OPNsense 26.1 "Witty Woodpecker" released - what changed and what to check before upgrading
OPNsense 26.1 has been released, and this is not a minor point update. It introduces real behavioural changes to firewall rules, intrusion prevention, IPv6, and DHCP defaults.
If you are planning to upgrade - especially in a homelab, small business, or production environment - it is worth understanding what has changed before clicking the update button.
I have also covered these changes in the video below if you prefer a walkthrough.
Video: OPNsense 26.1 - what changed and why it matters
What changed and why
Over time, different parts of OPNsense were built using different internal systems.
Firewall rules, NAT, automation features, and the API did not always use the same framework underneath. This led to:
- Confusing menus
- Duplicate configuration options
- Rules behaving differently depending on where they were created
Everything worked, but it was not consistent and was difficult to extend safely.
Version 26.1 focuses on moving more of the platform onto the same modern MVC and API framework so that:
- The web interface and automation behave the same way
- Features can be added more cleanly
- Security improvements can be applied consistently
Firewall rules and NAT: unified rule handling
This is the biggest architectural change in 26.1.
Previously, OPNsense effectively used two systems:
- The classic firewall rule pages
- Separate automation pages for some NAT and policy routing features
This meant that some rules could be created in one place but not fully managed in another, which made troubleshooting difficult.
Port forwarding also created automatic firewall rules that were treated differently from normal rules, even though they looked similar in the interface.
In 26.1, most firewall and NAT features now use one unified rules engine.
What this means in practice:
- "Port Forward" is now called Destination NAT
- NAT rules and firewall rules use the same backend system
- Policy routing is part of the normal rule editor
- Suricata divert rules are created using the same rule interface
Existing rules are not forcibly converted and will continue to work as before.
There is now a firewall rule migration page if you want to convert older rules to the new system, but the OPNsense team recommends learning the new interface first before attempting any migration.
The goal is not to change how your firewall behaves, but to ensure everything uses the same framework going forward.
Suricata 8 and inline intrusion prevention
OPNsense 26.1 upgrades Suricata to version 8 and introduces a new inspection method using divert mode.
Previously, traffic was often copied and analysed separately. With divert mode, traffic can now be inspected and blocked while it is passing through the firewall.
This allows for:
- Faster blocking
- Better performance
- More reliable intrusion prevention
For most home users, Suricata should simply perform better without any configuration changes.
However, there is an important change for advanced users.
The old custom.yaml override method is no longer used. Custom Suricata configuration must now be placed in:
/usr/local/etc/suricata/conf.d/
If overrides are not moved to this directory, they will not be loaded.
IPv6 improvements and new operating modes
IPv6 has historically been one of the more complex parts of firewall configuration, particularly when dealing with multiple DHCP and router advertisement services.
OPNsense 26.1 introduces a new IPv6 mode called Identity Association.
It behaves similarly to Track Interface, but it does not automatically start:
- DHCPv6 server
- Router advertisements
This allows administrators to choose which services they want to use, such as:
- Kea
- Dnsmasq
- Other DHCP services
Router advertisements have also been modernised, including:
- Better handling when the service is disabled
- Support for NAT64 prefixes
- Fewer leftover configuration files
DHCPv6 behaviour has also been improved, with:
- Faster setup
- More reliable renew behaviour
- Improved DNS handling
Overall, IPv6 connectivity should now be more predictable and easier to manage in mixed-service environments.
Dnsmasq is now the default DHCP and RA service
One of the most important default changes in 26.1 is that Dnsmasq is now used by default for:
- DHCPv4
- DHCPv6
- Router advertisements
This applies to new installations and factory resets.
However, Dnsmasq does not support IPv6 prefix delegation from ISPs. If your internet provider uses DHCPv6 prefix delegation, you will need to use:
- Kea
- Another DHCPv6 service
ISC DHCP is no longer built into the base system and is now provided as a plugin.
During upgrades, the plugin will be installed automatically so existing setups continue to work. On new installations, it is not installed unless you explicitly choose to install it.
This reflects a longer-term move away from ISC DHCP towards Dnsmasq and Kea.
Automatic host discovery (hostwatch)
OPNsense now includes a background discovery service called hostwatch.
It automatically detects:
- Neighbour devices
- Active hosts on the network
This improves visibility in dashboards and neighbour tables.
Hostwatch is enabled by default, but it can be disabled under:
Interfaces -> Neighbours -> Automatic Discovery
Should you upgrade immediately?
This depends on how you are using OPNsense.
Upgrading sooner makes sense if:
- You want the new firewall rule framework
- You use Suricata for intrusion prevention
- You want improved IPv6 stability
- You rely on API automation
You may want to test first if:
- This is a production firewall
- You have complex NAT configurations
- You rely on IPv6 prefix delegation
- You run custom scripts or plugins
This release changes core networking behaviour, not just surface features, so testing is strongly recommended before upgrading critical systems.
Always take a full configuration backup before updating.
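As an added example (not OPNsense project code), the script below turns the pre-upgrade points above into a single check: it flags a legacy Suricata custom.yaml whose overrides have not been moved into conf.d/, detects interfaces that depend on IPv6 prefix delegation (which Dnsmasq cannot serve), detects an enabled ISC DHCPv4 server (now a plugin), and takes a timestamped copy of the configuration before anything else. The config path /conf/config.xml, the config.xml markers <ipaddrv6>track6</ipaddrv6> and <dhcpd>...<enable>1</enable>, and the legacy file name custom.yaml are assumptions based on the usual OPNsense layout, not statements from the release notes; verify them against your own config.xml before relying on the output. When run on a machine without /conf/config.xml it exercises a constructed sample instead.

```shell
#!/bin/sh
# Pre-upgrade checks for OPNsense 26.1 (added example, not OPNsense project code).
# Assumptions, not taken from the release notes: the running config is /conf/config.xml,
# interfaces tracking an upstream prefix appear there as <ipaddrv6>track6</ipaddrv6>,
# ISC DHCPv4 settings sit under <dhcpd>, and the legacy Suricata override file was
# /usr/local/etc/suricata/custom.yaml.
CONFIG_XML="${CONFIG_XML:-/conf/config.xml}"
SURICATA_DIR="${SURICATA_DIR:-/usr/local/etc/suricata}"
BACKUP_DIR="${BACKUP_DIR:-/root}"

# 0 if a legacy custom.yaml exists while conf.d/ is empty or missing: after the
# upgrade those overrides would silently stop being loaded.
suricata_override_needs_move() {
    [ -f "$1/custom.yaml" ] || return 1
    [ -z "$(ls -A "$1/conf.d" 2>/dev/null)" ]
}

# 0 if any interface tracks a delegated prefix; Dnsmasq cannot serve that, so
# Kea (or another DHCPv6 server) has to stay in place.
uses_prefix_delegation() {
    grep -q '<ipaddrv6>track6</ipaddrv6>' "$1"
}

# 0 if an ISC DHCPv4 server is enabled inside the <dhcpd> section. The close
# marker is handled after the enable check so single-line sections also work.
isc_dhcp_enabled() {
    awk '/<dhcpd>/ { inside = 1 }
         inside && /<enable>1<\/enable>/ { found = 1 }
         /<\/dhcpd>/ { inside = 0 }
         END { exit !found }' "$1"
}

# Copy the config to a timestamped file in the given directory and print its path.
backup_config() {
    dest="$2/config-$(date +%Y%m%d-%H%M%S).xml"
    cp "$1" "$dest" && echo "$dest"
}

# Constructed sample (not a real firewall config): one LAN tracking WAN's
# delegated prefix, ISC DHCPv4 enabled, and a stray custom.yaml with no conf.d/.
make_sample_env() {
    d=$(mktemp -d)
    mkdir -p "$d/suricata"
    echo "vars: {}" > "$d/suricata/custom.yaml"
    cat > "$d/config.xml" <<'EOF'
<opnsense>
  <interfaces>
    <wan><if>vtnet0</if><ipaddrv6>dhcp6</ipaddrv6></wan>
    <lan><if>vtnet1</if><ipaddrv6>track6</ipaddrv6><track6-interface>wan</track6-interface></lan>
  </interfaces>
  <dhcpd>
    <lan><enable>1</enable><range><from>192.168.1.100</from><to>192.168.1.199</to></range></lan>
  </dhcpd>
</opnsense>
EOF
    echo "$d"
}

# Run every check against a config file and a Suricata directory; the return
# value is the number of findings, so a wrapper can refuse to proceed on non-zero.
run_checks() {
    findings=0
    if suricata_override_needs_move "$2"; then
        echo "WARN: $2/custom.yaml found and conf.d/ is empty: move overrides before upgrading"
        findings=$((findings + 1))
    fi
    if uses_prefix_delegation "$1"; then
        echo "WARN: prefix delegation in use: keep Kea or another DHCPv6 server, not Dnsmasq"
        findings=$((findings + 1))
    fi
    if isc_dhcp_enabled "$1"; then
        echo "WARN: ISC DHCPv4 enabled: confirm the ISC DHCP plugin is present after upgrading"
        findings=$((findings + 1))
    fi
    return $findings
}

# On a firewall: back up first, then report. Elsewhere: demonstrate on the sample.
if [ -f "$CONFIG_XML" ]; then
    echo "backup written to $(backup_config "$CONFIG_XML" "$BACKUP_DIR")"
    run_checks "$CONFIG_XML" "$SURICATA_DIR" || echo "$? finding(s): review before upgrading"
else
    sample=$(make_sample_env)
    run_checks "$sample/config.xml" "$sample/suricata" || echo "$? finding(s) in the constructed sample"
fi
```

Run it as root on the firewall before starting the update; on the constructed sample it reports all three findings, and moving the override into conf.d/ clears the first one.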