Recent posts

#1
25.7, 25.10 Series / Re: 25.10.1 not affected by Fr...
Last post by rola - Today at 03:23:41 PM
Quote from: franco on Today at 02:58:04 PM
24 hours is not that much to ask for IMO.
.
.
.
It's out now.

Thank you! Unlike other vendors it's quite fast ;)
#2
We use almost the exact same template.

Only major difference is that mpm-event is used, and not mpm-prefork.

Yet in early tests it did not make a difference, it really did work like a year ago.

Since in my tests now, caddy has also issues, it paints an interesting picture.

Maybe the issue is found outside of apache. Since it always works on linux (ubuntu, sophos UTM), yet not on freebsd (opnsense) anymore, it could be an interaction with pf, or the TCP network stack.
#3
@franco and opnsense team, thank you for keeping us secured
#4
25.7, 25.10 Series / Re: 25.10.1 not affected by Fr...
Last post by franco - Today at 02:58:04 PM
It's out now.


Cheers,
Franco
#5
Announcements / Re: OPNsense 25.10.1 business ...
Last post by franco - Today at 02:57:14 PM
A hotfix release was issued as 25.10.1_2:

o firewall: clean up rules edit cancel button
o firmware: opnsense-update: remove architecture pinning for -X option
o mvc: FilterBaseController: move shared automation rule logic here
o src: e1000: do not enable ASPM L1 without L0s
o src: e1000: bump 82574/82583 PBA to 32K
o src: if_ovpn: use IFT_TUNNEL
o src: ifconfig: bring back -L for netlink
o src: igb: fix VLAN support on VFs
o src: irdma: fix potential memory leak on qhash cqp operation
o src: ix: add support for debug dump for E610 adapters
o src: netmap: fix error handling in nm_os_extmem_create()
o src: pf: reading rules with a read lock on ioctl
o src: pf: relax sctp v_tag verification
o src: pf: handle divert packets
o src: pfsync: fix incorrect unlock during destroy
o src: rtsold: remote code execution via ND6 router advertisements[27]

[27] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc
#6
25.7, 25.10 Series / Re: Version 25.7.9 did not cha...
Last post by kozistan - Today at 02:52:54 PM
The system is aware of the update, as you can see in the pic.

health audit:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.7.9 (amd64) at Fri Dec 19 14:45:56 CET 2025
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.7.8 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7.8 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
SunnyValley (Priority: 7)
>>> Check installed plugins
pkg: warning: database version 37 is newer than libpkg(3) version 36, but still compatible
os-acme-client 4.11
os-cpu-microcode-intel 1.1
os-ddclient 1.28
os-etpro-telemetry 1.8
os-freeradius 1.9.28_1
os-haproxy 4.6_1
os-node_exporter 1.2
os-sensei 2.2.2
os-sensei-agent 2.2.1
os-sensei-updater 1.18
os-sftp-backup 1.1_2
os-sunnyvalley 1.5_1
os-theme-advanced 1.1
os-theme-rebellion 1.9.4
os-theme-vicuna 1.50
os-zerotier 1.3.2_6
>>> Check locked packages
pkg: warning: database version 37 is newer than libpkg(3) version 36, but still compatible
>>> Check for missing package dependencies
pkg: warning: database version 37 is newer than libpkg(3) version 36, but still compatible
Checking all packages: .......... done
>>> Check for missing or altered package files
pkg: warning: database version 37 is newer than libpkg(3) version 36, but still compatible
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" not known to package database.
***DONE***

and GUI update:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.7.9 (amd64) at Fri Dec 19 14:49:38 CET 2025
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 928 packages processed.
Updating SunnyValley repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: ....... done
Processing entries: ..... done
SunnyValley repository update completed. 49 packages processed.
All repositories are up to date.
pkg: warning: database version 37 is newer than libpkg(3) version 36, but still compatible
Checking for upgrades (4 candidates): .... done
Processing candidates (4 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***


@sarkyscouser looks like a different issue here
#7
Well with a depend on CARP option (which does not need any changes to the proxy binary itself) and with eventual Base6Interface radvd, it could work. Yet the scope was never HA setups in the first place, it's a different problem domain that needs the help of radvd to work correctly.
#8
German - Deutsch / Wireguard Peer generator Allow...
Last post by MBatOS - Today at 02:42:56 PM
I have a beginner's question:

Why doesn't the "Peer generator" remember the data for "Allowed IPs" and "Keepalive interval" for the next session when I click "Apply"?

Or, alternatively, where can the default values be set?

Thanks for your help.
#9
That's bad. Hetzner will only assign a public /64 to our external vSwitch. No routing of prefixes is possible.
So we are stuck with port forwarding or Caddy. Not really "the v6 way" ;-)
#10
The NDP proxy cannot be used inside a HA environment at the moment.

To become HA capable, it would need to exchange data between multiple running instances via a network socket, most likely in the scope of KEA's implementation. Though that would imply the proxy is stateful, which it isn't, and there are no plans to create such a data socket for it.

Another way would be a depend on CARP option that starts and stops it depending on CARP status. That could theoretically work in ethernet multi-access networks. Yet the issue with this is the source of the router advertisements, they cannot be a CARP IP address like with radvd.

There are ways to combine it with radvd but right now it's not possible yet because Base6Interface is missing as an option. https://github.com/opnsense/core/issues/9334

All in all, such a setup is not currently possible.