opnsense-docs/source/releases/CE_25.7.rst

===========================================================================================
25.7  "Visionary Viper" Series
===========================================================================================



For over a decade now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.

25.7, nicknamed "Visionary Viper", features reusable and thoroughly
revamped frontend code, an SFTP backup plugin, experimental privilege
separation for the GUI, JSON container support for aliases, a new and
improved firewall automation GUI, performance enhancements especially
for numerous aliases being used at once, Dnsmasq DHCP support, Kea DHCPv6
support, Greek as a new language, FreeBSD 14.3 plus much more.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__  and the checksums for the images
can be found below as well.

* Europe: https://opnsense.c0urier.net/releases/25.7/
* US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.7/
* South America: http://mirror.ueb.edu.ec/opnsense/releases/25.7/
* East Asia: https://mirror.ntct.edu.tw/opnsense/releases/25.7/
* Full mirror list: https://opnsense.org/download/


--------------------------------------------------------------------------
25.7.5 (October 08, 2025)
--------------------------------------------------------------------------


This updates provides for a new GeoIP database source by IPinfo, stability
fixes for several network drivers and the recent OpenSSL security update
amongst others.

Here are the full patch notes:

* system: add the pfsync "defer" option to high availability
* system: return both interfaces in a single call for get_nameservers()
* system: safeguard legacy local_sync_accounts() against malformed user entries
* firewall: support IPinfo format for GeoIP `[1] <https://docs.opnsense.org/manual/how-tos/ipinfo_geo_ip.html>`__ 
* firewall: adapt default table size calculation
* firewall: fix flags not showing on GeoIP selection
* captive portal: case insensitive MAC parsing
* captive portal: remove stale dir-listing.activate from web server
* dnsmasq: refine the selection of automatic DHCP rules for eligible interfaces
* firmware: switch business mirror layout
* ipsec: dots are not allowed in pool names
* kea-dhcp: expose lease expiration settings to the GUI (contributed by Konstantinos Spartalis)
* kea-dhcp: support DHCP option 121 (classless static routes)
* mvc: protect JSON response against UFT-8 encoding failures
* mvc: HTML-decode select element values
* plugins: os-etpro-telemetry 1.8 now shows more status responses in widget
* plugins: os-shadowsocks 1.3 `[2] <https://github.com/opnsense/plugins/blob/stable/25.7/net/shadowsocks/pkg-descr>`__ 
* src: bnxt: fix the request length in bnxt_hwrm_func_backing_store_cfg()
* src: iflib: set the get counter routine prior to attaching the interface
* src: ifnet: defer detaching address family dependent data
* src: ixgbe: fix incomplete speed coverage in link status logging
* src: ixl: fix queue MSI and legacy IRQ rearming
* src: openssl: fix multiple vulnerabilities `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-25:08.openssl.asc>`__ 
* src: re: add PNP info for module
* src: re: make sure re_rxeof() is called in net epoch context
* src: vfs: fix copy_file_range() failing to set output parameters `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-25:16.vfs.asc>`__ 
* ports: curl 8.16.0 `[5] <https://curl.se/changes.html#8_16_0>`__ 
* ports: expat 2.7.3 `[6] <https://github.com/libexpat/libexpat/blob/R_2_7_3/expat/Changes>`__ 
* ports: nss 3.117 `[7] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_117.html>`__ 
* ports: openssl 3.0.18 `[8] <https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md>`__ 
* ports: pcre2 10.46 `[9] <https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.46>`__ 
* ports: phpseclib 3.0.47 `[10] <https://github.com/phpseclib/phpseclib/releases/tag/3.0.47>`__ 



--------------------------------------------------------------------------
25.7.4 (September 30, 2025)
--------------------------------------------------------------------------


Updates are slower than usual at the moment, but it is also relatively
calm out there security-wise.  While this finally ships Kea version 3
we are still working on the package manager version 2 and Suricata 8
with good results.  Stay tuned!

Here are the full patch notes:

* system: fix reconfigure control on HA status page for small viewports
* system: add pluginctl -m and -v options for model migrations and validations calls
* system: add "power off" backend action to GUI cron options
* interfaces: replace MAC vendor database from py-netaddr with a simple local implementation
* interfaces: refactor getting both devices from interface in settings page
* interfaces: get both devices of interface in one call
* interfaces: fix flags display in interface overview detail
* firewall: treat "skip" protocol as a string to avoid syntax error
* firewall: improve alias parsing performance in diagnostics page
* intrusion detection: make grids virtual to fix performance issues
* kea-dhcp: honour IPv4 client specific reservation domain name option (contributed by NOYB)
* lang: new Ukrainian language and assorted updates
* monit: fix migration weirdness with run/post use
* unbound: add support for TXT records in host overrides
* backend: add "!" operator to execute and flush cache when it exists
* mvc: remove empty string fallbacks for backend invokes that are no longer needed
* mvc: more style changes on existing core models
* mvc: disable Dnsmasq/Unbound template generation
* mvc: remove getDescription() overlay in ModelRelationField
* ui: legacy_html_escape_form_data() was not escaping keys only data elements `[1] <https://www.cve.org/cverecord?id=CVE-2025-34182>`__  (reported by Alex Williams from Pellera Technologies)
* ui: do not add an empty option into an empty option group
* ui: add datetime-local to field types
* plugins: os-caddy 2.0.4 `[2] <https://github.com/opnsense/plugins/blob/stable/25.7/www/caddy/pkg-descr>`__ 
* plugins: os-netbird 1.1 fixes service startup and switches to syslog (contributed by Bethuel Mmbaga)
* plugins: os-theme-advanced 1.1 fixes styling issues on 25.7 (contributed by Jaka Prašnikar)
* plugins: os-zabbix-agent 1.17 `[3] <https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-agent/pkg-descr>`__ 
* plugins: os-zabbix-proxy 1.14 `[4] <https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-proxy/pkg-descr>`__ 
* ports: dnspython 2.8.0 `[5] <https://dnspython.readthedocs.io/en/stable/whatsnew.html>`__ 
* ports: kea 3.0.1 `[6] <https://downloads.isc.org/isc/kea/3.0.1/Kea-3.0.1-ReleaseNotes.txt>`__ 
* ports: libpfctl 0.17
* ports: lighttpd 1.4.82 `[7] <https://www.lighttpd.net/2025/9/12/1.4.82/>`__ 
* ports: nss 3.116 `[8] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_116.html>`__ 
* ports: openvpn 2.6.15 `[9] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.15>`__ 
* ports: php 8.3.26 `[10] <https://www.php.net/ChangeLog-8.php#8.3.26>`__ 
* ports: py-requests 2.32.5
* ports: suricata 7.0.12 `[11] <https://suricata.io/2025/09/16/suricata-8-0-1-and-7-0-12-released/>`__ 
* ports: unbound 1.24.0 `[12] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-0>`__ 



--------------------------------------------------------------------------
25.7.3 (September 09, 2025)
--------------------------------------------------------------------------


The Tabulator introduction into MVC grid views was a major success with
virtually no complaints.  Did you notice?  Maybe you will now that more
features have been unlocked: Dnsmasq grids group by interfaces, firewall
automation rules now can show folders using categories and row count default
and selections have been increased.  A few performance and UX tweaks were
carried out as well while at it.

StrongSwan moves to version 6.0.1 now after elaborate testing.  The
"make_before_break" value was flipped from off to on in their version
jump, but the settings will still default to off for everyone unless
already otherwise configured.

Here are the full patch notes:

* system: properly check request type on HA status page in restartAllAction() (reported by Stanislav Fort of Aisle Research)
* system: prevent misconfigurations with the automatic user creation option
* system: add pluginctl hook for cache_flush
* system: rewrite wwwonly bootstrap procedure
* system: allow authentication events from wwwonly user
* interfaces: moved get_real_interface() to util.inc
* firewall: add "quick" mode in alias update to skip table size comparison during schedules
* firewall: adjust firewall_rule_lookup to open correct interface and rule from firewall live log
* firewall: add port alias selection to source_port and destination_port
* firewall: implement alias description tooltip and other UX tweaks
* firewall: add optional Tabulator tree view to show categories as rule folders in automation
* firewall: put sequence and sort_order in advanced mode of automation rules
* firewall: front-end table rendering performance improvement for alias diagnostics
* firewall: also set groups for special IPv6 interfaces
* firewall: ignore empty lines for pf table counting
* firewall: support tags in source NAT automation rules
* firewall: allow alias nesting for URL tables
* captive portal: move backend scripts directory
* captive portal: various style cleanups
* captive portal: restyle default login template
* dnsmasq: add Tabulator "groupBy" functionality to group by interfaces
* dnsmasq: add leases widget that shows latest leases
* firmware: add US east coast mirror for business edition
* firmware: opnsense-patch: fix cache flush using new hook
* firmware: add vuxml.freebsd.org to CRL handling hostnames
* intrusion detection: fix downloads tab not loading with Tabulator
* ipsec: add default value to "make_before_break" that retains disabled default
* monit: move backend scripts directory
* mvc: BaseModel: minor non-functional cleanups
* mvc: ModelRelationField: keep array structure in memory to avoid reinitiating object construction
* mvc: tweaked model definitions, especially descriptions and validation message style
* mvc: slightly adjust two getOption() calls in constraints
* mvc: BaseListField: always map values in getDescription()
* mvc: BaseListField: account for option container and passthrough value
* mvc: remove getCurrentValue() compatibility wrapper
* mvc: Backend: always return strings in configdRun() and configdpRun()
* mvc: improve replaceInputWithSelector() to support an empty placeholder
* mvc: stream output not properly cleansed when used in widget (reported by Stanislav Fort of Aisle Research)
* ui: bootgrid: add tabulatorOptions to translateCompatOptions()
* ui: bootgrid: raise rowCount default to 50 and adjust selections accordingly for most pages
* ui: bootgrid: simplify custom grid command additions
* plugins: os-caddy 2.0.3 `[1] <https://github.com/opnsense/plugins/blob/stable/25.7/www/caddy/pkg-descr>`__ 
* plugins: os-frr 1.47 `[2] <https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr>`__ 
* plugins: os-netbird 1.0 (contributed by Gauss23 and Bethuel Mmbaga)
* plugins: os-nginx 1.35 `[3] <https://github.com/opnsense/plugins/blob/stable/25.7/www/nginx/pkg-descr>`__ 
* plugins: os-squid 1.3 `[4] <https://github.com/opnsense/plugins/blob/stable/25.7/www/squid/pkg-descr>`__ 
* src: libfetch: ignore leaf certificates missing CRL which in practice is not offered by most authorities
* src: assorted network stack fixes via stable/14
* src: if_ovpn: support IPv6 link-local addresses
* src: if_ovpn: support floating clients
* src: if_ovpn: fill out sin_len/sin6_len
* src: if_ovpn: destroy cloned interfaces via a prison removal callback
* src: ifconfig: support VLAN ID in static/deladdr
* ports: krb5 1.22.1 `[5] <https://web.mit.edu/kerberos/krb5-1.22/>`__ 
* ports: nss 3.115.1 `[6] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_115_1.html>`__ 
* ports: perl 5.42.0 `[7] <https://perldoc.perl.org/5.42.0/perldelta>`__ 
* ports: php 8.3.25 `[8] <https://www.php.net/ChangeLog-8.php#8.3.25>`__ 
* ports: strongswan 6.0.1 `[9] <https://github.com/strongswan/strongswan/releases/tag/6.0.0>`__  `[10] <https://github.com/strongswan/strongswan/releases/tag/6.0.1>`__ 

A hotfix release was issued as 25.7.3_3:

* system: fix two regressions due to stream output path safety addition
* firewall: fix interface_net aliases not being populated
* intrusion detection: revert "fix downloads tab not loading with Tabulator"

A hotfix release was issued as 25.7.3_4:

* mvc: setDefault() not fired as setValue() was set with an empty string

A hotfix release was issued as 25.7.3_7:

* firewall: fix return value when failing to resolve host entries for aliases and no previous content is known
* ipsec: fix bulk operations in SPD page
* mvc: allow empty responses to fix a regression due to stream output safety path addition



--------------------------------------------------------------------------
25.7.2 (August 21, 2025)
--------------------------------------------------------------------------


This stable update has the look and feel of a typical update across all
corners of the project: FreeBSD advisories and errata, fixes and quality
of life improvements in core, several plugin and third party software
updates.

We are also compiling the roadmap for 26.1 at the moment.  Stay tuned.

Here are the full patch notes:

* system: increase log file download timeout to prevent exit before data has returned
* system: HTML decode entities when generating new QR code for user
* system: add missing timestamp formatter in snapshots
* system: prevent the root user from changing its name
* interfaces: capture netmap ring when listening on interfaces in netmap mode
* firewall: skip reply-to for inversion rules
* firewall: remove unused "set loginterface" clause
* firewall: additional statistics for alias grid
* firewall: fix shaper reset button
* captive portal: preparations for SSO identification support
* dnsmasq: swap hosts and domains tab for consistency reasons
* dnsmasq: allow disabling local for DHCP domains
* firmware: abort on what appear to be partial updates due to obscure file errors
* firmware: store update and upgrade logs in edge cases
* firmware: opnsense-version: support file based -R option
* firmware: opnsense-update: support -g for update log view
* firmware: remove tier 2 workaround for Zenarmor plugins
* firmware: add date to modal header
* kea-dhcp: ignore encoding errors in lease parser
* intrusion detection: fix and simplify grid search in download tab
* ipsec: passthrough networks setting missed "allow new" flag
* ipsec: add firewall rules skip option for VTIs
* ipsec: deprecate legacy stroke and implement swanctl for overview
* isc-dhcp: allow static mapping export for disabled entries
* openvpn: add nopool directive
* unbound: configurable top domain list length in reporting view (contributed by sopex)
* unbound: remove unknown model reference and protect/simplify remaining one
* wireguard: move backend scripts to proper location
* backend: added IPv6 bracket helper for templates (contributed by BPplays)
* lang: updates for Chinese, Czech, German and Greek
* mvc: improve resilience of VPNIdField and LinkAddressField
* mvc: repair side affect of getDescription() change causing performance regressions
* mvc: modify existing and add missing descriptions in models
* mvc: set default validation message for CertificateField
* rc: make changes to php,var,tmp bootstrap
* ui: fix language selection for low vertical resolution screens (contributed by sopex)
* ui: hide header of the picture widget on the dashboard (contributed by sopex)
* plugins: os-clamav 1.8.1 `[1] <https://github.com/opnsense/plugins/blob/stable/25.7/security/clamav/pkg-descr>`__ 
* plugins: os-crowdsec 1.0.12 `[2] <https://github.com/opnsense/plugins/blob/stable/25.7/security/crowdsec/pkg-descr>`__ 
* plugins: os-frr 1.46 `[3] <https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr>`__ 
* plugins: os-shadowsocks 1.2 switches to shadowsocks-rust
* plugins: os-smart 2.4 adds extended info option (contributed by poisonbl)
* plugins: os-telegraf 1.12.13 `[4] <https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/telegraf/pkg-descr>`__ 
* plugins: os-theme-advanced updates logos (contributed by Raushan Patel)
* src: route: fix "route -n monitor" when its output is redirected `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-25:14.route.asc>`__ 
* src: add a new sysctl in order to differentiate UEFI architectures `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-25:12.efi.asc>`__ 
* src: libarchive: merge version 3.8.1 `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-25:07.libarchive.asc>`__ 
* src: lagg: fix if_hw_tsomax_update() not being called
* src: wg: add support for removing allowed-ip entries and assorted cleanups
* src: ovpn: support multihomed server configurations and assorted cleanups
* src: netlink: fully clear parser state between messages
* src: udp: fix a inpcb refcount leak in the tunnel receive path
* src: p9fs: assorted fixes
* ports: ca_root_nss / nss 3.115 `[8] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_115.html>`__ 
* ports: krb5 1.22 `[9] <https://web.mit.edu/kerberos/krb5-1.22/>`__ 
* ports: libpfctl 0.16
* ports: lighttpd 1.4.81 `[10] <https://www.lighttpd.net/2025/8/17/1.4.81/>`__ 
* ports: perl 5.40.3 `[11] <https://perldoc.perl.org/5.40.3/perldelta>`__ 
* ports: php 8.3.24 `[12] <https://www.php.net/ChangeLog-8.php#8.3.24>`__ 
* ports: py-jq 1.10.0 `[13] <https://github.com/mwilliamson/jq.py/blob/master/CHANGELOG.rst>`__ 



--------------------------------------------------------------------------
25.7.1 (July 31, 2025)
--------------------------------------------------------------------------


This update mainly addresses a number of cosmetic UI concerns in core and
plugins.  25.7 has been a very good release and we would like to thank
everyone for trying it quickly and thoroughly.  You people are awesome!  <3

Here are the full patch notes:

* system: add banner to HA sync and firmware page when proxy environment override is used
* reporting: fixed internal parameter names in insight graphs
* interfaces: attempt to work around mangled MPD label
* firewall: a few minor improvements in automation GUI
* firmware: opnsense-version: support more elaborate -R replacement
* intrusion detection: fix interface name conversion
* intrusion detection: fix ja4 option templating
* openvpn: let server/server_ipv6 require a netmask
* radvd: refine checks that ignored 6rd and 6to4
* unbound: fix error in edge case of initial model migration
* mvc: migrated use of setInternalIsVirtual() to volatile field types
* mvc: fix getDescription() in NetworkAliasField
* ui: bootgrid: clean up leftover compatibility bits
* ui: bootgrid: add missing sortable option
* ui: bootgrid: provide more styling possibilities from formatters
* plugins: os-c-icap 1.9 `[1] <https://github.com/opnsense/plugins/blob/stable/25.7/www/c-icap/pkg-descr>`__ 
* plugins: os-dnscrypt-proxy 1.16 `[2] <https://github.com/opnsense/plugins/blob/stable/25.7/dns/dnscrypt-proxy/pkg-descr>`__ 
* plugins: os-theme-cicada 1.40 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.30 (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.50 (contributed by Team Rebellion)
* ports: curl 8.15.0 `[3] <https://curl.se/changes.html#8_15_0>`__ 
* ports: nss 3.114 `[4] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_114.html>`__ 
* ports: py-duckdb 1.3.2 `[5] <https://github.com/duckdb/duckdb/releases/tag/v1.3.2>`__ 
* ports: sudo 1.9.17p2 `[6] <https://www.sudo.ws/stable.html#1.9.17p2>`__ 

A hotfix release was issued as 25.7.1_1:

* ipsec: fix regression in configuration write with introduced volatile fields



--------------------------------------------------------------------------
25.7 (July 23, 2025)
--------------------------------------------------------------------------


For over a decade now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.

25.7, nicknamed "Visionary Viper", features reusable and thoroughly
revamped frontend code, an SFTP backup plugin, experimental privilege
separation for the GUI, JSON container support for aliases, a new and
improved firewall automation GUI, performance enhancements especially
for numerous aliases being used at once, Dnsmasq DHCP support, Kea DHCPv6
support, Greek as a new language, FreeBSD 14.3 plus much more.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__  and the checksums for the images
can be found below as well.

* Europe: https://opnsense.c0urier.net/releases/25.7/
* US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.7/
* South America: http://mirror.ueb.edu.ec/opnsense/releases/25.7/
* East Asia: https://mirror.ntct.edu.tw/opnsense/releases/25.7/
* Full mirror list: https://opnsense.org/download/

Here are the full patch notes:

* system: the setup wizard was rewritten using MVC/API
* system: change default DHCP use from ISC to Dnsmasq for factory reset and console port and address assignments
* system: numerous permission, ownership and directory alignments for web GUI privilege separation
* system: allow experimental feature to run web GUI privilege separated as "wwwonly" user
* system: add a banner when trying to revert the privilege separated GUI back to root at run time
* system: consistently use empty() checks on "blockbogons", "blockpriv", "dnsallowoverride" and "dnsallowoverride_exclude"
* system: change default system domain to "internal" (contributed by Self-Hosting-Group)
* system: add missing "kernel" application for remote logging
* system: remove the "optional" notion of tunables known to the system
* system: enable kernel timestamps by default
* system: allow CSR to be downloaded from System/Trust/Certificates (contributed by Gavin Chappell)
* reporting: removed the unused second argument in getSystemHealthAction()
* reporting: renamed getRRDlistAction() to getRrdListAction()
* interfaces: fix media settings write issue since 24.7 as it would not apply when "autoselect" result already matched
* interfaces: removed defunct SLAAC tracking functionality (SLAAC on WAN still works fine)
* interfaces: no longer fix improper WLAN clone naming at run time as it should be ensured by code for a long time now
* interfaces: remove the functions get_configured_carp_interface_list() and get_configured_ip_aliases_list()
* interfaces: add VIP grid formatter to hide row field content based on the set mode
* interfaces: drop redundant updates in rtsold_resolvconf.sh (contributed by Andrew Baumann)
* firewall: add expire option to external aliases to automatically cleanup tables via cron
* firewall: removed the expiretable binary use in favour of the builtin pfctl
* firewall: speed up alias functionality by using the new model caching
* firewall: consolidated ipfw/dnctl scripting and fix edge case reloads
* firewall: code cleanup and performance improvements for alias diagnostics page
* firewall: fix AttributeError: DNAME object has no attribute address on DNS fetch for aliases
* firewall: assorted UI updates for automation pages
* captive portal: make room for additional authentication profiles
* captive portal: API dispatcher is now privilege separated via "wwwonly" user and group
* dnsmasq: add optional subnet mask to "dhcp-range" to satisfy DHCP relay requirements
* dnsmasq: sync CSV export with ISC and Kea structure
* dnsmasq: add CNAME configuration option to host overrides
* dnsmasq: add ipset support
* firmware: opnsense-version: build time package variable replacements can now be read at run time
* firmware: hide community plugins by default and add a checkbox to unhide them on the same page
* firmware: introduce a new support tier 4 for development and otherwise unknown plugins
* firmware: disable the FreeBSD-kmods repository by default
* firmware: sunset mirror dns-root.de (many thanks to Alexander Lauster for maintaining it for almost a decade!)
* intrusion detection: add an override banner for custom.yaml use
* intrusion detection: add JA4 support (contributed by Maxime Thiebaut)
* isc-dhcp: show tracking IPv6 interfaces when automatically enabled and offer an explicit disable
* isc-dhcp: hide IPv4 menu items when Dnsmasq DHCP is enabled to improve out of the box experience
* isc-dhcp: add static mapping CSV export
* kea-dhcp: add DNS field to Kea DHCP4 reservations (contributed by Gtt1229)
* lang: add Greek as a new language (contributed by sopex)
* lang: make more strings translate-able (contributed by Tobias Degen)
* openvpn: the server wizard functionality has been permanently removed as it required the old wizard implementation
* openvpn: "keepalive_timeout" must be at least twice the interval value validation
* wireguard: add diagnostics and log file ACL
* backend: trigger boot template reload without using configd
* mvc: introduce generic model caching to improve operational performance
* mvc: field types quality of life improvements with new getValues() and isEqual() functions
* mvc: filed types deprecated getCurrentValue() in favour of getValue() and removed isEmptyString()
* mvc: new BaseSetField() as a parent class for several other field types and numerous new and improved unit tests
* mvc: support chown/chgrp in File and FileObject classes
* mvc: use getNodeContent() to gather grid data
* mvc: allow PortOptional=Y for IPPortField
* mvc: remove SelectOptions support for CSVListField
* ui: switch from Bootgrid to Tabulator for MVC grid rendering
* ui: numerous switches to shared base_bootgrid_table and base_apply_button use
* ui: flatten nested containers for grid inclusion
* ui: use snake_case for all API URLs and adjust ACLs accordingly
* ui: add standard HTML color input support
* ui: move tooltip load event to single-fire mode
* ui: add checkmark to SimpleActionButton as additional indicator
* ui: improve menu icons/text spacing (contributed by sopex)
* plugins: replace variables in package scripts by default
* plugins: os-acme-client 4.10 `[2] <https://github.com/opnsense/plugins/blob/stable/25.7/security/acme-client/pkg-descr>`__ 
* plugins: os-bind 1.34 `[3] <https://github.com/opnsense/plugins/blob/stable/25.7/dns/bind/pkg-descr>`__ 
* plugins: os-crowdsec 1.0.11 `[4] <https://github.com/opnsense/plugins/blob/stable/25.7/security/crowdsec/pkg-descr>`__ 
* plugins: os-frr 1.45 `[5] <https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr>`__ 
* plugins: os-gdrive-backup 1.0 for Google Drive backup support
* plugins: os-grid_example 1.1 updates best practice on grid development
* plugins: os-openvpn-legacy 1.0 for legacy OpenVPN components support
* plugins: os-puppet-agent 1.2 `[6] <https://github.com/opnsense/plugins/blob/stable/25.7/sysutils/puppet-agent/pkg-descr>`__ 
* plugins: os-strongswan-legacy 1.0 for legacy IPsec components support
* src: FreeBSD 14.3-RELEASE-p1 plus assorted stable/14 networking commits `[7] <https://www.freebsd.org/releases/14.3R/relnotes/>`__ 

Migration notes, known issues and limitations:

* Deprecated Google Drive backups due to upstream policy changes and moved to plugins for existing users.
* API URLs registered in the default ACLs have been switched from "camelCase" to "snake_case".
* API grid return values now offer "%field" for a value description when available.  "field" will now always be the literal value from the configuration. The API previously returned a display value for some field types, but not all.
* Reverted tunables "hw.ibrs_disable" and "vm.pmap.pti" to FreeBSD defaults.  If you want these set differently, then add them with an explicit value.
* While the mirror dns-root.de has been removed it will not be stripped from a running configuration and may keep working for a while longer.  To ensure updates, however, please choose a different mirror at your own convenience.
* Moved OpenVPN legacy to plugins as a first step to deprecation.
* Moved IPsec legacy to plugins as a first step to deprecation.

The public key for the 25.7 series is:

.. code-block::

    # -----BEGIN PUBLIC KEY-----
    # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn9lXekbm5KcktbiWpmQf
    # drRC8LmAOTV9Cbdd3em6iDFFcw8vmRS7Rbo2/exxYiPCqEPxxPtUsW+g/a6fqPJp
    # pof5D1EHWqzPfkjRQV6ipQjm+ocJGkfbeHsp5I77L+w7om5TbPYBkOjg+iMd442d
    # VYxgqXmMZy+6v78ofVM+wyba0GkRymFt0qf5k5uk3Auztcfanc2Ymsc+PDdjGHQd
    # c9H8T0T6To8Z0xrbEXzY00IqSRkLto9Cl+xEmEAz/AiEu2WtEadOqSpDy9dsJfQg
    # HpBQVlGQdphj5zmkqG6JSL1Uw+02OeIXOfFWRtqgW7vMyU0IbER3hLpvh6BlsqNJ
    # LCPfD7F/dzDPU5LniDRRb4MrTlVpJk2h8pk7GbmJCqAyWJJZ6n3a+InPtUfl9gP5
    # T0d15N7myh8RLssP+TIy8hiBHtc/yK89dUahGei1xDuh0HdytRLLLWVXqgWwgXhd
    # 9it8l8AJ/D2BtuyExpJOWx3sYvmhJiPN8phCaR2G2E+QRA2X5nHGyUw5jYpKI8Om
    # Q2khz1PBYcA/T5lKhM3HRFCu2HZsPKT5CEevZfUuPDXIqwx+LMFs6qqbzbGrdn1F
    # H6ZSlG0BWuokeyjhN2mB0Fr6kdLobmfVgZHUS7KOwcI9BdftSDbEk8kMxrQlwugh
    # 4I1hTrAycMERbjeUKg1plx8CAwEAAQ==
    # -----END PUBLIC KEY-----


.. code-block::

    # SHA256 (OPNsense-25.7-dvd-amd64.iso.bz2) = fa4b30df3f5fd7a2b1a1b2bdfaecfe02337ee42f77e2d0ae8a60753ea7eb153e
    # SHA256 (OPNsense-25.7-nano-amd64.img.bz2) = f58f57da42a2a6d445b6e04780572d6e2d6d9ceaff8a9e5f7bbefd0fedeaa3c0
    # SHA256 (OPNsense-25.7-serial-amd64.img.bz2) = 889d81fa738d472b996008c35718278e2076d19b7bbc108f2dc04353e01766fd
    # SHA256 (OPNsense-25.7-vga-amd64.img.bz2) = 705e112e3c0566e6e568605173a8353a51d48074d48facf5c5831d2a0f7fb175


--------------------------------------------------------------------------
25.7.r2 (July 17, 2025)
--------------------------------------------------------------------------


This is the second release candidate for your consideration.  A kernel update
was included to keep up with FreeBSD stable/14.  A few nice things have
been added to Dnsmasq as well.  This is an online update only.

Here are the development highlights since version 25.1 came out:

* Replace the setup wizard with a modern MVC/API variant
* Switch to reusable frontend code
* ChartJS 4 update and related functionality migrations
* User manager CSV export and import option
* New plugin for SFTP configuration backups
* Move frontend grid from Bootgrid to Tabulator
* Optional privilege separation for the web GUI (running as non-root)
* User/group manager adds optional source network constraint
* JSON container support for aliases
* Firewall automation GUI revamp
* Performance improvements when using large amounts of aliases
* Dnsmasq DHCP support for small and medium sized setups
* Support advanced (manual) configurations in Kea
* Add IPv6 support (including prefix delegation) to Kea
* Bridges MVC migration
* Migrate IPsec mobile page to MVC
* Greek as a new language
* FreeBSD 14.3

And these are the full patch notes against 25.7-RC1:

* system: fix passing "arguments" as parameters for cron jobs
* firewall: code cleanup and performance improvements for alias diagnostics page
* dnsmasq: add CNAME configuration option to host overrides
* dnsmasq: add optional subnet mask to "dhcp-range" to satisfy DHCP relay requirements
* dnsmasq: fix empty DHCP option value spawning stray comma
* lang: make more strings translate-able (contributed by Tobias Degen)
* lang: further updates
* isc-dhcp: add static mapping CSV export
* backend: trigger boot template reload without using configd
* mvc: use getNodeContent to gather grid data
* ui: adjusted grid command column sizes appropriately where needed
* ui: exclude container fields from search functionality for now
* src: bnxt: fix BASE-T, 40G AOC, 1G-CX, autoneg and unknown media lists
* src: net80211: in ieee80211_sta_join() only do_ht if HT is avail
* src: linuxkpi: assorted changes from stable/14
* src: iwlwifi: compile in ACPI support
* src: rtw89: enable ACPI support on FreeBSD
* src: ifconfig: optimise non-listing case with netlink
* src: pf: fix ICMP ECHO handling of ID conflicts

Migration notes, known issues and limitations:

* Deprecated Google Drive backups due to upstream policy changes and moved to plugins for existing users.
* API URLs registered in the default ACLs have been switched from "camelCase" to "snake_case".
* API grid return values now offer "%field" for a value description when available. "field" will now always be the literal value from the configuration. The API previously returned a display value for some field types, but not all.
* Reverted tunables "hw.ibrs_disable" and "vm.pmap.pti" to FreeBSD defaults.
* The new wizard still has bugs relating to disabling LAN configuration.
* Moved OpenVPN legacy to plugins as a first step to deprecation.
* Moved IPsec legacy to plugins as a first step to deprecation.


Stay safe,
Your OPNsense team

--------------------------------------------------------------------------
25.7.r1 (July 14, 2025)
--------------------------------------------------------------------------


After a small struggle to finish the release candidate last week, it is
here now with FreeBSD 14.3 and lots of other highlights.  We will promise
to deliver full release notes once 25.7 is released, but for now we need
to get this going.

Keep in mind this is mostly an image-based pre-production test release.
Upgrades from the 25.1.11 development version will be available as soon as
that is out later this week.  An online-only RC2 will probably follow as
well.  The final release date for 25.7 is July 23.

https://pkg.opnsense.org/releases/25.7/

Here are the development highlights since version 25.1 came out:

* Replace the setup wizard with a modern MVC/API variant
* Switch to reusable frontend code
* ChartJS 4 update and related functionality migrations
* User manager CSV export and import option
* New plugin for SFTP configuration backups
* Move frontend grid from Bootgrid to Tabulator
* Optional privilege separation for the web GUI (running as non-root)
* User/group manager adds optional source network constraint
* JSON container support for aliases
* Firewall automation GUI revamp
* Performance improvements when using large amounts of aliases
* Dnsmasq DHCP support for small and medium sized setups
* Support advanced (manual) configurations in Kea
* Add IPv6 support (including prefix delegation) to Kea
* Bridges MVC migration
* Migrate IPsec mobile page to MVC
* Greek as a new language
* FreeBSD 14.3

A more detailed change log will follow!

Migration notes, known issues and limitations:

* Deprecated Google Drive backups due to upstream policy changes and moved to plugins for existing users.
* API URLs registered in the default ACLs have been switched from "camelCase" to "snake_case".
* Reverted tunables "hw.ibrs_disable" and "vm.pmap.pti" to FreeBSD defaults.
* The new wizard still has bugs relating to disabling LAN configuration.
* Moved OpenVPN legacy to plugins as a first step to deprecation.
* Moved IPsec legacy to plugins as a first step to deprecation.

The public key for the 25.7 series is:

.. code-block::

    # -----BEGIN PUBLIC KEY-----
    # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn9lXekbm5KcktbiWpmQf
    # drRC8LmAOTV9Cbdd3em6iDFFcw8vmRS7Rbo2/exxYiPCqEPxxPtUsW+g/a6fqPJp
    # pof5D1EHWqzPfkjRQV6ipQjm+ocJGkfbeHsp5I77L+w7om5TbPYBkOjg+iMd442d
    # VYxgqXmMZy+6v78ofVM+wyba0GkRymFt0qf5k5uk3Auztcfanc2Ymsc+PDdjGHQd
    # c9H8T0T6To8Z0xrbEXzY00IqSRkLto9Cl+xEmEAz/AiEu2WtEadOqSpDy9dsJfQg
    # HpBQVlGQdphj5zmkqG6JSL1Uw+02OeIXOfFWRtqgW7vMyU0IbER3hLpvh6BlsqNJ
    # LCPfD7F/dzDPU5LniDRRb4MrTlVpJk2h8pk7GbmJCqAyWJJZ6n3a+InPtUfl9gP5
    # T0d15N7myh8RLssP+TIy8hiBHtc/yK89dUahGei1xDuh0HdytRLLLWVXqgWwgXhd
    # 9it8l8AJ/D2BtuyExpJOWx3sYvmhJiPN8phCaR2G2E+QRA2X5nHGyUw5jYpKI8Om
    # Q2khz1PBYcA/T5lKhM3HRFCu2HZsPKT5CEevZfUuPDXIqwx+LMFs6qqbzbGrdn1F
    # H6ZSlG0BWuokeyjhN2mB0Fr6kdLobmfVgZHUS7KOwcI9BdftSDbEk8kMxrQlwugh
    # 4I1hTrAycMERbjeUKg1plx8CAwEAAQ==
    # -----END PUBLIC KEY-----

Please let us know about your experience!


.. code-block::

    # SHA256 (OPNsense-25.7.r1-dvd-amd64.iso.bz2) = 1e8e874942f6b7293f345e854afcae62baa0b699b09c0dd49d1942f34eadfbfe
    # SHA256 (OPNsense-25.7.r1-nano-amd64.img.bz2) = f93eacc72c7f75ccfdd2189e4d414fff523f2204c5e11f6ad9c57c55a6c60568
    # SHA256 (OPNsense-25.7.r1-serial-amd64.img.bz2) = 89602b42f7631dff10cef4303753f9377c0995a0ac3966ef8564fe0414ac6cff
    # SHA256 (OPNsense-25.7.r1-vga-amd64.img.bz2) = 77e2aeb3acacd7d9d252e30d09463c793ae641cf2938ddd90819529043b5e3e8