Topics

Hello,
I just successfully upgraded my OPNsense installation to 25.7. Before upgrading I read about people having issues when os-cpu-microcode-intel was installed. As I had not installed said plugin before for some reason I installed it after the upgrade. During installation I saw the following output:

This port is deprecated; you may wish to reconsider installing it:

Abandoned upstream, fails to identify anything remotely new according to upstream issue reports.

It is scheduled to be removed on or after 2025-06-30.
=====
Message from cpu-microcode-intel-20250512:

--
Refer to the cpu-microcode-rc installation notes to enable Intel
microcode updates.

Is it still recommended to install? Will there be a replacement? I do not have any issues with my cpu but I do not want to be missing any security updates provided by the microcode. I would think that even when the port is removed the existing microcode updates would still be better to have than none at all.

Upgrade from 23.1.7_3 to 23.1.8 appeared to be stuck at:

Code Select Expand

***GOT REQUEST TO UPDATE***
Currently running OPNsense 23.1.7_3 at Thu May 25 15:04:32 CEST 2023
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (82 candidates): .......... done
Processing candidates (82 candidates): .... done
The following 33 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
py39-tzdata: 2023.3_1

Installed packages to be UPGRADED:
ca_root_nss: 3.89 -> 3.89.1
crowdsec: 1.4.6_2 -> 1.5.1
crowdsec-firewall-bouncer: 0.0.23.r2_12 -> 0.0.27
curl: 8.0.1 -> 8.1.0
dhcp6c: 20200512_1 -> 20230523
easy-rsa: 3.1.2 -> 3.1.3
lighttpd: 1.4.69 -> 1.4.70
mpd5: 5.9_14 -> 5.9_16
nss: 3.89 -> 3.89.1
openvpn: 2.6.3 -> 2.6.4
opnsense: 23.1.7_3 -> 23.1.8
opnsense-update: 23.1.6 -> 23.1.8
os-crowdsec: 1.0.4 -> 1.0.5
php81: 8.1.18 -> 8.1.19
php81-ctype: 8.1.18 -> 8.1.19
php81-curl: 8.1.18 -> 8.1.19
php81-dom: 8.1.18 -> 8.1.19
php81-filter: 8.1.18 -> 8.1.19
php81-gettext: 8.1.18 -> 8.1.19
php81-ldap: 8.1.18 -> 8.1.19
php81-mbstring: 8.1.18 -> 8.1.19
php81-pdo: 8.1.18 -> 8.1.19
php81-session: 8.1.18 -> 8.1.19
php81-simplexml: 8.1.18 -> 8.1.19
php81-sockets: 8.1.18 -> 8.1.19
php81-sqlite3: 8.1.18 -> 8.1.19
php81-xml: 8.1.18 -> 8.1.19
php81-zlib: 8.1.18 -> 8.1.19
py39-numpy: 1.24.1_1,1 -> 1.24.1_4,1
py39-pandas: 1.5.3_1,1 -> 2.0.1_1,1
py39-requests: 2.29.0 -> 2.30.0
suricata: 6.0.11_1 -> 6.0.12

Number of packages to be installed: 1
Number of packages to be upgraded: 32

The process will require 31 MiB more space.
71 MiB to be downloaded.
[1/33] Fetching php81-sqlite3-8.1.19.pkg: ... done
[2/33] Fetching php81-sockets-8.1.19.pkg: ..... done
[3/33] Fetching lighttpd-1.4.70.pkg: .......... done
[4/33] Fetching opnsense-update-23.1.8.pkg: ..... done
[5/33] Fetching os-crowdsec-1.0.5.pkg: ... done
[6/33] Fetching nss-3.89.1.pkg: .......... done
[7/33] Fetching py39-numpy-1.24.1_4,1.pkg: .......... done
[8/33] Fetching easy-rsa-3.1.3.pkg: ....... done
[9/33] Fetching crowdsec-1.5.1.pkg: .......... done
[10/33] Fetching openvpn-2.6.4.pkg: .......... done
[11/33] Fetching php81-filter-8.1.19.pkg: ... done
[12/33] Fetching php81-8.1.19.pkg: .......... done
[13/33] Fetching py39-pandas-2.0.1_1,1.pkg: .......... done
[14/33] Fetching dhcp6c-20230523.pkg: ......... done
[15/33] Fetching py39-requests-2.30.0.pkg: .......... done
[16/33] Fetching crowdsec-firewall-bouncer-0.0.27.pkg: .......... done
[17/33] Fetching py39-tzdata-2023.3_1.pkg: .......... done
[18/33] Fetching ca_root_nss-3.89.1.pkg: .......... done
[19/33] Fetching php81-ctype-8.1.19.pkg: . done
[20/33] Fetching php81-simplexml-8.1.19.pkg: ... done
[21/33] Fetching php81-session-8.1.19.pkg: ..... done
[22/33] Fetching curl-8.1.0.pkg: .......... done
[23/33] Fetching php81-zlib-8.1.19.pkg: ... done
[24/33] Fetching php81-dom-8.1.19.pkg: ........ done
[25/33] Fetching suricata-6.0.12.pkg: .......... done
[26/33] Fetching mpd5-5.9_16.pkg: .......... done
[27/33] Fetching php81-ldap-8.1.19.pkg: ..... done
[28/33] Fetching php81-xml-8.1.19.pkg: ... done
[29/33] Fetching php81-pdo-8.1.19.pkg: ....... done
[30/33] Fetching php81-curl-8.1.19.pkg: ..... done
[31/33] Fetching php81-mbstring-8.1.19.pkg: .......... done
[32/33] Fetching opnsense-23.1.8.pkg: .......... done
[33/33] Fetching php81-gettext-8.1.19.pkg: . done
Checking integrity... done (0 conflicting)
[1/33] Upgrading py39-numpy from 1.24.1_1,1 to 1.24.1_4,1...
[1/33] Extracting py39-numpy-1.24.1_4,1: .......... done
[2/33] Upgrading php81 from 8.1.18 to 8.1.19...
[2/33] Extracting php81-8.1.19: .......... done
[3/33] Installing py39-tzdata-2023.3_1...
[3/33] Extracting py39-tzdata-2023.3_1: .......... done
[4/33] Upgrading ca_root_nss from 3.89 to 3.89.1...
[4/33] Extracting ca_root_nss-3.89.1: ...... done
[5/33] Upgrading nss from 3.89 to 3.89.1...
[5/33] Extracting nss-3.89.1: .......... done
[6/33] Upgrading easy-rsa from 3.1.2 to 3.1.3...
[6/33] Extracting easy-rsa-3.1.3: .......... done
[7/33] Upgrading py39-pandas from 1.5.3_1,1 to 2.0.1_1,1...
[7/33] Extracting py39-pandas-2.0.1_1,1: .......... done
[8/33] Upgrading crowdsec-firewall-bouncer from 0.0.23.r2_12 to 0.0.27...
[8/33] Extracting crowdsec-firewall-bouncer-0.0.27: ...... done
crowdsec_firewall is running as pid 39371.
Stopping crowdsec_firewall.
Waiting for PIDS: 39371.
[9/33] Upgrading php81-session from 8.1.18 to 8.1.19...
[9/33] Extracting php81-session-8.1.19: .......... done
[10/33] Upgrading curl from 8.0.1 to 8.1.0...
[10/33] Extracting curl-8.1.0: .......... done
[11/33] Upgrading php81-pdo from 8.1.18 to 8.1.19...
[11/33] Extracting php81-pdo-8.1.19: .......... done
[12/33] Upgrading php81-mbstring from 8.1.18 to 8.1.19...
[12/33] Extracting php81-mbstring-8.1.19: .......... done
[13/33] Upgrading php81-sqlite3 from 8.1.18 to 8.1.19...
[13/33] Extracting php81-sqlite3-8.1.19: ......... done
[14/33] Upgrading php81-sockets from 8.1.18 to 8.1.19...
[14/33] Extracting php81-sockets-8.1.19: .......... done
[15/33] Upgrading lighttpd from 1.4.69 to 1.4.70...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
[15/33] Extracting lighttpd-1.4.70: .......... done
[16/33] Upgrading opnsense-update from 23.1.6 to 23.1.8...
[16/33] Extracting opnsense-update-23.1.8: .......... done
[17/33] Upgrading crowdsec from 1.4.6_2 to 1.5.1...
[17/33] Extracting crowdsec-1.5.1: .......... done
crowdsec is running as pid 66369.
Stopping crowdsec.
Waiting for PIDS: 66369.
[18/33] Upgrading openvpn from 2.6.3 to 2.6.4...
===> Creating groups.
Using existing group 'openvpn'.
===> Creating users
Using existing user 'openvpn'.
[18/33] Extracting openvpn-2.6.4: .......... done
[19/33] Upgrading php81-filter from 8.1.18 to 8.1.19...
[19/33] Extracting php81-filter-8.1.19: ......... done
[20/33] Upgrading dhcp6c from 20200512_1 to 20230523...
[20/33] Extracting dhcp6c-20230523: ........ done
[21/33] Upgrading py39-requests from 2.29.0 to 2.30.0...
[21/33] Extracting py39-requests-2.30.0: .......... done
[22/33] Upgrading php81-ctype from 8.1.18 to 8.1.19...
[22/33] Extracting php81-ctype-8.1.19: ........ done
[23/33] Upgrading php81-simplexml from 8.1.18 to 8.1.19...
[23/33] Extracting php81-simplexml-8.1.19: ......... done
[24/33] Upgrading php81-zlib from 8.1.18 to 8.1.19...
[24/33] Extracting php81-zlib-8.1.19: ........ done
[25/33] Upgrading php81-dom from 8.1.18 to 8.1.19...
[25/33] Extracting php81-dom-8.1.19: .......... done
[26/33] Upgrading suricata from 6.0.11_1 to 6.0.12...
[26/33] Extracting suricata-6.0.12: .......... done
[27/33] Upgrading mpd5 from 5.9_14 to 5.9_16...
[27/33] Extracting mpd5-5.9_16: .......... done
[28/33] Upgrading php81-ldap from 8.1.18 to 8.1.19...
[28/33] Extracting php81-ldap-8.1.19: ........ done
[29/33] Upgrading php81-xml from 8.1.18 to 8.1.19...
[29/33] Extracting php81-xml-8.1.19: ......... done
[30/33] Upgrading php81-curl from 8.1.18 to 8.1.19...
[30/33] Extracting php81-curl-8.1.19: .......... done
[31/33] Upgrading php81-gettext from 8.1.18 to 8.1.19...
[31/33] Extracting php81-gettext-8.1.19: ........ done
[32/33] Upgrading os-crowdsec from 1.0.4 to 1.0.5...
[32/33] Extracting os-crowdsec-1.0.5: .......... done

I checked my crowdsec processes:

Code Select Expand

root@opnsense01:~ # ps aux | grep crowdsec
root    43578   0.0  0.0   13504   2768  -  I    15:05       0:00.00 /bin/sh -c set -- os-crowdsec-1.0.4\n#!/bin/sh\n\n# need to temporarily stop the bouncer to remove all the rules\nservice crowdsec_firewall stop >/dev/nul
root    43757   0.0  0.0   13504   3140  -  I    15:05       0:00.01 /bin/sh /usr/local/etc/rc.d/crowdsec_firewall stop
root    88726   0.0  0.7  914324 121868  -  I    15:04       0:03.12 /usr/local/bin/crowdsec -c /usr/local/etc/crowdsec/config.yaml
root    90891   0.0  0.2  722256  28864  -  I    15:04       0:00.19 /usr/local/bin/crowdsec-firewall-bouncer -c /usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml (crowdsec-firewall-b)


and manually did a 'kill -9 90891' after which the update immediately proceeded and finished successfully.

Not sure when this started but my WAN_DHCP6 gateway appears to not get configured correctly:

My WAN is configured with DHCPv6 and I set a Prefix delegation size of 59 in its options.
Interface Overview shows an address (/128), a link-local address (/64), a delegated prefix (/59) and 2 IPv6 DNS servers but no IPv6 gateway.

The "IP address" field in the default created WAN_DHCP6 gateway is set to "dynamic" but the gateway field stays empty.

The log file shows the following:

Code Select Expand


/system_gateways.php: ROUTING: not a valid default gateway address: ''
/system_gateways.php: ROUTING: configuring inet6 default gateway on wan


Not sure if this is an issue with my ISP (Vodafone Cable Germany) who did some non-standard IPv6 in the past.

For now I check my WAN's neighbors via NDP and use the listed CMTS IP (fe80:...) as a manually added IPv6 gateway which works but I am wondering why it is not detected/used by DHCP6.

Any suggestions how to better debug this? Thank you.

Just updated from 21.1.9_1 to 21.7 and ran into an issue.
The first time 21.7 got downloaded, extracted and the server rebooted. Upon reboot current version is still
OPNsense 21.1.9_1-amd64 according to the dashboard widget.
If I check for updates again it says 21.7 is installed but can be "upgraded" to 21.1.8 (new version).
If I run this upgrade the current version shown by the dashboard is still 21.1.9_1-amd64 but this time "check for update" shows 21.7 as available (and 21.1.8) as installed


Not sure if this is a display bug.