Upgrade from 25.7 to 26.1 results in a bootlock

[transmissionend]

Hello everyone,

I currently have a reproducible issue with OPNsense on a PC Engines APU2D4 and would appreciate any hints or similar experiences.

## Hardware / Setup

* PC Engines APU2D4
* Serial console only (no VGA)
* mSATA SSD
* FreeBSD base installation with GELI encryption
* Afterwards bootstrapped to OPNsense

## Initial Situation

The system previously worked fine with OPNsense 25.7.

The upgrade to 26.1 was performed from an existing FreeBSD installation using:


opnsense-update -ur 26.1
pkg upgrade

The upgrade process itself completes successfully without errors.

---

# Problem

After:

* successfully upgrading to 26.1 with 3 reboots
  or
* performing a completely fresh FreeBSD - OPNsense 26.1 (bootstrap) installation and restoring my old configuration

the system gets stuck during the boot process.

Without restoring the config on fresh FreeBSD - OPNsense 26.1 (bootstrap) installation, it boots normally.

But with restored config:

* GELI unlock works
* boot messages continue normally
* output then appears to stop at:


amdtemp0: found 4 cores and 1 sensors


---

# Important Findings:

After additional testing, the system also seems to not be completely frozen on newer versions.

If I:

* install a fresh FreeBSD + OPNsense 25.7
* then restore the same old config

the APU2 shows EXACTLY the same behavior at serial:

* console output appears to stop at `amdtemp0`

HOWEVER, with the older 25.7 version:

* network interfaces are initialized correctly
* the WebGUI is fully reachable
* routing/firewall functionality works normally

This strongly suggests that:

* the serial console and/or
* console login / getty / tty handling

stops working correctly after restoring the configuration.

---

# Additional Observations

* newly attached USB devices are still detected
* corresponding kernel messages continue to appear on the serial console
* the kernel/system itself therefore still appears to be running

On OPNsense 26.1 additionally (with also old config restore:

* no reachable interfaces/WebGUI
* possibly an additional issue related to config/plugins/interface mapping

---

# Additional Important Information:

During the original FreeBSD installation I enabled all optional security hardening settings offered by the installer, including:

* hide_uids
* hide_gids
* hide_jail
* procfs restrictions
* read_msgbuf
* random_pid
* additional sysctl/hardening options

(Possibly relevant regarding tty/getty/login/serial console behavior.)

---

# Current Suspicions

At the moment I suspect a combination of:

* serial console/getty issue
* old console/TTY settings in config.xml
* possible plugin incompatibility
* old interface/VLAN mapping
* FreeBSD 14 / OPNsense 26.1 interaction on APU2
* possible interaction with enabled FreeBSD hardening options

Currently the behavior looks more like:

* console/login broken plus some init issues or something else during startup
  rather than:
* a complete system freeze.

---

# Planned Analysis

Next I plan to:

* boot the system with the restored config until the apparent "hang"
* power it off
* boot the mSATA in another machine
* analyze logs and config.xml there
=> however, as a FreeBSD beginner, recovering/debugging FreeBSD bootloader issues is still somewhat tricky for me and can take some time

Relevant files are probably:

/var/log/system/latest.log
/var/log/boot/latest.log
/var/log/configd/latest.log
/conf/config.xml


---

# Questions

1. Has anyone experienced similar issues with

   * APU2
   * serial console
   * restored configs
   * OPNsense 26.1
   * FreeBSD 14?

2. Are there any known issues involving

   * old console/TTY settings
   * plugins
   * getty/serial login
   * restored config.xml on 26.1?

3. Could the enabled FreeBSD hardening options be relevant here?



Thanks in advance

[Patrick M. Hausen]

* output then appears to stop at:
amdtemp0: found 4 cores and 1 sensors

Possibly your imported configuration is simply not configured for serial console output? That's what would happen if that was the case.

[newsense]

There's no reason to use a Frankenstein version of OPN, no justification for GELI or a FreeBSD install.

Best option is to start from scratch with the official OPNsense installer.

For anything else you're really on your own since we cannot guess what hardening measures you did there nor can we account for changes between the official OPN and stock FreeBSD version unknown

Last but not least by not using the OPN binaries you're missing out on patches that haven't been backported to FreeBSD for a multitude of reasons outside of scope here.