Recent posts

#91
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by franco - January 22, 2026, 09:40:46 AM
> I'm not using Prevent Release, but my /60 delegation doesn't change often so I don't think I should see anything interesting except these timers will eventually reset?

Yes, correct.

The biggest issue we've had here was a kernel bug that would not update the link route lifetimes when they were renewed by the daemon. Ifconfig was fine but the route disappeared. This was fixed in 25.7.11 with https://github.com/opnsense/src/commit/46f807c0c

So you should see your prefix renew and your clients still able to connect after each renewal.

Thank you for testing.  The last few reports have improved the confidence to tag and ship the new dhcp6c code in 26.1 so we will probably do that.


Cheers,
Franco
#92
Announcements / OPNsense 26.1-RC1 released
Last post by franco - January 22, 2026, 09:37:35 AM
Good morning world,

Here we are now with the first release candidate to kickstart the 26.1
series.  While this marks the end of an era as ISC-DHCP functionality
moves to a plugin it is only the beginning of structural improvements
and further innovation of topics that are important to our users: firewall
GUI and API, IPv6, intrusion detection using Suricata and overall security.

Keep in mind this is mostly an image-based pre-production test release.
Upgrades from the 25.7.11 development version will be available at some
point, but it is not clear when. An online-only RC2 will probably follow
as well.  The final release date for 26.1 is January 28.

https://pkg.opnsense.org/releases/26.1/

Here are the development highlights since version 25.7 came out:

o Introduce a new consistent rules GUI using MVC/API (formerly known as "Automation")
o Suricata version 8 and new inline inspection mode using "divert"
o NAT port forwarding migrated to "Destination NAT" as MVC/API
o Various IPv6 stability improvements and additional features
o Setup wizard improvements including use case selection
o Services: Router Advertisements migrated to MVC/API
o Shell command escaping improvements and audit
o Interfaces: Settings migrated to MVC/API
o Default IPv6 setup now relies on Dnsmasq
o Factory reset for individual components
o The firewall live log was rewritten
o Unbound blocklist source selection
o Automatic host discovery service

A more detailed change log will follow!

Migration notes, known issues and limitations:

o ISC-DHCP moves to a plugin. It will be automatically installed during upgrades. It is not installed on new installations because it is not being used, but you can still install and keep using it.
o To accommodate the change away from ISC-DHCP defaults the "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups.
o Due to command line execution safety concerns the historic functions mwexec_bg() and mwexec() will be removed in 26.1.x.  Make sure your custom code is not using them and use mwexecf(), mwexecfb() and mwexecfm() instead.
o The function sessionClose() has also been removed from the MVC code and is no longer needed.  Make sure to remove it from your custom code.
o The custom.yaml support has been removed from intrusion detection.  Please migrate to the newer /usr/local/etc/suricata/conf.d override directory.

The public key for the 26.1 series is:

Please let us know about your experience!


Stay safe,
Your OPNsense team

--
SHA256 (OPNsense-26.1.r1-dvd-amd64.iso.bz2) = b0f1f48cd9104e96c37ab11c4381e3401d7d892c97ff8ec7aec1fcec44f16feb
SHA256 (OPNsense-26.1.r1-nano-amd64.img.bz2) = e9c6d72908bc60fc4172ee9c6cd92e7b34bc0e234cc5ad17b3d9f951824cc22a
SHA256 (OPNsense-26.1.r1-serial-amd64.img.bz2) = e03638f1d6fdbc300155fedf5d350603cb1479bf0f8ffe62c439ef0993b5aeb9
SHA256 (OPNsense-26.1.r1-vga-amd64.img.bz2) = f78a0bb9f771fe8846c32ab501875d3970e569b0c4163eff08cfc3bedc1ad747
#93
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by OPNenthu - January 22, 2026, 09:36:31 AM
I don't have multi-WAN but I just tried the first part.  I also see pltime = vltime and both are counting down.

I'm not using Prevent Release, but my /60 delegation doesn't change often so I don't think I should see anything interesting except these timers will eventually reset?

root@firewall:~ # ifconfig -L
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: LAN (lan)
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 64:xx:xx:xx:xx:9e
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::66xx:xxxx:xxxx:xx9e%igc0 prefixlen 64 scopeid 0x1
    inet6 2601:xx:xxxx:3161::1 prefixlen 64 pltime 4588 vltime 4588
    groups: IG_LOCAL IG_OUT_WAN IG_DNS IG_NTP IG_DROP_LOW
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: WAN (wan)
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 02:xx:xx:xx:xx:b2
    hwaddr 64:xx:xx:xx:xx:9f
    inet 69.xxx.xx.99 netmask 0xfffffc00 broadcast 255.255.255.255
    inet6 fe80::xx:xxxx:xxxx:xxb2%igc1 prefixlen 64 scopeid 0x2
    inet6 2601:xx:xxxx:3160:xxxx:xxxx:xxxx:xxxx prefixlen 64 pltime 4588 vltime 4588
    media: Ethernet autoselect (2500Base-T <full-duplex>)
    status: active
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
...
#94
25.7, 25.10 Series / Re: After updating Opnsense fr...
Last post by wide - January 22, 2026, 08:59:26 AM
I was able to isolate this issue to the WebGUI Dashboard. When I have a shell open at the same time that I log in to the WebGUI and tens of php processes start to spawn, I run killall php from the shell and then go to some other part of the WebGUI without any issues. So there is something in the Dashboard itself or in my particular Dashboard view which gets Opnsense to go haywire.
#95
German - Deutsch / Re: IPv6 on the PON connection of ...
Last post by meyergru - January 22, 2026, 08:52:02 AM
That is your opinion; the RegTP apparently sees it differently. But again, I am on a different point: have you actually made sufficiently sure that you have not made a configuration error?

DHCPv6 simply has many options regarding IA_NA, IA_PD and so on, also with respect to which prefix length you request. What really works is sometimes best seen with the ISP-supplied equipment. Or you try it out. I already said what I would do.

What I mean to say is: if I had proceeded the way you wrote and had not experimented, I would still have no IPv6 at all with my provider (M-Net) to this day, because without "Request prefix only" it does not deliver any addresses.

Since DHCPv6 is mentioned in the interfaces, I assume that at least one IA_NA is delivered, but probably (also) a /64 IA_PD, because the IA_NA is not usable for the LAN clients without NAT66.

So: what is it now (for the third time)?

#96
Tutorials and FAQs / Re: Tutorial: Caddy (Reverse P...
Last post by Monviech (Cedrik) - January 22, 2026, 08:15:09 AM
I do recommend not to host a website or files on your firewall.
#97
Tutorials and FAQs / Re: Tutorial: Caddy (Reverse P...
Last post by n3 - January 22, 2026, 08:13:17 AM
Hey, I want to use Caddy as a reverse proxy and as I read, there is also a webserver integrated. Is it possible or recommended to use the caddy plugin to host a simple website or is it better to host the website somewhere else?

I read in the FAQ "There is no WAF (Web Application Firewall) support in this plugin. For a business grade Reverse Proxy with WAF functionality, use os-OPNWAF.". My setup is a HomeLab but when I expose services to the internet, I want a business grade secured setting.

So...
1. Can I host a website with the caddy plugin? If yes...
2. Should I host the website with the caddy plugin? If yes...
3. Do I have to do additional steps to harden the system?
#98
25.1, 25.4 Series / Re: Large Alias Causing CPU sp...
Last post by franco - January 22, 2026, 07:34:21 AM
Spikes will exist always based on setup. If you refer to code changes related to reducing spikes I suppose you're already running all the relevant code changes on 25.10.1 too. Details matter. Asking for blanket solutions on 6 months old threads isn't going to achieve much IMO.


Cheers,
Franco
#99
25.7, 25.10 Series / Re: [SOLVED] hostwatch at 100%...
Last post by franco - January 22, 2026, 07:31:32 AM
Here's an updated version of hostwatch we're also considering shipping in a hotfix based on user feedback:

# pkg add -f https://pkg.opnsense.org/FreeBSD:14:amd64/snapshots/misc/hostwatch-1.0.6.pkg

Apply once from the GUI under Interfaces: Neighbors: Automatic Discovery to restart with the new binary.

To go back to the latest shipped version just issue this command:

# opnsense-revert -r 25.7.11_2 hostwatch

And reapply again from the GUI.


Cheers,
Franco
#100
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by Slashing - January 22, 2026, 06:44:38 AM
I have also completed the first part, and so far everything seems to be fine.
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN (lan)
        options=880008<VLAN_MTU,LINKSTATE,HWSTATS>
        ether bc:24:11:e4:42:08
        inet 192.168.8.1 netmask 0xffffff00 broadcast 192.168.8.255
        inet6 fe80::be24:11ff:fee4:4208%vtnet0 prefixlen 64 scopeid 0x1
        inet6 2601:2c1:c600:5671:be24:11ff:fee4:4208 prefixlen 64 pltime 3700 vltime 3700
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vtnet1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN (wan)
        options=880008<VLAN_MTU,LINKSTATE,HWSTATS>
        ether bc:24:11:e3:3c:83
        inet 76.30.75.80 netmask 0xfffffc00 broadcast 255.255.255.255
        inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
        inet6 fe80::be24:11ff:fee3:3c83%vtnet1 prefixlen 64 scopeid 0x2
        inet6 2001:558:6022:c6:b103:3def:f639:2dfb prefixlen 128 pltime 5505 vltime 5505
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>


vlan0.10: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: iot (opt1)
        options=80000<LINKSTATE>
        ether bc:24:11:e4:42:08
        inet 172.16.127.1 netmask 0xffffff00 broadcast 172.16.127.255
        inet6 fe80::be24:11ff:fee4:4208%vlan0.10 prefixlen 64 scopeid 0x7
        inet6 2601:2c1:c600:5672:be24:11ff:fee4:4208 prefixlen 64 pltime 3700 vltime 3700
        groups: vlan
        vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: vtnet0
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
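The check the CALL FOR TESTING posts above perform by hand (watch pltime/vltime count down in `ifconfig -L` and confirm they reset when the prefix is renewed) can be automated. The following is an added example, not code from OPNsense or from the posters: it parses two `ifconfig -L` snapshots and reports, per global address, whether its valid lifetime was renewed, is still counting down, is about to expire, or has disappeared. The snapshots are constructed from the output format shown in the posts with the documentation prefix 2001:db8::/32 standing in for real addresses, and the 300-second warning threshold is an assumption.

```python
import re
from typing import Dict, Tuple

Lifetimes = Dict[Tuple[str, str], Tuple[int, int]]  # (iface, addr) -> (pltime, vltime)
_IFACE_RE = re.compile(r"^(\S+): flags=")
_INET6_RE = re.compile(r"^\s+inet6 (\S+) prefixlen \d+.*?\bpltime (\d+) vltime (\d+)")

# Constructed snapshots modelled on the `ifconfig -L` output posted above; the
# documentation prefix 2001:db8::/32 stands in for the testers' real prefixes.
SNAPSHOT_T0 = """\
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    inet6 fe80::1%igc0 prefixlen 64 scopeid 0x1
    inet6 2001:db8:0:3161::1 prefixlen 64 pltime 4588 vltime 4588
    inet6 2001:db8:0:3162::1 prefixlen 64 pltime 4588 vltime 4588
igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    inet6 2001:db8:0:3160::b2 prefixlen 64 pltime 4588 vltime 4588
"""
SNAPSHOT_T1 = """\
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    inet6 2001:db8:0:3161::1 prefixlen 64 pltime 120 vltime 120
igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    inet6 2001:db8:0:3160::b2 prefixlen 64 pltime 7200 vltime 7200
"""

def parse_lifetimes(ifconfig_output: str) -> Lifetimes:
    """Collect inet6 addresses with finite lifetimes; link-local ones print none and are skipped."""
    found: Lifetimes = {}
    iface = ""
    for line in ifconfig_output.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _INET6_RE.match(line)
        if m:
            found[(iface, m.group(1))] = (int(m.group(2)), int(m.group(3)))
    return found

def classify(before: Lifetimes, after: Lifetimes, warn_below: int = 300) -> Dict[Tuple[str, str], str]:
    """vltime going UP between snapshots means the daemon renewed the lease; going DOWN
    means it is still counting; at or below warn_below (assumed) it is about to expire."""
    states = {}
    for key in before.keys() | after.keys():
        if key not in after:
            states[key] = "gone"  # address expired or was withdrawn
        elif key not in before:
            states[key] = "new"
        else:
            v0, v1 = before[key][1], after[key][1]
            states[key] = "renewed" if v1 > v0 else "expiring" if v1 <= warn_below else "counting down"
    return states
```

Run the parser against two real `ifconfig -L` captures taken a few minutes apart; an address that never shows "renewed" before it reaches "expiring" is the symptom worth reporting in the thread.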