Upgrade Completely Broke System

[House Of Cards]

Good day,

Last night I made the mistake of trying to upgrade my system.  I moved from 25.7 to the suggested 26.1 using the GUI.  Upon reboot, the first thing I noticed was that all of my WiFi nodes were showing offline lights, even though some WiFi devices could still browse fine.  None of my laptops could access the internet (limited connectivity notice), but a WiFi-only tablet was connected and browsing still.  I could no longer access the OPNSense GUI, except on a few small screen devices, which made troubleshooting nearly impossible.  Some things worked, some things didn't.

On OPNSense itself, the live logs showed traffic passing, I saw no errors if I rebooted the system, but the internet was completely in shambles.  I tried re-running upgrades from the shell in case something hadn't completed properly, no luck.  If I accessed the GUI from the one working tablet, I saw nothing resembling my old DHCP leases, etc... so I assume this was being caused by changes from ISC DHCP.  No idea, so I went into recovery mode.

I made a bootable USB with 25.7, and used the configuration importer to use the backup before the upgrade, and boom.  Everything came back online.  So now I'm back on 25.7, but I have a new problem.  I have some conflicting plugins which showed an error.  When I tried to reinstall them, I got an error saying I had to upgrade to the version that broke everything in order to reinstall those plugins. 

You cannot view this attachment.

With nothing else to try, I deregistered them, but I have this list that I need to recover.

You cannot view this attachment.

At this point, I need to first get my system back to where it was. 

1.  How can I get these plugins corrected and reinstalled?
2.  What likely happened, and why?
3.  How can I get back in business now that I know upgrading will break everything?

When I tried to upgrade again (before deregistering missing plugins), I got an "unknown error" and the upgrade to 26.1 simply failed.  I restored to 25.7 again, and all is back.  I haven't tried upgrading again since deregistering the plugins.  So right now, I'm left with a slightly broken 25.7 install I need to fix.  I have alias', rules around those alias', on a system with WAN and four separate subnets (LAN, OPT1, OPT2) using a four port NIC.  A fair amount of rules...  All works fine until the upgrade happens.

Any recommendations of where to start with this mess?

Thanks!

[Netlearn]

Last night I made the mistake of trying to upgrade my system.

Upgrading is not the mistake. Lack of recovery methods is.

Next time, use snapshots at least.

[newsense]

> Any recommendations of where to start with this mess?

Start by updating 25.7. When check for updates again and your OPN plugins will be restored. For mimugmail you'll need to add the repo again.

When 25.7 is back up, take a snapshot. Then upgrade to the latest 26.1 ( so upgrade twice )

We can discuss 26.1 issues when/if you have the same bad outcome coming up to 26.1.5.

Anything else that happened in the past is pure speculation but it all boils down to user error for me - no proper troubleshooting, not asking for help on the forums, no snapshots and nuking everything and starting over from an older version than necessary-when 26.1 would have been enough.

[House Of Cards]

Last night I made the mistake of trying to upgrade my system.

Upgrading is not the mistake. Lack of recovery methods is.

Next time, use snapshots at least.

This system has been running since before ZFS was an install option.  And this is the first upgrade that didn't work.  I had a backup "config.xml" like the developers told me...  And I clicked the little button to upgrade the developers told me to use. 

Then it seems the DHCP options got hosed, and I figured I'd reinstall the working version, using the backup from that version.  Now I'm here, asking for help, and getting none.

[newsense]

> Any recommendations of where to start with this mess?

Start by updating 25.7. When check for updates again and your OPN plugins will be restored. For mimugmail you'll need to add the repo again.

When 25.7 is back up, take a snapshot. Then upgrade to the latest 26.1 ( so upgrade twice )

We can discuss 26.1 issues when/if you have the same bad outcome coming up to 26.1.5.

......

>>> Now I'm here, asking for help, and getting none.


 Erm...if you're getting none then maybe wait until you get a more satisfactory response?

[House Of Cards]

> Any recommendations of where to start with this mess?

Anything else that happened in the past is pure speculation but it all boils down to user error for me - no proper troubleshooting, not asking for help on the forums, no snapshots and nuking everything and starting over from an older version than necessary-when 26.1 would have been enough.

So I started troubleshooting using 26.1, and got the same outcome whether I installed fresh and then restored config, or restored the config during install initially.  Running a fresh install of 26.1, using clean disks, and choosing to import a configuration during install had the same result.  I can't get any more clean of a chance than that.  I have a recent backup from 25.7.  That's what I have to work with, because I've been running this since before ZFS.  I don't have snapshots, I have "config.xml"...  What the developers said you need if you have a problem.

So I started with fresh partitions, reinstalled my 25.7 selecting my backup config to import during install, and installed to a ZFS disk this time.  I'm familiar with ZFS.  In my snapshots page I have one active (N)ow and (R)eboot.  I'm assuming that is the current one.  Will an upgrade make a snapshot first, or should I make one anyhow?

I still got the plugins which need repair at this point.  I haven't fixed plugin conflicts this time around yet.  I'm back to the working system (minus plugins) I had prior to upgrading.  I'm on 25.7 with 25.7.11 available.  There is this warning...

"The changes are otherwise clustered around preparation for the major upgrade which brings an number of fundamental changes with the ongoing removal of ISC-DHCP from core. A plugin is already available through the development version and should auto-install. If not make sure you install it before attempting a reboot there. For the stable version everything is as it was."

What's first?  And thank you...

[newsense]

Grr... trying to make sense of it all :)

Ok, assuming you're on 26.1 fresh install, upgrade to 26.1.5, after reboot install os-isc-dhcp, then check for updates again and wait for the missing plugins to be reinstalled.

Reboot again and you should be back up with almost everything.

Add mimugmail repo and reinstall home assistant—-but take a snapshot first as it may not work. Michael still has to rebuild his repo for the python 3.13 change but we're two weeks in and it didn't happen yet, so just in case something breaks badly with HA have a snapshot and wait until Michael has a python3.13 repo ready.


Before moving on with HA installation do a health check and post it here

[House Of Cards]

Well right now, I'm on 25.7...  It's the only one that works.  My config restored, but I have those few plugins which show conflicts.

I spent all day reinstalling in various ways.  Anything to do with 26.1 and I have issues.  Even a fresh install.  I'm not sure if it's a rule not carrying over correctly, or a failure of the ISC-DHCP thing in some way.  I have a bunch of rules, NAT redirects, etc...  Alias based rules, DNS redirects to avoid things phoning home.  It all works until I plop it into 26.1, then... all hell breaks loose.  Some things work, some don't...  My routers appear offline (by the light indicators) and many things don't connect, but some random devices use the WiFi fine...  It's bizarre.  Most everything was static IP'd, with DHCP pools on all the interfaces for random connected things...  I like to tinker.  LOL

Tomorrow will be busy, but maybe tomorrow night I will take a snapshot and run the upgrade to 25.7.11 and see if it goes well. 

Code Select Expand

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.7 (amd64) at Wed Mar 25 22:42:16 EDT 2026
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
No plugins found.
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 25.7 has 68 dependencies to check.
Checking packages: ..
ca_root_nss-3.108 version mismatch, expected 3.117_2
Checking packages: ......
dpinger-3.3 version mismatch, expected 3.4
Checking packages: .
filterlog-0.7_1 version mismatch, expected 0.7_2
Checking packages: .......
kea-2.6.3_1 version mismatch, expected 3.0.2
Checking packages: .
lighttpd-1.4.79 version mismatch, expected 1.4.82
Checking packages: ...
ntp-4.2.8p18_4 version mismatch, expected 4.2.8p18_5
Checking packages: .
openssh-portable-10.0.p1_1,1 version mismatch, expected 10.2.p1_1,1
Checking packages: .
openvpn-2.6.14 version mismatch, expected 2.6.17
Checking packages: .
opnsense-25.7 version mismatch, expected 25.7.11_9
Checking packages: ..
opnsense-lang-25.1.11 version mismatch, expected 25.7.4
Checking packages: .
opnsense-update-25.7 version mismatch, expected 25.7.11
Checking packages: ...
php83-ctype-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-curl-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-dom-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-filter-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-gettext-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-ldap-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-pcntl-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-pdo-8.3.23 version mismatch, expected 8.3.28
Checking packages: ....
php83-phpseclib-3.0.46 version mismatch, expected 3.0.48
Checking packages: .
php83-session-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-simplexml-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-sockets-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-sqlite3-8.3.23_1 version mismatch, expected 8.3.28
Checking packages: .
php83-xml-8.3.23 version mismatch, expected 8.3.28
Checking packages: .
php83-zlib-8.3.23 version mismatch, expected 8.3.28
Checking packages: ...
py311-dnspython-2.7.0,1 version mismatch, expected 2.8.0_1,1
Checking packages: .
py311-duckdb-1.3.1_1 version mismatch, expected 1.3.2
Checking packages: .
py311-jq-1.8.0_1 version mismatch, expected 1.10.0
Checking packages: ...
py311-numpy-1.26.4_6,1 version mismatch, expected 1.26.4_11,1
Checking packages: .
py311-pandas-2.2.3_2,1 version mismatch, expected 2.3.3,1
Checking packages: .
py311-requests-2.32.4 version mismatch, expected 2.32.5
Checking packages: .
py311-sqlite3-3.11.13_11 version mismatch, expected 3.11.14_11
Checking packages: .
py311-ujson-5.10.0_1 version mismatch, expected 5.11.0
Checking packages: .
py311-vici-5.9.11_1 version mismatch, expected 6.0.3
Checking packages: ....
strongswan-5.9.14 version mismatch, expected 6.0.3_1
Checking packages: .
sudo-1.9.17p1 version mismatch, expected 1.9.17p2_2
Checking packages: .
suricata-7.0.11_1 version mismatch, expected 8.0.3
Checking packages: .
syslog-ng-4.8.2_3 version mismatch, expected 4.10.2
Checking packages: ..
wpa_supplicant-2.11_5 version mismatch, expected 2.11_7
Checking packages: . done
***DONE***
So what would be your first suggestion from here?  I'll try it tomorrow.  I can't handle more troubleshooting today.  I'm up and running for now.

[newsense]

Apply 25.7 updates then check for updates again to retrieve the plugins.

Reboot - Snapshot

Install HA - Snapshot

Move to 26.1, then 26.1.5

If needed install the os-isc-dhcp but I don't think it will be the case.

Post health check here.

[House Of Cards]

Good day,

So I'm upgraded and fixed all the plugins up to 25.7.11_9.  Right now, I seem to be back to where I was.  I haven't tried the 26.1 update yet.  I want to sit on this a week and make sure everything is working right first.  Here is my health check.

Code Select Expand

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.7.11_9 (amd64) at Fri Mar 27 19:00:24 EDT 2026
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.7.11 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7.11 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
mimugmail (Priority: 5)
>>> Check installed plugins
os-homeassistant-maxit 1.0
os-theme-advanced 1.1
os-theme-cicada 1.40
os-theme-rebellion 1.9.4
os-theme-solarized-community 0.4_1
os-theme-tukan 1.30
os-theme-vicuna 1.50
os-tor 1.10
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 25.7.11_9 has 68 dependencies to check.
Checking packages: ..................................................................... done
***DONE***

[Netlearn]

Snapshots must be made by the user, they are not automatic. Fairly easy to use and a real lifesaver when things go wrong.

As long as 25.7.11_9 is running fine, hardware issues are unlikely. Nevertheless, if your system has some time, as it appears to be, I would test memory and storage (either hdd or ssd), just to rule that out.

There are mentions to Python 3.13 in this post. OPNsense has this package already upgraded in newer 26.x versions, and it seems that it's still pending in mimugmail repo. I don`t know if that could be an issue, but it seems relevant to me: os-homeassistant-maxit working with an older version than installed when you reach OPNsense 26.x with the newest Python version installed could break things.