Messages - franco

#1
Announcements / OPNsense 25.7-RC1 released
Today at 03:47:44 PM
Hey all,

After a small struggle to finish the release candidate last week, it is
here now with FreeBSD 14.3 and lots of other highlights.  We will promise
to deliver full release notes once 25.7 is released, but for now we need
to get this going.

Keep in mind this is mostly an image-based pre-production test release.
Upgrades from the 25.1.11 development version will be available as soon as
that is out later this week.  An online-only RC2 will probably follow as
well.  The final release date for 25.7 is July 23.

https://pkg.opnsense.org/releases/25.7/

Here are the development highlights since version 25.1 came out:

o Replace the setup wizard with a modern MVC/API variant
o Switch to reusable frontend code
o ChartJS 4 update and related functionality migrations
o User manager CSV export and import option
o New plugin for SFTP configuration backups
o Move frontend grid from Bootgrid to Tabulator
o Optional privilege separation for the web GUI (running as non-root)
o User/group manager adds optional source network constraint
o JSON container support for aliases
o Firewall automation GUI revamp
o Performance improvements when using large amounts of aliases
o Dnsmasq DHCP support for small and medium sized setups
o Support advanced (manual) configurations in Kea
o Add IPv6 support (including prefix delegation) to Kea
o Bridges MVC migration
o Migrate IPsec mobile page to MVC
o Greek as a new language
o FreeBSD 14.3

A more detailed change log will follow!

Migration notes, known issues and limitations:

o Deprecated Google Drive backups due to upstream policy changes and moved to plugins for existing users.
o API URLs registered in the default ACLs have been switched from "camelCase" to "snake_case".
o Reverted tunables "hw.ibrs_disable" and "vm.pmap.pti" to FreeBSD defaults.
o The new wizard still has bugs relating to disabling LAN configuration.
o Moved OpenVPN legacy to plugins as a first step to deprecation.
o Moved IPsec legacy to plugins as a first step to deprecation.

The public key for the 25.7 series is:

-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----

Please let us know about your experience!


Stay safe,
Your OPNsense team

--
SHA256 (OPNsense-25.7.r1-dvd-amd64.iso.bz2) = 1e8e874942f6b7293f345e854afcae62baa0b699b09c0dd49d1942f34eadfbfe
SHA256 (OPNsense-25.7.r1-nano-amd64.img.bz2) = f93eacc72c7f75ccfdd2189e4d414fff523f2204c5e11f6ad9c57c55a6c60568
SHA256 (OPNsense-25.7.r1-serial-amd64.img.bz2) = 89602b42f7631dff10cef4303753f9377c0995a0ac3966ef8564fe0414ac6cff
SHA256 (OPNsense-25.7.r1-vga-amd64.img.bz2) = 77e2aeb3acacd7d9d252e30d09463c793ae641cf2938ddd90819529043b5e3e8
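The announcement above publishes one `SHA256 (file) = hash` line per image. As an added example (not part of the announcement and not OPNsense's own tooling), the POSIX sh script below parses lines in exactly that format and checks a downloaded file against them, falling back across the sha256 tools found on FreeBSD, Linux and macOS. The file name and hash used in the demo at the bottom are constructed for illustration, not taken from the release.

```shell
#!/bin/sh
# Added example: verify a downloaded image against a "SHA256 (name) = hex"
# line as printed in an OPNsense release announcement. Not project code.

sha256_of() {
    # Print the lowercase hex SHA-256 of file $1 with whatever tool exists:
    # sha256sum (Linux), sha256 (FreeBSD), shasum (macOS), openssl (fallback).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

verify_manifest_line() {
    # $1: one manifest line, e.g. 'SHA256 (OPNsense-25.7.r1-dvd-amd64.iso.bz2) = 1e8e...'
    # $2: directory that holds the downloaded file
    # Exit status: 0 match, 1 hash mismatch, 2 file missing, 3 malformed line.
    line=$1
    dir=$2
    # BSD-style digest line: literal "SHA256 (", the file name, ") = ", 64 hex chars.
    name=$(printf '%s\n' "$line" | sed -n 's/^SHA256 (\(.*\)) = \([0-9a-f]\{64\}\)$/\1/p')
    want=$(printf '%s\n' "$line" | sed -n 's/^SHA256 (\(.*\)) = \([0-9a-f]\{64\}\)$/\2/p')
    [ -n "$name" ] && [ -n "$want" ] || return 3
    [ -f "$dir/$name" ] || return 2
    got=$(sha256_of "$dir/$name")
    # Compare as strings; both sides are lowercase hex.
    [ "$got" = "$want" ]
}

# Stand-alone demo on a constructed file (content "hello\n", whose SHA-256 is
# the well-known 5891b5b5...). Real use: paste the lines from the announcement.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/OPNsense-demo-amd64.img.bz2"
demo_line='SHA256 (OPNsense-demo-amd64.img.bz2) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'
if verify_manifest_line "$demo_line" "$demo_dir"; then
    echo "OK   OPNsense-demo-amd64.img.bz2"
else
    echo "FAIL OPNsense-demo-amd64.img.bz2 (status $?)"
fi
rm -rf "$demo_dir"
```

A matching checksum only shows the download is the file the announcement describes; it does not by itself prove who published it, since the checksum list and the image come from the same place. The public key printed above is the piece that authenticates the images through the project's signature files, so treat the checksum as a corruption check and the signature check as the trust decision.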
#2
do-ip6 is tied to the global IPv6 off switch Interfaces: Settings: Allow IPv6


Cheers,
Franco
#3
You have to understand DHCPv6 cannot control the link-local of the client nor does it care about it so it's a bit tricky to get it to route there without knowing.

However, you can add the link-local as a static mapping and that should make it work...

https://github.com/opnsense/core/commit/3582242d0fe


Cheers,
Franco
#4
This seems ironic, because that page is one of the oldest in the project not having been fundamentally changed for at least a decade.


Cheers,
Franco
#5
/0 effectively means 0.0.0.0/0 which means you merely set a default route for your traffic


Cheers,
Franco
#6
How about this then:

# opnsense-patch https://github.com/opnsense/plugins/commit/2d22b81af


Cheers,
Franco
#7
>  telegraf that is installed with 25.1.10 considers it a config error and stops config from loading

We have entered the software era of make it and break it for no reason other than annoying users? I mean ignoring the setting is out of the question? Geez.


Cheers,
Franco
#8
Hey and welcome,

Haven't had any complaints on 6RD for a while now so this is a bit unexpected.

Not sure why LAN would have a default route. Easiest first check is System: Gateways: Configuration and see the auto-generated gateway for 6RD which needs to be marked as "Upstream Gateway".

Does a LAN gateway exist there?


Cheers,
Franco
#10
Announcements / OPNsense 25.1.10 released
July 01, 2025, 12:08:04 PM
Hey,

We are getting close to 25.7.  In fact, the release date is July 23.
As such minimal changes are going into this stable release for the
usual reasons.

Expecting a quick release candidate in two weeks while we piece together
the individual changes that will make the next release series a distinct
step forward: privilege separation capability, latest and greatest FreeBSD
related updates, easier than ever MVC programming experience, a new UI
grid framework named Tabulator etc.

Here are the full patch notes:

o system: reduce future maintenance load in privilege separation efforts
o interfaces: remove unused "friendly" value from get_interface_list()
o interfaces: fix escaping in refactored bridge code
o interfaces: fix bridge SPAN support
o interfaces: add update mode to ifctl
o firewall: fix issue with event binding in rule automation page
o dnsmasq: implement domain type to select between adding domain to range or interface
o dnsmasq: dhcp-host are allowed to have duplicate partial IPv6 addresses
o unbound: improve the chroot mounting code to avoid excessive (un)mount calls
o lang: update language translations to their latest state
o mvc: eventually phase out getCurrentValue() in favour of getValue()
o plugins: os-caddy 2.0.2
o ports: libxml2 fixes for recent CVEs
o ports: nss 3.113
o ports: phpseclib 3.0.46
o ports: py-duckdb 1.3.1
o ports: sudo 1.9.17

Stay safe and cool,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[2] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_113.html
[3] https://github.com/duckdb/duckdb/releases/tag/v1.3.1
[4] https://www.sudo.ws/stable.html#1.9.17
#11
Given the fact that OpenVPN has always been very pedantic about that particular input I think all there is left to do here is add the correct validation?


Cheers,
Franco
#12
General Discussion / Re: bridge span port
July 01, 2025, 10:05:56 AM
It's a bug we're fixing today in 25.1.10.


Cheers,
Franco
#13
The base isn't the problem. The real problem is that your packages are stuck at 24.1 while the base and kernel successfully upgraded to 24.7.

You can try this instead:

# opnsense-bootstrap -r 24.7


Given the critical nature of a major OS upgrade underneath from FreeBSD 13 to 14, consider the possibility that it may not be successful since the first attempt also failed. Likely for reasons of third party plugins installed or manual ports installs. Unfortunately these things get complicated quickly.


Cheers,
Franco
#14
General Discussion / Re: Authentik SSO
June 25, 2025, 10:36:56 AM
Hi,

At the moment it's not planned, but it's not set in stone either. The plugin hooks are open so contributions to community edition for other SSOs are also possible.


Cheers,
Franco
#15
General Discussion / Re: Authentik SSO
June 24, 2025, 12:43:20 PM
OIDC will be supported starting with the 25.10 business edition.


Cheers,
Franco