Topics

Hy!

Upgraded to 25.1.7 and got:

Code Select Expand

***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.1.6_4 (amd64) at Wed May 21 16:50:49 CEST 2025
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (31 candidates): .......... done
Processing candidates (31 candidates): .......... done
The following 31 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
dhcp6c: 20241008 -> 20250513
monit: 5.35.1 -> 5.35.2
mpdecimal: 4.0.0 -> 4.0.1
nss: 3.110 -> 3.111
opnsense: 25.1.6_4 -> 25.1.7_2
perl5: 5.36.3_3 -> 5.40.2_2
pftop: 0.12 -> 0.13
php83: 8.3.20 -> 8.3.21
php83-ctype: 8.3.20 -> 8.3.21
php83-curl: 8.3.20 -> 8.3.21
php83-dom: 8.3.20 -> 8.3.21
php83-filter: 8.3.20 -> 8.3.21
php83-gettext: 8.3.20 -> 8.3.21
php83-ldap: 8.3.20 -> 8.3.21
php83-mbstring: 8.3.20 -> 8.3.21
php83-pcntl: 8.3.20 -> 8.3.21
php83-pdo: 8.3.20 -> 8.3.21
php83-session: 8.3.20 -> 8.3.21
php83-simplexml: 8.3.20 -> 8.3.21
php83-sockets: 8.3.20 -> 8.3.21
php83-sqlite3: 8.3.20 -> 8.3.21
php83-xml: 8.3.20 -> 8.3.21
php83-zlib: 8.3.20 -> 8.3.21
py311-pytz: 2024.2_1,1 -> 2025.2_1,1
smartmontools: 7.4_2 -> 7.5
syslog-ng: 4.8.1_5 -> 4.8.2

Installed packages to be REINSTALLED:
ddclient-3.11.2_2 (direct dependency changed: perl5)
ntp-4.2.8p18_4 (direct dependency changed: perl5)
p5-Data-Validate-IP-0.27 (direct dependency changed: perl5)
p5-NetAddr-IP-4.079 (direct dependency changed: perl5)
rrdtool-1.9.0 (direct dependency changed: perl5)

Number of packages to be upgraded: 26
Number of packages to be reinstalled: 5

The process will require 3 MiB more space.
30 MiB to be downloaded.
[1/31] Fetching mpdecimal-4.0.1.pkg: .......... done
[2/31] Fetching php83-filter-8.3.21.pkg: ... done
[3/31] Fetching php83-curl-8.3.21.pkg: ...... done
[4/31] Fetching p5-Data-Validate-IP-0.27.pkg: ... done
[5/31] Fetching monit-5.35.2.pkg: .......... done
[6/31] Fetching nss-3.111.pkg: .......... done
[7/31] Fetching p5-NetAddr-IP-4.079.pkg: .......... done
[8/31] Fetching ddclient-3.11.2_2.pkg: ........ done
[9/31] Fetching php83-ldap-8.3.21.pkg: ..... done
[10/31] Fetching php83-simplexml-8.3.21.pkg: ... done
[11/31] Fetching php83-pdo-8.3.21.pkg: ....... done
[12/31] Fetching rrdtool-1.9.0.pkg: .......... done
[13/31] Fetching dhcp6c-20250513.pkg: ......... done
[14/31] Fetching py311-pytz-2025.2_1,1.pkg: .......... done
[15/31] Fetching ntp-4.2.8p18_4.pkg: .......... done
[16/31] Fetching syslog-ng-4.8.2.pkg: .......... done
[17/31] Fetching php83-sockets-8.3.21.pkg: ...... done
[18/31] Fetching php83-pcntl-8.3.21.pkg: ... done
[19/31] Fetching php83-sqlite3-8.3.21.pkg: .... done
[20/31] Fetching php83-session-8.3.21.pkg: ..... done
[21/31] Fetching php83-mbstring-8.3.21.pkg: .......... done
[22/31] Fetching php83-gettext-8.3.21.pkg: . done
[23/31] Fetching php83-zlib-8.3.21.pkg: ... done
[24/31] Fetching php83-ctype-8.3.21.pkg: . done
[25/31] Fetching php83-8.3.21.pkg: .......... done
[26/31] Fetching php83-xml-8.3.21.pkg: ... done
[27/31] Fetching php83-dom-8.3.21.pkg: .......... done
[28/31] Fetching perl5-5.40.2_2.pkg: .......... done
[29/31] Fetching opnsense-25.1.7_2.pkg: .......... done
[30/31] Fetching smartmontools-7.5.pkg: .......... done
[31/31] Fetching pftop-0.13.pkg: ........ done
Checking integrity... done (0 conflicting)
[1/31] Upgrading mpdecimal from 4.0.0 to 4.0.1...
[1/31] Extracting mpdecimal-4.0.1: .......... done
[2/31] Upgrading php83 from 8.3.20 to 8.3.21...
[2/31] Extracting php83-8.3.21: .......... done
[3/31] Upgrading py311-pytz from 2024.2_1,1 to 2025.2_1,1...
[3/31] Extracting py311-pytz-2025.2_1,1: .......... done
[4/31] Upgrading php83-zlib from 8.3.20 to 8.3.21...
[4/31] Extracting php83-zlib-8.3.21: ........ done
[5/31] Upgrading php83-xml from 8.3.20 to 8.3.21...
[5/31] Extracting php83-xml-8.3.21: ......... done
[6/31] Upgrading perl5 from 5.36.3_3 to 5.40.2_2...
[6/31] Extracting perl5-5.40.2_2: .......... done
[7/31] Upgrading nss from 3.110 to 3.111...
[7/31] Extracting nss-3.111: .......... done
[8/31] Reinstalling p5-NetAddr-IP-4.079...
[8/31] Extracting p5-NetAddr-IP-4.079: .......... done
[9/31] Upgrading php83-pdo from 8.3.20 to 8.3.21...
[9/31] Extracting php83-pdo-8.3.21: .......... done
[10/31] Upgrading php83-session from 8.3.20 to 8.3.21...
[10/31] Extracting php83-session-8.3.21: .......... done
[11/31] Upgrading php83-mbstring from 8.3.20 to 8.3.21...
[11/31] Extracting php83-mbstring-8.3.21: .......... done
[12/31] Upgrading php83-filter from 8.3.20 to 8.3.21...
[12/31] Extracting php83-filter-8.3.21: ......... done
[13/31] Upgrading php83-curl from 8.3.20 to 8.3.21...
[13/31] Extracting php83-curl-8.3.21: .......... done
[14/31] Reinstalling p5-Data-Validate-IP-0.27...
[14/31] Extracting p5-Data-Validate-IP-0.27: ....... done
[15/31] Upgrading monit from 5.35.1 to 5.35.2...
[15/31] Extracting monit-5.35.2: ....... done
[16/31] Upgrading php83-ldap from 8.3.20 to 8.3.21...
[16/31] Extracting php83-ldap-8.3.21: ........ done
[17/31] Upgrading php83-simplexml from 8.3.20 to 8.3.21...
[17/31] Extracting php83-simplexml-8.3.21: ......... done
[18/31] Reinstalling rrdtool-1.9.0...
[18/31] Extracting rrdtool-1.9.0: .......... done
[19/31] Upgrading dhcp6c from 20241008 to 20250513...
[19/31] Extracting dhcp6c-20250513: ........ done
[20/31] Reinstalling ntp-4.2.8p18_4...
[20/31] Extracting ntp-4.2.8p18_4: .......... done
[21/31] Upgrading syslog-ng from 4.8.1_5 to 4.8.2...
[21/31] Extracting syslog-ng-4.8.2: .......... done
[22/31] Upgrading php83-sockets from 8.3.20 to 8.3.21...
[22/31] Extracting php83-sockets-8.3.21: .......... done
[23/31] Upgrading php83-pcntl from 8.3.20 to 8.3.21...
[23/31] Extracting php83-pcntl-8.3.21: ......... done
[24/31] Upgrading php83-sqlite3 from 8.3.20 to 8.3.21...
[24/31] Extracting php83-sqlite3-8.3.21: ......... done
[25/31] Upgrading php83-gettext from 8.3.20 to 8.3.21...
[25/31] Extracting php83-gettext-8.3.21: ........ done
[26/31] Upgrading php83-ctype from 8.3.20 to 8.3.21...
[26/31] Extracting php83-ctype-8.3.21: ........ done
[27/31] Upgrading php83-dom from 8.3.20 to 8.3.21...
[27/31] Extracting php83-dom-8.3.21: .......... done
[28/31] Upgrading pftop from 0.12 to 0.13...
[28/31] Extracting pftop-0.13: ..... done
[29/31] Reinstalling ddclient-3.11.2_2...
[29/31] Extracting ddclient-3.11.2_2: ....... done
[30/31] Upgrading opnsense from 25.1.6_4 to 25.1.7_2...
[30/31] Extracting opnsense-25.1.7_2: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
[31/31] Upgrading smartmontools from 7.4_2 to 7.5...
[31/31] Extracting smartmontools-7.5: .......... done
pkg-static: Fail to rename /usr/local/etc/periodic/daily/.pkgtemp.smart.aDdfeKctdUED -> /usr/local/etc/periodic/daily/smart:No such file or directory
Starting web GUI...done.
***DONE***
Is this "Fail to rename..." a problem of any kind?

Hy!

Needed fresh device, so I bought a used Optiplex SFF 7070 and updated the BIOS to latest. Switched to legacy boot in BIOS (needed for OPNsense, right?) and tried to boot from internal SSD. No luck.

In BIOS I found the bad news: No legacy boot from internal SSD/HDD/M2 whatever. Only UEFI. So I will have to use a SATA-USB3 adapter to run my OPNsense? Really?

Any work-around known? Downgrading BIOS maybe?

Desperate....

Hy!

Was out to do some weekend shopping, when I came back I had an email from monit, that it had restarted.

Code Select Expand

Monit instance changed Service OPN0518....

Date:        Fri, 07 Mar 2025 10:19:49
Action:      start
Host:        OPN0518....
Description: Monit 5.34.4 started

Your faithful employee,
Monit

Strange.

Had a look in the logs, and as expected, the box had rebooted, but no hint of any kind why:

Code Select Expand

...
2025-03-07T10:17:27 Notice kernel CPU: Intel(R) Core(TM) i3-4150 CPU @ 3.50GHz (3492.12-MHz K8-class CPU)
2025-03-07T10:17:27 Notice kernel VT(efifb): resolution 1024x768
2025-03-07T10:17:27 Notice kernel FreeBSD clang version 18.1.6 (https://github.com/llvm/llvm-project.git llvmorg-18.1.6-0-g1118c2e05e67)
2025-03-07T10:17:27 Notice kernel FreeBSD 14.2-RELEASE-p1 stable/25.1-n269632-cc316253c68 SMP amd64
2025-03-07T10:17:27 Notice kernel FreeBSD is a registered trademark of The FreeBSD Foundation.
2025-03-07T10:17:27 Notice kernel The Regents of the University of California. All rights reserved.
2025-03-07T10:17:27 Notice kernel Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
2025-03-07T10:17:27 Notice kernel Copyright (c) 1992-2023 The FreeBSD Project.
2025-03-07T10:17:27 Notice kernel ---<<BOOT>>---
2025-03-07T10:16:00 Notice root syslog-ng starting up; version='4.8.1'
2025-03-07T10:01:00 Notice root reload filter for configured schedules
2025-03-07T09:46:00 Notice root reload filter for configured schedules
2025-03-07T09:31:00 Notice root reload filter for configured schedules
2025-03-07T09:01:00 Notice root reload filter for configured schedules
2025-03-07T08:46:00 Notice root reload filter for configured schedules
2025-03-07T08:31:00 Notice root reload filter for configured schedules
....
Any way to further debug this.

And: Yes, I upgraded to 25.1.2 now... ;-)

https://www.heise.de/news/APNIC-Chefwissenschaftler-IPv6-Einfuehrung-wohl-obsolet-9995140.html

***party***

https://www.heise.de/news/Neue-OpenSSL-Luecke-ist-gefaehrlich-aber-sehr-schwer-auszunutzen-9992067.html

un-be-lievable

Hy again!

Have here a problem that started after updating Virtualbox to 7.1.4 on a host in one of my networks on an OPNsense (24.7.6, bare metal), topology give in graph below post.

The VBox HOST (10.0.0.29) is an opensuse Tumbleweed (kernel 6.11.3.2-default).

Problem: No GUEST whatsowever (Win7, Win10, Opensuse Leap 15.6...) on the VBox with NAT has functional network in the setup shown in the graph. The GUEST always gets an IP of 10.0.2.15, the HOST has 10.0.2.2.

There is no functional DNS (set to 10.0.2.3 in the GUEST via DHCP) in the GUEST, there is no ping to 10.0.2.1 or 10.0.2.2, although I'm unsure the HOST has 10.0.2.1 or 10.0.2.2 from this here:

https://www.nakivo.com/blog/virtualbox-network-setting-guide/

Hint: There is a 10.0.2.0/27 on the OPNsense. But normally that should not matter, as there is NAT in between, or?

However the VBox HOST has access via firewall rules on the OPNsense to some machines in the native 10.0.2.0/27 network.

What resolves the problem:

- On another HOST in another OPNsense install that has NO 10.0.2.0/x network, the GUESTS on VBox have functional networking.

- Setting Network on the VBOX configuration to "NAT network" (instead of "NAT") hands out IPs in a different IP range and the networking works just fine for VBox GUESTs.

What I don't understand is, why is there a problem at all with networking in the GUESTs. Is it because the HOST (10.0.0.29) knows the VBox network (10.0.2.0/x) AND the native 10.0.2.0/27 on the OPNsense? And therefore doesn't know where to route the traffic to (or always routes it to the OPNsense)?

I have tried to change the IP range for the VBox NAT, but to no avail.

Along the line:

Code Select Expand

VBoxManage modifyvm leap153_25042021 \
--natnet1 "10.121.34.0/28"


But that results in nonfunctional networking.

https://freebsdfoundation.org/blog/sovereign-tech-fund-to-invest-e686400-in-freebsd-infrastructure-modernization/

Hy!

Have here a Dell Optiplex box (doing fine for years) that failed some weeks ago after an update (new SSD installed some weeks before). As a result I reinstalled another fresh SSD and ZFS some weeks ago. Afterwards box was stable.

About 1 week ago I upgraded to 24.7.1 and today all of a sudden one LAN client was unreachable, a reboot resulted in no IP via DHCP. Moreover I could not reach the OPNsense via GUI or serial console. Rebooting (hard reset) brought the OPNsense back, but I want to learn what is failing here.

Where to start looking? Which logs might help?

Hy!

Read the release notes for 24.7.RC1 and found this gem:

o The dashboard has been replaced. Widgets from the old format are no longer supported and need to be rewritten by the respective authors.

Is there an overview, which widgets are available as of now? Who are the maintainers of the remaining widgets and are there any re-writes to be expected? Timelines, maybe, at least preliminary? ;-)

Hy!

On latest community release here. Have IPS configured and running for years, but due to a change in Linux repos on some machines, a rule for TOR endpoints (co-located on repo IP?) is firing for some time now.

At first I disabled the rule individually, but after 1-4 days the disabled rule turned to enabled again. Several times, for weeks now.

Btw this happenz on TWO installs of OPNsense.

I tried "Policy" and chose the rule set tor.rules (from alerts) and "Action" as "Disabled". Applied. Works for some hours, then the alerts/blocks are back.

What is the way to disable this specific rule/rule set? It's spamming my alert email account.

Hi again!

Want to move settings

- Interface config
- DHCP 4 (ISC)
- Aliases
- FW-rules
(- forgot something important?)

from one OPNsense to another one (both 24.1.7).

Is there a way other than text editor + config.xml of both OPNsenses?

Many thanks in advance

Hi!

No 24.1 board yet, so posting in 23.7 forums.

I read in the release notes for 24.1 RC1:

Code Select Expand

ISC DHCP functionality is slowly being deprecated with the introduction of Kea as an alternative.  The work to replace the tooling of ISC DHCP is ongoing, but feature sets will likely differ for a long time therefore.

Would be quite helpful to know which problems might araise from this, which use cases might not be covered when moving to 24.1. Is a new installation recommended for 24.1 due to this?

Hy!

I upgraded 2 systems today to 23.7.11, without rebooting. Now all logs (System, Services) are completely empty in the GUI, see attached.

Any ideas?

Hi!

Installed a fresh 23.7, all up-to-date and imported my working config for DNS-over-TLS with unbound. All fine.

I configured a new interface, DHCP works, set up firewall rules (including block to HTPPS of opnsense and allowing ipv4 UDP to port 53 of opnsense) and added the new interface to unbound in the GUI and applied. Rebooted. According to resolve.conf on the only host attached to the new interface, the DNS ist set to the interface address of the opnsense.

With package capture on port 53 of the new opnsense interface I see the requests of the host, but there is no reply at all from unbound.

With "inspect" on the FW-rules page of the new interface I see no evaluation of the FW-rule allowing UDP to port 53 of the opnsense?!?! The only rule hit is the first on the page, no matter which rule this is...


Any ideas?

https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc

...anything to be done/known on this?

Hi!

Have here a "Service" interface on a OPNsense (yesterday updated from 22.7.7_1 to 22.7.8 btw) which is only used from time to time (as the name might insinuate). Today I plugged in a client to interface and got a

Code Select Expand

2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt3(igb1)

...which reset all my other interfaces, interrupting traffic, due to flapping interface some seconds later:

Code Select Expand

2022-11-26T11:03:41 Notice flowd_aggregate.py vacuum done
2022-11-26T11:01:00 Notice root reload filter for configured schedules
2022-11-26T11:00:48 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: 10.100.10.99) (interface: Service[opt3]) (real interface: igb1).
2022-11-26T11:00:48 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1'
2022-11-26T11:00:48 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt3(igb1)
2022-11-26T11:00:46 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt3(igb1)
2022-11-26T11:00:11 Notice opnsense plugins_configure newwanip (execute task : webgui_configure_do(,opt3))
2022-11-26T11:00:11 Notice opnsense plugins_configure newwanip (execute task : vxlan_configure_do())
2022-11-26T11:00:10 Error opnsense /usr/local/etc/rc.newwanip: warning: ignoring missing default tunable request: debug.pfftpproxy
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : unbound_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : openssh_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : opendns_configure_do())
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : ntpd_configure_do())
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : dyndns_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : dnsmasq_configure_do())
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (,opt3)
2022-11-26T11:00:10 Error opnsense /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface Service.
2022-11-26T11:00:10 Notice opnsense plugins_configure vpn (execute task : openvpn_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure vpn (execute task : ipsec_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure vpn (,opt3)
2022-11-26T11:00:10 Error opnsense /usr/local/etc/rc.newwanip: IP address renew, killing all previous states
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: Adding static route for monitor 1.1.1.1 via xx.xxxx.xxx.xxx
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: Removing static route for monitor 1.1.1.1 via 83.248.112.1
2022-11-26T11:00:09 Notice opnsense plugins_configure monitor (execute task : dpinger_configure_do(,))
2022-11-26T11:00:09 Notice opnsense plugins_configure monitor (,)
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: skipping IPv4 default route
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'opt3'
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: 10.0.1.199) (interface: Service[opt3]) (real interface: igb1).
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1'
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt3(igb1)

Annoying... :-(

https://www.computerweekly.com/news/252526709/Prepare-today-for-potentially-high-impact-OpenSSL-bug

...?

Hy!

As an extenstion to this here:

https://forum.opnsense.org/index.php?topic=26446.299

In "custom" (GUI)  there is absolutely no way to add a single update URL-Username-PW-Domain provided by the DynDNS service of my choice?

Can anybody help out on this?

Is it possible to install both old and new plugin at the same time and use both?

Hy!

I was on LibreSSL 22.1.10 and wanted to switch to openSSL from GUI, but something failed:

Code Select Expand

***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.1.10 (amd64/LibreSSL) at Sun Jul 10 10:49:15 CEST 2022
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (45 candidates): .......... done
Processing candidates (45 candidates): ...... done
The following 27 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
openssl: 1.1.1q,1

Installed packages to be REINSTALLED:
cpdup-1.22 (direct dependency changed: openssl)
curl-7.84.0 (direct dependency changed: openssl)
cyrus-sasl-2.1.28 (direct dependency changed: openssl)
cyrus-sasl-gssapi-2.1.28 (direct dependency changed: openssl)
hostapd-2.10_5 (direct dependency changed: openssl)
isc-dhcp44-server-4.4.2P1_1 (direct dependency changed: openssl)
krb5-1.20 (direct dependency changed: openssl)
ldns-1.8.1 (direct dependency changed: openssl)
libevent-2.1.12 (direct dependency changed: openssl)
libfido2-1.11.0 (direct dependency changed: openssl)
lighttpd-1.4.65 (direct dependency changed: openssl)
monit-5.32.0 (direct dependency changed: openssl)
mpd5-5.9_9 (direct dependency changed: openssl)
ntp-4.2.8p15_5 (direct dependency changed: openssl)
openldap24-client-2.4.59_4 (direct dependency changed: openssl)
openssh-portable-8.9.p1_4,1 (direct dependency changed: openssl)
openvpn-2.5.7 (direct dependency changed: openssl)
opnsense-update-22.1.9 (direct dependency changed: openssl)
php74-openssl-7.4.30 (direct dependency changed: openssl)
py39-cryptography-3.4.8 (direct dependency changed: openssl)
python39-3.9.13 (direct dependency changed: openssl)
squid-4.15 (direct dependency changed: openssl)
strongswan-5.9.6_2 (direct dependency changed: openssl)
syslog-ng-3.37.1 (direct dependency changed: openssl)
unbound-1.16.0 (direct dependency changed: openssl)
wpa_supplicant-2.10_6 (direct dependency changed: openssl)

Number of packages to be installed: 1
Number of packages to be reinstalled: 26

The process will require 14 MiB more space.
36 MiB to be downloaded.
[1/27] Fetching wpa_supplicant-2.10_6.pkg: .......... done
[2/27] Fetching unbound-1.16.0.pkg: .......... done
[3/27] Fetching syslog-ng-3.37.1.pkg: .......... done
[4/27] Fetching strongswan-5.9.6_2.pkg: .......... done
[5/27] Fetching squid-4.15.pkg: .......... done
[6/27] Fetching python39-3.9.13.pkg: .......... done
[7/27] Fetching py39-cryptography-3.4.8.pkg: .......... done
[8/27] Fetching php74-openssl-7.4.30.pkg: ........ done
[9/27] Fetching opnsense-update-22.1.9.pkg: ..... done
[10/27] Fetching openvpn-2.5.7.pkg: .......... done
[11/27] Fetching openssh-portable-8.9.p1_4,1.pkg: .......... done
[12/27] Fetching openldap24-client-2.4.59_4.pkg: .......... done
[13/27] Fetching ntp-4.2.8p15_5.pkg: .......... done
[14/27] Fetching mpd5-5.9_9.pkg: .......... done
[15/27] Fetching monit-5.32.0.pkg: .......... done
[16/27] Fetching lighttpd-1.4.65.pkg: .......... done
[17/27] Fetching libfido2-1.11.0.pkg: .......... done
[18/27] Fetching libevent-2.1.12.pkg: .......... done
[19/27] Fetching ldns-1.8.1.pkg: .......... done
[20/27] Fetching krb5-1.20.pkg: .......... done
[21/27] Fetching isc-dhcp44-server-4.4.2P1_1.pkg: .......... done
[22/27] Fetching hostapd-2.10_5.pkg: .......... done
[23/27] Fetching cyrus-sasl-gssapi-2.1.28.pkg: .... done
[24/27] Fetching cyrus-sasl-2.1.28.pkg: .......... done
[25/27] Fetching curl-7.84.0.pkg: .......... done
[26/27] Fetching cpdup-1.22.pkg: .... done
[27/27] Fetching openssl-1.1.1q,1.pkg: .......... done
Checking integrity... done (1 conflicting)
  - openssl-1.1.1q,1 conflicts with libressl-3.3.6 on /usr/local/bin/openssl
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 28 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
libressl: 3.3.6

New packages to be INSTALLED:
openssl: 1.1.1q,1

Installed packages to be REINSTALLED:
cpdup-1.22 (direct dependency changed: openssl)
curl-7.84.0 (direct dependency changed: openssl)
cyrus-sasl-2.1.28 (direct dependency changed: openssl)
cyrus-sasl-gssapi-2.1.28 (direct dependency changed: openssl)
hostapd-2.10_5 (direct dependency changed: openssl)
isc-dhcp44-server-4.4.2P1_1 (direct dependency changed: openssl)
krb5-1.20 (direct dependency changed: openssl)
ldns-1.8.1 (direct dependency changed: openssl)
libevent-2.1.12 (direct dependency changed: openssl)
libfido2-1.11.0 (direct dependency changed: openssl)
lighttpd-1.4.65 (direct dependency changed: openssl)
monit-5.32.0 (direct dependency changed: openssl)
mpd5-5.9_9 (direct dependency changed: openssl)
ntp-4.2.8p15_5 (direct dependency changed: openssl)
openldap24-client-2.4.59_4 (direct dependency changed: openssl)
openssh-portable-8.9.p1_4,1 (direct dependency changed: openssl)
openvpn-2.5.7 (direct dependency changed: openssl)
opnsense-update-22.1.9 (direct dependency changed: openssl)
php74-openssl-7.4.30 (direct dependency changed: openssl)
py39-cryptography-3.4.8 (direct dependency changed: openssl)
python39-3.9.13 (direct dependency changed: openssl)
squid-4.15 (direct dependency changed: openssl)
strongswan-5.9.6_2 (direct dependency changed: openssl)
syslog-ng-3.37.1 (direct dependency changed: openssl)
unbound-1.16.0 (direct dependency changed: openssl)
wpa_supplicant-2.10_6 (direct dependency changed: openssl)

Number of packages to be removed: 1
Number of packages to be installed: 1
Number of packages to be reinstalled: 26

The operation will free 5 MiB.
[1/28] Deinstalling libressl-3.3.6...
[1/28] Deleting files for libressl-3.3.6: .......... done
[2/28] Installing openssl-1.1.1q,1...
[2/28] Extracting openssl-1.1.1q,1: .......... done
[3/28] Reinstalling cyrus-sasl-2.1.28...
*** Updated user `cyrus'.
[3/28] Extracting cyrus-sasl-2.1.28: .......... done
ld-elf.so.1: Shared object "libcrypto.so.46" not found, required by "libsasl2.so.3"
WARNING: Users SASL passwords are in /usr/local/etc/sasldb2.db, keeping this file
[4/28] Reinstalling krb5-1.20...
[4/28] Extracting krb5-1.20: .......... done
[5/28] Reinstalling cyrus-sasl-gssapi-2.1.28...
[5/28] Extracting cyrus-sasl-gssapi-2.1.28: .......... done
[6/28] Reinstalling python39-3.9.13...
[6/28] Extracting python39-3.9.13: .......... done
[7/28] Reinstalling openldap24-client-2.4.59_4...
[7/28] Extracting openldap24-client-2.4.59_4: .......... done
[8/28] Reinstalling libfido2-1.11.0...
[8/28] Extracting libfido2-1.11.0: .......... done
[9/28] Reinstalling libevent-2.1.12...
[9/28] Extracting libevent-2.1.12: .......... done
[10/28] Reinstalling ldns-1.8.1...
[10/28] Extracting ldns-1.8.1: .......... done
[11/28] Reinstalling curl-7.84.0...
[11/28] Extracting curl-7.84.0: .......... done
[12/28] Reinstalling wpa_supplicant-2.10_6...
[12/28] Extracting wpa_supplicant-2.10_6: ....... done
[13/28] Reinstalling unbound-1.16.0...
===> Creating groups.
Using existing group 'unbound'.
===> Creating users
Using existing user 'unbound'.
[13/28] Extracting unbound-1.16.0: .......... done
[14/28] Reinstalling syslog-ng-3.37.1...
[14/28] Extracting syslog-ng-3.37.1: .......... done
[15/28] Reinstalling strongswan-5.9.6_2...
[15/28] Extracting strongswan-5.9.6_2: .......... done
[16/28] Reinstalling squid-4.15...
===> Creating groups.
Using existing group 'squid'.
===> Creating users
Using existing user 'squid'.
===> Creating homedir(s)
===> Pre-installation configuration for squid-4.15
[16/28] Extracting squid-4.15: .......... done
[17/28] Reinstalling py39-cryptography-3.4.8...
[17/28] Extracting py39-cryptography-3.4.8: .......... done
[18/28] Reinstalling php74-openssl-7.4.30...
[18/28] Extracting php74-openssl-7.4.30: ....... done
[19/28] Reinstalling opnsense-update-22.1.9...
[19/28] Extracting opnsense-update-22.1.9: .......... done
[20/28] Reinstalling openvpn-2.5.7...
===> Creating groups.
Using existing group 'openvpn'.
===> Creating users
Using existing user 'openvpn'.
[20/28] Extracting openvpn-2.5.7: .......... done
[21/28] Reinstalling openssh-portable-8.9.p1_4,1...
[21/28] Extracting openssh-portable-8.9.p1_4,1: .......... done
[22/28] Reinstalling ntp-4.2.8p15_5...
[22/28] Extracting ntp-4.2.8p15_5: .......... done
[23/28] Reinstalling mpd5-5.9_9...
[23/28] Extracting mpd5-5.9_9: .......... done
[24/28] Reinstalling monit-5.32.0...
[24/28] Extracting monit-5.32.0: ....... done
[25/28] Reinstalling lighttpd-1.4.65...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
[25/28] Extracting lighttpd-1.4.65: .......... done
[26/28] Reinstalling isc-dhcp44-server-4.4.2P1_1...
===> Creating groups.
Using existing group 'dhcpd'.
===> Creating users
Using existing user 'dhcpd'.
[26/28] Extracting isc-dhcp44-server-4.4.2P1_1: .......... done
[27/28] Reinstalling hostapd-2.10_5...
[27/28] Extracting hostapd-2.10_5: ....... done
[28/28] Reinstalling cpdup-1.22...
[28/28] Extracting cpdup-1.22: ..... done
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
=====
Message from strongswan-5.9.6_2:

--
The default strongSwan configuration interface have been updated to vici.
To use the stroke interface by default either compile the port without the vici option or
set 'strongswan_interface="stroke"' in your rc.conf file.
You may need to manually remove /usr/local/etc/squid/squid.conf if it is no longer needed.
=====
Message from php74-openssl-7.4.30:

--
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

Upstream Security Support ends on 2022-11-28.

It is scheduled to be removed on or after 2022-11-29.
=====
Message from openvpn-2.5.7:

--
Note that OpenVPN now configures a separate user and group "openvpn",
which should be used instead of the NFS user "nobody"
when an unprivileged user account is desired.

It is advisable to review existing configuration files and
to consider adding/changing user openvpn and group openvpn.
You may need to manually remove /usr/local/etc/ssh/sshd_config if it is no longer needed.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
The following package files will be deleted:
/var/cache/pkg/wpa_supplicant-2.10_6~e6514d9294.pkg
/var/cache/pkg/unbound-1.16.0~b0ce98a62f.pkg
/var/cache/pkg/wpa_supplicant-2.10_6.pkg
/var/cache/pkg/syslog-ng-3.37.1.pkg
/var/cache/pkg/unbound-1.16.0.pkg
/var/cache/pkg/syslog-ng-3.37.1~98768026d4.pkg
/var/cache/pkg/strongswan-5.9.6_2~6260112c56.pkg
/var/cache/pkg/squid-4.15~c27086003b.pkg
/var/cache/pkg/strongswan-5.9.6_2.pkg
/var/cache/pkg/python39-3.9.13.pkg
/var/cache/pkg/squid-4.15.pkg
/var/cache/pkg/python39-3.9.13~b5d0f3716f.pkg
/var/cache/pkg/py39-cryptography-3.4.8~6ddce83b0d.pkg
/var/cache/pkg/openvpn-2.5.7~01aca630fd.pkg
/var/cache/pkg/py39-cryptography-3.4.8.pkg
/var/cache/pkg/php74-openssl-7.4.30~9669450425.pkg
/var/cache/pkg/php74-openssl-7.4.30.pkg
/var/cache/pkg/opnsense-update-22.1.9~8c1dd641be.pkg
/var/cache/pkg/opnsense-update-22.1.9.pkg
/var/cache/pkg/openvpn-2.5.7.pkg
/var/cache/pkg/openssh-portable-8.9.p1_4,1~fdb7116663.pkg
/var/cache/pkg/ntp-4.2.8p15_5~719fdd4cdd.pkg
/var/cache/pkg/openssh-portable-8.9.p1_4,1.pkg
/var/cache/pkg/openldap24-client-2.4.59_4~ecb33470b6.pkg
/var/cache/pkg/openldap24-client-2.4.59_4.pkg
/var/cache/pkg/cyrus-sasl-2.1.28.pkg
/var/cache/pkg/ntp-4.2.8p15_5.pkg
/var/cache/pkg/mpd5-5.9_9~de33bbccee.pkg
/var/cache/pkg/mpd5-5.9_9.pkg
/var/cache/pkg/monit-5.32.0~a3aefc50bd.pkg
/var/cache/pkg/monit-5.32.0.pkg
/var/cache/pkg/lighttpd-1.4.65~3e4378e989.pkg
/var/cache/pkg/lighttpd-1.4.65.pkg
/var/cache/pkg/libfido2-1.11.0~f3c0e296a0.pkg
/var/cache/pkg/libfido2-1.11.0.pkg
/var/cache/pkg/libevent-2.1.12~fa7d00b681.pkg
/var/cache/pkg/libevent-2.1.12.pkg
/var/cache/pkg/ldns-1.8.1~aab843e76a.pkg
/var/cache/pkg/ldns-1.8.1.pkg
/var/cache/pkg/krb5-1.20~db1413ee8e.pkg
/var/cache/pkg/krb5-1.20.pkg
/var/cache/pkg/isc-dhcp44-server-4.4.2P1_1~5ce4420159.pkg
/var/cache/pkg/hostapd-2.10_5~883681eac4.pkg
/var/cache/pkg/isc-dhcp44-server-4.4.2P1_1.pkg
/var/cache/pkg/hostapd-2.10_5.pkg
/var/cache/pkg/cyrus-sasl-gssapi-2.1.28~d91ea901ff.pkg
/var/cache/pkg/cyrus-sasl-2.1.28~6c510e1dc7.pkg
/var/cache/pkg/cyrus-sasl-gssapi-2.1.28.pkg
/var/cache/pkg/curl-7.84.0~69faf323b5.pkg
/var/cache/pkg/curl-7.84.0.pkg
/var/cache/pkg/cpdup-1.22~60e1aeeb9f.pkg
/var/cache/pkg/cpdup-1.22.pkg
/var/cache/pkg/openssl-1.1.1q,1~9c143ff4ad.pkg
/var/cache/pkg/openssl-1.1.1q,1.pkg
The cleanup will free 36 MiB
Deleting files: ........


I waited 15 min, went in via serial and rebooted. Comes back, but
- tunnels work only in one direction
- "starting webGUI.... failed" (no acces to GUI)
etc pp

I tried

Code Select Expand

opnsense-revert -r 22.1.9 opnsense

rebooted and afterwards updated from console again, reboot, same difference, starting webGUI fails and FW not fully functional.

Is there any way to validate all packages from serial and re-install if necessary?

...what a nightmare.