Recent posts

#21
25.7, 25.10 Series / python -- several vulnerabilit...
Last post by makman26 - Today at 05:58:19 PM
Hello,
I am new here and have looked for an answer to my question but have been unable to. I have been getting this alert when I run the security checkup lately and I am not sure what to do. It states that it is inadvisable to update python on its own but I have been through a few minor upgrades and the issue still persists. I am on version 25.7.11_2.
Thank you
Dave
Here is the full error.
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 25.7.11_2 (amd64) at Wed Jan 21 09:44:22 MST 2026
Fetching vuln.xml.xz: .......... done
python311-3.11.14 is vulnerable:
  python -- several vulnerabilities
  CVE: CVE-2025-13836
  CVE: CVE-2025-12084
  WWW: https://vuxml.freebsd.org/freebsd/613d0f9e-d477-11f0-9e85-03ddfea11990.html

1 problem(s) in 1 package(s) found.
***DONE***
#22
Kea sets automatic routes now, it was a roadmap item:

https://docs.opnsense.org/manual/kea.html#prefix-delegation-ia-pd
#23
25.7, 25.10 Series / Re: [SOLVED]--Unbound + dnscry...
Last post by opnessense - Today at 05:47:43 PM
I prefer this setup because AdGuard does the filtering for all my VLANs for spam and other malware with low CPU usage.

If the RPi breaks, like it's happened to me before, I still have my DNS working on all my home net; I just bypass the filtering.

(This is an extra layer because on the top I have Zenarmor running)

Then I manage Unbound and dnscrypt with a proper firewall. The flow is perfect, plus my firewall is a bit more powerful than an RPi.

The RPi is not reliable to run all the VLANs' DNS, but for the filtering it is OK.

This is my thought, but yes, you could do that.
#24
Quote from: Maduck on Today at 05:23:26 PM
Issue is that every .ovpn profile imported from OPNsense OpenVPN instance style setup does not connect
I cannot find a difference between these.

How did you import the OpenVPN profile on Linux?
Do you run it from the shell or in network manager?
Any logs?
#25
German - Deutsch / Re: IPv6 on the PON connection of ...
Last post by meyergru - Today at 05:33:29 PM
From your information it is still not clear what you are actually receiving:

IA_NA?
IA_PD? If so, with what prefix length? /56, /64 or none at all?

Also note that some providers only hand out prefixes if you tick "Request prefix only", see: https://forum.opnsense.org/index.php?topic=45822.0

As an aside, the provider and not the RegTP should have to supply the connection data. Apparently, though, the ISP is so rigorous that it also does not say how one can work with, for example, a fiber Fritzbox or some other ONT of one's own - and it has to, because freedom of terminal equipment != freedom of router. So if you want out of the contract...
#26
I don't think it's an issue per se with shaping, but the fact that the switch didn't actually apply flow control when the interface was enabled.
Then changing some settings in shaping (enabling and disabling) seemed to have forced flow control to enable even though it should have been already.
#27
25.7, 25.10 Series / Re: Intel Thermal Sensor Virtu...
Last post by WhatAMess - Today at 05:31:30 PM
Yep, I am using the one in the list, Intel Core CPU on die, looks like my only choice. It works on my other build but not this one. Of course this is a different board, so the driver may be useless. --Thanks
#28
25.7, 25.10 Series / Re: NAT breaks Windows update
Last post by TheAutomationGuy - Today at 05:27:59 PM
Not sure if you are still experiencing a problem, but you'll have to do better at explaining your situation.

EVERY device using an IPv4 address behind a firewall/router is NATTED.  The major function of a router is to handle NAT.  If you are having problems with devices behind your firewall/router communicating with "the internet", it is due to a configuration issue.  Hopefully we can help solve it, but you'll need to give us a lot more information before anyone can start to guess what the problem might be.
#29
Virtual private networks / OpenVPN instance setup and Lin...
Last post by Maduck - Today at 05:23:26 PM
Hello,

I've been chatting with GPT, crawled through sites and tried to get Linux OpenVPN connection to work on Fedora 43, Linux Mint, Ubuntu but no luck. I just switched from W -> Linux and brought my .ovpn files. Issue is that every .ovpn profile imported from OPNsense OpenVPN instance style setup does not connect, but legacy client server style profiles connect nice and fast. Sorry if this question is too obvious, but what should I do: roll back updated OPNsense firewalls to legacy OpenVPN client/server setting or is there something I don't get?

Thank you in advance!

Br Maduck
#30
25.7, 25.10 Series / Re: IPv6 link-local route does...
Last post by Maurice - Today at 05:00:30 PM
Nothing wrong with your configuration, it's most likely a bug. I've seen this behaviour before under hard to reproduce circumstances - some static IPv6 routes sometimes don't get added to the routing table after a reboot. Haven't been able to pinpoint it and mostly worked around it with Monit.

If it's reproducible in your setup, creating an issue on GitHub with as many details as possible (logs) might be the best way forward.

Cheers
Maurice