Published: in News
OPNsense 25.7.11: Why This “Minor” Update Matters More Than It Looks
OPNsense 25.7.11 has been released, and at first glance it appears to be a routine patch update. However, several important changes in this version, along with what it prepares for in the upcoming 26.1 release, make this an update that network administrators and IT teams should not ignore.
This post highlights what actually changed in 25.7.11, why it matters, and what organizations should be preparing for before upgrading to OPNsense 26.1.
New Host Discovery Service: More Accurate Device Tracking
One of the biggest functional changes in OPNsense 25.7.11 is the introduction of a new background service called HostWatch.
HostWatch passively monitors network traffic using packet capture and identifies devices by observing:
- ARP traffic for IPv4
- Neighbor Discovery traffic for IPv6
Rather than relying solely on ARP or neighbor tables, HostWatch detects devices as soon as they communicate on the network. It records IP addresses, MAC addresses, interfaces, and protocol versions, and stores this information in a local database so it persists across reboots.
This data is now used by:
- Firewall MAC address aliases
- Captive portal client tracking
For environments with mobile devices, IoT equipment, or IPv6-only clients, this provides more reliable and consistent device identification than older discovery methods. Host discovery is enabled by default, though administrators can disable automatic discovery if needed.
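The passive discovery described in this section can be illustrated with a small parser that learns IP-to-MAC bindings from ARP and Neighbor Discovery frames. This is an added example, not HostWatch's code: the function names and sample frames are constructed for illustration, and it assumes untagged Ethernet frames with no IPv6 extension headers.

```python
import ipaddress

ETH_IP4 = bytes.fromhex("000108000604")  # ARP htype=1, ptype=0x0800, hlen=6, plen=4

def lladdr_option(opts, want):
    """Walk NDP options (type, length in 8-byte units); return the link-layer address."""
    while len(opts) >= 8:
        otype, olen = opts[0], opts[1] * 8
        if olen == 0 or olen > len(opts):
            return None                      # malformed option: stop parsing
        if otype == want:
            return opts[2:8].hex(":")
        opts = opts[olen:]
    return None

def observe(frame, iface, hosts):
    """Record hosts[(iface, ip)] = (mac, family); short frames fail the length checks."""
    src, etype, p = frame[6:12], int.from_bytes(frame[12:14], "big"), frame[14:]
    if etype == 0x0806 and len(p) >= 28 and p[:6] == ETH_IP4:   # ARP
        ip = ipaddress.ip_address(p[14:18])  # sender protocol address
        if not ip.is_unspecified:            # 0.0.0.0 sender is an ARP probe
            hosts[(iface, str(ip))] = (p[8:14].hex(":"), "inet")
    elif etype == 0x86DD and len(p) >= 64:   # IPv6 header + 24-byte NS/NA body
        icmp = p[40:]                        # assumes no extension headers
        if p[6] != 58 or p[7] != 255 or icmp[0] not in (135, 136):
            return                           # RFC 4861: ND needs hop limit 255
        if icmp[0] == 135:                   # Neighbor Solicitation
            ip = ipaddress.ip_address(p[8:24])
            if ip.is_unspecified:
                return                       # DAD probe: no binding to learn
            ll = lladdr_option(icmp[24:], 1) or src.hex(":")
        else:                                # Neighbor Advertisement
            ip = ipaddress.ip_address(icmp[8:24])
            ll = lladdr_option(icmp[24:], 2) or src.hex(":")
        hosts[(iface, str(ip))] = (ll, "inet6")

# Constructed sample frames (ICMPv6 checksum left zero; it is not verified here).
ARP = bytes.fromhex("ffffffffffff020000000001" "0806" "0001080006040001"
                    "020000000001c0000205" "000000000000c0000201")
V6 = "20010db8" + "00" * 11 + "02"           # 2001:db8::2
NA = bytes.fromhex("333300000001020000000002" "86dd" "600000000020" "3aff" + V6
                   + "ff02" + "00" * 13 + "01" + "8800000020000000" + V6
                   + "0201020000000002")

def demo(frames=(ARP, NA)):
    hosts = {}
    for frame in frames:
        observe(frame, "lan", hosts)
    return hosts
```

ARP and Neighbor Discovery are unauthenticated, so a table built this way records what hosts claim about themselves; rules keyed on MAC addresses inherit that limitation.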
IPv6 Stability and Kernel Improvements
OPNsense 25.7.11 also includes a collection of IPv6-related fixes and kernel updates aimed at improving long-term stability.
These changes include:
- Improved handling of IPv6 address and prefix lifetimes
- Router advertisement behavior corrections
- Neighbor discovery and interface update fixes
- Kernel-level adjustments related to IPv6 networking
In addition, the developers have confirmed that dhcp6c (the DHCPv6 client used on WAN interfaces) will receive more extensive updates in version 26.1. For organisations that rely on IPv6 prefix delegation from ISPs, these changes are especially relevant, as they target common causes of IPv6 dropouts and renewal issues.
Crypto Library Upgrade: libsodium 1.0.21
Although not mentioned directly in the release notes, the 25.7.11 update upgrades libsodium from version 1.0.19 to 1.0.21. This is a significant update to a core cryptographic library used by multiple security components.
Key improvements in this upgrade include:
- Security fixes for Ed25519 point validation
- Protection against speculative execution side-channel risks
- Performance improvements for encryption and hashing on ARM platforms
While this change is not visible in the user interface, it strengthens the cryptographic foundation of the system and improves performance on many modern firewall appliances.
Suricata and Service Improvements
Intrusion Detection and Prevention users will also benefit from the upgrade of Suricata to version 8.0.3, which includes engine-level stability and performance fixes.
Additional quality-of-life improvements were made across:
- Firewall rule automation (especially ICMP and ICMPv6 handling)
- DNS reporting and alias tracking in Unbound
- OpenVPN client export usability
- Backend execution safety and performance
Individually these may seem minor, but together they contribute to improved reliability and maintainability.
The Bigger Story: DHCP Changes Coming in OPNsense 26.1
Perhaps the most important point to understand is that OPNsense 25.7.11 continues preparing for a major architectural change in the upcoming 26.1 release: the removal of ISC-DHCP from the core system and the full transition to Kea DHCP.
In 25.7.x:
- ISC-DHCP remains fully supported
- Existing DHCP configurations continue to work as before
In 26.1 and newer:
- DHCP server functionality is expected to rely on Kea
- ISC-DHCP becomes externalized as a plugin
This transition can impact environments that rely on:
- Static DHCP mappings
- Multiple VLANs and interfaces
- PXE boot
- VoIP phones
- Captive portal and guest networks
Because DHCP is foundational to network operations, organisations should plan to test OPNsense 26.1 release candidates in non-production environments before deploying the upgrade broadly.
Should You Upgrade to 25.7.11?
For most users, upgrading to 25.7.11 is recommended, particularly if:
- You use IPv6
- You rely on MAC-based firewall rules
- You operate captive portals or guest networks
As always, best practices apply:
- Take configuration backups
- Snapshot virtual machines where applicable
- Avoid production upgrades during peak business hours
While 25.7.11 itself is stable, it should also be seen as a reminder that more significant changes are approaching.
Planning Ahead
OPNsense 25.7.11 is not just a maintenance update; it is a transition point. With new host discovery mechanisms, improved IPv6 handling, updated cryptographic libraries, and major DHCP changes on the horizon, administrators should treat this release as an opportunity to prepare rather than simply patch.
Understanding what is changing now will make the upgrade to OPNsense 26.1 smoother and help avoid unexpected network disruptions later.
If you manage OPNsense systems in production, now is the time to begin testing and planning.