26.1 “Witty Woodpecker” Series
For over 11 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates, modern IPv6 support, as well as clear and stable 2-Clause BSD licensing.
26.1, nicknamed “Witty Woodpecker”, features almost a full firewall MVC/API experience as automation rules have been promoted to the new rules GUI, Suricata version 8 with inline inspection mode using “divert”, assorted IPv6 reliability and feature improvements, router advertisements MVC/API, full code shell command escaping revamp, default IPv6 mode now using Dnsmsaq for client connectivity, Unbound blocklist source selection, an automatic host discovery service, plus much more.
The upgrade path for 25.7 will likely be unlocked on January 29, which is probably tomorrow if anyone is asking why it is not there yet. We want to ensure the upgrade goes as smoothly as possible so please be patient! :)
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/26.1/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/26.1/
South America: http://mirror.ueb.edu.ec/opnsense/releases/26.1/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/26.1/
Full mirror list: https://opnsense.org/download/
26.1.4 (March 11, 2026)
This is basically a maintenance release in assorted areas, but also includes a CVE for the GUI for missing POST checks in the API. We thank everyone for reporting issues and testing the fixes with us to allow for easy and fast releases such as this one.
The roadmap is almost ready to be published. Expect it later this week.
Here are the full patch notes:
system: store dashboard layout types based on column breakpoints
system: do not show snapshot notes in the grid
system: use safe config iteration in admin settings page
reporting: use safe config iteration in RRD code
interfaces: remove unused ip_in_interface_alias_subnet()
interfaces: use safe config iteration in PPP edit page
firewall: fix access to deleted filter node in advanced settings
firewall: merge MVC NAT page templates into a single one
firewall: when repopulating the interface selectpicker, always restore current selection in new rules GUI
firewall: remove hardcoded colors where possible in new rules GUI
firewall: fix category colors in new rules GUI
firewall: merge read of groups and interfaces in new rules GUI
firewall: make MVC protocol selection match the old rules pages
firewall: add model validations for common errors in destination NAT
firewall: live view: allow regex use in “contains” cases
firewall: live view: fix SyntaxWarning in log reader backend
firewall: use safe iteration in old rule page for schedule lookup
firewall: use safe config iteration in outbound NAT page
firmware: add aux repository support
ipsec: use safe config iteration for VIP lookup
kea: guard prefix watcher when no link-local address exists for a route that should be installed
monit: use safe config iteration in gateway alert script
openvpn: debounce learn-address calls to limit the number of alias updates to a minimum
openvpn: add validation for selecting username as CN without setting any authentication
unbound: split logic in update_blocklist() and simplify getPoliciesAction()
unbound: move policy fetch to the controller and clean up accordingly
backend: remove unused examples throwing errors now
backend: fix configd using a new temporary file for cached items
mvc: ConfigMaintenance: when constructing class names use a safer way to strip .php extension
mvc: fix CSRF vulnerability in multiple API endpoints by enforcing POST-only requests [1] (contributed by Oliver Jueguen)
mvc: move CertificateField, InterfaceField and ProtocolField to newer static option API
shell: improve config restore UX using diff and additional meta data display
ui: remove two unused static PHP array definitions
ui: Bootgrid: split row selection behavior into rowSelection boolean
ui: Bootgrid: force a lightweight redraw when columns are programmatically changed
ui: Bootgrid: fix curRowCount type conversion issue when stored in localStorage
lang: various language updates
ports: libxml 2.15.2 [2]
ports: strongswan 6.0.4 [3]
ports: syslog-ng 4.11.0 [4]
26.1.3 (March 04, 2026)
This update finally brings in Python 3.13 after the struggle we had with 3.11 and missing security patches. A number of things were fixed for the new rules GUI as well as assorted minor things in all areas of the code base. Two FreeBSD security advisories are also included and a reboot is needed to finish this update.
Of note are the recent modifications of the firmware scripting as they follow a fix in 26.1.2 that seems to have resolved the partial upgrade failures people have been reporting over the last 2 years. It turned out that the issue was a cleanup routine in the core package that removed temporary files in the background while the package manager was still attempting to install more packages.
Here are the full patch notes:
system: add note field to store comments for each snapshot
system: add configurable “memberOf” attribute to LDAP connector
system: do not scrub unrelated IPv6 DHCP ranges from Dnsmasq LAN config during wizard
system: adapt DHCP address shell setup for new config access functions
system: adapt web GUI certificate renew for new config access function
system: adapt initial port configuration DHCP setting for new config access functions
system: avoid using “(system)” user revision annotation to match legacy and MVC code
system: fix log files ‘go to page’ edge case and row count persistence/max
system: ignore future backups when they exist to ensure new backups are saved
system: ensure proper types are emitted in searchGatewayAction() when configd action fails
system: use safe iteration for cert/ca in system_trust_configure()
system: fixed broken link in modal header when using HA and saving administration settings
system: create a backup on factory reset
system: unify pwd_changed_at usage
reporting: restore canvas state in health graph to fix Firefox display bug
interfaces: generalise the dhcp6c_script using the new IFNAME variable
interfaces: fix enter key in assignment description and general cleanup
interfaces: protect device reads against forcing empty arrays into $config
firewall: check for schedules in use in new rules
firewall: add import/export function and missing lock on set action
firewall: better focus selected alias updates to in crease performance when either –aliases or –types is used
firewall: implement missing ICMP types in new rules GUI (contributed by Bjoern Jakobsen)
firewall: adjust for parseReplace() for icmp-type “skip”
firewall: fix NAT rule enabled checks display (contributed by Aaron Rogers)
firewall: prevent separator char from being used in category names
firewall: fix running into error using well known protocols with “-” in them
firewall: add validation to prevent using both gateway and reply-to in the same rule in new GUI
firewall: add a command button to open the live log with pre-filled rule ID in new GUI
firewall: move download and upload commands out of partial into global commands in new GUI
firewall: reduce complexity in URL hash handling and when using firewall_rule_lookup.php in new GUI
firewall: fix default ipprotocol mismatch so that when not specified both are indicated
firewall: update destination NAT ACL to match our menu entry
firewall: fix issues with searching in the states page
firewall: allow well known ports in local-port destination NAT
firewall: adjust row selection behaviour for internal rules in MVC pages
firewall: offer aliases the same was as the field type expects them
dnsmasq: add IP address validations for some of the DHCPv4 and DHCPv6 options (contributed by Greelan)
firmware: fix automatic advanced toggle in settings
firmware: shorten the reboot message to fit the spinner on the same line
firmware: tweaks for update/upgrade cleanup behaviours between core and opnsense-update
firmware: add support for aux repository handling in opnsense-update
installer: ufs: ignore errors when flushing the full disk
intrusion detection: upgrade ET Open ruleset to version 8.0 (contributed by 0nnyx)
openvpn: add options for legacy ciphers (contributed by Bjoern Jakobsen)
radvd: use safe config array iteration over virtual IPs
unbound: persist overrides PTR configuration and allow the user to deselect it
backend: removed mwexec() and mwexec_bg() functions following their deprecation
backend: add config_push_array() and config_merge_array() helpers
backend: remove constant configd cleanups as they may influence requests from other threads executing different commands
mvc: restructure menu items and system using findNodeByPath()/getItem() additions
mvc: BaseListField: generic implementation of static options
mvc: PortField: make “well-known” port numbers known by allowing them to be mapped to their respective numbers
mvc: collect UUID field so it can be searched, but only if the searchPhrase contains a valid UUID
tests: merge stable filter tests to double check upcoming changes
ui: batch bootgrid enable/disable-selected toggle by default
ui: swap order of custom bootgrid commands placement making sure they participate in command binding
plugins: os-acme-client 4.14 [1]
plugins: os-caddy 2.1.0 [2]
plugins: os-haproxy 5.1 [3]
plugins: os-netbird 1.2
plugins: os-nextcloud-backup 1.2 [4]
plugins: os-q-feeds-connector 1.5 [5]
plugins: os-tailscale 1.4 [6]
plugins: os-theme-cicada 1.41 (contributed by Team Rebellion)
plugins: os-theme-flexcolor 1.1 (contributed by Schnuffel2008)
plugins: os-theme-tukan 1.31 (contributed by Team Rebellion)
plugins: os-theme-vicuna 1.51 (contributed by Team Rebellion)
plugins: os-upnp 1.9 [7]
src: igmp: do not upgrade IGMP version beyond net.inet.igmp.default_version
src: igmp: apply net.inet.igmp.default_version to existing interfaces
src: ice: handle allmulti flag in ice_if_promisc_set function
src: icmp6: clear csum_flags on mbuf reuse
src: file: qualify pointers to capsicum rights as const
src: file: add a fd flag with O_RESOLVE_BENEATH semantics
src: file: Fix the !CAPABILITIES build
src: unix: Set O_RESOLVE_BENEATH on fds transferred between jails [8]
src: rtsock: Fix stack overflow [9]
src: divert: Use a better source identifier for netisr_queue_src() calls
src: if_ovpn: add interface counters
src: e1000: fix setting the promiscuous mode
src: pfctl: allow new page character (^L) in pf.conf
src: sctp: support bridge interfaces
src: ifconfig: assorted stable fixes
src: ip_mroute: assorted stable fixes
src: vtnet: assorted stable fixes
ports: libucl 0.9.4
ports: nss 3.121 [10]
ports: python 3.13.12 [11]
26.1.2 (February 12, 2026)
This is a smallish update with a number of fixes and another round of Python CVEs addressed. New images based on this stable version are planned for next week.
At the moment work focuses on the IPv6 support for the captive portal which should not be too far away now. The 26.7 roadmap will also be published at the end of this month.
Here are the full patch notes:
system: remove “upstream” from gateway grid as priority already reflects the proper data
system: adjust gateway group priority (tier) wording
interfaces: fix wlanmode argument usage
firewall: fix target mapping inconsistency leading to references not being processed in destination NAT
firewall: use local-port as target when specified in destination NAT
firewall: fix missing reply-to when not specifically set in new rules
firewall: live view: fix parsing of combined filters stored as converted strings
firewall: fix group rename in source_net, destination_net and SNAT/DNAT target fields
firewall: add tcpflags_any in new rules GUI for parity with legacy rules
firewall: exclude loopback from interface selectpicker in new rules GUI
firewall: well known ports added to filter rule selection
firewall: undefined is also “*” in new rules grid
firewall: add download button for validation errors in rule import
firewall: allow TTL usage on host entries
firmware: avoid update-hook background cleanups
firmware: revoke 25.7 fingerprint
kea: fix subnets GUI missing root node
radvd: change tabs to spaces in radvd.conf for better maintenance
unbound: safeguard the blocklist tester against empty configuration testing
mvc: add $separator as parameter for CSV export and switch the default to a semicolon
mvc: InterfaceField: minor adjustments and add resetStaticOptionList()
mvc: catch empty data in CSV import
tests: Shell: add testing framework
plugins: os-haproxy 5.0 [1]
ports: expat 2.7.4 [2]
ports: hostwatch 1.0.12 now rate-limits database writes for recently seen hosts
ports: ldns 1.9.0 [3]
ports: nss 3.120 [4]
ports: openldap 2.6.12 [5]
ports: openvpn 2.6.19 [6]
ports: py-duckdb 1.4.4 [7]
A hotfix release was issued as 26.1.2_5:
firewall: add missing implementation for “disablereplyto” in new rules
firewall: fix encoding issue in dashboard widget
captive portal: fix hard-timeout calculation
kea: add required scope to prefix watcher link local address route
backend: allow non-intrusive config_read_array() and fix a gateway group delete issue with it
# SHA256 (OPNsense-26.1.2-dvd-amd64.iso.bz2) = 8b81427b049ca291bed982a85c6eb821e9887f70b79c1d8183c24721e037f938
# SHA256 (OPNsense-26.1.2-nano-amd64.img.bz2) = 24ae4c3f178bcc53475ab0b2ec50a7b06e9541f5080c156e5aa967c12a8d343e
# SHA256 (OPNsense-26.1.2-serial-amd64.img.bz2) = 519b19cbb433a736d51c1f18d614c4e84ad5a71773d2eb3ea9aa7beb5ee01015
# SHA256 (OPNsense-26.1.2-vga-amd64.img.bz2) = 8259592094d48d06190f0e3d23471a0cc2304e7d076c6ba4437a5c3b2b1ad020
26.1.1 (February 04, 2026)
This ships OpenSSL and Python security updates as well as address a number of shortcomings of the initial 26.1 and community-infused improvements of the new rules GUI which we would not have dreamed of to get this quickly.
We are very happy with the current state of the new rules GUI and all the discussions we have had on how it can be further improved. It is just the beginning. A roadmap for 26.7 will be in the works later this month.
Looking back 11 years it appears that the best hopes we had for the project back then have all come true. It took lot longer than expected but we got there together with you, our beloved community. It will only take a bit more work now to achieve MVC/API support for all core components and remove root access from the web GUI. And we hope that you will be up for it in the coming years as well.
Images will likely be reissued based on this release, but it is not an immediate priority. Upgrade paths from 25.7 will also be updated in the near future to ensure the best possible upgrade experience.
Here are the full patch notes:
interfaces: fix WLAN creation when $mode is empty
interfaces: fix interface settings save with disabled ISC DHCPv6 server
interfaces: add optional interval input to ping
firewall: fix rule anchor rendering for plugins
firewall: prevent autocomplete in alias auth password
firewall: validate UUID on rules migration import
firewall: fix overload table setting being written as UUID into pf.conf in new rules GUI
firewall: local-port field in destination NAT does not support range and well-known name
firewall: change toggle_log icon to help visibility in new rules GUI
firewall: add missing schedules support for new rules GUI
firewall: make statistics column responsive for new rules GUI
firewall: add link to states and put it first in list in new rules GUI
firewall: add “any” interface filter option and make it the default
reporting: render RRD integer as string in command invoke
dnsmasq: compare leases case insensitive
firmware: opnsense-code: allow -r to specify the release branch for core/plugins
firmware: opnsense-patch: when patching make no backups
firmware: opnsense-update: batch use of -g and -G options
kea: add several missing validations
kea: use hostwatch as source for prefix watcher
openssh: style update for config generation
radvd: correctly verify constructor interface if used
lang: added Persian as a new language and a few updates/fixes in existing translations
installer: ufs: flush the disk to avoid spurious partitioning errors
mvc: support verbose logging in run_migrations.php
mvc: shield exec_safe() against fatal type errors
mvc: mark exported CSV as content safe to disable escaping
mvc: ArrayField: support throwing exceptions in importRecordSet()
mvc: fix class names of ManualSpdController and VxlanController
mvc: BaseModel: create missing nodes in legacy mapper
ui: bootgrid: allow multi word tooltips (contributed by Matthias Kaduk)
ui: bootgrid: introduce toggle-selected command
ui: bootgrid: searchable column selectors
ui: move refresh of selectpicker types into setFormData() and improve type detection
plugins: os-acme-client 4.13 [1]
plugins: os-ddclient 1.30 [2]
plugins: os-freeradius 1.10.1 [3]
plugins: os-tayga 1.4 [4]
plugins: os-tinc 1.8 adds disable subnet routes option (contributed by Thojo0)
src: fix multiple vulnerabilities in OpenSSL [5]
src: jail escape by a privileged user via nullfs [6]
src: arm64 SVE signal context misalignment [7]
src: page fault handler fails to zero memory [8]
ports: dnsmasq 2.92 [9]
ports: libxml 2.15.1 [10]
ports: openssl 3.0.19 [11]
ports: phalcon 5.10.0 [12]
ports: php 8.3.30 [13]
ports: phpseclib 3.0.49 [14]
26.1 (January 28, 2026)
For over 11 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates, modern IPv6 support, as well as clear and stable 2-Clause BSD licensing.
26.1, nicknamed “Witty Woodpecker”, features almost a full firewall MVC/API experience as automation rules have been promoted to the new rules GUI, Suricata version 8 with inline inspection mode using “divert”, assorted IPv6 reliability and feature improvements, router advertisements MVC/API, full code shell command escaping revamp, default IPv6 mode now using Dnsmsaq for client connectivity, Unbound blocklist source selection, an automatic host discovery service, plus much more.
The upgrade path for 25.7 will likely be unlocked on January 29, which is probably tomorrow if anyone is asking why it is not there yet. We want to ensure the upgrade goes as smoothly as possible so please be patient! :)
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/26.1/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/26.1/
South America: http://mirror.ueb.edu.ec/opnsense/releases/26.1/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/26.1/
Full mirror list: https://opnsense.org/download/
Here are the full patch notes:
system: factory reset and console tools now default to using Dnsmasq for DHCP
system: wizard now offers an abort button and deployment type selections
system: wizard can disable WAN or LAN interface now
system: provide resolv.conf overrides via /etc/resolv.conf.local
system: add XMLRPC option for hostwatch
firewall: improve GeoIP alias expiry condition
firewall: escape selector in rule_protocol
firewall: “Port forward” was migrated to “Destination NAT” MVC/API
firewall: unified look and feel of MVC/API pages formerly known as “automation”
firewall: improved support of gateway groups in policy-based routing
firewall: plugin support for “ether” rules has been removed
firewall: add import/export to shaper queues and pipes
firewall: “divert-to” support in new rules GUI
firewall: added a rule migration page (use with care)
firewall: make previously associated DNAT rules editable
interfaces: a new IPv6 mode called “Identity association” was added
interfaces: settings page was migrated to MVC/API
interfaces: handle hostwatch user/group via package
interfaces: force-reload IPv6 connectivity when PDINFO changes during renew
interfaces: dhcp6c rapid-commit, request-dns and config write refactoring
interfaces: generalise the rtsold_script code
interfaces: use descriptive interface names in automatic discovery table
interfaces: harden settings page with file_safe() and allowed_classes=false
dhcrelay: relax the check for present addresses and CARP-related cleanups
dnsmasq: add automatic RDNSS option when none is configured
dnsmasq: fix log conditions
firmware: opnsense-code: run configure script on upgrade if needed
intrusion detection: add a “divert” intrusion prevention mode
ipsec: expose ChaCha20-Poly1305 AEAD proposals in IKEv2 (contributed by Kota Shiratsuka)
kea: add libdhcp_host_cmds.so to expose internal API commands for reservations
kea: exit prefix watcher script if no lease file exists
kea: allow “hw-address” for reservations
kea: add pool in subnet validation
kea: minor code cleanups in model code
openvpn: account for CARP status in start and restart cases as well
openvpn: removed the stale TheGreenBow client export
radvd: migrated to MVC/API
radvd: remove faulty empty address exception
radvd: remove configuration file if disabled
radvd: implement RemoveAdvOnExit override
radvd: add Base6Interface constructor
radvd: support nat64prefix
console: opnsense-log now supports “backend” and “php” aliases
backend: safe execution changes in the whole code base
backend: removed short-lived mwexecf_bg() function
lang: various translation updates
mvc: add ChangeCase support to ProtocolField for DNAT special case
mvc: improve importCsv() to support either comma or semicolon
mvc: removed long obsolete sessionClose() from ControllerRoot
mvc: BaseModel: isEmptyAndRequired() has been removed
mvc: removed unusued RegexField
rc: replace camcontrol with diskinfo for TRIM check (contributed by Maurice Walker)
ui: allow HTML tags in menu items and title
ui: improve user readability in SimpleFileUploadDlg()
plugins: os-acme-client 4.12 [2]
plugins: os-ddclient 1.29 [3]
plugins: os-freeradius 1.10 [4]
plugins: os-isc-dhcp 1.0 [5]
plugins: os-nextcloud-backup 1.1 [6]
plugins: os-nginx 1.36 [7]
plugins: os-postfix 1.24.1 [8]
plugins: os-q-feeds-connector 1.4 [9]
plugins: os-wazuh-agent 1.3 [10]
src: assorted patches from stable/14 for LinuxKPI, QAT, and network stack
src: e1000: revert “try auto-negotiation for fixed 100 or 10 configuration”
src: if_ovpn: use epoch to free peers
src: carp6: revise the generation of ND6 NA
ports: dhcp6c v20260122
ports: hostwatch 1.0.9
A hotfix release was issued as 26.1_4:
interfaces: host discovery: make sure the full dump includes NDP output on fallback
interfaces: fix migration for IPv6 no-release option
firewall: FilterBaseController requires BaseUserException
firewall: fix typo with sprintf() with DNAT rule
ports: hostwatch 1.0.11
Migration notes, known issues and limitations:
ISC-DHCP moves to a plugin. It will be automatically installed during upgrades. It is not installed on new installations because it is not being used, but you can still install and keep using it.
To accommodate the change away from ISC-DCHP defaults the “Track interface” IPv6 mode now has a sibling called “Identity Association” which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups.
Dnsmasq is now the default for DHCPv4 and DHCPv6 as well as RA out of the box. One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.
Due to command line execution safety concerns the historic functions mwexec_bg() and mwexec() will be removed in 26.1.x. Make sure your custom code is not using them and use mwexecf(), mwexecfb() and mwexecfm() instead.
The function sessionClose() has also been removed from the MVC code and is no longer needed. Make sure to remove it from your custom code.
The custom.yaml support has been removed from intrusion detection. Please migrate to the newer /usr/local/etc/suricata/conf.d override directory.
The new host discovery service “hostwatch” is enabled by default (since 25.7.11). You can always turn it off under Interfaces: Neighbors: Automatic Discovery if you so choose.
The firewall migration page is not something you need to jump into right away. Please make yourself familiar with the new rules GUI first and check the documentation for incompatibilities. Single interface from the floating interface will not be considered “floating” in priorities.
Firewall: NAT: Port Forwarding is now called “Destination NAT”. Firewall rule associations are no longer supported, but the old associated firewall rules remain in place with their last known configuration and can now be edited to suit future needs.
Firewall: NAT: Source NAT is from the set of pages formerly known as automation, but Outbound NAT is still the main page for these types of rules.
The public key for the 26.1 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArTnFQp0jjj5bkLNx9G1j
# q26WmN/EtAaJUt+2MY8W8h7L3kokRMlTgEvCYJOkUjbJYbjuG0Cut3JExNYa1vdD
# 1SLIlJShyI8OsjbAS/flZdJB9c0Vxz2CwpoX9Efmp5TaB3GWqhHS0OVLx4MSI3HJ
# qP/aQLjZMuCQHX8beUQB77YWcT6sPC5UMYeNEW1uHR7Oki/TpOXWnzNStEQXRL6/
# MiuYJovedlNXeNUeebJyG0TyLJ/3uGMYhHKYK+OJkB03P3iLGGVE/WWNugsqX6bY
# tTU9PquHo5zDApndp8iG49Fs/DC0r7V1P85ETPtW2SuZQ7YeDuz3VKvuMxAqyQoC
# 1FLOsIuEfudDmRuMuTsRgB6jaGACEWUTuRyiFG4+kVDi1/qOWpYatP8C8B7Lx9UU
# CTZhCl+Se4woWGtp5KOtYe+pvJ4oz40SL4drUQFEP3ZOsK/HzyLjPFRgxfANNUPG
# ONayKHJXVVFPg2ATk9jeNPsLmXlcDmi/rihyN4RM2w0/bi8BWSc+dMGZ5ZhNJdsF
# wHBIscgpiAhs+HS8Usxy3idv/JkY0h9tZ2QnljhUUwhYV+DT9yZf5ABU0B68VjJ4
# /GloUc3bS7HBeSTAauYMOQvgkY1vcySGWTXvsGOw/Crpk4DYx5KpGNYHmENRey2c
# AQdi+Fvi3fFkV1BoxGo78NcCAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-26.1-dvd-amd64.iso.bz2) = 856c00a4ddf62f40cdc0871cd9fb6bbd455fb4dcca9337713b95ff42a41c88b2
# SHA256 (OPNsense-26.1-nano-amd64.img.bz2) = 5731a3f21c5dbe221acf5b4777ed686f705f27e7560ffb05d29a68ea4e7c7e50
# SHA256 (OPNsense-26.1-serial-amd64.img.bz2) = aaca6d4c44371673c555be354317533cf91ced86fc86c026716325c29c451d79
# SHA256 (OPNsense-26.1-vga-amd64.img.bz2) = 3901b83750dd19ca26632b61bf5fe7ac86b8cfa0bfb3e633928c37416a14e5f9
26.1.r2 (January 26, 2026)
The second release candidate for 26.1 brings fixes for issues found by our awesome community. As an online-only update you need 26.1-RC1 to install it.
The long-awaited dhcp6c refresh has been included as well as the latest version for hostwatch addressing the community concerns collected from 25.7.11.
Here are the changes against version 26.1-RC1:
system: add XMLRPC option for hostwatch
interfaces: show ISC-DHCPv6 menu in “idassoc6” mode
interfaces: fix validation issue in “idassoc6” mode
interfaces: handle hostwatch user/group via package
interfaces: avoid forced reloads when PDINFO is not set
firewall: fix 3 issues and improve instructions in rule migration page
firewall: improve GeoIP alias expiry condition
firewall: escape selector in rule_protocol
kea: add libdhcp_host_cmds.so to expose internal API commands for reservations
kea: allow “hw-address” for reservations
kea: add pool in subnet validation
openvpn: account for CARP status in start and restart cases as well
radvd: remove faulty empty address exception
lang: various translation updates
mvc: add ChangeCase support to ProtocolField for DNAT special case
ports: dhcp6c v20260122
ports: hostwatch 1.0.9
A hotfix release was issued as 26.1.r2_2:
interfaces: if no idassoc6/track6 LAN is used also emit a PD request like before
firewall: make previously associated DNAT rules editable
Migration notes, known issues and limitations:
ISC-DHCP moves to a plugin. It will be automatically installed during upgrades. It is not installed on new installations because it is not being used, but you can still install and keep using it.
To accommodate the change away from ISC-DCHP defaults the “Track interface” IPv6 mode now has a sibling called “Identity Association” which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups.
Due to command line execution safety concerns the historic functions mwexec_bg() and mwexec() will be removed in 26.1.x. Make sure your custom code is not using them and use mwexecf(), mwexecfb() and mwexecfm() instead.
The function sessionClose() has also been removed from the MVC code and is no longer needed. Make sure to remove it from your custom code.
The custom.yaml support has been removed from intrusion detection. Please migrate to the newer /usr/local/etc/suricata/conf.d override directory.
The new host discovery service “hostwatch” is enabled by default (since 25.7.11). You can always turn it off under Interfaces: Neighbors: Automatic Discovery if you so choose.
The firewall migration page is not something you need to jump into right away. Please make yourself familiar with the new rules GUI first and check the documentation for incompatibilities.
Firewall: NAT: Port Forwarding is now called “Destination NAT”. Firewall rule associations are no longer supported, but the old associated firewall rules remain in place with their last known configuration and can now be edited to suit future needs.
Please let us know about your experience!
Stay safe, Your OPNsense team
26.1.r1 (January 22, 2026)
Here we are now with the first release candidate to kickstart the 26.1 series. While this marks the end of an era as ISC-DHCP functionality moves to a plugin it is only the beginning of structural improvements and further innovation of topics that are important to our users: firewall GUI and API, IPv6, intrusion detection using Suricata and overall security.
Keep in mind this is mostly an image-based pre-production test release. Upgrades from the 25.7.11 development version will be available at some point, but it is not clear when. An online-only RC2 will probably follow as well. The final release date for 26.1 is January 28.
https://pkg.opnsense.org/releases/26.1/
Here are the development highlights since version 25.7 came out:
Introduce a new consistent rules GUI using MVC/API (formerly known as “Automation”)
Suricata version 8 and new inline inspection mode using “divert”
NAT port forwarding migrated to “Destination NAT” as MVC/API
Various IPv6 stability improvements and additional features
Setup wizard improvements including use case selection
Services: Router Advertisements migrated to MVC/API
Shell command escaping improvements and audit
Interfaces: Settings migrated to MVC/API
Default IPv6 setup now relies on Dnsmasq
Factory reset for individual components
The firewall live log was rewritten
Unbound blocklist source selection
Automatic host discovery service
A more detailed change log will follow!
Migration notes, known issues and limitations:
ISC-DHCP moves to a plugin. It will be automatically installed during upgrades. It is not installed on new installations because it is not being used, but you can still install and keep using it.
To accommodate the change away from ISC-DCHP defaults the “Track interface” IPv6 mode now has a sibling called “Identity Association” which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups.
Due to command line execution safety concerns the historic functions mwexec_bg() and mwexec() will be removed in 26.1.x. Make sure your custom code is not using them and use mwexecf(), mwexecfb() and mwexecfm() instead.
The function sessionClose() has also been removed from the MVC code and is no longer needed. Make sure to remove it from your custom code.
The custom.yaml support has been removed from intrusion detection. Please migrate to the newer /usr/local/etc/suricata/conf.d override directory.
The public key for the 26.1 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArTnFQp0jjj5bkLNx9G1j
# q26WmN/EtAaJUt+2MY8W8h7L3kokRMlTgEvCYJOkUjbJYbjuG0Cut3JExNYa1vdD
# 1SLIlJShyI8OsjbAS/flZdJB9c0Vxz2CwpoX9Efmp5TaB3GWqhHS0OVLx4MSI3HJ
# qP/aQLjZMuCQHX8beUQB77YWcT6sPC5UMYeNEW1uHR7Oki/TpOXWnzNStEQXRL6/
# MiuYJovedlNXeNUeebJyG0TyLJ/3uGMYhHKYK+OJkB03P3iLGGVE/WWNugsqX6bY
# tTU9PquHo5zDApndp8iG49Fs/DC0r7V1P85ETPtW2SuZQ7YeDuz3VKvuMxAqyQoC
# 1FLOsIuEfudDmRuMuTsRgB6jaGACEWUTuRyiFG4+kVDi1/qOWpYatP8C8B7Lx9UU
# CTZhCl+Se4woWGtp5KOtYe+pvJ4oz40SL4drUQFEP3ZOsK/HzyLjPFRgxfANNUPG
# ONayKHJXVVFPg2ATk9jeNPsLmXlcDmi/rihyN4RM2w0/bi8BWSc+dMGZ5ZhNJdsF
# wHBIscgpiAhs+HS8Usxy3idv/JkY0h9tZ2QnljhUUwhYV+DT9yZf5ABU0B68VjJ4
# /GloUc3bS7HBeSTAauYMOQvgkY1vcySGWTXvsGOw/Crpk4DYx5KpGNYHmENRey2c
# AQdi+Fvi3fFkV1BoxGo78NcCAwEAAQ==
# -----END PUBLIC KEY-----
Please let us know about your experience!
# SHA256 (OPNsense-26.1.r1-dvd-amd64.iso.bz2) = b0f1f48cd9104e96c37ab11c4381e3401d7d892c97ff8ec7aec1fcec44f16feb
# SHA256 (OPNsense-26.1.r1-nano-amd64.img.bz2) = e9c6d72908bc60fc4172ee9c6cd92e7b34bc0e234cc5ad17b3d9f951824cc22a
# SHA256 (OPNsense-26.1.r1-serial-amd64.img.bz2) = e03638f1d6fdbc300155fedf5d350603cb1479bf0f8ffe62c439ef0993b5aeb9
# SHA256 (OPNsense-26.1.r1-vga-amd64.img.bz2) = f78a0bb9f771fe8846c32ab501875d3970e569b0c4163eff08cfc3bedc1ad747