25.1 RC1 - installation

[planetf1]

I noticed the 25.1 rc announce.

I had presumed the right way to install on my existing 24.7 was to change from community->development, and then run an update

This seemed to only download a single update - will this be applied on reboot, or did I take the wrong approach

(Running on proxmox, so I have a snapshot before the update, as well as backups so easy to back off)

Code Select Expand

***GOT REQUEST TO UPDATE***
Currently running OPNsense 24.7.12 (amd64) at Wed Jan 22 11:38:13 GMT 2025
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (53 candidates): .......... done
Processing candidates (53 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
Nothing to do.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following packages will be fetched:

New packages to be FETCHED:
opnsense: 24.7.12 (4 MiB: 48.61% of the 9 MiB to download)
opnsense-devel: 25.1.b_121 (5 MiB: 51.39% of the 9 MiB to download)

Number of packages to be fetched: 2

The process will require 9 MiB more space.
9 MiB to be downloaded.
Fetching opnsense-24.7.12.pkg: .......... done
Fetching opnsense-devel-25.1.b_121.pkg: .......... done
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (1 conflicting)
  - opnsense-devel-25.1.b_121 conflicts with opnsense-24.7.12 on /boot/lua/brand-opnsense.lua
Checking integrity... done (0 conflicting)
The following 2 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
opnsense: 24.7.12

New packages to be INSTALLED:
opnsense-devel: 25.1.b_121

Number of packages to be removed: 1
Number of packages to be installed: 1

The process will require 6 MiB more space.
[1/2] Deinstalling opnsense-24.7.12...
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
[1/2] Deleting files for opnsense-24.7.12: .......... done
[2/2] Installing opnsense-devel-25.1.b_121...
[2/2] Extracting opnsense-devel-25.1.b_121: .......... done
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
Migrated OPNsense\Core\Hasync from 1.0.1 to 1.0.2
Migrated OPNsense\Core\Tunables from <unversioned> to 1.0.0
Migrated OPNsense\Kea\KeaDhcpv4 from 1.0.2 to 1.0.3
Migrated OPNsense\Auth\Group
Migrated OPNsense\Auth\User
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
=====
Message from opnsense-devel-25.1.b_121:

--
Carry on my wayward son
Nothing to do.
Starting web GUI...done.
***DONE***

[planetf1]

The system shows as '25.1.b_121' which is from the beta.
I had previously installed this, but had an update problem, so had previously restored from a snaphot. Perhaps update files were lingering.

Not rebooted yet - any recommendation?

[planetf1]

If I toggle back to community I get prompted to install 24.7.12 - though I've not done this yet.

[franco]

The upgrade path to RC1 still has to be published for opnsense-devel on 24.7.x. Most likely tomorrow morning after another round of testing.

Usually these critical major upgrade paths are a bit slower than the images, because if we publish those first and then find an issue during image testing we need to revoke the upgrades or redo them creating a lot of extra work.  Redoing images on issues is bad enough as it is (yes there was one issue that caused RC1 to be redone too in order to publish good images).


Cheers,
Franco

[planetf1]

Thanks for clarifying - I'll keep an eye out on the announcements.

[franco]

It's there now :)

[julsssark]

I tried installing the RC but I can't get into the GUI or SSH after the update. I started with 24.7.12_2 running on Proxmox in a test VM, switched to the dev channel and was offered the beta. I accepted and then it skipped to offering me the RC. I accepted. It seems to install fine, then install the base fine and then reboot successfully. The console shows 25.1.r_6 as the version, but I can't get into the GUI or SSH. If I log into the console and do an option 12 update, the same thing seems to happen. The LAN interface in the welcome has the same IP address as before and I can ping from the console, so I should be able to connect. I am new to trying RCs so it's probably something I am doing wrong.

[Cljackhammer]

I had the same problem. I was not able access the Web-GUI because a default deny firewall rule was altered with the update that blocks access. I had to disable the packet filter on the command line, then I was able to login and then I specifically had to add a firewall rule to my lan interface allowing ip's from my lan to access the lan address 192.168.1.1 on port 443.

I believe that others have reported this issue, but it hasn't been resolved.

[julsssark]

Thank you @Cljackhammer.

Your fix worked partially. Disabling the packet filter via the command line allowed me to get into the GUI. Unfortunately, I haven't figured out a firewall rule that works to keep it fixed. My configuration is non-standard because it is a test VM. OPNsense is listening on 10.7.1.26 and setting rules to allow 443 to either the IP address or "this firewall" doesn't keep it fixed. It's a test VM, so this is just for fun.

Do you have a link to the issue on GitHub? I searched but couldn't find it. I'd like to help test the fix.

[julsssark]

To the awesome OPNsense team: I really like the new dark theme. Keep proving that it is possible to love a router.

[Cljackhammer]

I'm not sure if a GitHub  issue was raised. It was discussed in the main the Beta feedback thread (first 3 pages). I thought that issue would have been addressed with the RC. I'll provide an image of my LAN ruleset. The first rule is the one the new rule that I had to add to address the LAN Web-UI issue. Before I added the rule the the default deny rule was blocking access. I'm not sure if this was introduced to address a security issue. Nothing was added to release notes about this.

Nothing fancy here in terms of firewall rules. It took some time for the rule to take effect, although I didn't reset firewall states after I made the change. The OPNsense team should probably weigh in here.

The first rule is the new one that I needed to add to address the WebUI access issue.

LAN firewall ruleset

Thank you @Cljackhammer.

Your fix worked partially. Disabling the packet filter via the command line allowed me to get into the GUI. Unfortunately, I haven't figured out a firewall rule that works to keep it fixed. My configuration is non-standard because it is a test VM. OPNsense is listening on 10.7.1.26 and setting rules to allow 443 to either the IP address or "this firewall" doesn't keep it fixed. It's a test VM, so this is just for fun.

Do you have a link to the issue on GitHub? I searched but couldn't find it. I'd like to help test the fix.

[franco]

I think we internally discovered the anti-lockout wasn't working as expected but it was never tracked on GitHub so I think we need to fix for RC2 today.


Thanks,
Franco

[Cljackhammer]

Many thanks Franco. I wasn't sure if adding the rule was appropriate. The RC is looking good.

[franco]

Created a ticket for it https://github.com/opnsense/core/issues/8242

[franco]

Fixed now in RC2 (it's online).