OPNsense 25.7.11 released

Started by franco, January 15, 2026, 05:08:41 PM

January 15, 2026, 05:08:41 PM Last Edit: January 15, 2026, 05:14:37 PM by franco
A happy new year to all of you!

25.7.11 comes at a strange point in time but we will try to offer a bit of
familiarity and common sense as we probably all need more of this.  <3

This release brings the new host discovery service which resolves and remembers
MAC addresses for IPv4 and IPv6 hosts in your connected networks and provides
this data for the firewall MAC aliases and captive portal clients.  It is now
enabled by default, but you can choose to opt out by disabling the automatic
discovery option.

A lot of work went into IPv6 improvements over the holidays as is tradition
with the help of users debugging their networks during that time.  A number
of kernel fixes have been supplied and dhcp6c will also receive a larger update
in 26.1 soon.

The changes are otherwise clustered around preparation for the major upgrade
which brings a number of fundamental changes with the ongoing removal of
ISC-DHCP from core.  A plugin is already available through the development
version and should auto-install.  If not, make sure you install it before
attempting a reboot there.  For the stable version everything is as it was.

That being said, 26.1-RC1 will be out early next week and RC2 likely follows
quickly.  We are still set for a final release date of January 28.  See you on
the other side!

Here are the full patch notes:

o system: add tooltip explaining active status in snapshots
o system: add "lazy loading" model support on Trust\Cert
o system: properly fill DNS SAN from existing certificates (contributed by Klaas Demter)
o system: rename sudoers file to make it more sortable (David Jack Wange Olrik)
o system: numerous safe execution changes
o system: sort to retain order in syslog-ng source definitions
o interfaces: fix comparison in PPP check code during assignment
o interfaces: prefer longer lifetimes if multiple exist
o interfaces: defer manual rtsold script execution
o interfaces: use mwexecfb() in two instances
o interfaces: move configure_interface_hardware() to main file
o interfaces: migrate "sharednet" setting to its respective sysctls
o interfaces: add and enable new host discovery feature for neighbours via hostwatch
o firewall: automation: only show ICMP type when protocol is ICMP
o firewall: automation: add multi-select ICMP6 options
o firewall: use new host discovery in MAC type aliases
o firewall: simplify port alias check
o captive portal: assign empty array when "interface list arp json" returns invalid JSON
o captive portal: use new host discovery service by default
o dhcrelay: reload table to update relay status
o intrusion detection: datakey hint was missing for rules edit
o intrusion detection: replace "all" alert selection with explicit maximum choices
o ipsec: most safe execution transformations done
o isc-dhcp: internalize interfaces_staticarp_configure()
o isc-dhcp: safeguard access to DHCPv6 "enable" property
o kea: refactor daemon(8) call to mwexecfb()
o network time: fix GPS coordinate display in status page (contributed by brotherla)
o openvpn: add simple search functionality for accounts table in client export
o openvpn: skip dynamic content when loading the model in client export
o openvpn: convert two more exec() calls
o openvpn: fix archive client export
o unbound: remove delete selected button for single select overrides grid
o unbound: add per-policy quick actions in reporting overview
o unbound: add overrides reference counter for aliases
o unbound: info section was larger than table width
o backend: exec() removal in get_sysctl()/set_sysctl()
o backend: exec() removal in auth scripts
o mvc: reduce some call overhead in BaseField/IntegerField
o mvc: introduce defaultConfig property for AppConfig
o mvc: uppercase all form labels
o mvc: use asInt() in GidField and UidField
o mvc: BaseField: add isSet()
o tests: revamped config and base model tests
o ui: bootgrid: allow conditional command rendering through a filter function
o plugins: os-frr 1.50[1]
o plugins: os-ndp-proxy-go 1.3[2]
o plugins: os-telegraf 1.12.14[3]
o src: in6: modify address prefix lifetimes when updating address lifetimes
o src: ipv6: fix off-by-one in pltime and vltime expiration checks
o src: ipv6: do not complain when deleting an address with prefix length of 128
o src: ifconfig: fix the -L flag when using netlink
o src: netlink: do not directly access ifnet members
o src: netlink: do not overwrite existing data in a linear buffer in snl_writer
o src: netmap: Let memory allocator parameters be settable via loader.conf
o src: pfsync: avoid zeroing the state export union
o src: divert: fix removal of divert sockets from a group
o src: divert: use a jenkins hash to select the target socket
o src: divert: define semantics for SO_REUSEPORT_LB on divert sockets
o src: divert: use CK_SLISTs for the divcb hash table
o src: pf: rationalize the ip_divert_ptr test
o src: pf: fix handling of IPv6 divert packets
o src: rtsold: check RA lifetime before triggering the one-shot always script
o ports: suricata 8.0.3[4]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.7/net/ndp-proxy-go/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/telegraf/pkg-descr
[4] https://suricata.io/2026/01/13/suricata-8-0-3-and-7-0-14-released/

A hotfix release was issued as 25.7.11_1:

o system: fix vsprintf() error on stray % invoke