boot loop

[caplam]

Hello,

Few days ago i upgraded from 26.1.2.5 to 26.1.3 and my router was acting normal.

Today i want to upgrade to 26.1.4 but as soon as i go to firmware page router says it will reboot to complete 26.1.3 update.

There is no possibility to run health or security audit. The only thing i can access  in firmware menu is log and there is only one message:

Code Select Expand

2026-03-05T11:27:18Noticepkg-staticpython311-3.11.14_2 deinstalled
Is there something i can do apart from restoring snapshot ?

[Monviech (Cedrik)]

You can connect to the shell (ssh, option 8) and run the health check from there

# /usr/local/opnsense/scripts/firmware/health.sh

[caplam]

when i connect with ssh i have no option to choose. and if i execute health.sh i have:

Code Select Expand

/usr/local/opnsense/scripts/firmware/health.sh
/usr/local/opnsense/scripts/firmware/config.sh: cannot create /tmp/pkg_upgrade.progress: Permission denied
if i execute it with sudo it won't take my password.

[caplam]

Finally i could run it by disabling password for sudo:

Code Select Expand

sudo  /usr/local/opnsense/scripts/firmware/health.sh
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 26.1.3 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 26.1.3 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
mimugmail (Priority: 5)
>>> Check installed plugins
os-acme-client 4.14
os-apcupsd 1.2_3
os-caddy 2.1.0
os-cpu-microcode-intel 1.1
os-crowdsec 1.0.12
os-ddclient 1.30
os-freeradius 1.10.1
os-igmp-proxy 1.5_6
os-iperf 1.0_2
os-isc-dhcp 1.0_4
os-mdns-repeater 1.2
os-net-snmp 1.6_1
os-opnarp-maxit 1.0_4
os-q-feeds-connector 1.5
os-unifi9-maxit 1.4
os-wol 2.5_3
os-zabbix74-agent 1.18
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .
isc-dhcp44-server-4.4.3P1_2: missing file /usr/local/share/licenses/isc-dhcp44-server-4.4.3P1_2/LICENSE
Checking all packages............ done
>>> Check for core packages consistency
Core package "opnsense" at 26.1.3 has 67 dependencies to check.
Checking packages: .......................
opnsense-26.1.3 version mismatch, expected 26.1.4
Checking packages: ..
opnsense-lang-26.1.1 version mismatch, expected 26.1.4
Checking packages: .....................................
strongswan-6.0.3_1 version mismatch, expected 6.0.4
Checking packages: ..
suricata-8.0.3_1 version mismatch, expected 8.0.3_2
Checking packages: .
syslog-ng-4.10.2 version mismatch, expected 4.11.0
Checking packages: ... done
should i reinstall all listed mismatch packages? It sounds weird as for now i haven't get a chance to upgrade to 26.1.4 so why is it expecting 26.1.4 packages?

[newsense]

Run this command and post here the output.

Code Select Expand

opnsense-update -p

[caplam]

Code Select Expand

Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: 100%    179 B   0.2kB/s    00:01
mimugmail repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: 100%    179 B   0.2kB/s    00:01
mimugmail repository is up to date.
All repositories are up to date.
Checking for upgrades (33 candidates): 100%
Processing candidates (33 candidates):   6%
pkg-static: glib-bootstrap has a missing dependency: python311
pkg-static: glib has a missing dependency: python311
pkg-static: glib-bootstrap has a missing dependency: python311
Processing candidates (33 candidates):  36%
pkg-static: glib-bootstrap has a missing dependency: python311
pkg-static: glib-bootstrap has a missing dependency: python311
Processing candidates (33 candidates): 100%
The following 17 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
colordiff: 1.0.22 [OPNsense]

Installed packages to be UPGRADED:
bind-tools: 9.20.19 -> 9.20.20 [OPNsense]
caddy-custom: 2.11.1.0.0.4.5.9 -> 2.11.2.0.0.4.5.10 [OPNsense]
crowdsec: 1.7.6_1 -> 1.7.6_2 [OPNsense]
crowdsec-firewall-bouncer: 0.0.32_12 -> 0.0.34 [OPNsense]
groff: 1.23.0_5 -> 1.24.0_1 [OPNsense]
libunistring: 1.4.1 -> 1.4.2 [OPNsense]
libxml2: 2.15.1_1 -> 2.15.2 [OPNsense]
opnsense: 26.1.3 -> 26.1.4 [OPNsense]
opnsense-lang: 26.1.1 -> 26.1.4 [OPNsense]
os-ddclient: 1.30 -> 1.30_1 [OPNsense]
os-q-feeds-connector: 1.5 -> 1.5_1 [OPNsense]
py313-filelock: 3.20.1 -> 3.25.0 [OPNsense]
strongswan: 6.0.3_1 -> 6.0.4 [OPNsense]
suricata: 8.0.3_1 -> 8.0.3_2 [OPNsense]
syslog-ng: 4.10.2 -> 4.11.0 [OPNsense]

Installed packages to be REINSTALLED:
net-snmp-5.9.5.2,1 [OPNsense] (options changed)

Number of packages to be installed: 1
Number of packages to be upgraded: 15
Number of packages to be reinstalled: 1

The operation will free 9 MiB.
112 MiB to be downloaded.
[1/17] Fetching groff-1.24.0_1.pkg: 100%    3 MiB   2.7MB/s    00:01
[2/17] Fetching libunistring-1.4.2.pkg: 100%  705 KiB 721.7kB/s    00:01
[3/17] Fetching crowdsec-1.7.6_2.pkg: 100%   62 MiB  65.0MB/s    00:01
[4/17] Fetching syslog-ng-4.11.0.pkg: 100%    1 MiB   1.1MB/s    00:01
[5/17] Fetching colordiff-1.0.22.pkg: 100%   16 KiB  16.3kB/s    00:01
[6/17] Fetching os-ddclient-1.30_1.pkg: 100%   33 KiB  33.4kB/s    00:01
[7/17] Fetching caddy-custom-2.11.2.0.0.4.5.10.pkg: 100%   14 MiB  15.0MB/s    00:01
[8/17] Fetching net-snmp-5.9.5.2,1.pkg: 100%    2 MiB   2.5MB/s    00:01
[9/17] Fetching libxml2-2.15.2.pkg: 100%  902 KiB 923.3kB/s    00:01
[10/17] Fetching bind-tools-9.20.20.pkg: 100%    2 MiB   1.6MB/s    00:01
[11/17] Fetching crowdsec-firewall-bouncer-0.0.34.pkg: 100%    4 MiB   4.6MB/s    00:01
[12/17] Fetching os-q-feeds-connector-1.5_1.pkg: 100%   29 KiB  30.2kB/s    00:01
[13/17] Fetching py313-filelock-3.25.0.pkg: 100%   46 KiB  47.4kB/s    00:01
[14/17] Fetching suricata-8.0.3_2.pkg: 100%   12 MiB  12.6MB/s    00:01
[15/17] Fetching opnsense-26.1.4.pkg: 100%    6 MiB   6.1MB/s    00:01
[16/17] Fetching strongswan-6.0.4.pkg: 100%  893 KiB 914.7kB/s    00:01
[17/17] Fetching opnsense-lang-26.1.4.pkg: 100%    3 MiB   3.4MB/s    00:01
Checking integrity... done (0 conflicting)
[1/17] Upgrading bind-tools from 9.20.19 to 9.20.20...
[1/17] Extracting bind-tools-9.20.20: 100%
[2/17] Upgrading caddy-custom from 2.11.1.0.0.4.5.9 to 2.11.2.0.0.4.5.10...
[2/17] Extracting caddy-custom-2.11.2.0.0.4.5.10: 100%
[3/17] Installing colordiff-1.0.22...
[3/17] Extracting colordiff-1.0.22: 100%
[4/17] Upgrading crowdsec-firewall-bouncer from 0.0.32_12 to 0.0.34...
[4/17] Extracting crowdsec-firewall-bouncer-0.0.34: 100%
crowdsec_firewall is running as pid 70614.
Stopping crowdsec_firewall.
[5/17] Upgrading crowdsec from 1.7.6_1 to 1.7.6_2...
[5/17] Extracting crowdsec-1.7.6_2: 100%
crowdsec is running as pid 66897.
Stopping crowdsec.
Waiting for PIDS: 66897.
Updating crowdsec hub data
Loaded: 161 parsers, 11 postoverflows, 777 scenarios, 9 contexts, 5 appsec-configs, 196 appsec-rules, 161 collections
Unmanaged items: 1 local, 0 tainted
Starting crowdsec.
[6/17] Upgrading groff from 1.23.0_5 to 1.24.0_1...
[6/17] Extracting groff-1.24.0_1: 100%
[7/17] Upgrading libunistring from 1.4.1 to 1.4.2...
[7/17] Extracting libunistring-1.4.2: 100%
[8/17] Upgrading libxml2 from 2.15.1_1 to 2.15.2...
[8/17] Extracting libxml2-2.15.2: 100%
[9/17] Reinstalling net-snmp-5.9.5.2,1...
===> Creating groups
Using existing group 'snmpd'
===> Creating users
Using existing user 'snmpd'
[9/17] Extracting net-snmp-5.9.5.2,1: 100%
[10/17] Upgrading opnsense-lang from 26.1.1 to 26.1.4...
[10/17] Extracting opnsense-lang-26.1.4: 100%
[11/17] Upgrading os-ddclient from 1.30 to 1.30_1...
[11/17] Extracting os-ddclient-1.30_1: 100%
Stopping configd...done
Starting configd.
Reloading plugin configuration
Flushing all caches...done.
Configuring system logging...done.
Reloading template OPNsense/Syslog: OK
Reloading template OPNsense/ddclient: OK
[12/17] Upgrading os-q-feeds-connector from 1.5 to 1.5_1...
[12/17] Extracting os-q-feeds-connector-1.5_1: 100%
Stopping configd...done
Starting configd.
Reloading plugin configuration
Flushing all caches...done.
Configuring system logging...done.
Reloading template OPNsense/QFeeds: OK
Service `cron' has been restarted.
[13/17] Upgrading py313-filelock from 3.20.1 to 3.25.0...
[13/17] Extracting py313-filelock-3.25.0: 100%
[14/17] Upgrading strongswan from 6.0.3_1 to 6.0.4...
[14/17] Extracting strongswan-6.0.4: 100%
[15/17] Upgrading suricata from 8.0.3_1 to 8.0.3_2...
[15/17] Extracting suricata-8.0.3_2: 100%
[16/17] Upgrading syslog-ng from 4.10.2 to 4.11.0...
[16/17] Extracting syslog-ng-4.11.0: 100%
[17/17] Upgrading opnsense from 26.1.3 to 26.1.4...
[17/17] Extracting opnsense-26.1.4: 100%
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: Modified 192 trust store links.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
You may need to manually remove /usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/config.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/local_api_credentials.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/online_api_credentials.yaml if it is no longer needed.
=====
Message from net-snmp-5.9.5.2,1:

--
snmpd now drops privileges by default after initialization is completed.
Ensure that any extension commands defined in your snmpd.conf can be executed
by the snmpd user.

It is possible to start and run snmpd entirely as a non-root user with the
following steps:

1. Add the following lines to /etc/rc.conf:

snmpd_user="snmpd"
snmpd_group="snmpd"
snmpd_pidfile="/var/net-snmp/snmpd.pid"

2. Configure the mac_portacl(4) kernel module:

   a. Load mac_portacl.ko at boot time by adding the following line to
      /etc/rc.conf:

kld_list="mac_portacl"

   b. Configure the following sysctls in sysctl.conf(5):

      net.inet.ip.portrange.reservedhigh=0
      security.mac.portacl.rules=gid:344:udp:161,gid:344:tcp:161,gid:344:tcp:199,gid:344:tcp:705

   This allows snmpd to bind to these privileged ports without holding
   special privileges.

3. Make sure that the snmpd user has read/write or read-only access to the
   following:

RW - /var/log/snmpd.log
RW - /var/net-snmp/*
RO - /usr/local/share/snmp/*

   Note that snmpd creates the /var/net-snmp directory upon its initial
   startup, and this cannot be done by the snmpd user.

4. Ensure that any and all extension commands defined in snmpd.conf can be
   executed by the snmpd user.
=====
Message from strongswan-6.0.4:

--
The default strongSwan configuration interface have been updated to vici.
To use the stroke interface by default either compile the port without the vici option or
set 'strongswan_interface="stroke"' in your rc.conf file.
You may need to manually remove /usr/local/etc/suricata/classification.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/reference.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/suricata.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
=====
Message from opnsense-26.1.4:

--
One step ahead, one step behind it, now you gotta run to get even
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: 100%
The following package files will be deleted:
/var/cache/pkg/strongswan-6.0.4~ed94b06ef3.pkg
/var/cache/pkg/crowdsec-firewall-bouncer-0.0.34.pkg
/var/cache/pkg/libxml2-2.15.2~4af2bc4b58.pkg
/var/cache/pkg/caddy-custom-2.11.2.0.0.4.5.10~2dcf099933.pkg
/var/cache/pkg/caddy-custom-2.11.2.0.0.4.5.10.pkg
/var/cache/pkg/groff-1.24.0_1~22d230794f.pkg
/var/cache/pkg/libunistring-1.4.2.pkg
/var/cache/pkg/os-q-feeds-connector-1.5_1.pkg
/var/cache/pkg/suricata-8.0.3_2~dd572055ee.pkg
/var/cache/pkg/syslog-ng-4.11.0~82419d7eef.pkg
/var/cache/pkg/py313-filelock-3.25.0~da88d7097b.pkg
/var/cache/pkg/suricata-8.0.3_2.pkg
/var/cache/pkg/net-snmp-5.9.5.2,1.pkg
/var/cache/pkg/groff-1.24.0_1.pkg
/var/cache/pkg/colordiff-1.0.22~3aad2bc5c6.pkg
/var/cache/pkg/os-q-feeds-connector-1.5_1~9b52641aec.pkg
/var/cache/pkg/syslog-ng-4.11.0.pkg
/var/cache/pkg/crowdsec-1.7.6_2~0d51523a18.pkg
/var/cache/pkg/opnsense-26.1.4~a301052b11.pkg
/var/cache/pkg/opnsense-26.1.4.pkg
/var/cache/pkg/os-ddclient-1.30_1~8edee5f3a6.pkg
/var/cache/pkg/libunistring-1.4.2~5e8f30955c.pkg
/var/cache/pkg/crowdsec-1.7.6_2.pkg
/var/cache/pkg/net-snmp-5.9.5.2,1~ea5bfcfec1.pkg
/var/cache/pkg/crowdsec-firewall-bouncer-0.0.34~d9a17cf6a6.pkg
/var/cache/pkg/py313-filelock-3.25.0.pkg
/var/cache/pkg/bind-tools-9.20.20.pkg
/var/cache/pkg/opnsense-lang-26.1.4.pkg
/var/cache/pkg/strongswan-6.0.4.pkg
/var/cache/pkg/os-ddclient-1.30_1.pkg
/var/cache/pkg/colordiff-1.0.22.pkg
/var/cache/pkg/opnsense-lang-26.1.4~7577f137d2.pkg
/var/cache/pkg/bind-tools-9.20.20~75d18e9d99.pkg
/var/cache/pkg/libxml2-2.15.2.pkg
The cleanup will free 112 MiB
Deleting files: 100%
Flushing temporary package files... done

[caplam]

it seems to be ok now but i had to run /usr/local/opnsense/scripts/firmware/check.sh
without that it wouldn't do update check.


edit: spoke too soon. Now i can't run any command on firmware status page

rerun the command:

Code Select Expand

sudo opnsense-update -p
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: 100%    179 B   0.2kB/s    00:01
mimugmail repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: 100%    179 B   0.2kB/s    00:01
mimugmail repository is up to date.
All repositories are up to date.
Checking for upgrades (17 candidates): 100%
Processing candidates (17 candidates):   5%
pkg-static: glib has a missing dependency: python311
Processing candidates (17 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: 100%
Nothing to do.
Flushing temporary package files... done
When i try to reinstall glib it goes to the update tab but the content of the screen is the result of the update.
It doesn't do anything from gui.