxy

System → Firmware → Plugins

Tick "Show community plugins"

Find os-igmp-proxy and click "+" to install

Configure IGMP Proxy

Refresh the OPNsense page

Go to Services → IGMP Proxy

Add an Upstream interface:

Interface: IPTV

Network: 224.0.0.0/4
Network: 109.159.247.0/24 - this is EE's source for IPTV

** Note, the OPNsense UI will not allow two different Network entries with different CIDR values. If you try to add using the CIDR dropdown, the next entry will have the same CIDR entry and you cannot change it. The workaround is to add the networks as above (including the /4 and /24) without choosing a CIDR value. When you save and edit the interface again, it will be listed correctly. **

Click save

Add a Downstream interface:

Interface: your LAN

Network: your LAN subnet (e.g., 192.168.1.0/24)

Apply changes.

If you have more subnets, add them and apply changes.

4️⃣ Firewall Rules
You need to allow UDP and IGMP traffic through.

In my testing, and for simplicity, I created an allow all rule for traffic flowing in to the LAN interface - if you have other subnets you added in the downstream interface in step 3, create firewall rules for those also. The critical setting here is you must allow options. Edit the rule, click advanced mode and tick "Allow options".

Once this is working for you, I would suggest restricting this to the traffic that you require.

On the IPTV interface, create two new firewall rules:

[Attachment not available]

For both, ensure "Allow options" is enabled.

5️⃣ Enable IGMP Snooping on Your Switch

IGMP Snooping allows the switch to restrict stream traffic to only the ports that have requested the stream, rather than every port on the switch.
This is very much vendor dependent and may be a simple setting change on the management page of your switch or through a console session. For my HP Procurve 3500yl, I enabled this through the management page of the switch.

If your switch supports it:

Turn on IGMP Snooping

If available, enable Fast Leave

Test your new EE TV boxes and you should have full live TV :-)

After monitoring outbound traffic whilst streaming channels using the firewall live view, note the ports and destinations in use and create allow rules for them to replace the LAN allow all rule used for testing.
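Added example, not part of the original post: one way to carry out the final tightening step, by summarising which destinations and ports the TV boxes used while the temporary LAN allow-all rule was in place. The log records are constructed, and the filterlog column positions, the LAN interface name igc1 and the TV box address 192.168.1.50 are assumptions to check against your own system.

```python
import ipaddress
from collections import Counter

# Assumed column positions in an OPNsense filterlog IPv4 record; confirm
# them against a line from your own firewall log before relying on this.
IFACE, ACTION, DIRECTION, IPVER, PROTO, SRC, DST, DPORT = 4, 6, 7, 8, 16, 18, 19, 21

# Networks named in the walkthrough: multicast groups and EE's IPTV source.
KNOWN_NETS = [ipaddress.ip_network("224.0.0.0/4"),
              ipaddress.ip_network("109.159.247.0/24")]
KNOWN_NAMES = {str(n) for n in KNOWN_NETS}

# Constructed sample records (hosts, ports and rule numbers are invented).
SAMPLE_LOG = """\
82,,,0,igc1,match,pass,in,4,0x0,,64,1001,0,DF,17,udp,60,192.168.1.50,109.159.247.10,40000,5802,40
82,,,0,igc1,match,pass,in,4,0x0,,64,1002,0,DF,17,udp,60,192.168.1.50,109.159.247.10,40001,5802,40
82,,,0,igc1,match,pass,in,4,0xc0,,1,1003,0,DF,2,igmp,32,192.168.1.50,239.1.1.7,datalength=8
82,,,0,igc1,match,pass,in,4,0x0,,64,1004,0,DF,6,tcp,60,192.168.1.50,203.0.113.20,51000,443,0,S
82,,,0,igc1,match,pass,in,4,0x0,,64,1005,0,DF,6,tcp,60,192.168.1.77,198.51.100.9,51001,443,0,S
12,,,0,igc0,match,block,in,4,0x0,,64,1006,0,DF,17,udp,60,198.51.100.9,192.168.1.50,53,40002,40
"""


def summarise_destination(addr):
    """Collapse an address into a known network where possible, else keep the host."""
    ip = ipaddress.ip_address(addr)
    for net in KNOWN_NETS:
        if ip in net:
            return str(net)
    return addr


def candidate_rules(log_text, iface, tv_boxes):
    """List (proto, destination, port) combinations passed inbound on iface from tv_boxes."""
    hits = Counter()
    for line in log_text.splitlines():
        f = line.strip().split(",")
        if len(f) <= DST or f[IPVER] != "4":
            continue                      # short or non-IPv4 record
        if (f[IFACE], f[ACTION], f[DIRECTION]) != (iface, "pass", "in"):
            continue                      # only traffic the allow-all rule let in
        if f[SRC] not in tv_boxes:
            continue                      # ignore other LAN hosts
        proto = f[PROTO]
        port = f[DPORT] if proto in ("tcp", "udp") and len(f) > DPORT else ""
        hits[(proto, summarise_destination(f[DST]), port)] += 1
    rules = []
    for (proto, dest, port), count in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
        rules.append({
            "proto": proto, "dest": dest, "port": port, "hits": count,
            # IGMP packets carry the IP Router Alert option, so their rule
            # needs "Allow options" as the walkthrough requires.
            "allow_options": proto == "igmp",
            # Destinations outside the walkthrough's networks deserve a look
            # before they are turned into permanent allow rules.
            "review": dest not in KNOWN_NAMES,
        })
    return rules


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG, "igc1", {"192.168.1.50"}):
        print(rule)
```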
#11
26.1, 26,4 Series / Re: UI lockout after 26.1 upgrade
January 30, 2026, 09:48:19 AM
root@OPNsense:~ # pluginctl -g OPNsense.Interfaces.settings
{
    "@attributes": {
        "version": "0.0.0",
        "persisted_at": "1769701369.97",
        "description": "Global interface settings"
    },
    "disablechecksumoffloading": "1",
    "disablesegmentationoffloading": "1",
    "disablelargereceiveoffloading": "1",
    "disablevlanhwfilter": "1",
    "disableipv6": "0",
    "dhcp6_norelease": "0",
    "dhcp6_debug": "0",
    "dhcp6_duid": "",
    "dhcp6_ratimeout": "10"
}
root@OPNsense:~ # pluginctl -m
*** OPNsense\Interfaces\Settings migration failed from 0.0.0 to 1.0.0, check log for details

I've checked the system logs for errors around the time of the upgrade and there is nothing relating to "migration".

#12
26.1, 26,4 Series / Re: UI lockout after 26.1 upgrade
January 29, 2026, 04:44:29 PM
Well that was quite a scary upgrade!

Luckily I had a snapshot but foolishly overwrote the snapshot with another attempt at an upgrade.

Franco, you are quite right, I do have Zenarmor installed but don't use Suricata.

The interfaces that netmap_transmit was flooding the logs alternate between igc3 and igc5. Just so happened to be the ones Zenarmor protects.

After the upgrade, I managed to access the UI from another interface and checked Zenarmor. It was complaining that I seem to have enabled hardware offload - I can guarantee I hadn't!

Anyway, what fixed everything was changing "VLAN Hardware Filtering" from "Leave default" to "Disable VLAN Hardware Filtering"
#13
26.1, 26,4 Series / Re: UI lockout after 26.1 upgrade
January 29, 2026, 03:36:46 PM
Continuous

netmap_transmit igc3 drop but that needs checksum


#14
26.1, 26,4 Series / UI lockout after 26.1 upgrade
January 29, 2026, 03:12:30 PM
I've just completed the 26.1 upgrade from the last version of OPNsense.

I watched the first reboot by checking ping responses and then reconnected to the UI.

Shortly after I have lost all connectivity, even when sat on the same LAN. SSH is not responding.

I assume this is firewall rule related. How can I reset the rules from console to restore access?
#15
Quote from: jonm on October 23, 2025, 05:18:07 PM
I just got this rather scary message during the update to 25.7.6. The update appeared to stop.

I couldn't log in at the console, I got this error:

Password:
sh: /usr/local/libexec/opnsense-auth: not found
Login incorrect

The GUI then gave a 404 error.

After a couple of minutes it sprang back into life.

I've never seen this behaviour before - is it expected?

The update appears to have now completed successfully, as far as I can tell.

I had the same "Danger. Unexpected error, check log for details" error but when I refreshed the OPNsense main dashboard page, version updated to 25.7.6 and a check for updates came back with "There are no updates available on the selected mirror".

I am reluctant to reboot in case I'm left with a broken OPNsense.

Is there anything I can check to ensure a reboot will succeed?