Recent posts

#1
26.1, 26,4 Series / Re: Opnsense 26.1 installed o...
Last post by franco - Today at 06:56:16 AM
You don't need anything in /boot/loader.conf.local if the settings in config.xml are correct. EC2 is very pedantic about it.



Cheers,
Franco
#2
I think something associating actual addresses with loopback in 15.1 is a real thing of unknown proportions. It's definitely not core code doing this.


Cheers,
Franco
#3
The loopback device might have a network that overlaps with a network of a normal interface.

eg if loopback has 192.168.0.1/16 and your real LAN interface has 192.168.1.1/24 all DHCP leases would probably show as loopback owned.
#4
General Discussion / Re: Periodic NIC issues (?) wi...
Last post by fornax - Today at 06:03:16 AM
Quote from: tuto2 on July 01, 2026, 02:06:43 PMWhile having a look at this issue, I noticed a potential bug in the iflib code making an automatic reset in case of a TX hang impossible, a custom kernel has been published which resolves this (though likely not the final patch version). Would you mind installing this kernel to see if this changes anything about the issue?

Ok, reverted all tunables to defaults this morning and installed this kernel. Didn't have to wait long. The issue just popped up again. Again it was a down/up on the LAN interface (igc0) that resolved it. I do not see any references to watchdog timeouts, or indeed anything other that my work this morning and the reset I just did in dmesg or syslog. Here's the sysctl output on the interface while the issue was happening:

dev.igc.0.interrupts.rx_desc_min_thresh: 0
dev.igc.0.interrupts.asserts: 2544406
dev.igc.0.mac_stats.tso_txd: 0
dev.igc.0.mac_stats.tx_frames_1024_1522: 3606676
dev.igc.0.mac_stats.tx_frames_512_1023: 14052
dev.igc.0.mac_stats.tx_frames_256_511: 17180
dev.igc.0.mac_stats.tx_frames_128_255: 26586
dev.igc.0.mac_stats.tx_frames_65_127: 105743
dev.igc.0.mac_stats.tx_frames_64: 5542
dev.igc.0.mac_stats.mcast_pkts_txd: 2184
dev.igc.0.mac_stats.bcast_pkts_txd: 83
dev.igc.0.mac_stats.good_pkts_txd: 3775779
dev.igc.0.mac_stats.total_pkts_txd: 3775779
dev.igc.0.mac_stats.good_octets_txd: 5499410065
dev.igc.0.mac_stats.good_octets_recvd: 179427410
dev.igc.0.mac_stats.rx_frames_1024_1522: 28848
dev.igc.0.mac_stats.rx_frames_512_1023: 11786
dev.igc.0.mac_stats.rx_frames_256_511: 10339
dev.igc.0.mac_stats.rx_frames_128_255: 22011
dev.igc.0.mac_stats.rx_frames_65_127: 1596460
dev.igc.0.mac_stats.rx_frames_64: 26780
dev.igc.0.mac_stats.mcast_pkts_recvd: 3350
dev.igc.0.mac_stats.bcast_pkts_recvd: 44496
dev.igc.0.mac_stats.good_pkts_recvd: 1696224
dev.igc.0.mac_stats.total_pkts_recvd: 1705605
dev.igc.0.mac_stats.mgmt_pkts_txd: 0
dev.igc.0.mac_stats.mgmt_pkts_drop: 0
dev.igc.0.mac_stats.mgmt_pkts_recvd: 0
dev.igc.0.mac_stats.unsupported_fc_recvd: 0
dev.igc.0.mac_stats.xoff_txd: 0
dev.igc.0.mac_stats.xoff_recvd: 0
dev.igc.0.mac_stats.xon_txd: 0
dev.igc.0.mac_stats.xon_recvd: 0
dev.igc.0.mac_stats.alignment_errs: 0
dev.igc.0.mac_stats.crc_errs: 0
dev.igc.0.mac_stats.recv_errs: 0
dev.igc.0.mac_stats.recv_jabber: 0
dev.igc.0.mac_stats.recv_oversize: 0
dev.igc.0.mac_stats.recv_fragmented: 0
dev.igc.0.mac_stats.recv_undersize: 0
dev.igc.0.mac_stats.recv_no_buff: 0
dev.igc.0.mac_stats.recv_length_errors: 0
dev.igc.0.mac_stats.missed_packets: 197
dev.igc.0.mac_stats.defer_count: 0
dev.igc.0.mac_stats.sequence_errors: 0
dev.igc.0.mac_stats.symbol_errors: 0
dev.igc.0.mac_stats.collision_count: 0
dev.igc.0.mac_stats.late_coll: 0
dev.igc.0.mac_stats.multiple_coll: 0
dev.igc.0.mac_stats.single_coll: 0
dev.igc.0.mac_stats.excess_coll: 0
dev.igc.0.queue_rx_3.rx_irq: 0
dev.igc.0.queue_rx_3.rxd_tail: 612
dev.igc.0.queue_rx_3.rxd_head: 613
dev.igc.0.queue_rx_3.interrupt_rate: 20832
dev.igc.0.queue_rx_2.rx_irq: 0
dev.igc.0.queue_rx_2.rxd_tail: 368
dev.igc.0.queue_rx_2.rxd_head: 369
dev.igc.0.queue_rx_2.interrupt_rate: 20832
dev.igc.0.queue_rx_1.rx_irq: 0
dev.igc.0.queue_rx_1.rxd_tail: 830
dev.igc.0.queue_rx_1.rxd_head: 830
dev.igc.0.queue_rx_1.interrupt_rate: 4032
dev.igc.0.queue_rx_0.rx_irq: 0
dev.igc.0.queue_rx_0.rxd_tail: 605
dev.igc.0.queue_rx_0.rxd_head: 606
dev.igc.0.queue_rx_0.interrupt_rate: 20832
dev.igc.0.queue_tx_3.tx_irq: 0
dev.igc.0.queue_tx_3.txd_tail: 173
dev.igc.0.queue_tx_3.txd_head: 173
dev.igc.0.queue_tx_3.interrupt_rate: 20832
dev.igc.0.queue_tx_2.tx_irq: 0
dev.igc.0.queue_tx_2.txd_tail: 1000
dev.igc.0.queue_tx_2.txd_head: 1000
dev.igc.0.queue_tx_2.interrupt_rate: 20832
dev.igc.0.queue_tx_1.tx_irq: 0
dev.igc.0.queue_tx_1.txd_tail: 46
dev.igc.0.queue_tx_1.txd_head: 46
dev.igc.0.queue_tx_1.interrupt_rate: 4032
dev.igc.0.queue_tx_0.tx_irq: 0
dev.igc.0.queue_tx_0.txd_tail: 735
dev.igc.0.queue_tx_0.txd_head: 735
dev.igc.0.queue_tx_0.interrupt_rate: 20832
dev.igc.0.fc_low_water: 32752
dev.igc.0.fc_high_water: 32768
dev.igc.0.rx_control: 71335938
dev.igc.0.device_control: 1075578433
dev.igc.0.watchdog_timeouts: 0
dev.igc.0.rx_overruns: 0
dev.igc.0.link_irq: 3
dev.igc.0.dropped: 0
dev.igc.0.eee_control: 1
dev.igc.0.tso_tcp_flags_mask_last_segment: 3967
dev.igc.0.tso_tcp_flags_mask_middle_segment: 3958
dev.igc.0.tso_tcp_flags_mask_first_segment: 4086
dev.igc.0.dmac: 0
dev.igc.0.rs_dump: 0
dev.igc.0.reg_dump: General Registers
        CTRL     401c0641
        STATUS   00380683
        CTRL_EXIT        100000c0

Interrupt Registers
        ICR      00000000

RX Registers
        RCTL     04408002
        RDLEN    00004000
        RDH      0000025e
        RDT      0000025d
        RXDCTL   02040808
        RDBAL    75d88000
        RDBAH    00000000

TX Registers
        TCTL     a503f0fa
        TDBAL    750f8000
        TDBAH    00000000
        TDLEN    00004000
        TDH      000002df
        TDT      000002df
        TXDCTL   0201011f
        TDFH     00000000
        TDFT     00000000
        TDFHS    00000000
        TDFPC    00000000


dev.igc.0.fc: 3
dev.igc.0.debug: -1
dev.igc.0.fw_version: EEPROM V2.17-0 eTrack 0x80000303
dev.igc.0.enable_aim: 1
dev.igc.0.nvm: -1
dev.igc.0.iflib.rxq3.rxq_fl0.buf_size: 2048
dev.igc.0.iflib.rxq3.rxq_fl0.credits: 1023
dev.igc.0.iflib.rxq3.rxq_fl0.cidx: 613
dev.igc.0.iflib.rxq3.rxq_fl0.pidx: 612
dev.igc.0.iflib.rxq3.cpu: 3
dev.igc.0.iflib.rxq2.rxq_fl0.buf_size: 2048
dev.igc.0.iflib.rxq2.rxq_fl0.credits: 1023
dev.igc.0.iflib.rxq2.rxq_fl0.cidx: 369
dev.igc.0.iflib.rxq2.rxq_fl0.pidx: 368
dev.igc.0.iflib.rxq2.cpu: 2
dev.igc.0.iflib.rxq1.rxq_fl0.buf_size: 2048
dev.igc.0.iflib.rxq1.rxq_fl0.credits: 1023
dev.igc.0.iflib.rxq1.rxq_fl0.cidx: 831
dev.igc.0.iflib.rxq1.rxq_fl0.pidx: 830
dev.igc.0.iflib.rxq1.cpu: 1
dev.igc.0.iflib.rxq0.rxq_fl0.buf_size: 2048
dev.igc.0.iflib.rxq0.rxq_fl0.credits: 1023
dev.igc.0.iflib.rxq0.rxq_fl0.cidx: 606
dev.igc.0.iflib.rxq0.rxq_fl0.pidx: 605
dev.igc.0.iflib.rxq0.cpu: 0
dev.igc.0.iflib.txq3.r_abdications: 0
dev.igc.0.iflib.txq3.r_restarts: 0
dev.igc.0.iflib.txq3.r_stalls: 0
dev.igc.0.iflib.txq3.r_starts: 256058
dev.igc.0.iflib.txq3.r_drops: 0
dev.igc.0.iflib.txq3.r_enqueues: 256060
dev.igc.0.iflib.txq3.ring_state: pidx_head: 0060 pidx_tail: 0060 cidx: 0060 state: IDLE
dev.igc.0.iflib.txq3.txq_cleaned: 512129
dev.igc.0.iflib.txq3.txq_processed: 512169
dev.igc.0.iflib.txq3.txq_in_use: 44
dev.igc.0.iflib.txq3.txq_cidx_processed: 169
dev.igc.0.iflib.txq3.txq_cidx: 129
dev.igc.0.iflib.txq3.txq_pidx: 173
dev.igc.0.iflib.txq3.no_tx_dma_setup: 0
dev.igc.0.iflib.txq3.txd_encap_efbig: 0
dev.igc.0.iflib.txq3.tx_map_failed: 0
dev.igc.0.iflib.txq3.no_desc_avail: 0
dev.igc.0.iflib.txq3.mbuf_defrag_failed: 0
dev.igc.0.iflib.txq3.m_pullups: 0
dev.igc.0.iflib.txq3.mbuf_defrag: 0
dev.igc.0.iflib.txq3.cpu: 3
dev.igc.0.iflib.txq2.r_abdications: 0
dev.igc.0.iflib.txq2.r_restarts: 0
dev.igc.0.iflib.txq2.r_stalls: 0
dev.igc.0.iflib.txq2.r_starts: 195065
dev.igc.0.iflib.txq2.r_drops: 0
dev.igc.0.iflib.txq2.r_enqueues: 195065
dev.igc.0.iflib.txq2.ring_state: pidx_head: 0505 pidx_tail: 0505 cidx: 0505 state: IDLE
dev.igc.0.iflib.txq2.txq_cleaned: 390078
dev.igc.0.iflib.txq2.txq_processed: 390118
dev.igc.0.iflib.txq2.txq_in_use: 42
dev.igc.0.iflib.txq2.txq_cidx_processed: 998
dev.igc.0.iflib.txq2.txq_cidx: 958
dev.igc.0.iflib.txq2.txq_pidx: 1000
dev.igc.0.iflib.txq2.no_tx_dma_setup: 0
dev.igc.0.iflib.txq2.txd_encap_efbig: 0
dev.igc.0.iflib.txq2.tx_map_failed: 0
dev.igc.0.iflib.txq2.no_desc_avail: 0
dev.igc.0.iflib.txq2.mbuf_defrag_failed: 0
dev.igc.0.iflib.txq2.m_pullups: 0
dev.igc.0.iflib.txq2.mbuf_defrag: 0
dev.igc.0.iflib.txq2.cpu: 2
dev.igc.0.iflib.txq1.r_abdications: 0
dev.igc.0.iflib.txq1.r_restarts: 0
dev.igc.0.iflib.txq1.r_stalls: 0
dev.igc.0.iflib.txq1.r_starts: 3023378
dev.igc.0.iflib.txq1.r_drops: 0
dev.igc.0.iflib.txq1.r_enqueues: 3023383
dev.igc.0.iflib.txq1.ring_state: pidx_head: 0535 pidx_tail: 0535 cidx: 0535 state: IDLE
dev.igc.0.iflib.txq1.txq_cleaned: 6046724
dev.igc.0.iflib.txq1.txq_processed: 6046764
dev.igc.0.iflib.txq1.txq_in_use: 42
dev.igc.0.iflib.txq1.txq_cidx_processed: 44
dev.igc.0.iflib.txq1.txq_cidx: 4
dev.igc.0.iflib.txq1.txq_pidx: 46
dev.igc.0.iflib.txq1.no_tx_dma_setup: 0
dev.igc.0.iflib.txq1.txd_encap_efbig: 0
dev.igc.0.iflib.txq1.tx_map_failed: 0
dev.igc.0.iflib.txq1.no_desc_avail: 0
dev.igc.0.iflib.txq1.mbuf_defrag_failed: 0
dev.igc.0.iflib.txq1.m_pullups: 0
dev.igc.0.iflib.txq1.mbuf_defrag: 0
dev.igc.0.iflib.txq1.cpu: 1
dev.igc.0.iflib.txq0.r_abdications: 0
dev.igc.0.iflib.txq0.r_restarts: 0
dev.igc.0.iflib.txq0.r_stalls: 0
dev.igc.0.iflib.txq0.r_starts: 301485
dev.igc.0.iflib.txq0.r_drops: 0
dev.igc.0.iflib.txq0.r_enqueues: 301488
dev.igc.0.iflib.txq0.ring_state: pidx_head: 0432 pidx_tail: 0432 cidx: 0432 state: IDLE
dev.igc.0.iflib.txq0.txq_cleaned: 602805
dev.igc.0.iflib.txq0.txq_processed: 602845
dev.igc.0.iflib.txq0.txq_in_use: 42
dev.igc.0.iflib.txq0.txq_cidx_processed: 733
dev.igc.0.iflib.txq0.txq_cidx: 693
dev.igc.0.iflib.txq0.txq_pidx: 735
dev.igc.0.iflib.txq0.no_tx_dma_setup: 0
dev.igc.0.iflib.txq0.txd_encap_efbig: 0
dev.igc.0.iflib.txq0.tx_map_failed: 0
dev.igc.0.iflib.txq0.no_desc_avail: 0
dev.igc.0.iflib.txq0.mbuf_defrag_failed: 0
dev.igc.0.iflib.txq0.m_pullups: 3
dev.igc.0.iflib.txq0.mbuf_defrag: 0
dev.igc.0.iflib.txq0.cpu: 0
dev.igc.0.iflib.override_nrxds: 0
dev.igc.0.iflib.override_ntxds: 0
dev.igc.0.iflib.allocated_msix_vectors: 5
dev.igc.0.iflib.use_extra_msix_vectors: 0
dev.igc.0.iflib.use_logical_cores: 0
dev.igc.0.iflib.separate_txrx: 0
dev.igc.0.iflib.core_offset: 0
dev.igc.0.iflib.tx_abdicate: 0
dev.igc.0.iflib.rx_budget: 0
dev.igc.0.iflib.disable_msix: 0
dev.igc.0.iflib.override_qs_enable: 0
dev.igc.0.iflib.override_nrxqs: 0
dev.igc.0.iflib.override_ntxqs: 0
dev.igc.0.iflib.driver_version: 1
dev.igc.0.%iommu: rid=0x100
dev.igc.0.%parent: pci1
dev.igc.0.%pnpinfo: vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000 class=0x020000
dev.igc.0.%location: slot=0 function=0 dbsf=pci0:1:0:0
dev.igc.0.%driver: igc
dev.igc.0.%desc: Intel(R) Ethernet Controller I226-V
#5
General Discussion / Re: Periodic NIC issues (?) wi...
Last post by BrandyWine - Today at 04:54:19 AM
Quote from: tuto2 on July 01, 2026, 02:06:43 PMWhile having a look at this issue, I noticed a potential bug in the iflib code making an automatic reset in case of a TX hang impossible, a custom kernel has been published which resolves this (though likely not the final patch version). Would you mind installing this kernel to see if this changes anything about the issue?
Has the 226's NVM been updated?

Before installing new kernel,
I would try (from ssh or in a start script)
ifconfig igc0 -rxcsum -txcsum -rxcsum6 -txcsum6
ifconfig igc1 -rxcsum -txcsum -rxcsum6 -txcsum6
should be no need to down/up the device

Then monitor.

Offloading puts the function into hardware.

Disabled or not, iflib sits between kernel and driver. So the functional test logic may be:
1) Disabling offload runs ok, then the issue is likely igc/nic problem.
2) Disabling offload & issue comes back, this points to something else, maybe iflib.c
#6
Finally (in a sense) my bad 100% - everything seems related to config.xml and /boot/loader.conf "vanilla" coming from the distribution
Must be heavily edited

Not the /usr/local/etc/config.xml but /conf/config.xml
Here I added the required configurations (oversimplified for a start)
<webgui>
      <protocol>https</protocol>
      <nohttpreferercheck>1</nohttpreferercheck>
      <nodnsrebindcheck>1</nodnsrebindcheck>
</webgui>

<system>
  ...
  <serialspeed>115200</serialspeed>
  <primaryconsole>serial</primaryconsole>
  <secondaryconsole>video</secondaryconsole>
  <ssh>
    <enabled>enabled</enabled>
    <passwordauth>1</passwordauth>
    <permitrootlogin>1</permitrootlogin>
    <port>22</port>
  </ssh>
  ...
</system>

And in /boot/loader.conf.local
# dynamically generated console settings follow
comconsole_speed="115200"
boot_multicons="YES"
boot_serial="YES"
console="comconsole,vidconsole"

ssh access was still not working for a bizarre reason the outbound rule was not present in Firewall / rules / wan (or lan)
Added by hand in WebGUI

Now the console, ssh and webgui work

#7
Yeah probably not. Though I assume the config.xml would be translated somehow to the kea config. Though I am not entirely sure why it is grouping it this way yet. It is peculiar, but out of box, so maybe a bug, maybe not related here to the release but hard to know.
#8
Are these issues possibly related? https://github.com/opnsense/core/issues/10512

I'm only making the connection because of the loopback device.  At least in the linked issue @franco attributes it to a possible OS regression.


Editing myself... I don't think leases have much to do with routes.
#9
General Discussion / Re: Periodic NIC issues (?) wi...
Last post by OPNenthu - Today at 02:45:56 AM
Quote from: meyergru on July 09, 2026, 11:10:48 PMMaybe there will eventually be a fix for this: https://github.com/freebsd/freebsd-src/pull/2318

Looking forward to trying this when available in OPNsense!  Packet loss has been a constant companion, as are random stream disconnects, but interface statistics tell a different story (all clean).

🤞
#10
Thank you in advance for advice, in case people in this forum succeeded in installing "from scratch" Opnsense on AWS EC2 (i.e. not by using the commercial Opnsense AMI).

Followed an older post (only one I found on the topic : https://edepree.com/2020/08/02/installing-opnsense-on-lightsail.html) but this is for Opnsense 20.1 and FreeBSD 12 which is no longer available on AWS.

Details below

su
pkg install wget
wget https://raw.githubusercontent.com/opnsense/update/master/src/bootstrap/opnsense-bootstrap.sh.in
!!! comment out the reboot at the end
chmod +x opnsense-bootstrap.sh.in
sh ./opnsense-bootstrap.sh.in -r 26.1


Installing Opnsense 26.1 on FreeBSD 14 AMI (AWS) on EC2 (t3.micro or t3.small) works fine
...
Message from opnsense-26.1.11_6:

--
One step ahead, one step behind it, now you gotta run to get even
Fetching base-26.1.11-amd64.txz: ............ done
Fetching kernel-26.1.11-amd64.txz: ...... done
...
3. Prevent the standard FreeBSD syslogd from starting automatically by
   adding a line to the end of your /etc/rc.conf file that reads:
        syslogd_enable="NO"
4. Shut down the standard FreeBSD syslogd:
     kill `cat /var/run/syslog.pid`
5. Start syslog-ng:
     /usr/local/etc/rc.d/syslog-ng start
=====
Message from opnsense-26.1.11_6:
--
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Installing kernel-26.1.11-amd64.txz... done
Installing base-26.1.11-amd64.txz... done
Cleaning obsolete files... done
Please reboot.
root@freebsd:/home/ec2-user #

At this point the VM has 2 ENI (WAN=10.10.1.5, LAN=10.10.2.5) and I edited /usr/local/etc/config.xml (as per the post above) the LAN entry under   <interfaces> before rebooting
Original
    <wan>
      <enable>1</enable>
      <if>mismatch1</if>
      <mtu/>
      <ipaddr>dhcp</ipaddr>
      <ipaddrv6>dhcp6</ipaddrv6>
      <subnet/>
      <gateway/>
      <blockpriv>1</blockpriv>
      <blockbogons>1</blockbogons>
      <dhcphostname/>
      <media/>
      <mediaopt/>
      <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
    </wan>
    <lan>
      <enable>1</enable>
      <if>mismatch0</if>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>idassoc6</ipaddrv6>
      <subnetv6>64</subnetv6>
      <media/>
      <mediaopt/>
      <track6-interface>wan</track6-interface>
      <track6-prefix-id>0</track6-prefix-id>
    </lan>

Modified

    <wan>
      <enable>1</enable>
      <if>mismatch1</if>
      <mtu/>
      <ipaddr>dhcp</ipaddr>
      <subnet/>
      <gateway/>
      <blockpriv>1</blockpriv>
      <blockbogons>1</blockbogons>
      <dhcphostname/>
      <media/>
      <mediaopt/>
    </wan>
    <lan>
      <enable>1</enable>
      <if>mismatch0</if>
      <ipaddr>dhcp</ipaddr>
      <subnet/>
      <media/>
      <mediaopt/>
    </lan>

Also to make sure the serial console remains available:
root@freebsd:/home/ec2-user # cat /boot/loader.conf.local
kern.vty=sc
kern.tty.comconsole="sc"

At this point I reboot and will get in the initial configuration, then hangs here in the console without getting in the menu

OPNsense.localdomain kernel - - [meta sequenceId="8"] <118>Service `sysctl' has been restarted.
OPNsense.localdomain kernel - - [meta sequenceId="9"] <118>>>> Invoking start script 'beep'
OPNsense.localdomain kernel - - [meta sequenceId="10"] <118>Root file system: /dev/gpt/rootfs
OPNsense.localdomain kernel - - [meta sequenceId="11"] <118>Thu Jul  9 18:13:32 UTC 2026
OPNsense.localdomain kernel - - [meta sequenceId="12"] <118>
OPNsense.localdomain kernel - - [meta sequenceId="13"] <118>*** OPNsense.localdomain: OPNsense 24.1.10_8 ***
OPNsense.localdomain kernel - - [meta sequenceId="14"] <118>
OPNsense.localdomain kernel - - [meta sequenceId="15"] <118> LAN (ena1)      -> v4/DHCP4: 10.10.2.5/24
OPNsense.localdomain kernel - - [meta sequenceId="16"] <118> WAN (ena0)      -> v4/DHCP4: 10.10.1.5/24
OPNsense.localdomain kernel - - [meta sequenceId="17"] <118>


 HTTPS: SHA256 42 17 B5 44 80 FE 11 27 C7 53 97 DD 1E 94 BA 24
               F6 53 14 77 66 C0 60 6A D6 E0 91 49 8B 0F AC 25

Also at this point ssh and  https connections to the WAN and LAN public IP fail with timeout and the only way I have to see what happened is to detach the root disk, attach it as data to another VM and look at the logs.  But looking at the system (/var/log/system_20260709.log) and filter (/var/log/filter_20260709.log) logs the system is not dead after printing the fingerprint at the console, the firewall seems to just block SSH and HTTPS to the WAN interface

system_20260709.log
...
OPNsense.localdomain kernel - - [meta sequenceId="18"] <118> HTTPS: SHA256 97 CC 6F 8F 2C 74 F7 F7 A0 E3 06 56 DE 6B 89 D3
OPNsense.localdomain kernel - - [meta sequenceId="19"] <118>               C2 C3 CC 3A 18 46 B4 0D 8C 27 DF E0 C9 2A B0 F5
OPNsense.localdomain opnsense 88982 - [meta sequenceId="20"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : opendns_configure_do())
OPNsense.localdomain opnsense 88982 - [meta sequenceId="21"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : openssh_configure_do(,lan))
OPNsense.localdomain opnsense 88982 - [meta sequenceId="22"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : unbound_configure_do(,lan))
OPNsense.localdomain opnsense 88982 - [meta sequenceId="23"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : vxlan_configure_do())
OPNsense.localdomain opnsense 88982 - [meta sequenceId="24"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : webgui_configure_do(,lan))
OPNsense.localdomain opnsense 88982 - [meta sequenceId="25"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : wireguard_sync(,lan))
OPNsense.localdomain opnsense 92965 - [meta sequenceId="26"] /usr/local/etc/rc.newwanip: The command '/usr/local/sbin/ntpd -g -c '/var/etc/ntpd.conf'' returned exit code '1', th
OPNsense.localdomain opnsense 92965 - [meta sequenceId="27"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : opendns_configure_do())
OPNsense.localdomain opnsense 92965 - [meta sequenceId="28"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : openssh_configure_do(,wan))
OPNsense.localdomain opnsense 92965 - [meta sequenceId="29"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : unbound_configure_do(,wan))
OPNsense.localdomain opnsense 92965 - [meta sequenceId="30"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : vxlan_configure_do())
OPNsense.localdomain opnsense 92965 - [meta sequenceId="31"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : webgui_configure_do(,wan))
OPNsense.localdomain opnsense 92965 - [meta sequenceId="32"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : wireguard_sync(,wan))
OPNsense.localdomain opnsense 88982 - [meta sequenceId="33"] /usr/local/etc/rc.newwanip: The command '/usr/sbin/daemon -f -p '/var/run/updaterrd.pid' '/var/db/rrd/updaterrd.sh''

filter_20260709.log
OPNsense.localdomain filterlog 25056 - [meta sequenceId="1"] 51,,,c6449923fcfe3ab76e49d9391c552b90,ena1,match,pass,in,4,0x0,,255,0,0,DF,17,udp,576,10.10.2.1,10.10.2.5,67,68,556
OPNsense.localdomain filterlog 25056 - [meta sequenceId="2"] 59,,,f994f615e00b8be0042263f86c79913f,ena0,match,pass,in,4,0x0,,255,0,0,DF,17,udp,576,10.10.1.1,10.10.1.5,67,68,556
OPNsense.localdomain filterlog 99278 - [meta sequenceId="3"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,170.247.170.2,17143,53,36
OPNsense.localdomain filterlog 99278 - [meta sequenceId="4"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,192.112.36.4,39965,53,36
OPNsense.localdomain filterlog 99278 - [meta sequenceId="5"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,198.97.190.53,36777,53,36
OPNsense.localdomain filterlog 99278 - [meta sequenceId="6"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,199.7.83.42,19529,53,36
OPNsense.localdomain filterlog 99278 - [meta sequenceId="7"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,192.36.148.17,46699,53,36
OPNsense.localdomain filterlog 99278 - [meta sequenceId="8"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,199.7.83.42,43062,53,36
OPNsense.localdomain filterlog 99278 - [meta sequenceId="9"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,192.36.148.17,11280,53,36

... and can see SSH and HTTPS are blocked by the firewall
OPNsense.localdomain filterlog 72498 - [meta sequenceId="49"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0xb8,,64,62599,0,none,17,udp,76,10.10.2.5,138.197.135.239,123,123,56
OPNsense.localdomain filterlog 72498 - [meta sequenceId="50"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21014,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,55978,22,0,S,1116859751,,64240,,mss;nop;wscale;nop;nop;sackOK
OPNsense.localdomain filterlog 72498 - [meta sequenceId="51"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21015,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,55978,22,0,S,1116859751,,64240,,mss;nop;wscale;nop;nop;sackOK
OPNsense.localdomain filterlog 72498 - [meta sequenceId="52"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21016,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,55978,22,0,S,1116859751,,64240,,mss;nop;wscale;nop;nop;sackOK
OPNsense.localdomain filterlog 72498 - [meta sequenceId="53"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21017,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,56039,443,0,S,1256389213,,64240,,mss;nop;wscale;nop;nop;sackOK
OPNsense.localdomain filterlog 72498 - [meta sequenceId="54"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21018,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,56040,443,0,S,2039657916,,64240,,mss;nop;wscale;nop;nop;sackOK
OPNsense.localdomain filterlog 72498 - [meta sequenceId="55"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21019,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,56041,443,0,S,2504498693,,64240,,mss;nop;wscale;nop;nop;sackOK
OPNsense.localdomain filterlog 72498 - [meta sequenceId="56"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21020,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,56040,443,0,S,2039657916,,64240,,mss;nop;wscale;nop;nop;sackOK


Also
Tried FreeBSD 13 with Opnsense 24.1 same behavior. Extracted the /var/log logs (detached root volume, reattached to another VM as data) and in the logs there is no obvious error, kernel panic or anything that could explain the lockdown.