OPNsense, the popular open-source firewall and routing platform built on FreeBSD, released version 25.7.11 on January 15, 2026, bringing significant enhancements, including a new host discovery service designed to improve network management capabilities.
The release marks an important incremental update that strengthens both IPv4 and IPv6 functionality while preparing infrastructure for the upcoming major version 26.1.
Host Discovery Service: Core Enhancement
The highlight of this release is the introduction of a host discovery service powered by the hostwatch component (version 1.0.4), now enabled by default across all installations.
This service automatically maintains a dynamic registry of MAC addresses for IPv4 and IPv6 hosts connected to the firewall's network segments.
The implementation integrates seamlessly with existing OPNsense features, providing host information directly to MAC-type firewall aliases and captive portal clients without requiring manual configuration.
| Feature | Description / Benefit |
| --- | --- |
| Host Discovery Service | Automatic MAC tracking for IPv4/IPv6; better visibility and firewall control |
| MAC-Type Firewall Aliases | Device-based firewall rules instead of static IPs |
| Captive Portal Integration | Improved user identification and authentication |
| IPv6 Prefix Fixes | Accurate prefix lifetimes; fewer IPv6 errors |
| rtsold Enhancement | Prevents IPv6 script execution failures |
| IPv6 Divert Handling | More accurate IPv6 traffic filtering |
| exec() Removal | Reduced command-injection attack surface |
| IDS Improvements | Easier rule management and alert tuning |
| ISC-DHCP Safeguards | Safer DHCPv6 transition to Kea |
| Backend Hardening | Fewer injection risks in network services |
| Hostwatch Update | Cleaner logs and better telemetry |
| DNS SAN Generation | Automated certificate SAN management |
This functionality solves a longstanding problem in network management: maintaining accurate device-to-MAC mappings in complex environments where devices frequently connect and disconnect.
Organizations can now implement more granular firewall policies based on device identity rather than relying solely on static IP configurations.
The service maintains backward compatibility, allowing administrators to opt out through the automatic discovery settings if preferred.
Developers invested substantial effort in IPv6 protocol improvements during the holiday period, addressing several protocol-level issues identified by users across diverse network deployments.
Notable kernel fixes include correcting address prefix lifetime calculations, eliminating off-by-one errors in prefix lifetime (pltime) and valid lifetime (vltime) expiration checks, and improving DHCPv6 prefix handling.
The rtsold daemon now properly validates Router Advertisement (RA) lifetimes before triggering configuration scripts, preventing edge-case failures in complex IPv6 environments.
Additionally, IPv6 divert packet handling received corrections at the pf level, improving packet filtering accuracy for organizations running advanced traffic manipulation policies.
The update ensures that hosts with prefix lengths of 128 no longer trigger erroneous warnings during address deletion operations.
The release continues the multi-version effort to eliminate direct exec() function calls across the codebase, a security-focused refactoring that reduces command-injection attack surfaces.
Changes span authentication scripts, system configuration utilities, and backend service management.
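One way such a refactoring can look, as an added PHP example (not OPNsense's own code; `build_unsafe()`, `build_safe()` and the ping command line are assumptions made for illustration): a string-concatenated command is replaced by a fixed format whose arguments are shell-quoted, and malformed formats are rejected before formatting.

```php
<?php
// Added illustration, not OPNsense code. All function names are hypothetical.

// BEFORE: the value is spliced into a shell command line, so metacharacters
// in $host are interpreted by /bin/sh when the string reaches exec().
function build_unsafe(string $host): string
{
    return '/sbin/ping -c 1 ' . $host;
}

// AFTER: a fixed format string, with every argument quoted by escapeshellarg().
function build_safe(string $format, array $args): string
{
    // Accept only "%s" placeholders and the literal "%%". Any other "%" is
    // rejected here rather than handed to vsprintf().
    $stripped = str_replace('%%', '', $format);
    if (substr_count($stripped, '%') !== substr_count($stripped, '%s')) {
        throw new InvalidArgumentException('stray % in command format');
    }
    if (substr_count($stripped, '%s') !== count($args)) {
        throw new InvalidArgumentException('placeholder/argument count mismatch');
    }
    $quoted = array_map(fn($a) => escapeshellarg((string)$a), array_values($args));
    return vsprintf($format, $quoted);
}

// Constructed sample input: an address field carrying a shell separator.
$input = '192.0.2.10; id';

echo build_unsafe($input), PHP_EOL;
echo build_safe('/sbin/ping -c 1 %s', [$input]), PHP_EOL;

// Malformed formats (a stray "%", and more placeholders than arguments).
foreach (['/bin/echo 100% %s', '/bin/echo %s %s'] as $bad) {
    try {
        build_safe($bad, ['x']);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Where no shell features are needed, passing the command as an argument array to `proc_open()` (PHP 7.4 and later) avoids the shell altogether.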
The intrusion detection system received updates to refine alert selection mechanisms and to provide a more helpful hint for rule editing.
ISC-DHCP integration received additional safeguards for DHCPv6 property access, an essential step as OPNsense transitions to replacing ISC-DHCP with Kea in version 26.1.
Two hotfixes followed the initial release. Version 25.7.11_1 corrected a vsprintf() parsing vulnerability involving stray percent characters.
Version 25.7.11_2 addressed edge-case tunable reset logic and suppressed excessive hostwatch logging messages that generated unnecessary system log bloat.
The stable release cycle remains on schedule, with version 26.1-RC1 expected early in the week following release and the final version targeting January 28, 2026.
The upgrade maintains stability for production deployments while positioning organizations for the significant architectural changes arriving in the next major version.
