Topics - franco

#1
Announcements / OPNsense 25.1.10 released
July 01, 2025, 12:08:04 PM
Hey,

We are getting close to 25.7.  In fact, the release date is July 23.
As such minimal changes are going into this stable release for the
usual reasons.

Expecting a quick release candidate in two weeks while we piece together
the individual changes that will make the next release series a distinct
step forward: privilege separation capability, latest and greatest FreeBSD
related updates, easier than ever MVC programming experience, a new UI
grid framework named Tabulator etc.

Here are the full patch notes:

o system: reduce future maintenance load in privilege separation efforts
o interfaces: remove unused "friendly" value from get_interface_list()
o interfaces: fix escaping in refactored bridge code
o interfaces: fix bridge SPAN support
o interfaces: add update mode to ifctl
o firewall: fix issue with event binding in rule automation page
o dnsmasq: implement domain type to select between adding domain to range or interface
o dnsmasq: dhcp-host are allowed to have duplicate partial IPv6 addresses
o unbound: improve the chroot mounting code to avoid excessive (un)mount calls
o lang: update language translations to their latest state
o mvc: eventually phase out getCurrentValue() in favour of getValue()
o plugins: os-caddy 2.0.2[1]
o ports: libxml2 fixes for recent CVEs
o ports: nss 3.113[2]
o ports: phpseclib 3.0.46
o ports: py-duckdb 1.3.1[3]
o ports: sudo 1.9.17[4]

Stay safe and cool,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[2] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_113.html
[3] https://github.com/duckdb/duckdb/releases/tag/v1.3.1
[4] https://www.sudo.ws/stable.html#1.9.17
#2
Announcements / OPNsense 25.1.9 released
June 18, 2025, 01:41:06 PM
Howdy,

This smallish update brings in more preparation for future features
and reworks and fixes a couple of bugs reported over the last weeks.

The patch size for 25.1.x will likely not increase in future updates
as 25.7 is near: July 23.  Save the date!

Here are the full patch notes:

o system: add minimalistic interface to support SSO authentication
o system: refactor a couple of existing empty() tests to isEmpty()
o system: refactor cache flush into system_cache_flush()
o system: add backend call for returning timezones
o system: fix "weight" default fallback causing non-string return in gateway status
o interfaces: refactor newwanip IPv4/v6 scripts to reduce differences between them
o interfaces: do not call a description a "dmesg"
o interfaces: relax regex for dmesg probing to seamlessly support dmesg timestamps
o firewall: improve address family validation for rule source and destination
o firewall: fix faulty ICMP type evaluation on NAT rules
o dnsmasq: allow AliasesField values to be cleared
o dnsmasq: allow host wildcards in domain overrides again
o ipsec: add aes256-sha1 ESP proposal
o ui: backwards-compatible merge of Tabulator grid replacement changes
o plugins: os-haproxy 4.6[1]
o ports: curl 8.14.1[2]
o ports: nss 3.112[3]
o ports: openldap 2.6.10[4]
o ports: php 8.3.22[5]
o ports: python 3.11.13[6]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/net/haproxy/pkg-descr
[2] https://curl.se/changes.html#8_14_1
[3] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_112.html
[4] https://www.openldap.org/software/release/changes.html
[5] https://www.php.net/ChangeLog-8.php#8.3.22
[6] https://docs.python.org/release/3.11.13/whatsnew/changelog.html
#3
Announcements / OPNsense 25.1.8 released
June 12, 2025, 02:29:12 PM
Hi!

This update addresses a few security issues in third party software,
but take note that libxml2 is currently stuck in an old release in
FreeBSD ports that was decided not to be fixed there for the time being.

Dnsmasq receives more improvements as you all explore the limits of the
current implementation and what the software can still offer beyond that.
Thank you for all the good feedback on this front!

The FreeBSD kernel was updated with a number of upstream stable commits
while we get closer to evaluating the jump to a newer FreeBSD release for
25.7.

Lastly, we are preparing for a historic moment: offering privilege separation
for the GUI meaning the web server can stop running as a root user.  This
may still be optional in the next major version, but it makes fixing the
remaining incompatibilities much easier.

Here are the full patch notes:

o system: fix regression in setGroupMembership()
o system: add "Source Networks" option to groups to restrict connectivity to web GUI
o system: remove defunct "sshlogingroup" OpenSSH option because non-admins are no longer permitted shell access
o system: reduce font size in thermal sensors widget tooltip (contributed by indeed-a-genius)
o system: allow access to cached watcher gateway status
o system: implement "force_down" failover support
o system: implement base_bootgrid_table in user, group and priv templates
o system: balance fastcgi servers a bit better
o system: check private key matches provided certificate data
o system: introduce a "wwwonly" user and group and related privilege separation preparations
o interfaces: convert bridge configuration to MVC/API
o interfaces: remove unused is_interface_assigned()
o firewall: use CIDR notation for specifying masks to dnctl (contributed by Daniel Tang)
o firewall: improve dummynet_stats.py parsing of mask descriptor lines (contributed by Daniel Tang)
o firewall: exclude interfaces with local links only when generating force gateway rules
o firewall: fix missing lock while refactoring config for group changes
o firewall: properly synchronize load order for shaper when reloading configuration
o firewall: add toggle log command in automation
o firewall: since bogons source writes a comment first prefix our exclusions too
o firewall: tighten address / range validation for aliases
o firewall: align alias tokenizer options with the ones in our base template
o captive portal: align accounting session timeout with API
o captive portal: balance fastcgi servers a bit better
o captive portal: do not share a fastcgi socket with web GUI
o dnsmasq: add missing constraint and fix template for boot options
o dnsmasq: reload filter on service reload
o dnsmasq: add command in leases view to create DHCP reservations
o dnsmasq: hide static mode in DHCP range in advanced mode
o dnsmasq: set default to empty lease time for DHCP hosts to allow for defaults
o dnsmasq: add "no-resolv" option to prevent use of system defined DNS servers
o dnsmasq: validate IP address usage for DHCP registrations
o dnsmasq: add validation preventing the end address from being empty for IPv4 non-static ranges
o dnsmasq: when "dhcp-fqdn" is active, set all DHCP domains as local
o dnsmasq: add checkbox to hosts that can set domains as local
o dnsmasq: allow either empty IP or empty hostname for DHCP hosts
o dnsmasq: fix wildcard host handling
o dnsmasq: add overlay to conditionally remove values based on DHCP option type
o ipsec: add "cacert" option in remote auth section and allow spaces and wildcards in id fields
o ipsec: be more verbose when modifying SPDs
o isc-dhcp: show tracking interfaces when enabled and offer an explicit disable
o kea-dhcp: add static_routes validation (contributed by Dr. Uwe Meyer-Gruhl)
o openvpn: remove deprecated use of is_interface_assigned() in legacy client/server
o unbound: remove "inplace" in chained assignment (contributed by dstapa)
o mvc: deny whitespaces, asterisks and slashes in HostnameField
o mvc: support array response type in session->get()
o plugins: os-caddy 2.0.1[1]
o plugins: os-crowdsec 1.0.10[2]
o plugins: os-sunnyvalley 1.5 switches mirror domain
o src: pf: explicitly NULL state key pointers
o src: pf: fix panic in pf_return()
o src: pf: do not use state keys after pf_state_insert()
o src: netlink, socket, sctp, tcp, udp: assorted upstream stable changes
o src: in6_control_ioctl: correctly report errors from SIOCAIFADDR_IN6
o src: axgbe: add support for Yellow Carp Ethernet device
o src: dhclient: keep two clocks
o src: rtw88, rtw89: merge Realtek driver based on Linux v6.14
o src: iwlwififw: remove Intel iwlwifi firmware from src.git
o ports: curl 8.14.0[3]
o ports: kea 2.6.3[4]
o ports: python fix for CVE-2025-4516[5]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.1/security/crowdsec/pkg-descr
[3] https://curl.se/changes.html#8_14_0
[4] https://downloads.isc.org/isc/kea/2.6.3/Kea-2.6.3-ReleaseNotes.txt
[5] https://github.com/python/cpython/pull/134341
#4
This business release is based on the OPNsense 25.1.6 community version
with additional reliability improvements, but without Dnsmasq DHCP support
and the recent captive portal backend switch.

Here are the full patch notes:

o system: extend XMLRPC "nosync" support to keep backup items for new cases
o system: use RADIUS Message Authenticator by default
o system: prevent recursion loop when CAs are cross-referencing each other
o system: fix off by one error due to line ending at the end of a log file
o system: offer config directory to store locations for external certificates and support it in the certificates widget
o system: allow multiple manual DNS search domains
o system: fix gateway watcher backoff
o system: minor code cleanups in auth.inc
o system: kill gateways states for failback scenario when a higher priority gateway goes back online
o system: update to latest tzdata content for time zones and ISO 3166 definitions
o system: clean up a number of unused functions
o system: refactor a VIP access in auth.inc
o system: add field "boottime" to api/system/systemTime (contributed by eopo)
o reporting: move NetFlow backend single_pass to command line parameters for easier debugging
o reporting: use client time in traffic dashboard widget
o reporting: replace insights totals chart with ChartJS variant
o reporting: minor style fixes and cleanups in health graphs
o interfaces: refactor bridge configuration backend
o interfaces: refactor wireless device assignment
o interfaces: allow literal comma by escape sequence in DHCP advanced option modifiers
o interfaces: fix refresh button in ARP page
o interfaces: fix "(de)select all" button in packet capture
o interfaces: rename ip_in_subnet() to reflect it is only for IPv4
o interfaces: remove unused get_vip_descr()
o dnsmasq: domain to host migration for hosts
o firewall: automation filter UI revamp
o firewall: fix regression in alias table in JSON format
o firewall: replace update_params for argparse in filter log reader
o firewall: prevent source/destination inversion when multiple nets are selected
o firewall: support comma separated alias targets in refactor() call
o firewall: added multi-select for ICMP type
o firewall: update user agent in alias URL fetch
o firmware: ignore dashboard check for updates link automation if user clicks check for updates too
o firmware: fix reboot flag handling due to changed BooleanField default in 25.1.4
o firmware: add cleanup audit script
o intrusion detection: fix a log reader regression in the alert view
o intrusion detection: fix alert info button
o ipsec: move mobile clients charon attributes to "Advanced settings"
o ipsec: fix auth server parsing regression
o ipsec: copy "Split DNS name" to undocumented "25" option
o ipsec: fix more ACLs related to individual IPsec page use
o ipsec: add DH Group 2 for basic Azure VPN gateway compatibility
o ipsec: fix trimming NULL values
o ipsec: attr 28673 previously rendered as 1 instead of strongswan default "yes"/"no" for a boolean
o isc-dhcp: use "lease_type" to key lease map in addition to "iaid_duid" (contributed by Alex Goodkind)
o isc-dhcp: fix invalid FQDN generation from DHCPv4 static map domains (contributed by Steven Zimmermann)
o kea-dhcp: allow manual configuration for advanced scenarios
o kea-dhcp: add DHCPv6 support
o kea-dhcp: split into multiple id-based services
o kea-dhcp: fix menu for overlapping leases links
o kea-dhcp: correct static mapping returns for IPv6 addresses
o kea-dhcp: translate reservation MAC address when dash is used
o openvpn: display virtual IPv6 addresses for clients in dashboard widget (contributed by cs-1 and lucaspalomodevelop)
o openvpn: simplify the VIP handling in legacy pages
o router advertisements: fix list of source addresses on overlapping link-locals (contributed by Robin Müller)
o unbound: add optional TTL field
o backend: support "errors:no" clause on actions
o mvc: prefer ui/user_portal above system_usermanager_passwordmg.php in ACLs
o mvc: implement "ignore" field type in forms
o mvc: allow referencing disabled interfaces in LinkAddressField
o mvc: fix scoping issue in CertificatesField
o mvc: BooleanField now defaults to "0" on creation
o mvc: add static $internalStaticChildren in classes extending ArrayField
o mvc: safeguard JsonKeyValueStoreField->setSourceField()
o ui: include "all" instead of only "solid" and "brands" Font Awesome styles
o ui: ensure fields stay aligned relative to one another when headers are used in forms
o ui: add fetch_options() which can build grouped selectpickers
o ui: improve and extend Bootgrid behaviour
o plugins: os-caddy 1.8.5[1]
o plugins: os-ndproxy 1.1[2]
o plugins: os-sftp-backup 1.1 adds hostname prefix and filedrop-only support (contributed by beposec)
o plugins: os-theme-rebellion 1.9.3 (contributed by Team Rebellion)
o plugins: os-turnserver 1.0 (contributed by Frank Wall)
o plugins: os-squid 1.2[3]
o src: ifconfig: fix reporting optics on most 100g interfaces
o src: igc: fix attach for I226-K and LMVP devices
o src: inpcb: assorted changes for upcoming FIB support
o src: ipfw: fix dump_soptcodes() handler
o src: ixgbe: add support for 1000BASE-BX SFP modules
o src: ixgbe: fix mailbox ack handling
o src: netinet6: add the missing lock acquire to nd6_get_llentry
o src: netinet: fix getcred sysctl handlers to do nothing if no input is given
o src: netinet: if mb_unmapped_to_ext() failed, return directly
o src: netlink: fix getting route scope of interface IPv4 addresses
o src: ovpn: fix use-after-free of mbuf
o src: pf: improve pf_state_key_attach() error handling
o src: pfkey2: use correct value for a key length
o src: routing: do not allow PINNED routes to be overridden
o src: sctp: fix double unlock in case adding a remote address fails
o src: tcp: clear sendfile logging struct
o src: udp: do not recursively enter net epoch
o src: wg: remove overly-restrictive address family check
o src: caroot: update the root bundle
o src: openssl: import OpenSSL 3.0.16
o src: daemon: stop rebuilding the kqueue every restart of the child
o src: contrib/expat: update libexpat from 2.6.0 to 2.7.1
o src: contrib/tzdata: import tzdata 2025b
o src: pfctl: fix faulty rule anchor counter print
o src: pfctl: fix recursive printing of NAT rules
o src: pf: Use a macro to get the hash row in pf_find_state_byid()
o src: netinet6: work around synchronization issue in dying netgraph device
o src: wg: Improve wg_peer_alloc() to simplify the calling
o src: bnxt_en: Retrieve maximum of 128 APP TLVs
o src: Revert "amd64 GENERIC: Switch uart hints from isa to acpi"
o ports: curl 8.13.0[4]
o ports: expat 2.7.1[5]
o ports: kea 2.6.2[6]
o ports: lighttpd 1.4.79[7]
o ports: monit 5.35.2[8]
o ports: nss 3.110[9]
o ports: openssh 10.0p1[10]
o ports: phalcon 5.9.3[11]
o ports: php 8.3.20[12]
o ports: py-duckdb 1.2.2[13]
o ports: python 3.11.12[14]
o ports: syslog-ng 4.8.2[15]
o ports: unbound 1.23.0[16]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.1/net/ndproxy/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.1/www/squid/pkg-descr
[4] https://curl.se/changes.html#8_13_0
[5] https://github.com/libexpat/libexpat/blob/R_2_7_1/expat/Changes
[6] https://downloads.isc.org/isc/kea/2.6.2/Kea-2.6.2-ReleaseNotes.txt
[7] https://www.lighttpd.net/2025/4/4/1.4.79/
[8] https://mmonit.com/monit/changes/
[9] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_110.html
[10] https://www.openssh.com/txt/release-10.0
[11] https://github.com/phalcon/cphalcon/releases/tag/v5.9.3
[12] https://www.php.net/ChangeLog-8.php#8.3.20
[13] https://github.com/duckdb/duckdb/releases/tag/v1.2.2
[14] https://docs.python.org/release/3.11.12/whatsnew/changelog.html
[15] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.2
[16] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-23-0

SHA256 (OPNsense-business-25.4.1-dvd-amd64.iso.bz2) = 12aa36a2ce6743217e9714ac1ba16de6bc81ef2f8a4f3c7635215268a0944b18
SHA256 (OPNsense-business-25.4.1-nano-amd64.img.bz2) = 12361c910da612fe37cdec2814ff6d8363d9bee6171fe50de8cd58adb6a0e22d
SHA256 (OPNsense-business-25.4.1-serial-amd64.img.bz2) = 41283f6cf854608b56cb08f7960c5e0291c9ef1a32e6f0736f59f287cf2e9ba2
SHA256 (OPNsense-business-25.4.1-vga-amd64.img.bz2) = f20dd969784088eb1578df9c8dc5eb0a90502405027ab95b2b66277960803225
#5
Announcements / OPNsense 25.1.7 released
May 19, 2025, 11:35:51 AM
Hello there,

Dnsmasq DHCP is here and now it is going to be even better with multiple
fixes thanks to the swift feedback we received.  We are aware of the
complex topic of DHCP in the recent years so keep in mind we added Dnsmasq
to fill a specific need for smaller installations that other services cannot
offer.  There are still areas where Kea shines so having both options is
the best way forward.

Here are the full patch notes:

o system: safeguard local_group_set() since users may not exist for valid reasons
o interfaces: emulate device name return in ifconfig edge case for legacy_interface_create()
o interfaces: cleanup spurious functions regarding VIP access
o interfaces: improve private and bogon network filters (contributed by Maurice Walker)
o interfaces: consider tracked interfaces linked devices on reload
o firewall: add ability to specify IPv6 pipe and queue masking using the src-ip6/dst-ipv6 specifiers (contributed by Daniel Tang)
o firewall: use shared base_bootgrid_table and base_apply_button in shaper
o captive portal: restore the logging of drop reasons
o captive portal: fix last_accessed being cached from previous entries if N/A
o captive portal: mark alias as type external for use in rules
o dnsmasq: offer all DHCP options via IANA specification
o dnsmasq: allow "static" setting on IPv6 ranges
o dnsmasq: do not create entries in dnsmasq-hosts file for dhcp-host entries
o dnsmasq: prefix length is required when a lease-time is set due to the parsing order
o dnsmasq: split up "hwaddr" and "iaid" for DHCPv6 leases and expose them in the leases overview
o dnsmasq: add missing dhcp-boot to template
o dnsmasq: add interface tag to dhcp-boot options
o dnsmasq: reverse rebind check
o dnsmasq: remove superfluous escape in conf-dir directive
o dnsmasq: allow lease time 0 to set "infinite"
o dnsmasq: add protocol selectpicker to leases view
o dnsmasq: domain to host migration for hosts
o dnsmasq: allow multiple tags per dhcp-boot
o kea-dhcp: fix parsing both address families in static mappings
o kea-dhcp: translate reservation MAC address when dash is used
o kea-dhcp: add advanced options (pd-)allocator in DHCPv6
o ipsec: attr 28673 previously rendered as 1 instead of strongswan default "yes"/"no" for a boolean
o openvpn: add port-share as advanced feature
o openvpn: add (push) block-ipv6 option
o backend: use the new errors:no instead of "exit 0" in actions
o mvc: add contribDir to app config (contributed by Freddie Sackur)
o mvc: show versions on migration failure for clarity
o mvc: safeguard JsonKeyValueStoreField->setSourceField()
o mvc: add static $internalStaticChildren in classes extending ArrayField
o plugins: os-beats 1.0 (contributed by Maxime Thiebaut)
o plugins: os-c-icap 1.8[1]
o plugins: os-caddy 2.0.0[2]
o plugins: os-postfix 1.24[3]
o plugins: os-radsecproxy 1.1[4]
o ports: dhcp6c 20250513 fixes spawning multiple instances
o ports: monit 5.35.2[5]
o ports: nss 3.111[6]
o ports: perl 5.40.2[7]
o ports: pftop 0.13
o ports: php 8.3.21[8]
o ports: syslog-ng 4.8.2[9]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/www/c-icap/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.1/mail/postfix/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.1/net/radsecproxy/pkg-descr
[5] https://mmonit.com/monit/changes/
[6] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_111.html
[7] https://perldoc.perl.org/5.40.2/perldelta
[8] https://www.php.net/ChangeLog-8.php#8.3.21
[9] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.2
#6
Announcements / OPNsense 25.1.6 released
May 08, 2025, 03:12:45 PM
Hello!

After some back and forth today we are rolling back a console default
change done in FreeBSD 14.2 that we do not think is necessary at this
particular point in time.  The bridge configuration code was also
refactored to introduce it to MVC/API in an upcoming stable release.

A few more problems with the new captive portal backend have also been
addressed in order to make it match the behaviour of the previous one.
It is now possible to disable the automatic rules to further refine
the desired captive portal behaviour.

Last but not least: Kea DHCPv6 is here.  And with it full DHCP and router
advertisement support in Dnsmasq to bridge the gap for ISC users who do not
need or want Kea.  We are going to make Dnsmasq DHCP the default in new
installations starting with 25.7, too.  ISC DHCP will still be around as
a core component in 25.7 but likely moves to plugins for 26.1 next year.

Here are the full patch notes:

o system: kill gateways states for failback scenario when a higher priority gateway goes back online
o system: update to latest tzdata content for time zones and ISO 3166 definitions
o system: clean up a number of unused functions
o system: refactor a VIP access in auth.inc
o system: add field "boottime" to api/system/systemTime (contributed by eopo)
o reporting: replace insights totals chart with ChartJS variant
o reporting: minor style fixes and cleanups in health graphs
o interfaces: refactor bridge configuration backend
o interfaces: refactor wireless device assignment
o interfaces: allow literal comma by escape sequence in DHCP advanced option modifiers
o interfaces: fix refresh button in ARP page
o interfaces: fix "(de)select all" button in packet capture
o interfaces: rename ip_in_subnet() to reflect it is only for IPv4
o interfaces: remove unused get_vip_descr()
o firewall: prevent source/destination inversion when multiple nets are selected
o firewall: support comma separated alias targets in refactor() call
o firewall: added multi-select for ICMP type
o firewall: update user agent in alias URL fetch
o captive portal: fix display issue for pass rule when client not in zone
o captive portal: allow disabling automatic firewall rules
o captive portal: exclude portal table in destination
o dnsmasq: add full DHCP/RA support
o intrusion detection: fix a log reader regression in the alert view
o ipsec: copy "Split DNS name" to undocumented "25" option
o ipsec: fix more ACLs related to individual IPsec page use
o ipsec: add DH Group 2 for basic Azure VPN gateway compatibility
o ipsec: fix trimming NULL values
o isc-dhcp: use "lease_type" to key lease map in addition to "iaid_duid" (contributed by Alex Goodkind)
o isc-dhcp: fix invalid FQDN generation from DHCPv4 static map domains (contributed by Steven Zimmermann)
o kea-dhcp: add DHCPv6 support
o openvpn: simplify the VIP handling in legacy pages
o backend: support "errors:no" clause on actions
o mvc: allow referencing disabled interfaces in LinkAddressField
o mvc: fix scoping issue in CertificatesField
o plugins: os-ndproxy 1.1[1]
o plugins: os-squid 1.2[2]
o plugins: os-theme-rebellion 1.9.3 (contributed by Team Rebellion)
o plugins: os-turnserver 1.0 (contributed by Frank Wall)
o src: caroot: update the root bundle
o src: openssl: import OpenSSL 3.0.16
o src: daemon: stop rebuilding the kqueue every restart of the child
o src: contrib/expat: update libexpat from 2.6.0 to 2.7.1
o src: contrib/tzdata: import tzdata 2025b
o src: pfctl: fix faulty rule anchor counter print
o src: pfctl: fix recursive printing of NAT rules
o src: pf: Use a macro to get the hash row in pf_find_state_byid()
o src: netinet6: work around synchronization issue in dying netgraph device
o src: wg: Improve wg_peer_alloc() to simplify the calling
o src: bnxt_en: Retrieve maximum of 128 APP TLVs
o src: Revert "amd64 GENERIC: Switch uart hints from isa to acpi"
o ports: curl 8.13.0[3]
o ports: expat 2.7.1[4]
o ports: kea 2.6.2[5]
o ports: monit 5.35.1[6]
o ports: nss 3.110[7]
o ports: openssh 10.0p1[8]
o ports: php 8.3.20[9]
o ports: phalcon 5.9.3[10]
o ports: python 3.11.12[11]
o ports: unbound 1.23.0[12]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/net/ndproxy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.1/www/squid/pkg-descr
[3] https://curl.se/changes.html#8_13_0
[4] https://github.com/libexpat/libexpat/blob/R_2_7_1/expat/Changes
[5] https://downloads.isc.org/isc/kea/2.6.2/Kea-2.6.2-ReleaseNotes.txt
[6] https://mmonit.com/monit/changes/
[7] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_110.html
[8] https://www.openssh.com/txt/release-10.0
[9] https://www.php.net/ChangeLog-8.php#8.3.20
[10] https://github.com/phalcon/cphalcon/releases/tag/v5.9.3
[11] https://docs.python.org/release/3.11.12/whatsnew/changelog.html
[12] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-23-0
#7
Announcements / OPNsense 25.1.5 released
April 10, 2025, 03:01:31 PM
Howdy,

This release improves overall RADIUS support, moves the captive portal
from IPFW to PF, creates visibility of external certificate sources in
the system and offers a glimpse into the filter automation GUI revamp
which could one day replace the remaining static firewall rules edit pages.

Speaking of static pages: MVC/API conversions are almost 80% complete now
and we would really like to continue that trend.  Also brace for impact
as we crash-land Dnsmasq DHCP support in a stable release within the next
90 days!

Here are the full patch notes:

o system: extend XMLRPC "nosync" support to keep backup items for new cases
o system: improved RADIUS RFC alignment and use Message Authenticator by default
o system: prevent recursion loop when CAs are cross-referencing each other
o system: fix URL hash in certificate link so redirection shows the correct menu path
o system: fix off by one error due to line ending at the end of a log file
o system: offer config directory to store locations for external certificates and support it in the certificates widget
o system: allow multiple manual DNS search domains
o system: fix gateway watcher backoff
o system: minor code cleanups in auth.inc
o reporting: move NetFlow backend single_pass to command line parameters for easier debugging
o reporting: use client time in traffic dashboard widget
o firewall: automation filter UI revamp
o firewall: fix presentation when alias name overlaps group name
o firewall: fix regression in alias table in JSON format
o firewall: move pipe and queue configuration to "dnctl" service
o firewall: replace update_params for argparse in filter log reader
o captive portal: migrate backend from IPFW to PF
o firmware: ignore dashboard check for updates link automation if user clicks check for updates too
o firmware: fix reboot flag handling due to changed BooleanField default in 25.1.4
o firmware: add cleanup audit script
o ipsec: move mobile clients charon attributes to "Advanced settings"
o ipsec: pre-shared key permission fix
o kea-dhcp: add missing ACL privileges
o kea-dhcp: allow manual configuration for advanced scenarios
o openvpn: add "Enable static challenge (OTP)" option in client export
o openvpn: display virtual IPv6 addresses for clients in dashboard widget (contributed by cs-1 and lucaspalomodevelop)
o router advertisements: fix list of source addresses on overlapping link-locals (contributed by Robin Müller)
o unbound: drop "exclude" phrase from plugin log entry
o unbound: add optional TTL field
o mvc: prefer ui/user_portal above system_usermanager_passwordmg.php in ACLs
o mvc: implement "ignore" field type in forms
o ui: include "all" instead of only "solid" and "brands" Font Awesome styles
o ui: ensure fields stay aligned relative to one another when headers are used in forms
o ui: add fetch_options() which can build grouped selectpickers
o ui: improve and extend Bootgrid behaviour
o plugins: os-caddy 1.8.5[1]
o plugins: os-sftp-backup 1.1 adds hostname prefix and filedrop-only support (contributed by beposec)
o src: ifconfig: fix reporting optics on most 100g interfaces
o src: igc: fix attach for I226-K and LMVP devices
o src: inpcb: assorted changes for upcoming FIB support
o src: ipfw: fix dump_soptcodes() handler
o src: ixgbe: add support for 1000BASE-BX SFP modules
o src: ixgbe: fix mailbox ack handling
o src: netinet6: add the missing lock acquire to nd6_get_llentry
o src: netinet: fix getcred sysctl handlers to do nothing if no input is given
o src: netinet: if mb_unmapped_to_ext() failed, return directly
o src: netlink: fix getting route scope of interface IPv4 addresses
o src: ovpn: fix use-after-free of mbuf
o src: pf: improve pf_state_key_attach() error handling
o src: pf: only force state failure logging if logging was requested
o src: pfkey2: use correct value for a key length
o src: routing: do not allow PINNED routes to be overridden
o src: sctp: fix double unlock in case adding a remote address fails
o src: tcp: clear sendfile logging struct
o src: udp: do not recursively enter net epoch
o src: wg: remove overly-restrictive address family check
o ports: lighttpd 1.4.79[2]
o ports: openvpn 2.6.14[3]
o ports: phalcon 5.9.2[4]
o ports: py-duckdb 1.2.2[5]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[2] https://www.lighttpd.net/2025/4/4/1.4.79/
[3] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.14
[4] https://github.com/phalcon/cphalcon/releases/tag/v5.9.2
[5] https://github.com/duckdb/duckdb/releases/tag/v1.2.2
#8
The OPNsense business edition transitions to this 25.4 release including
numerous MVC/API conversions, a new user self-service portal, user CSV
import/export, improved security zones support and documentation, a new UI
look with a light and dark theme, PHP 8.3, FreeBSD 14.2 plus much more.

Please make sure to read the migration notes before upgrading.

Download link is as follows.  An installation guide[1] and the checksums for
the images can be found below as well.

https://downloads.opnsense.com/

This business release is based on the OPNsense 25.1.4 community version
with additional reliability improvements.

Here are the full patch notes against version 24.10.2:

o system: migrate user, group and privilege management to MVC/API
o system: remove the "disable integrated authentication" feature
o system: add "Default groups" option to add standard groups when a LDAP/RADIUS user logs in
o system: remove the old manual LDAP importer
o system: migrate HA status page to MVC/API
o system: allow custom additions to sshd_config (contributed by Neil Greatorex)
o system: increase max-request-field-size for web GUI
o system: set tunable default for checksum offloading of the vtnet(4) driver to disabled (contributed by Patrick M. Hausen)
o system: add support for RFC 5549 routes and refactor static route creation code
o system: improve notification support to also allow persistent notifications and static banners
o system: add notifications for low disk space and OpenSSH file override use
o system: migrate tunables page to MVC/API
o system: switch to temperature sensor caching
o system: add certificate widget to track expiration dates and allow quick renewal
o system: remove deprecated "page-getserviceprovider", "page-dashboard-all" and "page-system-groupmanager-addprivs" privileges
o system: replace file_get_contents() with curl implementation in XMLRPC sync and add verifypeer option
o system: add item edit links to several dashboard widgets
o system: prioritize index page and prevent redirection to a /api page on login
o system: mute disk space status in case of live install media
o system: optimize system status collection
o system: exclude pchtherm temperature thresholds
o system: update button wording on new HA status page
o system: adjust gateway widget to use the intended caching mechanism
o system: thermal sensors widget can now select individual sensors to display plus UX changes
o system: handle dev.pchtherm temperatures in the thermal dashboard widget (contributed by Joe Roback)
o system: use new apply button partial in tunables page
o system: move high availability option "disable preempt" to advanced mode
o system: straighten out syslog-ng rc.d scripting
o system: implement user CSV import/export functionality (sponsored by: m.a.x. it)
o system: switch boot logo and MOTD to the new-style logo (contributed by Gavin Chappell)
o system: migrate "default" tunable value to empty one and improve UX
o system: replace legacy service widget hook with a proper configd call
o system: add "Kill states when down" option to gateways
o system: stop pushing "nextuid" and "nextgid" during XMLRPC
o system: migrate tunables to implicit defaults
o system: secure access to sysctl configuration node
o system: fix RADIUS error check
o system: rewire system_usermanager_passwordmg.php to /ui/user_portal for cooperation with the next business edition
o system: default "net.inet.carp.senderr_demotion_factor" tunable to "0"
o system: opnsense-beep: serialize access to /dev/speaker (contributed by Leonid Evdokimov)
o system: fix URL hash in certificate link so redirection shows the correct menu path
o system: add a user portal for self-servicing OTP and OpenVPN profiles[2]
o reporting: fix missing typecast in epoch range for DNS statistics
o reporting: switch health graphs to ChartJS
o reporting: minor code cleanups in insight backend
o interfaces: adhere to DAD during VIP recreation in rc.newwanipv6
o interfaces: remove non-functional features from bridges
o interfaces: remove PPP edit in interfaces settings
o interfaces: batched device type creation under "Devices" submenu
o interfaces: move PPP and wireless logs to system log
o interfaces: remove "Use IPv4 connectivity" setting as it will be set by default
o interfaces: fix undefined array key warnings in DHCP client setup (contributed by Ben Smithurst)
o interfaces: add "nosync" option to VIPs and fix sync conditional
o interfaces: use shared base_bootgrid_table and base_apply_button where possible
o interfaces: remove obsolete code in get_real_interfaces() to match getRealInterface()
o interfaces: improve validation for CARP/proxy ARP VIP
o interfaces: remove defunct "other" VIP type
o interfaces: skip "nosync" processing on VIPs
o interfaces: move "(de)select all" button to the same row on packet capture page
o interfaces: add ARP address family option to packet capture
o interfaces: fix advanced mode visibility in VIPs
o firewall: use "skip lo0" instead of policing lo0 explicitly following OpenBSD best practice
o firewall: remove duplicate table definition and make sure bogonsv6 table always exists
o firewall: cleanup of CARP and IPv6 rules behaviour
o firewall: filter feature parity in automation rules
o firewall: offer multi-select on source and destination addresses
o firewall: add experimental inline shaper support to filter rules
o firewall: add missing columns on one-to-one NAT page
o firewall: fix anti-lockout and "allow access to DHCP failover" automatic rules
o firewall: add optional authorization for URL type aliases
o firewall: add "URL Table in JSON format (IPs)" alias type
o firewall: properly unpack multiple source/destination items in the rules page
o firewall: hide internal aliases to align with previous legacy_list_aliases() function
o firewall: support partial alias exports
o firewall: performance improvement by using pf overall table stats instead of dumping each table
o firewall: offer better plug-ability for dynamic alias type
o firewall: alias rename action ignored due to missing lock
o firewall: support "jq" processing syntax for JSON-based URL table aliases
o firewall: fix presentation when alias name overlaps group name
o captive portal: fix missing class import
o captive portal: partially revert new lighttpd TLS defaults
o captive portal: urlencode() selector items in voucher group list
o dhcrelay: integrate layout_partials bootgrid/apply
o dnsmasq: migrate existing frontend to MVC/API
o firmware: fix "r" abbreviation vs. version_compare()
o firmware: opnsense-update: fix failure to clean up the working directory
o firmware: opnsense-update: support -B and -K with -c option check
o firmware: opnsense-update: let -u skip already installed packages set
o firmware: kernel may not be pending so be sure to check on upgrade attempt
o firmware: add an upgrade test for wrong pkg repository
o firmware: revoke 24.7 fingerprint
o installer: fixed missing prompt and help text in ZFS disk selection
o installer: warn on low RAM for ZFS as well
o installer: added a power off option
o intrusion detection: policy content dropdown missing data-container
o ipsec: add log search button in sessions
o ipsec: add banner message when using custom configuration files
o ipsec: fix glob pattern for advanced configuration banner
o ipsec: add deprecation notices for legacy components (will move to plugins)
o ipsec: pre-shared key permission fix
o kea-dhcp: add "v6-only-preferred" option (contributed by darses)
o kea-dhcp: use shared base_bootgrid_table and base_apply_button
o kea-dhcp: add missing ACL privileges
o lang: update available translations
o monit: flag file overwrites when they exist
o network time: take IPv6 addresses into account
o network time: remove support for explicit VIP selection
o network time: move XMLRPC definition to correct file
o openvpn: add validation pertaining to auth-gen-token and reneg-sec combinations
o openvpn: add deprecation notices for legacy components (will move to plugins)
o openvpn: add DCO validation for fragment size
o openvpn: use shared base_bootgrid_table and base_apply_button
o openvpn: add support for assorted options[3] (contributed by Marius Halden)
o openvpn: add basic HTTP client option
o openvpn: add "Enable static challenge (OTP)" option in client export
o router advertisements: move plugin code to its own space
o unbound: cleanup available blocklists and add hagezi blocklists
o unbound: fix root.hits permission on copy
o unbound: flag file overwrites when they exist
o unbound: add support for forward-first when configuring forwarders (contributed by Nigel Jones)
o unbound: use shared base_bootgrid_table and base_apply_button
o unbound: move whitelist (passlist) handling to Unbound plugin
o unbound: drop "exclude" phrase from plugin log entry
o wireguard: change tracking of peer status, improve widget and diagnostic
o wireguard: use shared base_bootgrid_table and base_apply_button
o backend: -m option is unused so remove its complication
o backend: add an "import" rc.syshook facility
o backend: change the "monitor" rc.syshook facility and de-deprecate its use
o backend: remove unused functions and move once-used functions to their call script
o backend: allow pluginctl to filter on -x/-X option
o mvc: implement reusable grid template using form definitions
o mvc: add Default() method to reset a model to its factory defaults
o mvc: fix LegacyMapper when the mount point is not the XML root
o mvc: move explicit cast in BaseModel when calling field->setValue()
o mvc: fields should implement getCurrentValue() rather than __toString()
o mvc: fix value lookup in LinkAddressField
o mvc: memory preservation fix in BaseListField
o mvc: support lazy loading on alias models and use it in NetworkAliasField
o mvc: wrap locks around updates and perform some minor cleanups in ApiMutableModelControllerBase
o mvc: move "lazy loading" option to base model implementation and force usage on run_migrations.php
o mvc: safeguard checkToken() to prevent fetching a non-existing POST item
o mvc: decode HTML tags in menu items
o mvc: fix unit tests for model relation fields
o mvc: merge NetworkValidator into NetworkField to ease extensibility and add unit test
o mvc: send audit messages emitted in the authentication sequence to proper channel
o ui: upgrade Font Awesome icons to version 6
o ui: push search/edit logic towards bootgrid implementation
o ui: improved links with automatic edit and/or search
o ui: rewritten default theme for a light look and new logo
o ui: added default theme variant with a dark look
o ui: header image scaling fixes in default light theme
o ui: remove right border from "aside" element in default dark theme
o ui: upgrade ChartJS to v4
o ui: change backdrop background color to black in dark theme
o ui: create a unified layout partial for the apply button
o plugins: adjust all themes for ChartJS 4 use
o plugins: os-OPNBEcore 1.5
o plugins: os-OPNWAF 1.8
o plugins: os-OPNcentral 1.11
o plugins: os-acme-client 4.9[4]
o plugins: os-caddy 1.8.4[5]
o plugins: os-cpu-microcode 1.1 removes unneeded late loading code
o plugins: os-crowdsec 1.0.9[6]
o plugins: os-ddclient 1.27[7]
o plugins: os-dmidecode 1.2 adds new dashboard widget (contributed by Neil Merchant)
o plugins: os-frr 1.44[8]
o plugins: os-haproxy 4.5[9]
o plugins: os-intrusion-detection-content-pt-open 1.0 (contributed by kulikov-a)
o plugins: os-sftp-backup 1.0 allows configuration backups over SFTP
o plugins: os-tailscale 1.2[10]
o plugins: os-theme-cicada 1.39 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.29 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.49 (contributed by Team Rebellion)
o plugins: os-zabbix-agent 1.15[11]
o plugins: os-zabbix-proxy 1.12[12]
o src: FreeBSD 14.2-RELEASE[13]
o src: bpf: fix potential race conditions
o src: carp: fix checking IPv4 multicast address
o src: e1000: fix vlan PCP/DEI on lem(4)
o src: icmp: use per rate limit randomized jitter
o src: if_vxlan: invoke vxlan_stop event handler only when the interface is configured
o src: if_vxlan: prefer SYSCTL_INT over TUNABLE_INT
o src: if_vxlan: use static initializers
o src: ifconfig: make -vht work
o src: ifnet: detach BPF descriptors on interface vmove event
o src: igc: remove unused register IGC_RXD_SPC_VLAN_MASK
o src: ipfw: add missing initializer for 'limit' table value
o src: ipfw: make 'ipfw show' output compatible with 'ipfw add' command
o src: iwlwifi: update Intel iwlwifi/mvm driver et al
o src: ixgbe: add ixgbe_dev_from_hw() back
o src: ixgbe: fix a logic error in ixgbe_read_mailbox_vf()
o src: ktrace: fix uninitialized memory disclosure
o src: libkern: add ilog2 macro et al
o src: net80211: 11ac: add options to manage VHT STBC
o src: net: if_media for 100BASE-BX
o src: netinet6: do not forward to the unspecified address
o src: netinet: do not forward or ICMP response to INADDR_ANY
o src: netinet: ipsec and ktls cannot coexist
o src: pf: add 'allow-related' to always allow SCTP multihome extra connections
o src: pf: add extra SCTP multihoming probe points
o src: pf: align sanity checks for pfrw_free
o src: pf: allow ICMP messages related to an SCTP state to pass
o src: pf: allow all forms of neighbor advertisements in either direction
o src: pf: cleanup leftover PF_ICMP_MULTI_* code that is not needed anymore
o src: pf: do not keep state when dropping overlapping IPv6 fragments
o src: pf: drop IPv6 packets built from overlapping fragments in pf reassembly
o src: pf: fix fragment hole count
o src: pf: force logging if pf_create_state() fails
o src: pf: only force state failure logging if logging was requested
o src: pf: send ICMP destination unreachable fragmentation needed when appropriate
o src: pf: stop using net_epoch to synchronize access to eth rules
o src: pf: verify SCTP v_tag before updating connection state
o src: pf: verify that ABORT chunks are not mixed with DATA chunks
o src: pfil: set PFIL_FWD for IPv4 forwarding
o src: rtw89: update Realtek rtw88/rtw89 driver et al
o src: sysctl: enable vnet sysctl variables to be loader tunable
o src: tzdata: import tzdata 2025a
o ports: ca_root_nss 3.108[14]
o ports: curl 8.12.1[15]
o ports: dnsmasq 2.91[16]
o ports: expat 2.7.0[17]
o ports: lighttpd 1.4.78[18]
o ports: monit 5.34.4[19]
o ports: nss 3.109[20]
o ports: openssl 3.0.16[21]
o ports: openvpn 2.6.14[22]
o ports: pcre2 10.45[23]
o ports: pecl-radius now offers message authenticator support (scheduled to be enabled with 25.4.2)
o ports: pftop 0.12
o ports: phalcon 5.9.0[24]
o ports: php 8.3.19[25]
o ports: py-duckdb 1.2.1[26]
o ports: py-jq 1.8.0[27]
o ports: radvd 2.20[28]
o ports: suricata 7.0.10[29]

Migration notes, known issues and limitations:

o The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. The integrated authentication via PAM has been the default for a long time so the option to disable it has been removed. The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option. The "page-system-groupmanager-addprivs" privilege was removed since the page does not exist anymore. A multi-purpose privilege editor has been added under the existing "page-system-usermanager-addprivs" instead.
o PPP devices can no longer be configured on the interface settings page. To edit the device settings use the native PPP device edit page instead.

The public key for the 25.4 series is:



Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://docs.opnsense.org/vendor/deciso/userportal.html
[3] https://github.com/opnsense/core/pull/8396
[4] https://github.com/opnsense/plugins/blob/stable/25.1/security/acme-client/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/25.1/security/crowdsec/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/25.1/dns/ddclient/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/25.1/net/frr/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/25.1/net/haproxy/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/25.1/security/tailscale/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/25.1/net-mgmt/zabbix-agent/pkg-descr
[12] https://github.com/opnsense/plugins/blob/stable/25.1/net-mgmt/zabbix-proxy/pkg-descr
[13] https://www.freebsd.org/releases/14.2R/relnotes/
[14] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_108.html
[15] https://curl.se/changes.html#8_12_1
[16] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[17] https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes
[18] https://www.lighttpd.net/2025/3/22/1.4.78/
[19] https://mmonit.com/monit/changes/
[20] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_109.html
[21] https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md
[22] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.14
[23] https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.45
[24] https://github.com/phalcon/cphalcon/releases/tag/v5.9.0
[25] https://www.php.net/ChangeLog-8.php#8.3.19
[26] https://github.com/duckdb/duckdb/releases/tag/v1.2.1
[27] https://github.com/mwilliamson/jq.py/blob/master/CHANGELOG.rst
[28] https://radvd.litech.org/
[29] https://suricata.io/2025/03/25/suricata-7-0-10-released/

SHA256 (OPNsense-business-25.4-dvd-amd64.iso.bz2) = 6b99523d8b8f166ea6fc1e30de3206da8f5184fc36f646d3cefd3b2409930f49
SHA256 (OPNsense-business-25.4-nano-amd64.img.bz2) = 1aa61b516ea61491c3b5c438c7d003d6f0812cc4638ddd767f4fe0e2f89ad0ea
SHA256 (OPNsense-business-25.4-serial-amd64.img.bz2) = d54c59bbfb89282cc5dc7a40b1c0b42b0c616e23f70700c2d2aeb32ab9474509
SHA256 (OPNsense-business-25.4-vga-amd64.img.bz2) = cb95d7cc0ef9c8875173bbaf4bd852c477ff1e1d529387fdb6f08be38041eda6
#9
Announcements / OPNsense 25.1.4 released
March 26, 2025, 02:23:33 PM
Hi there,

This update offers support for "jq" syntax in JSON-based URL table
aliases, new OpenVPN instance features and the mandatory batch of
stability improvements in numerous parts of the GUI and backend.

Upcoming in 25.1.5 are better RADIUS integration and enabling message
authentication.  We are also replacing the captive portal implementation
by moving from ipfw(4) to pf(4).  Last but not least the firewall automation
filter rules GUI received a generous revamp for a far better UX than before.
You can preview these changes by switching to the development release type
and let us know about any remaining bug that you may encounter.

Here are the full patch notes:

o system: add "Kill states when down" option to gateways
o system: stop pushing "nextuid" and "nextgid" during XMLRPC
o system: migrate tunables to implicit defaults
o system: secure access to sysctl configuration node
o system: fix RADIUS error check
o system: add "pwd_changed_at" field previously missing in user model
o system: rewire system_usermanager_passwordmg.php to /ui/user_portal for cooperation with the next business edition
o system: default "net.inet.carp.senderr_demotion_factor" tunable to "0"
o system: opnsense-beep: serialize access to /dev/speaker (contributed by Leonid Evdokimov)
o reporting: minor code cleanups in insight backend
o interfaces: move "(de)select all" button to the same row on packet capture page
o interfaces: add ARP address family option to packet capture
o interfaces: fix advanced mode visibility in VIPs
o firewall: performance improvement by using pf overall table stats instead of dumping each table
o firewall: offer better plug-ability for dynamic alias type
o firewall: alias rename action ignored due to missing lock
o firewall: support "jq" processing syntax for JSON-based URL table aliases
o openvpn: use shared base_bootgrid_table and base_apply_button
o openvpn: add support for assorted options[1] (contributed by Marius Halden)
o openvpn: add basic HTTP client option
o router advertisements: move plugin code to its own space
o unbound: move whitelist (passlist) handling to Unbound plugin
o mvc: merge NetworkValidator into NetworkField to ease extensibility and add unit test
o mvc: send audit messages emitted in the authentication sequence to proper channel
o mvc: BooleanField now defaults to "0" on creation
o plugins: os-caddy 1.8.4[2]
o plugins: os-frr 1.44[3]
o plugins: os-theme-cicada 1.39 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.29 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.49 (contributed by Team Rebellion)
o ports: dnsmasq 2.91[4]
o ports: expat 2.7.0[5]
o ports: lighttpd 1.4.78[6]
o ports: pecl-radius now offers message authenticator support (scheduled to be enabled with 25.1.5)
o ports: phalcon 5.9.0[7]
o ports: php 8.3.19[8]
o ports: py-duckdb 1.2.1[9]
o ports: py-jq 1.8.0[10]
o ports: suricata 7.0.10[11]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/core/pull/8396
[2] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.1/net/frr/pkg-descr
[4] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[5] https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes
[6] https://www.lighttpd.net/2025/3/22/1.4.78/
[7] https://github.com/phalcon/cphalcon/releases/tag/v5.9.0
[8] https://www.php.net/ChangeLog-8.php#8.3.19
[9] https://github.com/duckdb/duckdb/releases/tag/v1.2.1
[10] https://github.com/mwilliamson/jq.py/blob/master/CHANGELOG.rst
[11] https://suricata.io/2025/03/25/suricata-7-0-10-released/
#10
Announcements / OPNsense 25.1.3 released
March 11, 2025, 01:28:44 PM
Short time no see!

This time around a patch from OpenBSD has been added that fixes the
state tracking for ICMPv6 neighbour discovery packets through pf.  The
user management gained a CSV import/export.  Also, the bug of the missing
PPP logs has been fixed in the upstream MPD package.

Please note that the FRR plugin now uses the new configuration file
layout mandated by upstream and also gained reload support.

Since Google Drive is being phased out by Google, a new plugin now
covers backups via SFTP.  The old Google Drive backup functionality
will move to plugins in 25.7 since it will only be useful for existing
installs.

Here are the full patch notes:

o system: implement user CSV import/export functionality (sponsored by: m.a.x. it)
o system: switch boot logo and MOTD to the new-style logo (contributed by Gavin Chappell)
o system: migrate 'default' tunable value to empty one and improve UX
o system: bring back user/group audit messages lost in MVC conversion
o system: replace legacy service widget hook with a proper configd call
o interfaces: use shared base_bootgrid_table and base_apply_button where possible
o interfaces: remove obsolete code in get_real_interfaces() to match getRealInterface()
o interfaces: improve validation for CARP/proxy ARP VIP
o interfaces: remove defunct "other" VIP type
o interfaces: skip "nosync" processing on VIPs
o firewall: support partial alias exports
o kea-dhcp: use shared base_bootgrid_table and base_apply_button
o network time: move XMLRPC definition to correct file
o openvpn: add DCO validation for fragment size
o unbound: use shared base_bootgrid_table and base_apply_button
o unbound: fix model migration pertaining to "dots" model changes
o wireguard: use shared base_bootgrid_table and base_apply_button
o backend: allow pluginctl to filter on -x/-X option
o mvc: decode HTML tags in menu items
o mvc: fix unit tests for model relation fields
o plugins: os-caddy 1.8.3[1]
o plugins: os-dmidecode 1.2 adds new dashboard widget (contributed by Neil Merchant)
o plugins: os-frr 1.43[2]
o plugins: os-intrusion-detection-content-pt-open 1.0 (contributed by kulikov-a)
o plugins: os-sftp-backup 1.0 allows configuration backups over SFTP
o plugins: os-zabbix-agent 1.15[3]
o plugins: os-zabbix-proxy 1.12[4]
o src: carp: fix checking IPv4 multicast address
o src: icmp: use per rate limit randomized jitter
o src: ixgbe: fix a logic error in ixgbe_read_mailbox_vf()
o src: netinet6: do not forward to the unspecified address
o src: netinet: do not forward or ICMP response to INADDR_ANY
o src: netinet: ipsec and ktls cannot coexist
o src: pf: align sanity checks for pfrw_free
o src: pf: allow all forms of neighbor advertisements in either direction
o src: pf: cleanup leftover PF_ICMP_MULTI_* code that is not needed anymore
o src: pf: do not keep state when dropping overlapping IPv6 fragments
o src: pf: drop IPv6 packets built from overlapping fragments in pf reassembly
o src: pf: fix fragment hole count
o src: sysctl: enable vnet sysctl variables to be loader tunable
o ports: mpd default logging level increased to LOG_NOTICE
o ports: nss 3.109[5]
o ports: pftop 0.12
o ports: py-jinja 3.1.6[6]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.1/net/frr/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.1/net-mgmt/zabbix-agent/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.1/net-mgmt/zabbix-proxy/pkg-descr
[5] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_109.html
[6] https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6
#11
Announcements / OPNsense 25.1.2 released
February 28, 2025, 11:49:04 AM
Hey all,

This was supposed to hit earlier this week, but some weeks are like this
one now where QA takes more time than usual.  Of note is the move of Dnsmasq
to MVC and the ChartJS update to version 4 which is bundled with nice updates
for widgets and the system health graphs.

The roadmap for 25.7 was also published[1].  The IPsec and OpenVPN legacy
parts will move to the plugins so that the functionality can live there
in community support tier.  Since Kea remains a bit of an odd choice we will
be offering DHCP support via Dnsmasq as a new standard feature which also
offers seamless DHCP lease registration some people keep looking for.

Here are the full patch notes:

o system: adjust gateway widget to use the intended caching mechanism
o system: thermal sensors widget can now select individual sensors to display plus UX changes
o system: handle dev.pchtherm temperatures in the thermal dashboard widget (contributed by Joe Roback)
o system: use new apply button partial in tunables page
o system: move high availability option "disable preempt" to advanced mode
o system: straighten out syslog-ng rc.d scripting
o reporting: switch health graphs to ChartJS
o interfaces: add "nosync" option to VIPs and fix sync conditional
o interfaces: exclude automatic radvd like we do for manual
o firewall: properly unpack multiple source/destination items in the rules page
o firewall: hide internal aliases to align with previous legacy_list_aliases() function
o firewall: add missing "persist" on bogonsv6
o captive portal: urlencode() selector items in voucher group list
o dhcrelay: integrate layout_partials bootgrid/apply
o dnsmasq: migrate existing frontend to MVC/API
o ipsec: add deprecation notices for legacy components (will move to plugins)
o kea-dhcp: add "v6-only-preferred" option (contributed by darses)
o openvpn: add deprecation notices for legacy components (will move to plugins)
o openvpn: support "password first" for static-challenges
o unbound: add support for forward-first when configuring forwarders (contributed by Nigel Jones)
o wireguard: change tracking of peer status, improve widget and diagnostic
o backend: add an "import" rc.syshook facility
o backend: change the "monitor" rc.syshook facility and de-deprecate its use
o backend: remove unused functions and move once-used functions to their call script
o mvc: wrap locks around updates and perform some minor cleanups in ApiMutableModelControllerBase
o mvc: move "lazy loading" option to base model implementation and force usage on run_migrations.php
o mvc: safeguard checkToken() to prevent fetching a non-existing POST item
o ui: upgrade ChartJS to v4
o ui: change backdrop background color to black in dark theme
o ui: create a unified layout partial for the apply button
o plugins: adjust all themes for ChartJS 4 use
o plugins: treat empty string like null on argument map
o plugins: os-acme-client 4.9[2]
o src: ipfw: make 'ipfw show' output compatible with 'ipfw add' command
o src: pf: stop using net_epoch to synchronize access to eth rules
o src: e1000: fix vlan PCP/DEI on lem(4)
o src: igc: remove unused register IGC_RXD_SPC_VLAN_MASK
o src: ifnet: detach BPF descriptors on interface vmove event
o src: libkern: add ilog2 macro et al
o src: ipfw: add missing initializer for 'limit' table value
o src: pf: add extra SCTP multihoming probe points
o src: pf: verify SCTP v_tag before updating connection state
o src: pf: verify that ABORT chunks are not mixed with DATA chunks
o src: pf: allow ICMP messages related to an SCTP state to pass
o src: pf: add 'allow-related' to always allow SCTP multihome extra connections
o src: bpf: fix potential race conditions
o src: net: if_media for 100BASE-BX
o src: rtw89: update Realtek rtw88/rtw89 driver et al
o src: net80211: 11ac: add options to manage VHT STBC
o src: ifconfig: make -vht work
o src: iwlwifi: update Intel iwlwifi/mvm driver et al
o src: ixgbe: add ixgbe_dev_from_hw() back
o ports: ca_root_nss / nss 3.108[3]
o ports: curl 8.12.1[4]
o ports: openssh-portable 9.9p2[5]
o ports: php83 8.3.17[6]
o ports: py-duckdb 1.2.0[7]


Stay safe,
Your OPNsense team

--
[1] https://opnsense.org/about/road-map/
[2] https://github.com/opnsense/plugins/blob/stable/25.1/security/acme-client/pkg-descr
[3] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_108.html
[4] https://curl.se/changes.html#8_12_1
[5] https://www.openssh.com/txt/release-9.9p2
[6] https://www.php.net/ChangeLog-8.php#8.3.17
[7] https://github.com/duckdb/duckdb/releases/tag/v1.2.0
#12
Announcements / OPNsense 25.1.1 released
February 12, 2025, 02:38:34 PM
Hello,

Here we are with further refinements to 25.1 and it is looking
pretty good so far.  Included are the recent FreeBSD security
advisories and the OpenSSL 3.0.16 which came out just yesterday.

The roadmap for 25.7 is being worked on at the moment and should
be ready for publication next week / release.

Here are the full patch notes:

o system: exclude pchtherm temperature thresholds
o system: regression in groupAllowed() as values are now comma-separated
o system: update button wording on new HA status page
o reporting: fix missing typecast in epoch range for DNS statistics
o interfaces: fix undefined array key warnings in DHCP client setup (contributed by Ben Smithurst)
o interfaces: remove "hellotime" configuration leftover of recent bridge cleanup
o firmware: opnsense-update: fix failure to clean up the working directory
o firmware: opnsense-update: support -B and -K with -c option check
o firmware: opnsense-update: let -u skip already installed packages set
o firmware: kernel may not be pending so be sure to check on upgrade attempt
o firmware: add an upgrade test for wrong pkg repository
o firmware: revoke 24.7 fingerprint
o captive portal: fix missing class import
o captive portal: partially revert new lighttpd TLS defaults
o ipsec: fix glob pattern for advanced configuration banner
o monit: revert "wrap exec in double quotes to allow arguments"
o ui: reverted style changes only relevant for the development version
o ui: header image scaling fixes in default light theme
o ui: remove right border from "aside" element in default dark theme
o plugins: os-caddy 1.8.2[1]
o plugins: os-crowdsec 1.0.9[2]
o plugins: os-ddclient 1.27[3]
o src: pf: send ICMP destination unreachable fragmentation needed when appropriate
o src: pfil: set PFIL_FWD for IPv4 forwarding
o src: if_vxlan: use static initializers
o src: if_vxlan: prefer SYSCTL_INT over TUNABLE_INT
o src: if_vxlan: invoke vxlan_stop event handler only when the interface is configured
o src: pf: force logging if pf_create_state() fails
o src: tarfs: fix the size of struct tarfs_fid and add a static assert
o src: ext2fs: fix the size of struct ufid and add a static assert
o src: cd9660: make sure that struct ifid fits in generic filehandle structure
o src: tzdata: import tzdata 2025a
o src: audit: fix short-circuiting in syscallenter()
o src: ktrace: fix uninitialized memory disclosure
o src: netinet: enter epoch in garp_rexmit()
o ports: curl 8.12.0[4]
o ports: monit 5.34.4[5]
o ports: openssl 3.0.16[6]
o ports: pcre2 10.45[7]
o ports: php 8.3.16[8]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.1/security/crowdsec/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.1/dns/ddclient/pkg-descr
[4] https://curl.se/changes.html#8_12_0
[5] https://mmonit.com/monit/changes/
[6] https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md
[7] https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.45
[8] https://www.php.net/ChangeLog-8.php#8.3.16
#13
This business release is based on the OPNsense 24.7.12 community version
with additional reliability improvements.

Here are the full patch notes:

o system: add a "time-loop" around authentication for failed attempts
o system: remove the SSL bundles in default locations
o system: prevent JS crashing out when dashboard widget title is not set
o system: use system instead of sample defaults when reverting tunables
o system: report actual LAN address being used after factory reset
o system: fix TOTP regression when used with LDAP
o system: show multiple SAN entries when supplied by the certificate
o system: traffic dashboard widget should persist interface identifiers
o system: reset dashboard widget options to the default if none of the options match
o system: mismatch in returned "change" attribute for route toggle
o system: suppress XML parse errors in announcement widget when forum is unreachable
o system: catch PHP errors for Google Drive backups
o system: ignore plugins_interfaces() errors in write_config()
o system: fix snapshot ACL
o system: re-enable support for subjectAltName when creating CSRs
o system: remove spurious backup() during config revert
o reporting: add daemon -f parameter to close file descriptors for NetFlow local capture (contributed by Ben Smithurst)
o interfaces: use Autoconf class to avoid raw ifctl file access
o interfaces: remove ancient MAC address trickery to unbreak hostapd
o interfaces: add missing neighbor and DNS lookup page ACL entries
o interfaces: PPP device page ACL missed getserviceproviders.php
o interfaces: reload GUI in the background
o dhcp: allow radvd to use /128 CARP VIP as source
o firewall: remove faulty PPP exclusion in scrubbing rule creation
o firmware: improved output helpers and associated cleanup in audit scripts
o firmware: opnsense-update: add support for regression tests set
o firmware: add "configctl firmware changelog current" backend command
o firmware: refactor lock/unlock scripts using new output helpers
o firmware: opnsense-code: support for origin selection during upgrade mode
o firmware: opnsense-patch: improve patch behaviour for non-default account/repositories combinations
o firmware: fix the return value handling in the firmware option of the console menu
o firmware: use output_cmd/output_txt helpers in remaining scripts
o firmware: disable duckdb migration for stable transition again
o intrusion detection: limit stats.log logging (contributed by doktornotor)
o ipsec: remove hashing algorithm from null cipher
o ipsec: fix mobile clients reload missing system.inc
o isc-dhcp: IPv6 prefixes script can fail to restart (contributed by Ben Smithurst)
o kea-dhcp: add dhcp-socket-type option (contributed by Till Niederauer)
o kea-dhcp: add MAC formatter to leases page (contributed by cpalv)
o kea-dhcp: align hostname validation with manual host entries
o kea-dhcp: add "match-client-id" in subnet definitions
o openvpn: support case-insensitive strict user CN matching for instances
o unbound: move domain overrides to query forwarding
o unbound: use tls-cert-bundle to point to remaining valid bundle
o unbound: fixup permission on copy
o mvc: let JsonKeyValueStoreField cache configd call for the duration of the session
o mvc: another batch of sessionClose() cleanups in controllers
o mvc: cleanup in ApiMutableServiceControllerBase
o mvc: fix hint display for "0"
o mvc: last batch of sessionClose() cleanups in controllers
o mvc: call initialize() after authentication
o mvc: normalize multiple slashes in paths
o mvc: fix a regression in "normalize multiple slashes in paths"
o mvc: add serialNumber and issuer in Store::parseX509()
o mvc: restore support for JSON input data without configd callout in JsonKeyValueStoreField
o mvc: fix NetworkValidator for IPv4-mapped addresses with netmask (contributed by John Fieber)
o ui: restore right tab border in standard theme
o ui: add classes to system history diff content so themes can override the defaults
o ui: load CSV as text to prevent encoding issues in SimpleFileUploadDlg()
o plugins: turning binary data into JSON may fail globally
o plugins: os-acme-client 4.7[1]
o plugins: os-caddy 1.8.0[2]
o plugins: os-ddclient 1.26[3]
o plugins: os-debug 1.7[4]
o plugins: os-freeradius 1.9.27[5]
o plugins: os-haproxy 4.4[6]
o plugins: os-mdns-repeater 1.2[7]
o plugins: os-nut 1.9[8]
o plugins: os-qemu-guest-agent 1.3[9]
o plugins: os-squid 1.1[10]
o plugins: os-tailscale 1.1[11] (contributed by Sheridan Computers)
o plugins: os-telegraf 1.12.12[12]
o plugins: os-theme-rebellion 1.9.2 (contributed by Team Rebellion)
o src: atf/kyua: ship regression tests runtime support
o src: if_bridge: mask MEXTPG if some members do not support it
o src: if_tuntap: enable MEXTPG support
o src: ice: update to 1.43.2-k et al
o src: ipsec: fix IPv6 over IPv4 tunneling
o src: ixgbe: add support for 1Gbit (active) DAC links
o src: ixgbe: sysctl for TCP flag handling during TSO
o src: jail: expose children.max and children.cur via sysctl
o src: libfetch: add the error number to verify callback failure case
o src: netlink: assorted stable backports
o src: pf: prevent SCTP-based NULL dereference in pfi_kkif_match()
o src: pf: let rdr rules modify the src port if doing so would avoid a conflict
o src: pf: make pf_get_translation() more expressive
o src: pf: let pf_state_insert() handle redirect state conflicts
o src: pf: fix wrong pflog action in NAT rule
o src: rc: ignore INSYDE BIOS placeholder UUID for /etc/hostid
o src: route: fix failure to add an interface prefix route when a route with the same prefix is already present in the routing table
o src: route: avoid overlapping strcpy
o src: sfxge: defer ether_ifattach to when ifmedia_init is done
o src: netlink: allow force remove on pinned delete from route binary
o src: if_ovpn: improve reconnect handling
o src: iflib: set the NUMA domain in receive packet headers
o src: ip: defer checks for an unspecified dstaddr until after pfil hooks
o src: ice_ddp: update to 1.3.41.0
o src: p9fs: add an implementation of the 9P filesystem
o src: tarfs: fix the size of struct tarfs_fid and add a static assert
o src: ext2fs: fix the size of struct ufid and add a static assert
o src: cd9660: make sure that struct ifid fits in generic filehandle structure
o src: audit: fix short-circuiting in syscallenter()
o src: svc.c: check for a non-NULL xp_socket
o src: carp: do not unintentionally revert to multicast mode
o src: netinet: enter epoch in garp_rexmit()
o ports: curl 8.11.1[13]
o ports: expat 2.6.4[14]
o ports: libpfctl 0.15
o ports: monit 5.34.3[15]
o ports: nss 3.107[16]
o ports: openldap 2.6.9[17]
o ports: openvpn 2.6.13[18]
o ports: php 8.2.27[19]
o ports: python 3.11.11[20]
o ports: sudo 1.9.16p2[21]
o ports: suricata 7.0.8[22]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/24.7/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/24.7/dns/ddclient/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/24.7/devel/debug/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/24.7/net/freeradius/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/24.7/net/haproxy/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/24.7/net/mdns-repeater/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/24.7/sysutils/nut/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/24.7/emulators/qemu-guest-agent/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/24.7/www/squid/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/24.7/security/tailscale/pkg-descr
[12] https://github.com/opnsense/plugins/blob/stable/24.7/net-mgmt/telegraf/pkg-descr
[13] https://curl.se/changes.html#8_11_1
[14] https://github.com/libexpat/libexpat/blob/R_2_6_4/expat/Changes
[15] https://mmonit.com/monit/changes/
[16] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_107.html
[17] https://www.openldap.org/software/release/changes.html
[18] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.13
[19] https://www.php.net/ChangeLog-8.php#8.2.27
[20] https://docs.python.org/release/3.11.11/whatsnew/changelog.html
[21] https://www.sudo.ws/stable.html#1.9.16p2
[22] https://suricata.io/2024/12/12/suricata-7-0-8-released/
#14
Announcements / OPNsense 25.1 released
January 29, 2025, 01:14:58 PM
Hi there,

For an entire decade now, OPNsense has been driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.

25.1, nicknamed "Ultimate Unicorn", features numerous MVC/API conversions,
improved security zones support and documentation, ZFS snapshot support,
a new UI look with a light and dark theme, PHP 8.3, FreeBSD 14.2 plus much
more.

Download links, an installation guide[1] and the checksums for the images
can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/25.1/
o US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.1/
o South America: http://mirror.ueb.edu.ec/opnsense/releases/25.1/
o East Asia: https://mirror.ntct.edu.tw/opnsense/releases/25.1/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against version 24.7.12:

o system: migrate user, group and privilege management to MVC/API
o system: remove the "disable integrated authentication" feature
o system: add "Default groups" option to add standard groups when a LDAP/RADIUS user logs in
o system: remove the old manual LDAP importer
o system: migrate HA status page to MVC/API
o system: allow custom additions to sshd_config (contributed by Neil Greatorex)
o system: increase max-request-field-size for web GUI
o system: set tunable default for checksum offloading of the vtnet(4) driver to disabled (contributed by Patrick M. Hausen)
o system: add support for RFC 5549 routes and refactor static route creation code
o system: improve notification support to also allow persistent notifications and static banners
o system: add notifications for low disk space and OpenSSH file override use
o system: migrate tunables page to MVC/API
o system: switch to temperature sensor caching
o system: add certificate widget to track expiration dates and allow quick renewal
o system: remove deprecated "page-getserviceprovider", "page-dashboard-all" and "page-system-groupmanager-addprivs" privileges
o system: replace file_get_contents() with curl implementation in XMLRPC sync and add verifypeer option
o system: add item edit links to several dashboard widgets
o system: prioritize index page and prevent redirection to a /api page on login
o system: mute disk space status in case of live install media
o system: optimize system status collection
o interfaces: adhere to DAD during VIP recreation in rc.newwanipv6
o interfaces: remove non-functional features from bridges
o interfaces: remove PPP edit in interfaces settings
o interfaces: batched device type creation under "devices" submenu
o interfaces: move PPP and wireless logs to system log
o interfaces: remove "Use IPv4 connectivity" setting as it will be set by default
o firewall: use "skip lo0" instead of policing lo0 explicitly following OpenBSD best practice
o firewall: remove duplicate table definition and make sure bogonsv6 table always exists
o firewall: cleanup of CARP and IPv6 rules behaviour
o firewall: filter feature parity in automation rules
o firewall: offer multi-select on source and destination addresses
o firewall: add experimental inline shaper support to filter rules
o firewall: add missing columns on one-to-one NAT page
o firewall: fix unassociated rule creation
o firewall: fix anti-lockout and "allow access to DHCP failover" automatic rules
o firewall: add optional authorization for URL type aliases
o firewall: add "URL Table in JSON format (IPs)" alias type
o dnsmasq: update ICANN Trust Anchor (contributed by Loganaden Velvindron)
o firmware: fix "r" abbreviation vs. version_compare()
o installer: fixed missing prompt and help text in ZFS disk selection
o installer: warn on low RAM for ZFS as well
o installer: added a power off option
o intrusion detection: policy content dropdown missing data-container
o intrusion detection: cleanse metadata for brackets
o ipsec: add log search button in sessions
o ipsec: add banner message when using custom configuration files
o kea-dhcp: add "match-client-id" in subnet definitions
o lang: update available translations
o monit: wrap exec in double quotes to allow arguments (contributed by Nikita Uvarov)
o monit: flag file overwrites when they exist
o network time: take IPv6 addresses into account
o network time: remove support for explicit VIP selection
o openvpn: add validation pertaining to auth-gen-token and reneg-sec combinations
o unbound: cleanup available blocklists and add hagezi blocklists
o unbound: fix root.hits permission on copy
o unbound: flag file overwrites when they exist
o backend: -m option is unused so remove its complication
o mvc: implement reusable grid template using form definitions
o mvc: add Default() method to reset a model to its factory defaults
o mvc: fix LegacyMapper when the mount point is not the XML root
o mvc: move explicit cast in BaseModel when calling field->setValue()
o mvc: fields should implement getCurrentValue() rather than __toString()
o mvc: fix value lookup in LinkAddressField
o mvc: memory preservation fix in BaseListField
o mvc: support lazy loading on alias models and use it in NetworkAliasField
o mvc: fix NetworkValidator for IPv4-mapped addresses with netmask (contributed by John Fieber)
o ui: upgrade Font Awesome icons to version 6
o ui: push search/edit logic towards bootgrid implementation
o ui: improved links with automatic edit and/or search
o ui: rewritten default theme for a light look and new logo
o ui: added default theme variant with a dark look
o plugins: turning binary data into JSON may fail globally
o plugins: os-acme-client 4.8[2]
o plugins: os-caddy 1.8.1[3]
o plugins: os-cpu-microcode 1.1 removes unneeded late loading code
o plugins: os-haproxy 4.5[4]
o plugins: os-tailscale 1.2[5]
o src: FreeBSD 14.2-RELEASE[6]
o src: p9fs: add an implementation of the 9P filesystem
o ports: lighttpd 1.4.77[7]
o ports: openvpn 2.6.13[8]
o ports: php 8.3.15[9]
o ports: radvd 2.20[10]

Migration notes, known issues and limitations:

o The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. The integrated authentication via PAM has been the default for a long time so the option to disable it has been removed. The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option. The "page-system-groupmanager-addprivs" privilege was removed since the page does not exist anymore. A multi-purpose privilege editor has been added under the existing "page-system-usermanager-addprivs" instead.
o PPP devices can no longer be configured on the interface settings page. To edit the device settings use the native PPP device edit page instead.
o FreeBSD 14.2 comes with the stock pf(4) behaviour regarding ICMPv6 neighbour discovery state tracking which was avoided so far in 24.7.x.
o Let's Encrypt ends support for the OCSP Must Staple extension on 30.01.2025. Issuance requests will fail if this option is still enabled past this date.

The public key for the 25.1 series is:

-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----


Stay safe,
Your OPNsense team

--
SHA256 (OPNsense-25.1-dvd-amd64.iso.bz2) = 68efe0e5c20bd5fbe42918f000685ec10a1756126e37ca28f187b2ad7e5889ca
SHA256 (OPNsense-25.1-nano-amd64.img.bz2) = a51e4499df6394042ad804daa8e376c291e8475860343a0a44d93d8c8cf4636e
SHA256 (OPNsense-25.1-serial-amd64.img.bz2) = 57c05e935790f9b2b800a19374948284889988741cfbaf6fae7600f7a4451022
SHA256 (OPNsense-25.1-vga-amd64.img.bz2) = 89fcf5bdb1d2ea2ea6ba4cdc1268ea0a1e22b944330d7bee0711c8630cc905af

[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/blob/stable/25.1/security/acme-client/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.1/net/haproxy/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.1/security/tailscale/pkg-descr
[6] https://www.freebsd.org/releases/14.2R/relnotes/
[7] https://www.lighttpd.net/2025/1/10/1.4.77/
[8] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.13
[9] https://www.php.net/ChangeLog-8.php#8.3.15
[10] https://radvd.litech.org/
#15
Announcements / OPNsense 25.1-RC2 released
January 24, 2025, 12:52:53 PM
What up!

Just a small update to ship the latest changes and fixes.  The anti-lockout
not working was finally addressed.  Thanks for all the valuable feedback on
the forum!

Here are the full patch notes against version 25.1-RC1:

o system: prioritize index page and prevent redirection to a /api page on login
o system: mute disk space status in case of live install media
o system: optimize system status collection
o firewall: add experimental inline shaper support to filter rules
o firewall: add missing columns on one-to-one NAT page
o firewall: fix unassociated rule creation
o firewall: fix anti-lockout and "allow access to DHCP failover" automatic rules
o firewall: add optional authorization for URL type aliases
o installer: fixed missing prompt and help text in ZFS disk selection
o installer: warn on low RAM for ZFS as well
o installer: added a power off option
o intrusion detection: policy content dropdown missing data-container
o intrusion detection: cleanse metadata for brackets
o ipsec: add banner message when using custom configuration files
o monit: flag file overwrites when they exist
o openvpn: add validation pertaining to auth-gen-token and reneg-sec combinations
o unbound: cleanup available blocklists and add hagezi blocklists
o unbound: flag file overwrites when they exist
o mvc: fix NetworkValidator for IPv4-mapped addresses with netmask (contributed by John Fieber)
o plugins: turning binary data into JSON may fail globally
o plugins: os-caddy 1.8.1[1]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
#16
Announcements / OPNsense 25.1-RC1 released
January 22, 2025, 12:20:28 PM
Hey all,

The 25.1 series is nigh!  This offers images based on an RC1 state with
stable packages and online upgrades for the development version of 24.7.
We will likely release a small RC2 online update in the near future.
The final release date for 25.1 is January 29.

https://pkg.opnsense.org/releases/25.1/

Here are the full patch notes against version 24.7.12:

o system: migrate user, group and privilege management to MVC/API
o system: remove the "disable integrated authentication" feature
o system: add "Default groups" option to add standard groups when a LDAP/RADIUS user logs in
o system: remove the old manual LDAP importer
o system: migrate HA status page to MVC/API
o system: allow custom additions to sshd_config (contributed by Neil Greatorex)
o system: increase max-request-field-size for web GUI
o system: set tunable default for checksum offloading of the vtnet(4) driver to disabled (contributed by Patrick M. Hausen)
o system: add support for RFC 5549 routes and refactor static route creation code
o system: improve notification support to also allow persistent notifications and static banners
o system: add notifications for low disk space and OpenSSH file override use
o system: migrate tunables page to MVC/API
o system: switch to temperature sensor caching
o system: add certificate widget to track expiration dates and allow quick renewal
o system: remove deprecated "page-getserviceprovider", "page-dashboard-all" and "page-system-groupmanager-addprivs" privileges
o system: replace file_get_contents() with curl implementation in XMLRPC sync and add verifypeer option
o system: add item edit links to several dashboard widgets
o interfaces: adhere to DAD during VIP recreation in rc.newwanipv6
o interfaces: remove non-functional features from bridges
o interfaces: remove PPP edit in interfaces settings
o interfaces: batched device type creation under "devices" submenu
o interfaces: move PPP and wireless logs to system log
o interfaces: remove "Use IPv4 connectivity" setting
o firewall: use "skip lo0" instead of policing lo0 explicitly following OpenBSD best practice
o firewall: remove duplicate table definition and make sure bogonsv6 table always exists
o firewall: cleanup of CARP and IPv6 rules behaviour
o firewall: filter feature parity in automation rules
o firewall: experimental dummynet support in rules
o firewall: offer multi-select on source and destination addresses
o dnsmasq: update ICANN Trust Anchor (contributed by Loganaden Velvindron)
o ipsec: add log search button in sessions
o kea-dhcp: add 'match-client-id' in subnet definitions
o lang: update available translations
o monit: wrap exec in double quotes to allow arguments (contributed by Nikita Uvarov)
o network time: take IPv6 addresses into account
o network time: remove support for explicit VIP selection
o unbound: fix root.hits permission on copy
o backend: -m option is unused so remove its complication
o mvc: implement reusable grid template using form definitions
o mvc: add Default() method to reset a model to its factory defaults
o mvc: fix LegacyMapper when the mount point is not the XML root
o mvc: move explicit cast in BaseModel when calling field->setValue()
o mvc: fields should implement getCurrentValue() rather than __toString()
o mvc: fix value lookup in LinkAddressField
o mvc: memory preservation fix in BaseListField
o mvc: support lazy loading on alias models and use it in NetworkAliasField
o ui: upgrade Font Awesome icons to version 6
o ui: push search/edit logic towards bootgrid implementation
o ui: improved links with automatic edit and/or search
o ui: rewritten default theme for a light look and new logo
o ui: added default theme variant with a dark look
o plugins: os-acme-client 4.8[1]
o plugins: os-cpu-microcode 1.1 removes unneeded late loading code
o plugins: os-haproxy 4.5[2]
o src: FreeBSD 14.2-RELEASE[3]
o src: p9fs: add an implementation of the 9P filesystem
o ports: lighttpd 1.4.77[4]
o ports: openvpn 2.6.13[5]
o ports: php 8.3.15[6]
o ports: radvd 2.20[7]

Migration notes, known issues and limitations:

o The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. The integrated authentication via PAM has been the default for a long time so the option to disable it has been removed. The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option. The "page-system-groupmanager-addprivs" privilege was removed since the page does not exist anymore. A multi-purpose privilege editor has been added under the existing "page-system-usermanager-addprivs" instead.
o PPP devices can no longer be configured on the interface settings page. To edit the device settings use the native PPP device edit page instead.
o FreeBSD 14.2 comes with the stock pf(4) behaviour regarding ICMPv6 neighbour discovery state tracking which was avoided so far in 24.7.x.
o Instead of using stateful tracking on lo0 the system changes to not filter lo0 anymore as is considered best practice. The change is equivalent in concept, but may interfere with local connectivity in edge cases.
o Let's Encrypt ends support for the OCSP Must Staple extension on 30.01.2025. Issuance requests will fail if this option is still enabled past this date.

The public key for the 25.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsnbyFjWXvUcUC4BqnQ9w
uH3yiaG7AY8UzwepXf2TqqOYt5Y0USbse3OBjxYnRs0iW5EHtdKSRcmelup374Hp
XDDeQ/mjmhhnvXryfQL57gyVpYeL5gRVhf/2DwEZELLCFUFhMNh52QPaJ5zTvdws
m1Q+OwI1WfTDR7ytm+0Too2tVerG3mM3XataZ+XOKwHp2xP0Mr8E4F+PZdR4hWbb
yC2elIzICXDWWpcEEg4JT48TIYZJPGnE2IJAzWRntrqVU2eLcEn5MffwTawXNoCZ
mvLYqguYskmeR/dAL7ZmZcPeMeibXMtld8xIZp49g7DPq7PqxCY1wxcgeuZPFOHv
kbYzL3BHbyni3K/qdLXKzy8oZeUUvlbUgaj8Xx14DSiNzJDknNf0Xg/eby7MkzgP
eUXgtB0MRQMih85BfaiH5r+uQMgPKnjutVWR8qUWglxDKIc4s69b8PXylfu2FwiP
iKMBdO8xnVvNFKOkuaUtI31cqxauw2hBAlILFvltM+adUz2rfB3Ch0bjfjDE5Hxq
En4fEUVHgQCu+Ojyyy3/8RwUpsRZq05fObypyeL3E/MvlwpaOVjwvw2ozVPGi2zi
xmXemn5CbgjD3vPR9XERXrFkHTwPnIiqz53znqn34P+NGEgD1veMhZPE6OGZRu/h
IfceSaxJ/An5SUh0zr7YgOsCAwEAAQ==
-----END PUBLIC KEY-----

Please let us know about your experience!


Stay safe,
Your OPNsense team

--
SHA256 (OPNsense-25.1.r1-dvd-amd64.iso.bz2) = dbd65194b02dfda2abe0542c8660c5a8d5311719448fbacf8e7e08b260c90e15
SHA256 (OPNsense-25.1.r1-nano-amd64.img.bz2) = 1600a1b26114aec1e99653efed1dddf1869bddfa422d8e85ad34a1acf2e3e4fc
SHA256 (OPNsense-25.1.r1-serial-amd64.img.bz2) = ff709c926bd097bb52726944cde2c3363386d5062765bd4a75cce9009353f853
SHA256 (OPNsense-25.1.r1-vga-amd64.img.bz2) = 9cdb74c9f43f9ee6eb66fbe3ad8b4050938273e053872e063b1bc73cedcd6410

[1] https://github.com/opnsense/plugins/blob/stable/25.1/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.1/net/haproxy/pkg-descr
[3] https://www.freebsd.org/releases/14.2R/relnotes/
[4] https://www.lighttpd.net/2025/1/10/1.4.77/
[5] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.13
[6] https://www.php.net/ChangeLog-8.php#8.3.15
[7] https://radvd.litech.org/
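The OCSP Must Staple caveat in the 25.1 and 25.1-RC1 migration notes above has a concrete check behind it: a certificate asks for stapling through the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) listing feature number 5, status_request. The Python below is an added example and not OPNsense, ACME client or Let's Encrypt code; it walks a DER certificate for that extension using only the standard library. The DER blobs embedded in it are hand-constructed extension blocks for demonstration, not real certificates.

```python
"""Detect the RFC 7633 TLS Feature extension ("OCSP Must Staple") in a
DER or PEM X.509 certificate with the standard library only.

Added example for these release notes; not OPNsense, acme.sh or
Let's Encrypt code. The SAMPLE_* blobs are constructed extension blocks,
not real certificates."""
import base64
import sys

# OID 1.3.6.1.5.5.7.1.24 (id-pe-tlsfeature) as DER content bytes
TLS_FEATURE_OID_DER = bytes.fromhex("2b06010505070118")
STATUS_REQUEST = 5  # TLS extension type "status_request" (OCSP stapling)

# Constructed sample: a [3] EXPLICIT Extensions block holding basicConstraints
# (2.5.29.19, empty) and a TLS Feature extension listing status_request (5).
SAMPLE_WITH_MUST_STAPLE = bytes.fromhex(
    "a320"
    "301e"
    "3009" "0603551d13" "04023000"
    "3011" "06082b06010505070118" "0405" "3003" "020105"
)
# Constructed sample: the same block without the TLS Feature extension.
SAMPLE_WITHOUT_MUST_STAPLE = bytes.fromhex(
    "a30d" "300b" "3009" "0603551d13" "04023000"
)


def _read_tlv(data, pos):
    """Parse one DER TLV at data[pos]; return (tag, value, next_pos).
    Single-byte tags only, which is all X.509 uses."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the length-of-length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _iter_constructed(data):
    """Yield the content of every constructed element, depth-first, so the
    Extensions SEQUENCE is found wherever it sits inside the TBSCertificate."""
    pos = 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        if tag & 0x20:  # constructed: SEQUENCE, SET, EXPLICIT [n] wrappers
            yield value
            yield from _iter_constructed(value)


def find_tls_features(der):
    """Return the feature numbers listed in the TLS Feature extension,
    or None when the certificate does not carry that extension."""
    for content in _iter_constructed(der):
        if not content:
            continue
        tag, value, pos = _read_tlv(content, 0)
        if tag != 0x06 or value != TLS_FEATURE_OID_DER:
            continue
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
        #                          extnValue OCTET STRING }
        tag, extn_value, pos = _read_tlv(content, pos)
        if tag == 0x01:  # optional 'critical' flag present, skip it
            tag, extn_value, pos = _read_tlv(content, pos)
        if tag != 0x04:
            raise ValueError("malformed TLS Feature extension")
        # extnValue wraps Features ::= SEQUENCE OF INTEGER
        tag, seq, _ = _read_tlv(extn_value, 0)
        if tag != 0x30:
            raise ValueError("malformed TLS Feature value")
        features = []
        inner = 0
        while inner < len(seq):
            tag, value, inner = _read_tlv(seq, inner)
            if tag == 0x02:
                features.append(int.from_bytes(value, "big", signed=True))
        return features
    return None


def must_staple_enabled(der):
    """True when the certificate demands OCSP stapling (status_request)."""
    features = find_tls_features(der)
    return features is not None and STATUS_REQUEST in features


def pem_to_der(pem):
    """Strip PEM armour and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
        der = pem_to_der(raw.decode()) if raw.startswith(b"-----") else raw
    else:
        der = SAMPLE_WITH_MUST_STAPLE
    print("TLS features:", find_tls_features(der),
          "must-staple:", must_staple_enabled(der))
```

Run it with a PEM or DER certificate file as the first argument; if it reports must-staple True for a certificate renewed via Let's Encrypt, the Must Staple option has to be switched off in the ACME client before the next renewal, otherwise issuance fails past the date given in the notes.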
#17
Announcements / OPNsense 24.7.12 released
January 15, 2025, 03:12:24 PM
Howdy!

One last stable update before the switch to the 25.1 series.
Security-wise it has been rather quiet over the past few weeks.
A new kernel is included with a number of smaller reliability
fixes and amendments.

The 25.1-RC1 images follow next week based on a full build
using FreeBSD 14.2.  Thanks all for testing the beta version so
far!  The release date for the final 25.1 version is January 29.

Here are the full patch notes:

o system: re-enable support for subjectAltName when creating CSRs
o system: remove spurious backup() during config revert
o reporting: add daemon -f parameter to close file descriptors for NetFlow local capture (contributed by Ben Smithurst)
o firmware: use output_cmd/output_txt helpers in remaining scripts
o ipsec: fix mobile clients reload missing system.inc
o isc-dhcp: IPv6 prefixes script can fail to restart (contributed by Ben Smithurst)
o kea-dhcp: align hostname validation with manual host entries
o mvc: add serialNumber and issuer in Store::parseX509()
o mvc: restore support for JSON input data without configd callout in JsonKeyValueStoreField
o ui: add classes to system history diff content so themes can override the defaults
o ui: load CSV as text to prevent encoding issues in SimpleFileUploadDlg()
o plugins: os-acme-client 4.7[1]
o plugins: os-caddy 1.8.0[2]
o plugins: os-freeradius 1.9.27[3]
o plugins: os-haproxy 4.4[4]
o plugins: os-mdns-repeater 1.2[5]
o plugins: os-squid 1.1[6]
o plugins: os-tailscale 1.1[7]
o plugins: os-theme-rebellion 1.9.2 (contributed by Team Rebellion)
o src: if_ovpn: improve reconnect handling
o src: iflib: set the NUMA domain in receive packet headers
o src: ip: defer checks for an unspecified dstaddr until after pfil hooks
o src: ice_ddp: update to 1.3.41.0
o ports: curl 8.11.1[8]
o ports: libpfctl 0.15
o ports: php 8.2.27[9]
o ports: python 3.11.11[10]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/24.7/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/24.7/net/freeradius/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/24.7/net/haproxy/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/24.7/net/mdns-repeater/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/24.7/www/squid/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/24.7/security/tailscale/pkg-descr
[8] https://curl.se/changes.html#8_11_1
[9] https://www.php.net/ChangeLog-8.php#8.2.27
[10] https://docs.python.org/release/3.11.11/whatsnew/changelog.html
#18
Announcements / OPNsense 25.1-BETA released
December 19, 2024, 02:34:35 PM
Hey all,

The 25.1 series will include FreeBSD 14.2 so we are putting this BETA
version out based on the latest development state.  This is not meant
for production use but all plugins are provided and future updates of
installations based on these images will be possible.

https://pkg.opnsense.org/releases/25.1/

There is a bit more work to be done yet most of the milestones have
already been reached.  If you have a test deployment or would like to
check out some of the new features these images are for you.  Together
we can make OPNsense better than it ever was.

The final release date for 25.1 is January 29.  A release candidate
will follow in early January.

Highlights over version 24.7 include:

o system: restructure PPP to accommodate IPv6-only deployments
o system: implement persistent notifications banner
o system: dashboard widget for certificate expiry and renew
o system: high availability status MVC/API conversion
o system: users and groups MVC/API conversion
o system: advanced trust settings page
o system: ZFS snapshot GUI
o reporting: RRD health graph refactoring
o firewall: improved security zones support and documentation
o ipsec: advanced settings MVC/API conversion
o unbound: merge domain overrides into query forwarding
o ui: theme update with new styling and add official dark theme
o src: FreeBSD 14.2

The public key for the 25.1 series is:

-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----

Please let us know about your experience!


Stay safe,
Your OPNsense team

--
SHA256 (OPNsense-devel-25.1.b-dvd-amd64.iso.bz2) = 7a9a5eacc65f7128273558c7e5f4cf63e555004d4d938fb827280cf691fc1cfd
SHA256 (OPNsense-devel-25.1.b-nano-amd64.img.bz2) = 83b3a9b599477773b8f4877bf8c4a38436895477fef91a0dbfabdbfdbb7be2c3
SHA256 (OPNsense-devel-25.1.b-serial-amd64.img.bz2) = 57d087cf66d168338de4a611871c31813b3e42bb71d7b71be75aa20521c6d8a1
SHA256 (OPNsense-devel-25.1.b-vga-amd64.img.bz2) = 5bc51cc93bc64cc15d6fa68611d3cee4cf45b70b85e713cbdd3c0c8d2ebd4137
#19
Announcements / OPNsense 24.7.11 released
December 17, 2024, 02:14:20 PM
A happy holiday season to you all,

This is a minor update all things considered, but it does bring you
the long sought after Tailscale plugin courtesy of Sheridan Computers.
Suricata is also updated to its latest version to fix a couple of CVEs.

In other news, 25.1 will contain FreeBSD 14.2 which will be available
for BETA preview using images later this week as well.  The 25.1-BETA
will also include a rewritten theme (light and dark) using the new
OPNsense logo already being used in the documentation.  It also has
MVC/API support for the user and group management plus more you can
always find on the roadmap[1] in detail.

Here are the full patch notes:

o system: show multiple SAN entries when supplied by the certificate
o system: traffic dashboard widget should persist interface identifiers
o system: reset dashboard widget options to the default if none of the options match
o system: mismatch in returned "change" attribute for route toggle
o system: suppress XML parse errors in announcement widget when forum is unreachable
o system: catch PHP errors for Google Drive backups
o system: ignore plugins_interfaces() errors in write_config()
o system: fix snapshot ACL
o interfaces: reload GUI in the background
o firewall: remove faulty PPP exclusion in scrubbing rule creation
o dhcp: allow radvd to use /128 CARP VIP as source
o firmware: add "configctl firmware changelog current" backend command
o firmware: refactor lock/unlock scripts using new output helpers
o firmware: opnsense-code: support for origin selection during upgrade mode
o firmware: opnsense-patch: improve patch behaviour for non-default account/repositories combinations
o ipsec: remove hashing algorithm from null cipher
o unbound: make OpenSSL bundle workaround permanent
o mvc: last batch of sessionClose() cleanups in controllers
o mvc: call initialize() after authentication
o mvc: normalize multiple slashes in paths
o plugins: os-caddy 1.7.6[2]
o plugins: os-ddclient 1.26[3]
o plugins: os-nut 1.9[4]
o plugins: os-qemu-guest-agent 1.3[5]
o plugins: os-tailscale 1.0 (contributed by Sheridan Computers)
o plugins: os-telegraf 1.12.12[6]
o ports: monit 5.34.3[7]
o ports: suricata 7.0.8[8]

Stay safe,
Your OPNsense team

--
[1] https://opnsense.org/about/road-map/
[2] https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/24.7/dns/ddclient/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/24.7/sysutils/nut/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/24.7/emulators/qemu-guest-agent/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/24.7/net-mgmt/telegraf/pkg-descr
[7] https://mmonit.com/monit/changes/
[8] https://suricata.io/2024/12/12/suricata-7-0-8-released/
#20
Announcements / OPNsense 24.7.10 released
December 03, 2024, 02:10:20 PM
Hi there,

This ships a number of base system changes, kernel fixes and driver
updates.  The time-loop authentication change is back with the fixed
TOTP case and the Unbound domain overrides are now found in query
forwarding since this offers the same functionality anyway.

With the year almost over we are shifting focus to finishing the items
on the roadmap and it is nice to note that the MVC/API conversions are
already over 75% complete.  That means it will not take another decade
to migrate the other 25%.  ;)

Here are the full patch notes:

o system: readd a "time-loop" around authentication for failed attempts
o system: remove the SSL bundles in default locations
o system: prevent JS crashing out when dashboard widget title is not set
o system: use system instead of sample defaults when reverting tunables
o system: report actual LAN address being used after factory reset
o interfaces: use Autoconf class to avoid raw ifctl file access
o interfaces: remove ancient MAC address trickery to unbreak hostapd
o interfaces: add missing neighbor and DNS lookup page ACL entries
o interfaces: PPP device page ACL missed getserviceproviders.php
o firmware: force CRL check on development deployment
o firmware: use REQUEST to print a TLS/CRL usage hint
o firmware: improved output helpers and associated cleanup in audit scripts
o firmware: opnsense-update: add support for regression tests set
o intrusion detection: limit stats.log logging (contributed by doktornotor)
o kea-dhcp: add dhcp-socket-type option (contributed by Till Niederauer)
o kea-dhcp: add MAC formatter to leases page (contributed by cpalv)
o openvpn: support case-insensitive strict user CN matching for instances
o unbound: move domain overrides to query forwarding
o mvc: let JsonKeyValueStoreField cache configd call for the duration of the session
o mvc: another batch of sessionClose() cleanups in controllers
o mvc: cleanup in ApiMutableServiceControllerBase
o mvc: fix hint display for "0"
o ui: restore right tab border in standard theme
o plugins: os-caddy 1.7.5[1]
o plugins: os-debug 1.7[2]
o src: atf/kyua: ship regression tests runtime support
o src: if_bridge: mask MEXTPG if some members do not support it
o src: if_tuntap: enable MEXTPG support
o src: ice: update to 1.43.2-k et al
o src: ipsec: fix IPv6 over IPv4 tunneling
o src: ixgbe: add support for 1Gbit (active) DAC links
o src: ixgbe: sysctl for TCP flag handling during TSO
o src: jail: expose children.max and children.cur via sysctl
o src: libfetch: add the error number to verify callback failure case
o src: netlink: assorted stable backports
o src: pf: prevent SCTP-based NULL dereference in pfi_kkif_match()
o src: pf: let rdr rules modify the src port if doing so would avoid a conflict
o src: pf: make pf_get_translation() more expressive
o src: pf: let pf_state_insert() handle redirect state conflicts
o src: pf: fix wrong pflog action in NAT rule
o src: pf: fix potential state key leak
o src: rc: ignore INSYDE BIOS placeholder UUID for /etc/hostid
o src: route: fix failure to add an interface prefix route when route with the same prefix is already presented in the routing table
o src: route: route: avoid overlapping strcpy
o src: sfxge: defer ether_ifattach to when ifmedia_init is done
o ports: curl 8.11.0[3]
o ports: expat 2.6.4[4]
o ports: nss 3.107[5]
o ports: openldap 2.6.9[6]
o ports: php 8.2.26[7]
o ports: sudo 1.9.16p2[8]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/24.7/devel/debug/pkg-descr
[3] https://curl.se/changes.html#8_11_0
[4] https://github.com/libexpat/libexpat/blob/R_2_6_4/expat/Changes
[5] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_107.html
[6] https://www.openldap.org/software/release/changes.html
[7] https://www.php.net/ChangeLog-8.php#8.2.26
[8] https://www.sudo.ws/stable.html#1.9.16p2