Messages - caplam

#1
26.1 Series / Re: boot loop
March 19, 2026, 11:16:17 AM
It seems to be ok now, but I had to run /usr/local/opnsense/scripts/firmware/check.sh
Without that it wouldn't do the update check.


Edit: spoke too soon. Now I can't run any command on the firmware status page.

rerun the command:
sudo opnsense-update -p
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: 100%    179 B   0.2kB/s    00:01
mimugmail repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: 100%    179 B   0.2kB/s    00:01
mimugmail repository is up to date.
All repositories are up to date.
Checking for upgrades (17 candidates): 100%
Processing candidates (17 candidates):   5%
pkg-static: glib has a missing dependency: python311
Processing candidates (17 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: 100%
Nothing to do.
Flushing temporary package files... done

When I try to reinstall glib it goes to the update tab, but the content of the screen is the result of the update.
It doesn't do anything from the GUI.
#2
26.1 Series / Re: boot loop
March 19, 2026, 10:56:35 AM
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: 100%    179 B   0.2kB/s    00:01
mimugmail repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: 100%    179 B   0.2kB/s    00:01
mimugmail repository is up to date.
All repositories are up to date.
Checking for upgrades (33 candidates): 100%
Processing candidates (33 candidates):   6%
pkg-static: glib-bootstrap has a missing dependency: python311
pkg-static: glib has a missing dependency: python311
pkg-static: glib-bootstrap has a missing dependency: python311
Processing candidates (33 candidates):  36%
pkg-static: glib-bootstrap has a missing dependency: python311
pkg-static: glib-bootstrap has a missing dependency: python311
Processing candidates (33 candidates): 100%
The following 17 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
colordiff: 1.0.22 [OPNsense]

Installed packages to be UPGRADED:
bind-tools: 9.20.19 -> 9.20.20 [OPNsense]
caddy-custom: 2.11.1.0.0.4.5.9 -> 2.11.2.0.0.4.5.10 [OPNsense]
crowdsec: 1.7.6_1 -> 1.7.6_2 [OPNsense]
crowdsec-firewall-bouncer: 0.0.32_12 -> 0.0.34 [OPNsense]
groff: 1.23.0_5 -> 1.24.0_1 [OPNsense]
libunistring: 1.4.1 -> 1.4.2 [OPNsense]
libxml2: 2.15.1_1 -> 2.15.2 [OPNsense]
opnsense: 26.1.3 -> 26.1.4 [OPNsense]
opnsense-lang: 26.1.1 -> 26.1.4 [OPNsense]
os-ddclient: 1.30 -> 1.30_1 [OPNsense]
os-q-feeds-connector: 1.5 -> 1.5_1 [OPNsense]
py313-filelock: 3.20.1 -> 3.25.0 [OPNsense]
strongswan: 6.0.3_1 -> 6.0.4 [OPNsense]
suricata: 8.0.3_1 -> 8.0.3_2 [OPNsense]
syslog-ng: 4.10.2 -> 4.11.0 [OPNsense]

Installed packages to be REINSTALLED:
net-snmp-5.9.5.2,1 [OPNsense] (options changed)

Number of packages to be installed: 1
Number of packages to be upgraded: 15
Number of packages to be reinstalled: 1

The operation will free 9 MiB.
112 MiB to be downloaded.
[1/17] Fetching groff-1.24.0_1.pkg: 100%    3 MiB   2.7MB/s    00:01
[2/17] Fetching libunistring-1.4.2.pkg: 100%  705 KiB 721.7kB/s    00:01
[3/17] Fetching crowdsec-1.7.6_2.pkg: 100%   62 MiB  65.0MB/s    00:01
[4/17] Fetching syslog-ng-4.11.0.pkg: 100%    1 MiB   1.1MB/s    00:01
[5/17] Fetching colordiff-1.0.22.pkg: 100%   16 KiB  16.3kB/s    00:01
[6/17] Fetching os-ddclient-1.30_1.pkg: 100%   33 KiB  33.4kB/s    00:01
[7/17] Fetching caddy-custom-2.11.2.0.0.4.5.10.pkg: 100%   14 MiB  15.0MB/s    00:01
[8/17] Fetching net-snmp-5.9.5.2,1.pkg: 100%    2 MiB   2.5MB/s    00:01
[9/17] Fetching libxml2-2.15.2.pkg: 100%  902 KiB 923.3kB/s    00:01
[10/17] Fetching bind-tools-9.20.20.pkg: 100%    2 MiB   1.6MB/s    00:01
[11/17] Fetching crowdsec-firewall-bouncer-0.0.34.pkg: 100%    4 MiB   4.6MB/s    00:01
[12/17] Fetching os-q-feeds-connector-1.5_1.pkg: 100%   29 KiB  30.2kB/s    00:01
[13/17] Fetching py313-filelock-3.25.0.pkg: 100%   46 KiB  47.4kB/s    00:01
[14/17] Fetching suricata-8.0.3_2.pkg: 100%   12 MiB  12.6MB/s    00:01
[15/17] Fetching opnsense-26.1.4.pkg: 100%    6 MiB   6.1MB/s    00:01
[16/17] Fetching strongswan-6.0.4.pkg: 100%  893 KiB 914.7kB/s    00:01
[17/17] Fetching opnsense-lang-26.1.4.pkg: 100%    3 MiB   3.4MB/s    00:01
Checking integrity... done (0 conflicting)
[1/17] Upgrading bind-tools from 9.20.19 to 9.20.20...
[1/17] Extracting bind-tools-9.20.20: 100%
[2/17] Upgrading caddy-custom from 2.11.1.0.0.4.5.9 to 2.11.2.0.0.4.5.10...
[2/17] Extracting caddy-custom-2.11.2.0.0.4.5.10: 100%
[3/17] Installing colordiff-1.0.22...
[3/17] Extracting colordiff-1.0.22: 100%
[4/17] Upgrading crowdsec-firewall-bouncer from 0.0.32_12 to 0.0.34...
[4/17] Extracting crowdsec-firewall-bouncer-0.0.34: 100%
crowdsec_firewall is running as pid 70614.
Stopping crowdsec_firewall.
[5/17] Upgrading crowdsec from 1.7.6_1 to 1.7.6_2...
[5/17] Extracting crowdsec-1.7.6_2: 100%
crowdsec is running as pid 66897.
Stopping crowdsec.
Waiting for PIDS: 66897.
Updating crowdsec hub data
Loaded: 161 parsers, 11 postoverflows, 777 scenarios, 9 contexts, 5 appsec-configs, 196 appsec-rules, 161 collections
Unmanaged items: 1 local, 0 tainted
Starting crowdsec.
[6/17] Upgrading groff from 1.23.0_5 to 1.24.0_1...
[6/17] Extracting groff-1.24.0_1: 100%
[7/17] Upgrading libunistring from 1.4.1 to 1.4.2...
[7/17] Extracting libunistring-1.4.2: 100%
[8/17] Upgrading libxml2 from 2.15.1_1 to 2.15.2...
[8/17] Extracting libxml2-2.15.2: 100%
[9/17] Reinstalling net-snmp-5.9.5.2,1...
===> Creating groups
Using existing group 'snmpd'
===> Creating users
Using existing user 'snmpd'
[9/17] Extracting net-snmp-5.9.5.2,1: 100%
[10/17] Upgrading opnsense-lang from 26.1.1 to 26.1.4...
[10/17] Extracting opnsense-lang-26.1.4: 100%
[11/17] Upgrading os-ddclient from 1.30 to 1.30_1...
[11/17] Extracting os-ddclient-1.30_1: 100%
Stopping configd...done
Starting configd.
Reloading plugin configuration
Flushing all caches...done.
Configuring system logging...done.
Reloading template OPNsense/Syslog: OK
Reloading template OPNsense/ddclient: OK
[12/17] Upgrading os-q-feeds-connector from 1.5 to 1.5_1...
[12/17] Extracting os-q-feeds-connector-1.5_1: 100%
Stopping configd...done
Starting configd.
Reloading plugin configuration
Flushing all caches...done.
Configuring system logging...done.
Reloading template OPNsense/QFeeds: OK
Service `cron' has been restarted.
[13/17] Upgrading py313-filelock from 3.20.1 to 3.25.0...
[13/17] Extracting py313-filelock-3.25.0: 100%
[14/17] Upgrading strongswan from 6.0.3_1 to 6.0.4...
[14/17] Extracting strongswan-6.0.4: 100%
[15/17] Upgrading suricata from 8.0.3_1 to 8.0.3_2...
[15/17] Extracting suricata-8.0.3_2: 100%
[16/17] Upgrading syslog-ng from 4.10.2 to 4.11.0...
[16/17] Extracting syslog-ng-4.11.0: 100%
[17/17] Upgrading opnsense from 26.1.3 to 26.1.4...
[17/17] Extracting opnsense-26.1.4: 100%
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: Modified 192 trust store links.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
You may need to manually remove /usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/config.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/local_api_credentials.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/online_api_credentials.yaml if it is no longer needed.
=====
Message from net-snmp-5.9.5.2,1:

--
snmpd now drops privileges by default after initialization is completed.
Ensure that any extension commands defined in your snmpd.conf can be executed
by the snmpd user.

It is possible to start and run snmpd entirely as a non-root user with the
following steps:

1. Add the following lines to /etc/rc.conf:

snmpd_user="snmpd"
snmpd_group="snmpd"
snmpd_pidfile="/var/net-snmp/snmpd.pid"

2. Configure the mac_portacl(4) kernel module:

   a. Load mac_portacl.ko at boot time by adding the following line to
      /etc/rc.conf:

kld_list="mac_portacl"

   b. Configure the following sysctls in sysctl.conf(5):

      net.inet.ip.portrange.reservedhigh=0
      security.mac.portacl.rules=gid:344:udp:161,gid:344:tcp:161,gid:344:tcp:199,gid:344:tcp:705

   This allows snmpd to bind to these privileged ports without holding
   special privileges.

3. Make sure that the snmpd user has read/write or read-only access to the
   following:

RW - /var/log/snmpd.log
RW - /var/net-snmp/*
RO - /usr/local/share/snmp/*

   Note that snmpd creates the /var/net-snmp directory upon its initial
   startup, and this cannot be done by the snmpd user.

4. Ensure that any and all extension commands defined in snmpd.conf can be
   executed by the snmpd user.
=====
Message from strongswan-6.0.4:

--
The default strongSwan configuration interface have been updated to vici.
To use the stroke interface by default either compile the port without the vici option or
set 'strongswan_interface="stroke"' in your rc.conf file.
You may need to manually remove /usr/local/etc/suricata/classification.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/reference.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/suricata.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
=====
Message from opnsense-26.1.4:

--
One step ahead, one step behind it, now you gotta run to get even
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: 100%
The following package files will be deleted:
/var/cache/pkg/strongswan-6.0.4~ed94b06ef3.pkg
/var/cache/pkg/crowdsec-firewall-bouncer-0.0.34.pkg
/var/cache/pkg/libxml2-2.15.2~4af2bc4b58.pkg
/var/cache/pkg/caddy-custom-2.11.2.0.0.4.5.10~2dcf099933.pkg
/var/cache/pkg/caddy-custom-2.11.2.0.0.4.5.10.pkg
/var/cache/pkg/groff-1.24.0_1~22d230794f.pkg
/var/cache/pkg/libunistring-1.4.2.pkg
/var/cache/pkg/os-q-feeds-connector-1.5_1.pkg
/var/cache/pkg/suricata-8.0.3_2~dd572055ee.pkg
/var/cache/pkg/syslog-ng-4.11.0~82419d7eef.pkg
/var/cache/pkg/py313-filelock-3.25.0~da88d7097b.pkg
/var/cache/pkg/suricata-8.0.3_2.pkg
/var/cache/pkg/net-snmp-5.9.5.2,1.pkg
/var/cache/pkg/groff-1.24.0_1.pkg
/var/cache/pkg/colordiff-1.0.22~3aad2bc5c6.pkg
/var/cache/pkg/os-q-feeds-connector-1.5_1~9b52641aec.pkg
/var/cache/pkg/syslog-ng-4.11.0.pkg
/var/cache/pkg/crowdsec-1.7.6_2~0d51523a18.pkg
/var/cache/pkg/opnsense-26.1.4~a301052b11.pkg
/var/cache/pkg/opnsense-26.1.4.pkg
/var/cache/pkg/os-ddclient-1.30_1~8edee5f3a6.pkg
/var/cache/pkg/libunistring-1.4.2~5e8f30955c.pkg
/var/cache/pkg/crowdsec-1.7.6_2.pkg
/var/cache/pkg/net-snmp-5.9.5.2,1~ea5bfcfec1.pkg
/var/cache/pkg/crowdsec-firewall-bouncer-0.0.34~d9a17cf6a6.pkg
/var/cache/pkg/py313-filelock-3.25.0.pkg
/var/cache/pkg/bind-tools-9.20.20.pkg
/var/cache/pkg/opnsense-lang-26.1.4.pkg
/var/cache/pkg/strongswan-6.0.4.pkg
/var/cache/pkg/os-ddclient-1.30_1.pkg
/var/cache/pkg/colordiff-1.0.22.pkg
/var/cache/pkg/opnsense-lang-26.1.4~7577f137d2.pkg
/var/cache/pkg/bind-tools-9.20.20~75d18e9d99.pkg
/var/cache/pkg/libxml2-2.15.2.pkg
The cleanup will free 112 MiB
Deleting files: 100%
Flushing temporary package files... done
#3
26.1 Series / Re: boot loop
March 19, 2026, 09:45:42 AM
Finally I could run it by disabling the password for sudo:

sudo  /usr/local/opnsense/scripts/firmware/health.sh
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 26.1.3 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 26.1.3 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
mimugmail (Priority: 5)
>>> Check installed plugins
os-acme-client 4.14
os-apcupsd 1.2_3
os-caddy 2.1.0
os-cpu-microcode-intel 1.1
os-crowdsec 1.0.12
os-ddclient 1.30
os-freeradius 1.10.1
os-igmp-proxy 1.5_6
os-iperf 1.0_2
os-isc-dhcp 1.0_4
os-mdns-repeater 1.2
os-net-snmp 1.6_1
os-opnarp-maxit 1.0_4
os-q-feeds-connector 1.5
os-unifi9-maxit 1.4
os-wol 2.5_3
os-zabbix74-agent 1.18
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .
isc-dhcp44-server-4.4.3P1_2: missing file /usr/local/share/licenses/isc-dhcp44-server-4.4.3P1_2/LICENSE
Checking all packages............ done
>>> Check for core packages consistency
Core package "opnsense" at 26.1.3 has 67 dependencies to check.
Checking packages: .......................
opnsense-26.1.3 version mismatch, expected 26.1.4
Checking packages: ..
opnsense-lang-26.1.1 version mismatch, expected 26.1.4
Checking packages: .....................................
strongswan-6.0.3_1 version mismatch, expected 6.0.4
Checking packages: ..
suricata-8.0.3_1 version mismatch, expected 8.0.3_2
Checking packages: .
syslog-ng-4.10.2 version mismatch, expected 4.11.0
Checking packages: ... done

Should I reinstall all the listed mismatched packages? It sounds weird, as for now I haven't had a chance to upgrade to 26.1.4, so why is it expecting 26.1.4 packages?
#4
26.1 Series / Re: boot loop
March 19, 2026, 09:40:25 AM
When I connect with ssh I have no option to choose, and if I execute health.sh I have:
/usr/local/opnsense/scripts/firmware/health.sh
/usr/local/opnsense/scripts/firmware/config.sh: cannot create /tmp/pkg_upgrade.progress: Permission denied

If I execute it with sudo it won't take my password.
#5
26.1 Series / boot loop
March 19, 2026, 09:25:07 AM
Hello,

A few days ago I upgraded from 26.1.2.5 to 26.1.3 and my router was acting normal.

Today I want to upgrade to 26.1.4, but as soon as I go to the firmware page the router says it will reboot to complete the 26.1.3 update.

There is no possibility to run the health or security audit. The only thing I can access in the firmware menu is the log, and there is only one message:

2026-03-05T11:27:18 Notice pkg-static python311-3.11.14_2 deinstalled
Is there something I can do apart from restoring a snapshot?
#6
25.7, 25.10 Series / Re: LAGG with LAN and VLANs
February 05, 2026, 11:27:48 AM
I made a config similar to yours:
1 port for LAN. On the switch it's an access port with native vlan 1
1 lagg of 2 ports (port channel) for vlans
I had to make port channel on the switch as a trunk port with tagged vlans and native vlan as a dummy vlan
#7
Interesting, I certainly will move my sonos speaker to the iot vlan. Thanks.
Do you know what would be needed to do the same thing for a harmony hub, and particularly for it to be able to communicate with a home assistant integration (emulated hue)?

For the time being I left my home assistant in my trusted network. But I want to move it to the iot vlan and still be able to control devices with my phone in the trusted vlan.
#8
General Discussion / Re: Micron exits consumer market
December 09, 2025, 04:36:45 PM
I ordered a new mini machine to experiment. I still have not received it.
3 or 4 weeks ago I ordered a 96Gb ram kit and 2x4Tb samsung ssd to throw in this new machine.
Yesterday I had second thoughts and wanted to order a 2nd ram kit, but the price is now almost triple what I paid 3 weeks ago.
#9
I have updated to 25.7.8
Freeradius version is 1.9.28
My wifi clients connect just fine on the right vlan.
wifi : unifi with radius mac authentication
If it can help.
#10
General Discussion / Re: caddy, dmz and web apps
November 18, 2025, 11:59:30 AM
Thank you for your answers.
I have only one docker host, but now when I create a bridge network for a stack I bind it to a particular subinterface of the host, as by default docker listens on all interfaces. For compose stacks I put the webserver in a macvlan (if it's more convenient) or a bridge in the dmz vlan and the other containers in another vlan network.

My authentik stack authenticates apps for lan or internet users and also apps only accessible from lan. For now its listening interface is in the lan, but I wonder if I should move it to the dmz. I'm also trying to force all apps through caddy and authentik to have authentication and use the same hostname to access them whether I'm inside or outside.

The same goes for caddy. If I understood correctly, the caddy process is listening on all interfaces. But I think I don't really get the path of a packet.
Caddy listens on ports 80 & 443.
If the request comes from outside, it arrives on the wan interface, which caddy listens to. Then it processes the request to the upstream server or forwards the request to the authenticating server depending on the authentication type (oauth or proxy).
For this request to be actually effective you need a firewall rule on the wan interface to pass the packet to "this firewall".
If the request comes from the inside on the interface (LAN for now) where the user is, then the request is processed as in the first case.
For this request to be actually effective you need a firewall rule on the lan interface (or the interface on the vlan where the users reside) to pass the packet to "this firewall".
So if I'm correct, when the reverse proxy is on the firewall itself you can't really put it in the dmz. The only thing I can do is move authentik to the dmz and eventually change my users' vlan from lan to another one.
Another thing I need to take care of is that the app with an oidc provider needs to contact the authentik server. For now, as authentik is in the lan, I have a firewall rule passing requests from apps in the dmz with an oidc provider to the authentik server (not sure about that one as I don't know which container of the stack actually makes the request).
For example I have a jellyfin docker in the dmz which can't authenticate without such a rule (it's only one container).
But I have a nextcloud-aio (13 containers in a vlan bridge and the apache one in the dmz bridge) which can authenticate without the rule.


Forget about that my authentik stack is still in a bridge network that is not bound to a particular interface so it listens to all. I consider this a security hole and I have to modify my authentik bridge network so that it listens to only one interface.
I guess it's the danger of having a docker host with several interfaces.
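
An added example, not part of the original post: one way to audit the concern raised in the post above, containers whose published ports listen on every host interface. It parses `docker inspect` JSON and flags wildcard host bindings; the sample JSON, container names and the 192.0.2.10 address are constructed for illustration, and containers using host networking are outside its scope.

```python
"""Flag Docker port publications that listen on every host interface.

Pipe in the output of `docker inspect $(docker ps -q)`; when stdin is a
terminal, the constructed SAMPLE below is audited instead.
"""
import json
import sys

# HostIp values that mean "all interfaces" in docker inspect output.
WILDCARDS = {"", "0.0.0.0", "::"}

# Constructed sample: names, ports and addresses are illustrative only.
SAMPLE = json.dumps([
    {
        "Name": "/authentik-server",
        "NetworkSettings": {"Ports": {
            "9000/tcp": [{"HostIp": "0.0.0.0", "HostPort": "9000"},
                         {"HostIp": "::", "HostPort": "9000"}],
            "9443/tcp": None,  # exposed by the image but not published
        }},
    },
    {
        "Name": "/jellyfin",
        "NetworkSettings": {"Ports": {
            # Published on one host address only, so not flagged.
            "8096/tcp": [{"HostIp": "192.0.2.10", "HostPort": "8096"}],
        }},
    },
    {
        "Name": "/nextcloud-apache",  # macvlan-style container: nothing published
        "NetworkSettings": {"Ports": {}},
    },
])


def find_wildcard_bindings(inspect_json):
    """Return (container, container_port, host_ip, host_port) for every
    published port whose host address is a wildcard."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        ports = (container.get("NetworkSettings") or {}).get("Ports") or {}
        for container_port, bindings in sorted(ports.items()):
            # A null value means the port is exposed but has no host binding.
            for binding in bindings or []:
                host_ip = binding.get("HostIp", "")
                if host_ip in WILDCARDS:
                    findings.append((name, container_port, host_ip,
                                     binding.get("HostPort", "")))
    return findings


def main():
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    findings = find_wildcard_bindings(data)
    for name, container_port, host_ip, host_port in findings:
        print(f"{name}: host port {host_port} -> {container_port} "
              f"listens on {host_ip or '*'} (all interfaces)")
    if not findings:
        print("no wildcard bindings found")
    # Non-zero exit status lets a cron job or CI step alert on findings.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

A flagged binding is pinned by publishing with an explicit host address (for example `192.0.2.10:8096:8096` in a Compose `ports` entry) or by setting the bridge driver option `com.docker.network.bridge.host_binding_ipv4` on the network.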
#11
General Discussion / caddy, dmz and web apps
November 17, 2025, 07:28:12 PM
When I set up opnsense I created several vlans.
My main server is unraid. It has its interface eth0 on lan and subinterfaces in vlans.
I host several applications (immich, nextcloud, authentik, homeassistant and many others).
The majority of these applications are installed through portainer stacks.
Some are accessible from outside, others are restricted to lan ip.
I connect to these apps through the caddy plugin.
When I first set up caddy (previously I was using npm docker on unraid) I followed the documentation: (firewall wan+lan rule destination: this firewall dst ports: 80&443)
I placed devices in the corresponding vlans when I set up dnsmasq dhcp, but I never took the time to move the apps to another vlan.
Should I really do that knowing all apps are behind caddy?

Should I change the firewall lan rule to the dmz vlan? afaik the best practice is to put the reverse proxy in the dmz.
Authentik is used to give access to almost all my apps (through oidc, ldap or proxy provider); should I move it to the dmz?
I think you would guess I'm a little confused.

#12
Quote from: BrandyWine on October 26, 2025, 04:08:36 PM
Did you see the device actually reboot when you did the nvram update? It may have soft rebooted (re-booting just the OS)?
IIRC, the eeupdate util does not work on FreeBSD.

Your device is the 1st reported one of such issue.

From all the util commands you posted, the devices do appear to be there, and not sure why one or more may have moved locations on PCI bus. Maybe perhaps you have other issue with that hardware. A bad solder joint can create the gremlin, etc.

I will suggest that the update procedure include removing power for 1min after a device shutdown. Then power it back up. But noted, you should not need to do this as long as the device actually is rebooted.


Now that you mention it, all my reboots (and there have been at least 5) prior to unplugging the power cord to move the device were done with the webgui, and as I was not in the same room I didn't see it rebooting. Is a reboot initiated from the gui a hard reboot?

From what I posted you clearly see that the device with @mac ending in 32:00 is igc5, but when I had the problem it became igc4. And at this time the device with @mac ending in 31:ff was not detected (it's normally igc4).
All came back in order after the power reset.
I mentioned eeupdate as it was part of the firmware package I found. I first intended to use it in the EFI shell, which I didn't manage to do. I am still struggling to make a bootable efi usb media with my mac.
#13
Finally I managed to flash all the devices.
I guess a reboot is not enough despite what the nvmupdate manual says.
I went to the basement and took my appliance to try a bios update.
When I plugged it in the missing interface was back.

For the record I didn't manage to do the update. Making a bootable usb with efi shell for flashing with a mac is really a pain in the ...
I remember having struggled with flashing an hba.
Anyway, in the iso file provided with the firmware there was also the eeupdate utility (like nvmupdate but for efi) and the bin files for the i226v devices (type 125c version 2.32)


dmesg | grep EEPROM
[1] igc0: EEPROM V2.32-0 eTrack 0x80000422
[1] igc1: EEPROM V2.32-0 eTrack 0x80000422
[1] igc2: EEPROM V2.32-0 eTrack 0x80000422
[1] igc3: EEPROM V2.32-0 eTrack 0x80000422
[1] igc4: EEPROM V2.32-0 eTrack 0x80000422
[1] igc5: EEPROM V2.32-0 eTrack 0x80000422
#14
I have no more pci0:7:0:0 device.
Previously it was igc5

pciconf -l igc5
igc5@pci0:7:0:0:    class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000

sudo pciconf -lbcv ix1@pci0:7:0:0
Password:
igc5@pci0:7:0:0:    class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
    vendor    = 'Intel Corporation'
    device    = 'Ethernet Controller I226-V'
    class      = network
    subclass  = ethernet
    bar  [10] = type Memory, range 32, base 0x80500000, size 1048576, enabled
    bar  [1c] = type Memory, range 32, base 0x80600000, size 16384, enabled
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 5 messages, enabled
                Table in map 0x1c[0x0], PBA in map 0x1c[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                max read 512
                link x1(x1) speed 5.0(5.0) ASPM disabled(L1)
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 1 corrected
    ecap 0003[140] = Serial 1 a8b8e0ffff063200
    ecap 0018[1c0] = LTR 1
    ecap 001f[1f0] = Precision Time Measurement 1
    ecap 001e[1e0] = L1 PM Substates 1

I installed pciutils.
sudo lspci | grep 226
01:00.0 Ethernet controller: Intel Corporation Ethernet Controller I226-V (rev 04)
02:00.0 Ethernet controller: Intel Corporation Ethernet Controller I226-V (rev 04)
03:00.0 Ethernet controller: Intel Corporation Ethernet Controller I226-V (rev 04)
04:00.0 Ethernet controller: Intel Corporation Ethernet Controller I226-V (rev 04)
05:00.0 Non-Volatile memory controller: Silicon Motion, Inc. SM2263EN/SM2263XT (DRAM-less) NVMe SSD Controllers (rev 03)
06:00.0 Ethernet controller: Intel Corporation Ethernet Controller I226-V (rev 04)
#15
Yes, the switch led lights up.
I initially had only 1 switch near my router and not enough free ports. So I decided to use 1 port for lan and a lagg to 5 vlans. The first switch is an 8 sfp port switch with both fiber modules and rj45 ones. The RJ45 ones are 2,5G (to match my router)
I added another switch I had lying around but I want to replace it (unifi 48 port poe); it's hungry and noisy and only has 1Gbps ports (except 2 sfp+)
I'm running opnsense 25.7.6. I think the igc5 update has been made within the 25.7.5 version.

lspci : I suppose I need to install a package.
pciconf -lbv | grep -A 4 device=0x125c
igc0@pci0:1:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I226-V'
    class      = network
    subclass   = ethernet
--
igc1@pci0:2:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I226-V'
    class      = network
    subclass   = ethernet
--
igc2@pci0:3:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I226-V'
    class      = network
    subclass   = ethernet
--
igc3@pci0:4:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I226-V'
    class      = network
    subclass   = ethernet
--
igc4@pci0:6:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I226-V'
    class      = network
    subclass   = ethernet


ifconfig | grep igc
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
igc1: flags=1008a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
igc2: flags=1008b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
igc3: flags=1008b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
igc4: flags=1008802<BROADCAST,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
laggport: igc2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
laggport: igc3 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
vlan: 35 vlanproto: 802.1q vlanpcp: 0 parent interface: igc0

None of igc4 or 5 is actually not plugged.

cat nvm.cfg
CURRENT FAMILY: 1.0.0
CONFIG VERSION: 1.20.0

; NIC device
BEGIN DEVICE
DEVICENAME: Intel(R) Ethernet Controller I226-V
VENDOR: 8086
DEVICE: 125C
SUBVENDOR: 8086
SUBDEVICE: 0000
NVM IMAGE: FXVL_125C_V_2MB_2.32.bin
EEPID: 80000422
RESET TYPE: REBOOT
REPLACES: 80000284

I used this file for flashing both igc5 and igc4

For igc4 here is the .rollback.cfg:
sudo cat A8B8E00631FF/.rollback.cfg
;File generated automatically by NVMUpdate tool
CONFIG VERSION: 1.26.0

BEGIN DEVICE
DEVICENAME: Intel(R) Ethernet Controller I226-V
VENDOR: 8086
DEVICE: 125C
REPLACES: 80000422
EEPID: 80000284
NVM IMAGE: A8B8E00631FF/A8B8E00631FF.bin
IMAGE DOWNGRADE: TRUE
RESET TYPE: POWER
END DEVICE

and the flash log
cat flash_igc4.log
Intel(R) Ethernet NVM Update Tool
NVMUpdate version 1.43.20.0
Copyright(C) 2013 - 2025 Intel Corporation.

./nvmupdate64e -b -l igc4.log -m a8b8e00631ff -u -c nvm.cfg

Config file read.
Inventory
[00:005:00:00]: Intel(R) Ethernet Controller I226-V
Alternate MAC address is not set.
Flash inventory started.
Shadow RAM inventory started.
Shadow RAM inventory finished.
Flash inventory finished.
OROM inventory started.
OROM inventory finished.
Update
[00:005:00:00]: Intel(R) Ethernet Controller I226-V
Creating backup images in directory: A8B8E00631FF.
Backup images created.
Flash update started.
NVM verification started.
Shadow RAM verification started.
Shadow RAM verification finished.
Flash verification started.
Flash verification finished.
NVM verification finished.
Flash update successful.
Device update successful.
Update security revisions
[00:005:00:00]: Intel(R) Ethernet Controller I226-V
Skipping update minimum security revisions.
Update VPD with VPD template
[00:005:00:00]: Intel(R) Ethernet Controller I226-V
Skipping VPD update with VPD template.
Checking update availability for next tool run.
A reboot is required to complete the update process.

the same for igc5:

sudo cat A8B8E0063200/.rollback.cfg
;File generated automatically by NVMUpdate tool
CONFIG VERSION: 1.26.0

BEGIN DEVICE
DEVICENAME: Intel(R) Ethernet Controller I226-V
VENDOR: 8086
DEVICE: 125C
REPLACES: 80000422
EEPID: 80000284
NVM IMAGE: A8B8E0063200/A8B8E0063200.bin
IMAGE DOWNGRADE: TRUE
RESET TYPE: POWER
END DEVICE

and the log from flash:
cat flash_igc5.log
Intel(R) Ethernet NVM Update Tool
NVMUpdate version 1.43.20.0
Copyright(C) 2013 - 2025 Intel Corporation.

./nvmupdate64e -b -l flash_igc5.log -m a8b8e0063200 -u -c nvm.cfg

Config file read.
Inventory
[00:007:00:00]: Intel(R) Ethernet Controller I226-V
Alternate MAC address is not set.
Flash inventory started.
Shadow RAM inventory started.
Shadow RAM inventory finished.
Flash inventory finished.
OROM inventory started.
OROM inventory finished.
Update
[00:007:00:00]: Intel(R) Ethernet Controller I226-V
Creating backup images in directory: A8B8E0063200.
Backup images created.
Flash update started.
NVM verification started.
Shadow RAM verification started.
Shadow RAM verification finished.
Flash verification started.
Flash verification finished.
NVM verification finished.
Flash update successful.
Device update successful.
Update security revisions
[00:007:00:00]: Intel(R) Ethernet Controller I226-V
Skipping update minimum security revisions.
Update VPD with VPD template
[00:007:00:00]: Intel(R) Ethernet Controller I226-V
Skipping VPD update with VPD template.
Checking update availability for next tool run.
A reboot is required to complete the update process.


I didn't pay attention that the pci devices changed. So I guess after the reboot the appliance didn't list the same pci devices.