diff --git a/net/frr/Makefile b/net/frr/Makefile index 72426c8e5..5e04f6ac3 100644 --- a/net/frr/Makefile +++ b/net/frr/Makefile @@ -1,5 +1,6 @@ PLUGIN_NAME= frr PLUGIN_VERSION= 1.49 +PLUGIN_REVISION= 1 PLUGIN_COMMENT= The FRRouting Protocol Suite PLUGIN_DEPENDS= frr10-pythontools PLUGIN_MAINTAINER= ad@opnsense.org diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr index 0f648c4db..28367b2b4 100644 --- a/net/frr/pkg-descr +++ b/net/frr/pkg-descr @@ -18,6 +18,7 @@ Plugin Changelog * Fix SNMP OSPF argument flags in RC configuration file * Fix STATIC template interface issue * Replace shell_exec() with mwexecfm() +* Prevent errors in diagnostics view when a frr daemon is not started 1.48 diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf index 32b7e533c..291c82d51 100644 --- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf +++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf 
@@ -33,137 +33,160 @@ message:request frr [diagnostics.general_running-config] command:/usr/local/bin/vtysh -c "show running-config" parameters: +errors:no type:script_output message:FRR diagnosticts "show running-config" [diagnostics.general_route4] command:/usr/local/bin/vtysh parameters: -c 'show ip route %s' +errors:no type:script_output message:FRR diagnosticts "show ip route" [diagnostics.general_route6] command:/usr/local/bin/vtysh parameters: -c 'show ipv6 route %s' +errors:no type:script_output message:FRR diagnosticts "show ipv6 route" [diagnostics.bgp_route4] command:/usr/local/bin/vtysh parameters: -c 'show bgp ipv4 %s' +errors:no type:script_output message:FRR diagnostics "show bgp ipv4 %s" [diagnostics.bgp_route6] command:/usr/local/bin/vtysh parameters:-c 'show bgp ipv6 %s' +errors:no type:script_output message:FRR diagnostics "show bgp ipv6 %s" [diagnostics.bgp_summary] command:/usr/local/bin/vtysh parameters: -c 'show bgp summary %s' +errors:no type:script_output message:FRR diagnostics "show bgp summary %s" [diagnostics.bgp_summary4] command:/usr/local/bin/vtysh parameters: -c 'show bgp ipv4 summary %s' +errors:no type:script_output message:FRR diagnostics "show bgp ipv4 summary %s" [diagnostics.bgp_summary6] command:/usr/local/bin/vtysh parameters: -c 'show bgp ipv6 summary %s' +errors:no type:script_output message:FRR diagnostics "show bgp ipv6 summary %s" [diagnostics.bgp_neighbors] command:/usr/local/bin/vtysh parameters: -c 'show bgp neighbors %s' +errors:no type:script_output message:FRR diagnostics "show bgp neighbors %s" [diagnostics.bgp_neighbors4] command:/usr/local/bin/vtysh parameters: -c 'show bgp ipv4 neighbors %s' +errors:no type:script_output message:FRR diagnostics "show bgp ipv4 neighbors %s" [diagnostics.bgp_neighbors6] command:/usr/local/bin/vtysh parameters: -c 'show bgp ipv6 neighbors %s' +errors:no type:script_output message:FRR diagnostics "show bgp ipv6 neighbors %s" [diagnostics.ospf_overview] command:/usr/local/bin/vtysh 
parameters: -c 'show ip ospf %s' +errors:no type:script_output message:FRR diagnostics "show ip ospf %s" [diagnostics.ospf_neighbor] command:/usr/local/bin/vtysh parameters: -c 'show ip ospf neighbor %s' +errors:no type:script_output message:FRR diagnostics "show ip ospf neighbor %s" [diagnostics.ospf_route] command:/usr/local/bin/vtysh parameters: -c 'show ip ospf route %s' +errors:no type:script_output message:FRR diagnostics "show ip ospf route %s" [diagnostics.ospf_interface] command:/usr/local/bin/vtysh parameters: -c 'show ip ospf interface %s' +errors:no type:script_output message:FRR diagnostics "show ip ospf interface %s" [diagnostics.bfd_neighbors] command:/usr/local/bin/vtysh parameters: -c 'show bfd peers %s' +errors:no type:script_output message:FRR diagnostics "show bfd peers json %s" [diagnostics.bfd_summary] command:/usr/local/bin/vtysh parameters: -c 'show bfd peers brief %s' +errors:no type:script_output message:FRR diagnostics "show bfd peers brief %s" [diagnostics.bfd_counters] command:/usr/local/bin/vtysh parameters: -c 'show bfd peers counters %s' +errors:no type:script_output message:FRR diagnostics "show bfd peers counters %s" [diagnostics.ospf_database] command:/usr/local/bin/vtysh parameters: -c 'show ip ospf database %s' +errors:no type:script_output message:FRR diagnostics "show ip ospf database" [diagnostics.ospfv3_overview] command:/usr/local/bin/vtysh parameters: -c 'show ipv6 ospf6 %s' +errors:no type:script_output message:FRR diagnostics "show ipv6 ospf6 %s" [diagnostics.ospfv3_route] command:/usr/local/bin/vtysh parameters: -c 'show ipv6 ospf6 route %s' +errors:no type:script_output message:FRR diagnostics "show ipv6 ospf6 route %s" [diagnostics.ospfv3_database] command:/usr/local/bin/vtysh parameters: -c 'show ipv6 ospf6 database %s' +errors:no type:script_output message:FRR diagnostics "show ipv6 ospf6 database json" [diagnostics.ospfv3_interface] command:/usr/local/bin/vtysh parameters: -c 'show ipv6 ospf6 interface %s' 
+errors:no type:script_output message:FRR diagnostics "show ipv6 ospf6 interface %s" diff --git a/net/ndp-proxy-go/pkg-descr b/net/ndp-proxy-go/pkg-descr index 73d314b14..161f8684e 100644 --- a/net/ndp-proxy-go/pkg-descr +++ b/net/ndp-proxy-go/pkg-descr @@ -9,6 +9,7 @@ Plugin Changelog 1.3 * Add ratelimit for pfctl operations +* Add CARP failover 1.2 diff --git a/net/ndp-proxy-go/src/etc/rc.syshook.d/carp/20-ndpproxy b/net/ndp-proxy-go/src/etc/rc.syshook.d/carp/20-ndpproxy new file mode 100755 index 000000000..8ec0ccb33 --- /dev/null +++ b/net/ndp-proxy-go/src/etc/rc.syshook.d/carp/20-ndpproxy @@ -0,0 +1,53 @@ +#!/usr/local/bin/php +general->enabled->isEmpty() || + $model->general->carp_depend_on->isEmpty() +) { + exit(0); +} + +$actions = [ + 'MASTER' => 'start', + 'BACKUP' => 'stop', +]; + +mwexecfm('/usr/local/etc/rc.d/ndp-proxy-go ' . $actions[$type]); diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml index 5d6c3372d..596c7b1af 100644 --- a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml +++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml @@ -9,6 +9,13 @@ checkbox Enable or disable this service. + + ndpproxy.general.carp_depend_on + + checkbox + true + If any CARP VHID on this node is in MASTER state the service will be started, otherwise stopped. As NDP is stateless, a short interruption of IPv6 connectivity must be expected during CARP transitions. + header @@ -39,7 +46,8 @@ header - + + true ndpproxy.general.cache_ttl @@ -61,6 +69,11 @@ checkbox Persist cache to file on service stop and load it on service start. Only neighbors with a valid cache lifetime are loaded. This helps on system reboots to minimize downtime of individual clients. + + header + + true + ndpproxy.general.route_qps 
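Review bot: `errors:no` is added to every `[diagnostics.*]` action in this hunk, so any failure of these vtysh calls stops being reported, not only the "daemon is not started" case named in the changelog. Assuming the option silences configd's error reporting for the action, a missing binary, a permission problem or an argument that vtysh rejects would leave no trace for someone troubleshooting or reviewing logs. All actions except `general_running-config` forward a `%s` parameter into the vtysh command string, which is where a record of rejected input is most useful. I would rather have the diagnostics view handle a stopped daemon, or at least document the trade-off once above the first action, e.g. `# errors:no: vtysh fails while the daemon is down; stderr is intentionally not logged`.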
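Review bot: `$actions[$type]` in the final `mwexecfm()` call of 20-ndpproxy is indexed with no visible check that `$type` is `MASTER` or `BACKUP`; for any other value PHP yields null and the rc.d script would be invoked with no action argument. The lines that assign `$type` are not readable on this page, so a guard may already exist there; if it does not, add `if (!isset($actions[$type])) { exit(1); }` before the call. Separately, the form help added in general.xml says the service runs while any CARP VHID is MASTER, while the mapping visible here stops it on a BACKUP event, so it is worth confirming that the unseen part of the hook or the rc script covers nodes with several VHIDs.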
@@ -82,6 +95,11 @@ 50 Controls CPU usage vs. NDP responsiveness. Lower values (e.g., 25 ms) minimize latency during cache refresh at the cost of more CPU. Higher values (100–250 ms) reduce CPU use but may introduce small latency spikes. + + header + + true + ndpproxy.general.debug diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml index b71d38512..9f02e1146 100644 --- a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml +++ b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml @@ -1,7 +1,7 @@ //OPNsense/ndpproxy NDP Proxy model - 1.0 + 1.1 @@ -43,6 +43,10 @@ 0 Y + + 0 + Y + diff --git a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go index f5131e9af..61b7c01f2 100644 --- a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go +++ b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go @@ -2,6 +2,9 @@ {% set general = helpers.getNodeByTag('OPNsense.ndpproxy.general') %} {% if general.enabled|default("0") == "1" and general.upstream and general.downstream %} ndp_proxy_go_enable="YES" +{% if general.carp_depend_on %} +ndp_proxy_go_check_carp="YES" +{% endif %} ndp_proxy_go_upstream="{{ helpers.physical_interface(general.upstream) }}" {% set downstream_interfaces = [] %} {% for interface in general.downstream.split(',') %} diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml index 18f9d6196..99791664d 100644 --- a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml +++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml 
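Review bot: `{% if general.carp_depend_on %}` in the ndp_proxy_go template tests truthiness, whereas the `enabled` check on the line above compares against "1". The model hunk gives the new field a default of 0 and marks it required, and a non-empty string "0" is truthy in Jinja. If the value reaches the template as that string, `ndp_proxy_go_check_carp="YES"` is written even with the checkbox off. Suggest `{% if general.carp_depend_on|default("0") == "1" %}` to match the existing line; the enclosing `{% if %}` block continues outside the hunk.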
@@ -87,6 +87,16 @@ active-response action. + + agent.active_response.repeated_offenders + + text + + Comma-separated list of increasing timeout values in minutes for repeat offenders (e.g., 30,60,120,240). + When an IP triggers active response multiple times, each subsequent block uses the next timeout value. + Leave empty to disable repeated offender escalation. + + agent.active_response.remote_commands diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml index 62941e94a..9657b91ba 100644 --- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml +++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml @@ -1,6 +1,6 @@ //OPNsense/WazuhAgent - 1.0.2 + 1.0.3 Wazuh Agent @@ -112,6 +112,11 @@ N + + N + /^([0-9]+)(,[0-9]+)*$/ + Enter comma-separated timeout values in minutes (e.g., 30,60,120,240) + diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf index b97c63439..b014fbaaf 100644 --- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf +++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf @@ -1,4 +1,4 @@ [general] {% if not helpers.empty('OPNsense.WazuhAgent.active_response.fw_alias_ignore') and helpers.getUUID(OPNsense.WazuhAgent.active_response.fw_alias_ignore) %} -skip_alias={{helpers.getUUID(OPNsense.WazuhAgent.wazuh_command.fw_alias_ignore).name}} +skip_alias={{helpers.getUUID(OPNsense.WazuhAgent.active_response.fw_alias_ignore).name}} {% endif %} 
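Review bot: The mask `/^([0-9]+)(,[0-9]+)*$/` on the new repeated_offenders field in WazuhAgent.xml bounds neither the number of entries nor their size, and the value is written as-is into ossec.conf by 005-active-response.conf. As far as I recall, Wazuh documents this option as a list of at most five increasing timeouts, so a longer or non-increasing list would pass validation here and only be rejected or misapplied by the agent. Something like `/^[0-9]{1,5}(,[0-9]{1,5}){0,4}$/D` would cap both; the `D` modifier also stops `$` from accepting a trailing newline. The validation message could then state the limit as well.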
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf index 5abdacd54..c92a5825f 100644 --- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf +++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf @@ -22,7 +22,7 @@ {% for sfilename in helpers.glob("OPNsense/WazuhAgent/ossec_config.d/*.conf") %}{% - include sfilename without context + include sfilename +%} {% endfor %} diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf index 6627c9eac..711e86fcc 100644 --- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf +++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf @@ -1,4 +1,7 @@ {% if not helpers.empty('OPNsense.WazuhAgent.active_response.enabled') %}no{% else %}yes{% endif %} +{% if not helpers.empty('OPNsense.WazuhAgent.active_response.repeated_offenders') %} + {{ OPNsense.WazuhAgent.active_response.repeated_offenders }} +{% endif %}
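Review bot: Dropping `without context` from the `include` in ossec.conf hands the full template context to every file matched by `ossec_config.d/*.conf`. The existing `helpers.empty(...)` line in 005-active-response.conf suggests fragments could already reach configuration through `helpers`. The only consumer visible in this commit is the new `{{ OPNsense.WazuhAgent.active_response.repeated_offenders }}` line in that fragment. If it read the value through a helper instead (the ndp-proxy-go template in this commit uses `helpers.getNodeByTag(...)`), the include could stay isolated. Otherwise a comment beside the include should record why the context is shared, e.g. `{# fragments read the OPNsense config tree directly, so they are included with context #}`.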