25.4 Series
The OPNsense business edition transitions to this 25.4 release including numerous MVC/API conversions, a new user self-service portal, user CSV import/export, improved security zones support and documentation, a new UI look with a light and dark theme, PHP 8.3, FreeBSD 14.2 plus much more.
Please make sure to read the migration notes before upgrading.
Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.
https://downloads.opnsense.com/
25.4.2 (August 06, 2025)
This business release is based on the OPNsense 25.1.12 community version with additional reliability improvements, but without Dnsmasq DHCP support and without the captive portal backend switch.
Here are the full patch notes:
system: safeguard local_group_set() since users may not exist for valid reasons
system: fix regression in setGroupMembership()
system: add “Source Networks” option to groups to restrict connectivity to web GUI
system: remove defunct “sshlogingroup” OpenSSH option because non-admins are no longer permitted shell access
system: reduce font size in thermal sensors widget tooltip (contributed by indeed-a-genius)
system: allow access to cached watcher gateway status
system: implement “force_down” failover support
system: implement base_bootgrid_table in user, group and priv templates
system: balance fastcgi servers a bit better
system: check private key matches provided certificate data
system: introduce a “wwwonly” user and group and related privilege separation preparations
system: add minimalistic interface to support SSO authentication
system: refactor a couple of existing empty() tests to isEmpty()
system: refactor cache flush into system_cache_flush()
system: add backend call for returning timezones
system: fix “weight” default fallback causing non-string return in gateway status
system: fix route status removal buttons
system: fix passing “arguments” as parameters for cron jobs
system: add banner to HA sync and firmware page when proxy environment override is used
system: fix audit message strings
system: add missing “kernel” application for remote logging
interfaces: emulate device name return in ifconfig edge case for legacy_interface_create()
interfaces: cleanup spurious functions regarding VIP access
interfaces: interfaces: improve private and bogon network filters (contributed by Maurice Walker)
interfaces: consider tracked interfaces linked devices on reload
interfaces: convert bridge configuration to MVC/API
interfaces: remove unused is_interface_assigned()
interfaces: refactor newwanip IPv4/v6 scripts to reduce differences between them
interfaces: do not call a description a “dmesg”
interfaces: relax regex for dmesg probing to seamlessly support dmesg timestamps
interfaces: remove unused “friendly” value from get_interface_list()
interfaces: add update mode to ifctl
interfaces: attempt to work around mangled MPD label
firewall: add ability to specify IPv6 pipe and queue masking using the src-ip6/dst-ipv6 specifiers (contributed by Daniel Tang)
firewall: use shared base_bootgrid_table and base_apply_button in shaper
firewall: use CIDR notation for specifying masks to dnctl (contributed by Daniel Tang)
firewall: improve dummynet_stats.py parsing of mask descriptor lines (contributed by Daniel Tang)
firewall: exclude interfaces with local links only when generating force gateway rules
firewall: fix missing lock while refactoring config for group changes
firewall: properly synchronize load order for shaper when reloading configuration
firewall: add toggle log command in automation
firewall: since bogons source writes a comment first prefix our exclusions too
firewall: tighten address / range validation for aliases
firewall: align alias tokenizer options with the ones in our base template
firewall: improve address family validation for rule source and destination
firewall: fix faulty ICMP type evaluation on NAT rules
firewall: skip reply-to for inversion rules
firewall: fix AttributeError: DNAME object has no attribute address on DNS fetch for aliases
captive portal: balance fastcgi servers a bit better
captive portal: do not share a fastcgi socket with web GUI
dnsmasq: allow AliasesField values to be cleared
dnsmasq: allow host wildcards in domain overrides again
dnsmasq: fix DomainIPField to allow IP address to be emptied
firmware: upgrade scripts for automatic GDrive, IPsec and OpenVPN legacy plugin installation
firmware: remove unbound/duckdb migration script
intrusion detection: add an override banner for custom.yaml use
ipsec: fix ipsec column identifier
ipsec: add “cacert” option in remote auth section and allow spaces and wildcards in id fields
ipsec: be more verbose when modifying SPDs
ipsec: add aes256-sha1 ESP proposal
kea-dhcp: fix parsing both address families in static mappings
kea-dhcp: add advanced options (pd-)allocator in DHCPv6
kea-dhcp: add static_routes validation (contributed by Dr. Uwe Meyer-Gruhl)
kea-dhcp: fix fatal socket path refusal in new Kea release
kea-dhcp: add DNS field to Kea DHCP4 reservations (contributed by Gtt1229)
openvpn: add port-share as advanced feature
openvpn: add (push) block-ipv6 option
openvpn: remove deprecated use of is_interface_assigned() in legacy client/server
openvpn: validate group membership after authentication
openvpn: add nopool directive
openvpn: let server/server_ipv6 require a netmask
openvpn: “keepalive_timeout” must be at least twice the interval value validation
unbound: remove “inplace” in chained assignment (contributed by dstapa)
unbound: improve the chroot mounting code to avoid excessive (un)mount calls
unbound: ignore TXT records for wildcard host entries
wireguard: add diagnostics and log file ACL
backend: use the new errors:no instead of “exit 0” in actions
lang: update language translations to their latest state
lang: further updates
mvc: add contribDir to app config (contributed by Freddie Sackur)
mvc: show versions on migration failure for clarity
mvc: deny whitespaces, asterisks and slashes in HostnameField
mvc: support array response type in session->get()
mvc: eventually phase out getCurrentValue() in favour of getValue()
ui: backwards-compatible merge of Tabulator grid replacement changes
ui: replace self-closing select element (contributed by Gavin Chappell)
ui: add standard HTML color input support
plugins: os-OPMWAF 1.9
plugins: os-beats 1.0 (contributed by Maxime Thiebaut)
plugins: os-c-icap 1.8 [1]
plugins: os-caddy 2.0.2 [2]
plugins: os-crowdsec 1.0.10 [3]
plugins: os-haproxy 4.6 [4]
plugins: os-postfix 1.24 [5]
plugins: os-radsecproxy 1.1 [6]
plugins: os-stunnel 1.0.6 adds LDAP and NNTP to supported STARTTLS protocols (contributed by Patrick M. Hausen)
plugins: os-sunnyvalley 1.5 switches mirror domain
plugins: os-zabbix-agent 1.16 [7]
plugins: os-zabbix-proxy 1.13 [8]
src: pf: explicitly NULL state key pointers
src: pf: fix panic in pf_return()
src: pf: do not use state keys after pf_state_insert()
src: netlink, socket, sctp, tcp, udp: assorted upstream stable changes
src: in6_control_ioctl: correctly report errors from SIOCAIFADDR_IN6
src: axgbe: add support for Yellow Carp Ethernet device
src: dhclient: keep two clocks
src: rtw88, rtw89: merge Realtek driver based on Linux v6.14
src: iwlwififw: remove Intel iwlwifi firmware from src.git
src: ifconfig: optimise non-listing case with netlink
src: xz: fix use-after-free in multi-threaded xz decoder [9]
src: ena: fix misconfiguration when requesting regular LLQ [10]
src: zfs: fix corruption in ZFS replication streams from encrypted datasets [11]
src: libc: allow __cxa_atexit handlers to be added during __cxa_finalize [12]
ports: curl 8.14.1 [13]
ports: dhcp6c 20250513 fixes spawning multiple instances
ports: kea 2.6.3 [14]
ports: libxml 2.14.5 [15]
ports: nss 3.113.1 [16]
ports: openldap 2.6.10 [17]
ports: openssl 3.0.17 [18]
ports: perl 5.40.2 [19]
ports: pftop 0.13
ports: php 8.3.23 [20]
ports: phpseclib 3.0.46
ports: py-duckdb 1.3.1 [21]
ports: python 3.11.13 [22]
ports: sqlite 3.50.2 [23]
ports: sudo 1.9.17p1 [24]
ports: suricata 7.0.11 [25]
ports: unbound 1.23.1 [26]
25.4.1 (May 22, 2025)
This business release is based on the OPNsense 25.1.6 community version with additional reliability improvements, but without Dnsmasq DHCP support and the recent captive portal backend switch.
Here are the full patch notes:
system: extend XMLRPC “nosync” support to keep backup items for new cases
system: use RADIUS Message Authenticator by default
system: prevent recursion loop when CAs are cross-referencing each other
system: fix off by one error due to line ending at the end of a log file
system: offer config directory to store locations for external certificates and support it in the certificates widget
system: allow multiple manual DNS search domains
system: fix gateway watcher backoff
system: minor code cleanups in auth.inc
system: kill gateways states for failback scenario when a higher priority gateway goes back online
system: update to latest tzdata content for time zones and ISO 3166 definitions
system: clean up a number of unused functions
system: refactor a VIP access in auth.inc
system: add field “boottime” to api/system/systemTime (contributed by eopo)
reporting: move NetFlow backend single_pass to command line parameters for easier debugging
reporting: use client time in traffic dashboard widget
reporting: replace insights totals chart with ChartJS variant
reporting: minor style fixes and cleanups in health graphs
interfaces: refactor bridge configuration backend
interfaces: refactor wireless device assignment
interfaces: allow literal comma by escape sequence in DHCP advanced option modifiers
interfaces: fix refresh button in ARP page
interfaces: fix “(de)select all” button in packet capture
interfaces: rename ip_in_subnet() to reflect it is only for IPv4
interfaces: remove unused get_vip_descr()
dnsmasq: domain to host migration for hosts
firewall: automation filter UI revamp
firewall: fix regression in alias table in JSON format
firewall: replace update_params for argparse in filter log reader
firewall: prevent source/destination inversion when multiple nets are selected
firewall: support comma separated alias targets in refactor() call
firewall: added multi-select for ICMP type
firewall: update user agent in alias URL fetch
firmware: ignore dashboard check for updates link automation if user clicks check for updates too
firmware: fix reboot flag handling due to changed BooleanField default in 25.1.4
firmware: add cleanup audit script
intrusion detection: fix a log reader regression in the alert view
intrusion detection: fix alert info button
ipsec: move mobile clients charon attributes to “Advanced settings”
ipsec: fix auth server parsing regression
ipsec: copy “Split DNS name” to undocumented “25” option
ipsec: fix more ACLs related to individual IPsec page use
ipsec: add DH Group 2 for basic Azure VPN gateway compatibility
ipsec: fix trimming NULL values
ipsec: attr 28673 previously rendered as 1 instead of strongswan default “yes”/”no” for a boolean
isc-dhcp: use “lease_type” to key lease map in addition to “iaid_duid” (contributed by Alex Goodkind)
isc-dhcp: fix invalid FQDN generation from DHCPv4 static map domains (contributed by Steven Zimmermann)
kea-dhcp: allow manual configuration for advanced scenarios
kea-dhcp: add DHCPv6 support
kea-dhcp: split into multiple id-based services
kea-dhcp: fix menu for overlapping leases links
kea-dhcp: correct static mapping returns for IPv6 addresses
kea-dhcp: translate reservation MAC address when dash is used
openvpn: display virtual IPv6 addresses for clients in dashboard widget (contributed by cs-1 and lucaspalomodevelop)
openvpn: simplify the VIP handling in legacy pages
router advertisements: fix list of source addresses on overlapping link-locals (contributed by Robin Müller)
unbound: add optional TTL field
backend: support “errors:no” clause on actions
mvc: prefer ui/user_portal above system_usermanager_passwordmg.php in ACLs
mvc: implement “ignore” field type in forms
mvc: allow referencing disabled interfaces in LinkAddressField
mvc: fix scoping issue in CertificatesField
mvc: BooleanField now defaults to “0” on creation
mvc: add static $internalStaticChildren in classes extending ArrayField
mvc: safeguard JsonKeyValueStoreField->setSourceField()
ui: include “all” instead of only “solid” and “brands” Font Awesome styles
ui: ensure fields stay aligned relatively to another when headers are used in forms
ui: add fetch_options() which can build grouped selectpickers
ui: improve and extend Bootgrid behaviour
plugins: os-caddy 1.8.5 [1]
plugins: os-ndproxy 1.1 [2]
plugins: os-sftp-backup 1.1 adds hostname prefix and filedrop-only support (contributed by beposec)
plugins: os-theme-rebellion 1.9.3 (contributed by Team Rebellion)
plugins: os-turnserver 1.0 (contributed by Frank Wall)
plugnis: os-squid 1.2 [3]
src: ifconfig: fix reporting optics on most 100g interfaces
src: igc: fix attach for I226-K and LMVP devices
src: inpcb: assorted changes for upcoming FIB support
src: ipfw: fix dump_soptcodes() handler
src: ixgbe: add support for 1000BASE-BX SFP modules
src: ixgbe: fix mailbox ack handling
src: netinet6: add the missing lock acquire to nd6_get_llentry
src: netinet: fix getcred sysctl handlers to do nothing if no input is given
src: netinet: if mb_unmapped_to_ext() failed, return directly
src: netlink: fix getting route scope of interface IPv4 addresses
src: ovpn: fix use-after-free of mbuf
src: pf: improve pf_state_key_attach() error handling
src: pfkey2: use correct value for a key length
src: routing: do not allow PINNED routes to be overriden
src: sctp: fix double unlock in case adding a remote address fails
src: tcp: clear sendfile logging struct
src: udp: do not recursively enter net epoch
src: wg: remove overly-restrictive address family check
src: caroot: update the root bundle
src: openssl: import OpenSSL 3.0.16
src: daemon: stop rebuilding the kqueue every restart of the child
src: contrib/expat: update libexpat from 2.6.0 to 2.7.1
src: contrib/tzdata: import tzdata 2025b
src: pfctl: fix faulty rule anchor counter print
src: pfctl: fix recursive printing of NAT rules
src: pf: Use a macro to get the hash row in pf_find_state_byid()
src: netinet6: work around synchronization issue in dying netgraph device
src: wg: Improve wg_peer_alloc() to simplify the calling
src: bnxt_en: Retrieve maximum of 128 APP TLVs
src: Revert “amd64 GENERIC: Switch uart hints from isa to acpi”
ports: curl 8.13.0 [4]
ports: expat 2.7.1 [5]
ports: kea 2.6.2 [6]
ports: lighttpd 1.4.79 [7]
ports: monit 5.35.2 [8]
ports: nss 3.110 [9]
ports: openssh 10.0p1 [10]
ports: phalcon 5.9.3 [11]
ports: php 8.3.20 [12]
ports: py-duckdb 1.2.2 [13]
ports: python 3.11.12 [14]
ports: syslog-ng 4.8.2 [15]
ports: unbound 1.23.0 [16]
# SHA256 (OPNsense-business-25.4.1-dvd-amd64.iso.bz2) = 12aa36a2ce6743217e9714ac1ba16de6bc81ef2f8a4f3c7635215268a0944b18
# SHA256 (OPNsense-business-25.4.1-nano-amd64.img.bz2) = 12361c910da612fe37cdec2814ff6d8363d9bee6171fe50de8cd58adb6a0e22d
# SHA256 (OPNsense-business-25.4.1-serial-amd64.img.bz2) = 41283f6cf854608b56cb08f7960c5e0291c9ef1a32e6f0736f59f287cf2e9ba2
# SHA256 (OPNsense-business-25.4.1-vga-amd64.img.bz2) = f20dd969784088eb1578df9c8dc5eb0a90502405027ab95b2b66277960803225
25.4 (April 09, 2025)
The OPNsense business edition transitions to this 25.4 release including numerous MVC/API conversions, a new user self-service portal, user CSV import/export, improved security zones support and documentation, a new UI look with a light and dark theme, PHP 8.3, FreeBSD 14.2 plus much more.
Please make sure to read the migration notes before upgrading.
Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.
https://downloads.opnsense.com/
This business release is based on the OPNsense 25.1.4 community version with additional reliability improvements.
Here are the full patch notes against version 24.10.2:
system: migrate user, group and privilege management to MVC/API
system: remove the “disable integrated authentication” feature
system: add “Default groups” option to add standard groups when a LDAP/RADIUS user logs in
system: remove the old manual LDAP importer
system: migrate HA status page to MVC/API
system: allow custom additions to sshd_config (contributed by Neil Greatorex)
system: increase max-request-field-size for web GUI
system: set tunable default for checksum offloading of the vtnet(4) driver to disabled (contributed by Patrick M. Hausen)
system: add support for RFC 5549 routes and refactor static route creation code
system: improve notification support to also allow persistent notifications and static banners
system: add notifications for low disk space and OpenSSH file override use
system: migrate tunables page to MVC/API
system: switch to temperature sensor caching
system: add certificate widget to track expiration dates and allow quick renewal
system: remove deprecated “page-getserviceprovider”, “page-dashboard-all” and “page-system-groupmanager-addprivs” privileges
system: replace file_get_contents() with curl implementation in XMLRPC sync and add verifypeer option
system: add item edit links to several dashboard widgets
system: prioritize index page and prevent redirection to a /api page on login
system: mute disk space status in case of live install media
system: optimize system status collection
system: exclude pchtherm thresholds temperature thresholds
system: update button wording on new HA status page
system: adjust gateway widget to use the intended caching mechanism
system: thermal sensors widget can now select individual sensors to display plus UX changes
system: handle dev.pchtherm temperatures in the thermal dashboard widget (contributed by Joe Roback)
system: use new apply button partial in tunables page
system: move high availability option “disable preempt” to advanced mode
system: straighten out syslog-ng rc.d scripting
system: implement user CSV import/export functionality (sponsored by: m.a.x. it)
system: switch boot logo and MOTD to the new-style logo (contributed by Gavin Chappell)
system: migrate “default” tunable value to empty one and improve UX
system: replace legacy service widget hook with a proper configd call
system: add “Kill states when down” option to gatways
system: stop pushing “nextuid” and “nextgid” during XMLRPC
system: migrate tunables to implicit defaults
system: secure access to sysctl configuration node
system: fix RADIUS error check
system: rewire system_usermanager_passwordmg.php to /ui/user_portal for cooperation with the next business edition
system: default “net.inet.carp.senderr_demotion_factor” tunable to “0”
system: opnsense-beep: serialize access to /dev/speaker (contributed by Leonid Evdokimov)
system: fix URL hash in certificate link so redirection shows the correct menu path
system: add a user portal for self-servicing OTP and OpenVPN profiles [2]
reporting: fix missing typecast in epoch range for DNS statistics
reporting: switch health graphs to ChartJS
reporting: minor code cleanups in insight backend
interfaces: adhere to DAD during VIP recreation in rc.newwanipv6
interfaces: remove non-functional features from bridges
interfaces: remove PPP edit in interfaces settings
interfaces: batched device type creation under “Devices” submenu
interfaces: move PPP and wireless logs to system log
interfaces: remove “Use IPv4 connectivity” setting as it will be set by default
interfaces: fix undefined array key warnings in DHCP client setup (contributed by Ben Smithurst)
interfaces: add “nosync” option to VIPs and fix sync conditional
interfaces: use shared base_bootgrid_table and base_apply_button where possible
interfaces: remove obsolete code in get_real_interfaces() to match getRealInterface()
interfaces: improve validation for CARP/proxy ARP VIP
interfaces: remove defunct “other” VIP type
interfaces: skip “nosync” processing on VIPs
interfaces: move “(de)select all” button to the same row on packet capture page
interfaces: add ARP address family option to packet capture
interfaces: fix advanced mode visibility in VIPs
firewall: use “skip lo0” instead of policing lo0 explicitly following OpenBSD best practice
firewall: remove duplicate table definition and make sure bogonsv6 table always exists
firewall: cleanup of CARP and IPv6 rules behaviour
firewall: filter feature parity in automation rules
firewall: offer multi-select on source and destination addresses
firewall: add experimental inline shaper support to filter rules
firewall: add missing columns on one-to-one NAT page
firewall: fix anti-lockout and “allow access to DHCP failover” automatic rules
firewall: add optional authorization for URL type aliases
firewall: add “URL Table in JSON format (IPs)” alias type
firewall: properly unpack multiple source/destination items in the rules page
firewall: hide internal aliases to align with previous legacy_list_aliases() function
firewall: support partial alias exports
firewall: performance improvement by using pf overall table stats instead of dumping each table
firewall: offer better plug-ability for dynamic alias type
firewall: alias rename action ignored due to missing lock
firewall: support “jq” processing syntax for JSON-based URL table aliases
firewall: fix presentation when alias name overlaps group name
captive portal: fix missing class import
captive portal: partially revert new lighttpd TLS defaults
captive portal: urlencode() selector items in voucher group list
dhcrelay: integrate layout_partials bootgrid/apply
dnsmasq: migrate existing frontend to MVC/API
firmware: fix “r” abbreviation vs. version_compare();
firmware: opnsense-update: fix failure to clean up the working directory
firmware: opnsense-update: support -B and -K with -c option check
firmware: opnsense-update: let -u skip already installed packages set
firmware: kernel may not be pending so be sure to check on upgrade attempt
firmware: add an upgrade test for wrong pkg repository
firmware: revoke 24.7 fingerprint
installer: fixed missing prompt and help text in ZFS disk selection
installer: warn on low RAM for ZFS as well
installer: added a power off option
intrusion detection: policy content dropdown missing data-container
ipsec: add log search button in sessions
ipsec: add banner message when using custom configuration files
ipsec: fix glob pattern for advanced configuration banner
ipsec: add deprecation notices for legacy components (will move to plugins)
ipsec: pre-shared key permission fix
kea-dhcp: add “v6-only-preferred” option (contributed by darses)
kea-dhcp: use shared base_bootgrid_table and base_apply_button
kea-dhcp: add missing ACL privileges
lang: update available translations
monit: flag file overwrites when they exist
network time: take IPv6 addresses into account
network time: remove support for explicit VIP selection
network time: move XMLRPC definition to correct file
openvpn: add validation pertaining to auth-gen-token and reneg-sec combinations
openvpn: add deprecation notices for legacy components (will move to plugins)
openvpn: add DCO validation for fragment size
openvpn: use shared base_bootgrid_table and base_apply_button
openvpn: add support for assorted options [3] (contributed by Marius Halden)
openvpn: add basic HTTP client option
openvpn: add “Enable static challenge (OTP)” option in client export
router advertisements: move plugin code to its own space
unbound: cleanup available blocklists and add hagezi blocklists
unbound: fix root.hits permission on copy
unbound: flag file overwrites when they exist
unbound: add support for forward-first when configuring forwarders (contributed by Nigel Jones)
unbound: use shared base_bootgrid_table and base_apply_button
unbound: move whitelist (passlist) handling to Unbound plugin
unbound: drop “exclude” phrase from plugin log entry
wireguard: change tracking of peer status, improve widget and diagnostic
wireguard: use shared base_bootgrid_table and base_apply_button
backend: -m option is unused so remove its complication
backend: add an “import” rc.syshook facility
backend: change the “monitor” rc.syshook facility and de-deprecate its use
backend: remove unused functions and move once-used functions to their call script
backend: allow pluginctl to filter on -x/-X option
mvc: implement reusable grid template using form definitions
mvc: add Default() method to reset a model to its factory defaults
mvc: fix LegacyMapper when the mount point is not the XML root
mvc: move explicit cast in BaseModel when calling field->setValue()
mvc: fields should implement getCurrentValue() rather than __toString()
mvc: fix value lookup in LinkAddressField
mvc: memory preservation fix in BaseListField
mvc: support lazy loading on alias models and use it in NetworkAliasField
mvc: wrap locks around updates and perform some minor cleanups in ApiMutableModelControllerBase
mvc: move “lazy loading” option to base model implementation and force usage on run_migrations.php
mvc: safeguard checkToken() to prevent fetching an non existing POST item
mvc: decode HTML tags in menu items
mvc: fix unit tests for model relation fields
mvc: merge NetworkValidator into NetworkField to ease extensibility and add unit test
mvc: send audit messages emitted in the authentication sequence to proper channel
ui: upgrade Font Awesome icons to version 6
ui: push search/edit logic towards bootgrid implementation
ui: improved links with automatic edit and/or search
ui: rewritten default theme for a light look and new logo
ui: added default theme variant with a dark look
ui: header image scaling fixes in default light theme
ui: remove right border from “aside” element in default dark theme
ui: upgrade ChartJS to v4
ui: change backdrop background color to black in dark theme
ui: create a unified layout partial for the apply button
plugins: adjust all themes for ChartJS 4 use
plugins: os-OPNBEcore 1.5
plugins: os-OPNWAF 1.8
plugins: os-OPNcentral 1.11
plugins: os-acme-client 4.9 [4]
plugins: os-caddy 1.8.4 [5]
plugins: os-cpu-microcode 1.1 removes unneeded late loading code
plugins: os-crowdsec 1.0.9 [6]
plugins: os-ddclient 1.27 [7]
plugins: os-dmidecode 1.2 adds new dashboard widget (contributed by Neil Merchant)
plugins: os-frr 1.44 [8]
plugins: os-haproxy 4.5 [9]
plugins: os-intrusion-detection-content-pt-open 1.0 (contributed by kulikov-a)
plugins: os-sftp-backup 1.0 allows configuration backups over SFTP
plugins: os-tailscale 1.2 [10]
plugins: os-theme-cicada 1.39 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.29 (contributed by Team Rebellion)
plugins: os-theme-vicuna 1.49 (contributed by Team Rebellion)
plugins: os-zabbix-agent 1.15 [11]
plugins: os-zabbix-proxy 1.12 [12]
src: FreeBSD 14.2-RELEASE [13]
src: bpf: fix potential race conditions
src: carp: fix checking IPv4 multicast address
src: e1000: fix vlan PCP/DEI on lem(4)
src: icmp: use per rate limit randomized jitter
src: if_vxlan: invoke vxlan_stop event handler only when the interface is configured
src: if_vxlan: prefer SYSCTL_INT over TUNABLE_INT
src: if_vxlan: use static initializers
src: ifconfig: make -vht work
src: ifnet: detach BPF descriptors on interface vmove event
src: igc: remove unused register IGC_RXD_SPC_VLAN_MASK
src: ipfw: add missing initializer for “limit” table value
src: ipfw: make “ipfw show” output compatible with “ipfw add” command
src: iwlwifi: update Intel iwlwifi/mvm driver et al
src: ixgbe: add ixgbe_dev_from_hw() back
src: ixgbe: fix a logic error in ixgbe_read_mailbox_vf()
src: ktrace: fix uninitialized memory disclosure]
src: libkern: add ilog2 macro et al
src: net80211: 11ac: add options to manage VHT STBC
src: net: if_media for 100BASE-BX
src: netinet6: do not forward to the unspecified address
src: netinet: do not forward or ICMP response to INADDR_ANY
src: netinet: ipsec and ktls cannot coexists
src: pf: add “allow-related” to always allow SCTP multihome extra connections
src: pf: add extra SCTP multihoming probe points
src: pf: align sanity checks for pfrw_free
src: pf: allow ICMP messages related to an SCTP state to pass
src: pf: allow all forms of neighbor advertisements in either direction
src: pf: cleanup leftover PF_ICMP_MULTI_* code that is not needed anymore
src: pf: do not keep state when dropping overlapping IPv6 fragments
src: pf: drop IPv6 packets built from overlapping fragments in pf reassembly
src: pf: fix fragment hole count
src: pf: force logging if pf_create_state() fails
src: pf: only force state failure logging if logging was requested
src: pf: send ICMP destination unreachable fragmentation needed when appropriate
src: pf: stop using net_epoch to synchronize access to eth rules
src: pf: verify SCTP v_tag before updating connection state
src: pf: verify that ABORT chunks are not mixed with DATA chunks
src: pfil: set PFIL_FWD for IPv4 forwarding
src: rtw89: update Realtek rtw88/rtw89 driver et al
src: sysctl: enable vnet sysctl variables to be loader tunable
src: tzdata: import tzdata 2025a
ports: ca_root_nss 3.108 [14]
ports: curl 8.12.1 [15]
ports: dnsmasq 2.91 [16]
ports: expat 2.7.0 [17]
ports: lighttpd 1.4.78 [18]
ports: monit 5.34.4 [19]
ports: nss 3.109 [20]
ports: openssl 3.0.16 [21]
ports: openvpn 2.6.14 [22]
ports: pcre2 10.45 [23]
ports: pecl-radius now offers message authenticator support (scheduled to be enabled with 25.4.2)
ports: pftop 0.12
ports: phalcon 5.9.0 [24]
ports: php 8.3.19 [25]
ports: py-duckdb 1.2.1 [26]
ports: py-jq 1.8.0 [27]
ports: radvd 2.20 [28]
ports: suricata 7.0.10 [29]
Migration notes, known issues and limitations:
The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. The integrated authentication via PAM has been the default for a long time so the option to disable it has been removed. The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option. The “page-system-groupmanager-addprivs” privilege was removed since the page does not exist anymore. A multi-purpose privilege editor has been added under the existing “page-system-usermanager-addprivs” instead.
PPP devices can no longer be configured on the interface settings page. To edit the device settings use the native PPP device edit page instead.
The public key for the 25.4 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsnbyFjWXvUcUC4BqnQ9w
# uH3yiaG7AY8UzwepXf2TqqOYt5Y0USbse3OBjxYnRs0iW5EHtdKSRcmelup374Hp
# XDDeQ/mjmhhnvXryfQL57gyVpYeL5gRVhf/2DwEZELLCFUFhMNh52QPaJ5zTvdws
# m1Q+OwI1WfTDR7ytm+0Too2tVerG3mM3XataZ+XOKwHp2xP0Mr8E4F+PZdR4hWbb
# yC2elIzICXDWWpcEEg4JT48TIYZJPGnE2IJAzWRntrqVU2eLcEn5MffwTawXNoCZ
# mvLYqguYskmeR/dAL7ZmZcPeMeibXMtld8xIZp49g7DPq7PqxCY1wxcgeuZPFOHv
# kbYzL3BHbyni3K/qdLXKzy8oZeUUvlbUgaj8Xx14DSiNzJDknNf0Xg/eby7MkzgP
# eUXgtB0MRQMih85BfaiH5r+uQMgPKnjutVWR8qUWglxDKIc4s69b8PXylfu2FwiP
# iKMBdO8xnVvNFKOkuaUtI31cqxauw2hBAlILFvltM+adUz2rfB3Ch0bjfjDE5Hxq
# En4fEUVHgQCu+Ojyyy3/8RwUpsRZq05fObypyeL3E/MvlwpaOVjwvw2ozVPGi2zi
# xmXemn5CbgjD3vPR9XERXrFkHTwPnIiqz53znqn34P+NGEgD1veMhZPE6OGZRu/h
# IfceSaxJ/An5SUh0zr7YgOsCAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-business-25.4-dvd-amd64.iso.bz2) = 6b99523d8b8f166ea6fc1e30de3206da8f5184fc36f646d3cefd3b2409930f49
# SHA256 (OPNsense-business-25.4-nano-amd64.img.bz2) = 1aa61b516ea61491c3b5c438c7d003d6f0812cc4638ddd767f4fe0e2f89ad0ea
# SHA256 (OPNsense-business-25.4-serial-amd64.img.bz2) = d54c59bbfb89282cc5dc7a40b1c0b42b0c616e23f70700c2d2aeb32ab9474509
# SHA256 (OPNsense-business-25.4-vga-amd64.img.bz2) = cb95d7cc0ef9c8875173bbaf4bd852c477ff1e1d529387fdb6f08be38041eda6