Messages - franco

#2
https://github.com/opnsense/tools/commit/a631e759f7

I republished the netdata package with the option enabled in 25.1.11.

All feedback welcome.


Cheers,
Franco
#3
Thanks, subscribed. Looks like adding the "DASHBOARD" option could fix it so I'll try to do that.


Cheers,
Franco
#4
I think the reboot did it. The rest is configuration. Maybe you stopped ISC manually to let Dnsmasq run.


Cheers,
Franco
#5
Announcements / OPNsense 25.1.11 released
Today at 11:13:23 AM
Oh, hi!

This maintenance release will also be the EoL version for the 25.1 series.
It ships the latest FreeBSD SA/EN patches plus other third party security
updates and a few minor fixes.

We did see issues with the "e2fsprogs-libuuid" dependency lately obsoleted
by FreeBSD ports and while packages such as "netdata" may refuse updating
in the first update it should eventually reinstall correctly using the new
"libuuid" package.  If you see related issues make sure you are not using
multi-repo setups that still provide the obsoleted dependency.

That being said, 25.7-RC1 is already out, but RC2 likely follows tomorrow.
We are still set for a final release date of July 23.  See you on the other
side!

Here are the full patch notes:

o system: fix passing "arguments" as parameters for cron jobs
o dnsmasq: fix DomainIPField to allow IP address to be emptied
o dnsmasq: register DHCPv6 firewall rules as well
o dnsmasq: fix empty dhcp option value spawning stray comma
o firmware: remove unbound/duckdb migration script
o lang: further updates
o openvpn: validate group membership after authentication
o unbound: ignore TXT records for wildcard host entries
o plugins: os-stunnel 1.0.6 adds LDAP and NNTP to supported STARTTLS protocols (contributed by Patrick M. Hausen)
o plugins: os-zabbix-agent 1.16[1]
o plugins: os-zabbix-proxy 1.13[2]
o src: ifconfig: optimise non-listing case with netlink
o src: xz: fix use-after-free in multi-threaded xz decoder[3]
o src: ena: fix misconfiguration when requesting regular LLQ[4]
o src: zfs: fix corruption in ZFS replication streams from encrypted datasets[5]
o src: libc: allow __cxa_atexit handlers to be added during __cxa_finalize[6]
o ports: libxml 2.14.4[7]
o ports: nss 3.113.1[8]
o ports: openssl 3.0.17[9]
o ports: php 8.3.23[10]
o ports: sqlite 3.50.2[11]
o ports: sudo 1.9.17p1[12]
o ports: suricata 7.0.11[13]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/net-mgmt/zabbix-agent/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.1/net-mgmt/zabbix-proxy/pkg-descr
[3] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:06.xz.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-25:11.ena.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-25:10.zfs.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-25:09.libc.asc
[7] https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS
[8] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_113_1.html
[9] https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md
[10] https://www.php.net/ChangeLog-8.php#8.3.23
[11] https://sqlite.org/releaselog/3_50_2.html
[12] https://www.sudo.ws/stable.html#1.9.17p1
[13] https://suricata.io/2025/07/08/suricata-7-0-11-released/
#6
Yep, you are right. I found a few more also:

# opnsense-patch https://github.com/opnsense/core/commit/b90f72c5258

I expect the Tabulator experience to receive further improvements in 25.7.1 and 25.7.2 but I don't think this will be an early-new-dashboard type of experience for most people this time.  ;)


Cheers,
Franco
#7
Hey and thanks for taking a look!

I think you are looking for:

# opnsense-patch https://github.com/opnsense/core/commit/ffdea7f2bb2

If you find other pages with issues let us know :)


Cheers,
Franco
#8
> future release

25.7 to be precise.


Cheers,
Franco
#9
ERROR: ctfconvert: bwiphy.o doesn't have type data to con

ERROR: ctfconvert: ichss.o doesn't have type data to conv

ERROR: ctfconvert: pnphy.o doesn't have type data to conv

ERROR: ctfconvert: efidev.o doesn't have type data to com

ERROR: ctfconvert: dcphy.o doesn't have type data to conv

ERROR: ctfconvert: efirtc.o doesn't have type data to com

ERROR: ctfconvert: bwirf.o doesn't have type data to conv

ERROR: ctfconvert: efirt.o doesn't have type data to conv

ERROR: ctfconvert: if_bwi.o doesn't have type data to con

^C*** Error code 2

That's non-fatal "ERROR"s from the kernel build process.  It's a question for FreeBSD why these are necessary to appear on stderr.

The fact that you pressed CTRL-C makes me wonder why you did not wait for the build to finish?


Cheers,
Franco
#10
Can someone provide the real rub-in here vs. skipping to the change that is technically correct?

At least one person was using multiple aliases in the same rule which is a recent addition which does a different thing on invert, which is documented: https://docs.opnsense.org/manual/firewall.html#basic-settings "You can only invert single sources"

We're either looking at a pf bug or a configuration issue IMO. But still it only appears to affect a fraction of people, so it points to how aliases/rules are being used in conjunction, because I don't believe a flat table that it still is will have issues out of the box.

If you are using the bogons alias to write your own aliases or rules please let us know...


Cheers,
Franco
#11
Announcements / OPNsense 25.7-RC1 released
July 14, 2025, 03:47:44 PM
Hey all,

After a small struggle to finish the release candidate last week, it is
here now with FreeBSD 14.3 and lots of other highlights.  We will promise
to deliver full release notes once 25.7 is released, but for now we need
to get this going.

Keep in mind this is mostly an image-based pre-production test release.
Upgrades from the 25.1.11 development version will be available as soon as
that is out later this week.  An online-only RC2 will probably follow as
well.  The final release date for 25.7 is July 23.

https://pkg.opnsense.org/releases/25.7/

Here are the development highlights since version 25.1 came out:

o Replace the setup wizard with a modern MVC/API variant
o Switch to reusable frontend code
o ChartJS 4 update and related functionality migrations
o User manager CSV export and import option
o New plugin for SFTP configuration backups
o Move frontend grid from Bootgrid to Tabulator
o Optional privilege separation for the web GUI (running as non-root)
o User/group manager adds optional source network constraint
o JSON container support for aliases
o Firewall automation GUI revamp
o Performance improvements when using large amounts of aliases
o Dnsmasq DHCP support for small and medium sized setups
o Support advanced (manual) configurations in Kea
o Add IPv6 support (including prefix delegation) to Kea
o Bridges MVC migration
o Migrate IPsec mobile page to MVC
o Greek as a new language
o FreeBSD 14.3

A more detailed change log will follow!

Migration notes, known issues and limitations:

o Deprecated Google Drive backups due to upstream policy changes and moved to plugins for existing users.
o API URLs registered in the default ACLs have been switched from "camelCase" to "snake_case".
o Reverted tunables "hw.ibrs_disable" and "vm.pmap.pti" to FreeBSD defaults.
o The new wizard still has bugs relating to disabling LAN configuration.
o Moved OpenVPN legacy to plugins as a first step to deprecation.
o Moved IPsec legacy to plugins as a first step to deprecation.

The public key for the 25.7 series is:


Please let us know about your experience!


Stay safe,
Your OPNsense team

--
SHA256 (OPNsense-25.7.r1-dvd-amd64.iso.bz2) = 1e8e874942f6b7293f345e854afcae62baa0b699b09c0dd49d1942f34eadfbfe
SHA256 (OPNsense-25.7.r1-nano-amd64.img.bz2) = f93eacc72c7f75ccfdd2189e4d414fff523f2204c5e11f6ad9c57c55a6c60568
SHA256 (OPNsense-25.7.r1-serial-amd64.img.bz2) = 89602b42f7631dff10cef4303753f9377c0995a0ac3966ef8564fe0414ac6cff
SHA256 (OPNsense-25.7.r1-vga-amd64.img.bz2) = 77e2aeb3acacd7d9d252e30d09463c793ae641cf2938ddd90819529043b5e3e8
#12
do-ip6 is tied to the global IPv6 off switch Interfaces: Settings: Allow IPv6


Cheers,
Franco
#13
You have to understand DHCPv6 cannot control the link-local of the client nor does it care about it so it's a bit tricky to get it to route there without knowing.

However, you can add the link-local as a static mapping and that should make it work...

https://github.com/opnsense/core/commit/3582242d0fe


Cheers,
Franco
#14
This seems ironic, because that page is one of the oldest in the project not having been fundamentally changed for at least a decade.


Cheers,
Franco
#15
/0 effectively means 0.0.0.0/0 which means you merely set a default route for your traffic


Cheers,
Franco