Upgrade from 25.7 to 26.1 results in a bootlock

Started by transmissionend, May 11, 2026, 09:21:18 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
May 11, 2026, 09:21:18 PM Last Edit: May 13, 2026, 04:36:58 PM by transmissionend
Hello everyone,

I currently have a reproducible issue with OPNsense on a PC Engines APU2D4 and would appreciate any hints or similar experiences.

## Hardware / Setup

- PC Engines APU2D4
- Serial console only (no VGA)
- mSATA SSD
- FreeBSD base installation with GELI encryption
- Afterwards bootstrapped to OPNsense

## Initial Situation

The system previously worked fine with OPNsense 25.7.

The upgrade to 26.1 was performed from an existing FreeBSD installation using:

opnsense-update -ur 26.1
pkg upgrade


The upgrade process itself completes successfully without errors.

---

# Problem

After:

- successfully upgrading to 26.1 with 3 reboots
  or
- performing a completely fresh FreeBSD + OPNsense 26.1 (bootstrap) installation and restoring my old configuration

the system gets stuck during the boot process.

Without restoring the config on a fresh FreeBSD + OPNsense 26.1 (bootstrap) installation, it boots normally.

However, with the restored config:

- GELI unlock works
- boot messages continue normally
- output then appears to stop at:


amdtemp0: found 4 cores and 1 sensors


---

# Important Findings

After additional testing, the system also seems to not be completely frozen on newer versions.

## 1) Testing with FreeBSD + OPNsense bootstrap

### FreeBSD + OPNsense 25.7

* install a fresh FreeBSD + OPNsense 25.7
- then restore the same old config

The APU2 shows EXACTLY the same behavior on the serial console:

- console output appears to stop at `amdtemp0`

HOWEVER, with the older 25.7 version:

- network interfaces are initialized correctly
- the WebGUI is fully reachable
- routing/firewall functionality works normally

This strongly suggests that:

- the serial console and/or
- console login / getty / tty handling

stops working correctly after restoring the configuration.

I have tested official FreeBSD + OPNsense bootstrap installations with and without:

- GELI
- hardening options such as:

  * hide_uids
  * hide_gids
  * hide_jail
  * procfs restrictions
  * read_msgbuf
  * random_pid
  * additional sysctl/hardening options
- different mSATA sizes (60GB / 120GB / 240GB)

=> none of these settings make any difference regarding the issue.

Independently from the boot stop on 26.1 on the APU2, I can boot the exact same device (mSATA) fully working on a ThinkPad T500 and X230:

- all interfaces are initialized correctly
- settings are applied correctly
- the system is fully usable

Therefore, this definitely appears to be an APU2-specific issue in combination with FreeBSD 14.x and OPNsense 26.1.

---

## 2) Testing with direct OPNsense 26.1 installation

- flashing a fresh OPNsense 26.1 image to the APU2 works correctly
- I can connect normally after installation, just like in test case 1

However, an important point is:

- restoring the old config does not seem to work correctly in this setup

What happens:

- the encrypted config file is accepted
- I receive the message that the restore was successful
- the APU2 reboots normally

BUT:

- on the serial console I still only see the default 2 interfaces from the stock installation
- after logging into the WebGUI, the system still looks like a fresh installation

So apparently the old configuration is either:

- not fully restored
  or
- partially ignored during boot/startup.

=> I will try to decrypt the config file and search for problematic settings.

---

The main issue seems to be related to OPNsense 26.1 itself, so there may have been significant changes affecting the APU2 boot process.

---

# Additional Observations on the Serial Console

- newly attached USB devices are still detected
- corresponding kernel messages continue to appear on the serial console
- the kernel/system itself therefore still appears to be running

On OPNsense 26.1 additionally (with restored old config):

- no reachable interfaces/WebGUI
- interfaces apparently are not initialized correctly
- possibly an additional issue related to config/plugins/interface mapping

---

# Current Suspicions

At the moment I suspect a combination of:

- serial console/getty issue
- old console/TTY settings in config.xml
- possible plugin incompatibility
- old interface/VLAN mapping
- FreeBSD 14.x / OPNsense 26.1 interaction on the APU2 (currently my main suspicion)

After my testing, the following point can probably be excluded regarding the boot hangs:

- interaction with enabled FreeBSD hardening options

Currently the behavior looks more like:

- console/login broken plus some init/startup issues

rather than:

- a complete system freeze.

---

# Planned Analysis

Next I plan to:

- boot the system with the restored config until the apparent "hang"
- power it off
- boot the mSATA in another machine
- analyze logs and config.xml there

However, as a FreeBSD beginner, recovering/debugging FreeBSD bootloader issues is still somewhat tricky for me and may take some time.

Relevant files are probably:


/var/log/system/latest.log
/var/log/boot/latest.log
/var/log/configd/latest.log
/conf/config.xml


---

# Questions

1. Has anyone experienced similar issues with:

   * APU2
   * serial console
   * restored configs
   * OPNsense 26.1
   * FreeBSD 14.x?

2. Are there any known issues involving:

   * old console/TTY settings
   * plugins
   * getty/serial login
   * restored config.xml on 26.1?

3. Could there be any known APU2-specific regressions in FreeBSD 14.x or OPNsense 26.1?

Thanks in advance.


EDIT-1 - 2026-05-13 (EU): after multiple testing => I changed Block "Important Findings" and add Points 1) and 2) ; updated "Additional Observations on the Serial Console" and "Current Suspicions"
EDIT-2 - 2026-05-13 (EU): add EDIT 1 and 2 =)
May 12, 2026, 09:50:26 AM #1
Quote from: transmissionend on May 11, 2026, 09:21:18 PM* output then appears to stop at:
amdtemp0: found 4 cores and 1 sensors

Possibly your imported configuration is simply not configured for serial console output? That's what would happen if that was the case.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
May 12, 2026, 01:05:00 PM #2
There's no reason to use a Frankenstein version of OPN, no justification for GELI or a FreeBSD install.

Best option is to start from scratch with the official OPNsense installer.

For anything else you're really on your own since we cannot guess what hardening measures you did there nor can we account for changes between the official OPN and stock FreeBSD version unknown

Last but not least by not using the OPN binaries you're missing out on patches that haven't been backported to FreeBSD for a multitude of reasons outside of scope here.
May 13, 2026, 04:34:02 PM #3
Ok Ive tested multiple different configurations now and updated the main post completely.
So please read it again.
Print
Go Up Pages1
User actions