Open Source Firewall OPNsense 25.7.11 Released With Host Discovery
OPNsense, the popular open-source firewall and routing platform built on FreeBSD, released version 25.7.11 on January 15, 2026. This update introduces significant improvements, notably a new host discovery service designed to enhance network management capabilities.
The release is an incremental update that fixes a number of IPv4 and IPv6 issues while laying groundwork for the upcoming major version 26.1.
Host Discovery Service: Core Enhancement
The highlight of this release is the introduction of a host discovery service powered by the hostwatch component (version 1.0.4), now enabled by default across all installations.
This service automatically maintains a dynamic registry of MAC addresses for IPv4 and IPv6 hosts connected to the firewall’s network segments.
The service plugs into existing OPNsense features: the discovered hosts feed MAC-type firewall aliases and captive portal client identification without any manual configuration.
| Feature | Description / Benefit |
|---|---|
| Host Discovery Service | Automatic MAC tracking for IPv4/IPv6; better visibility and firewall control |
| MAC-Type Firewall Aliases | Device-based firewall rules instead of static IPs |
| Captive Portal Integration | Improved client identification and authentication |
| IPv6 Prefix Fixes | Accurate prefix lifetimes; fewer IPv6 errors |
| rtsold Enhancement | Prevents IPv6 script execution failures |
| IPv6 Divert Handling | More accurate IPv6 traffic filtering |
| exec() Removal | Reduced command-injection attack surface |
| IDS Improvements | Easier rule management and alert tuning |
| ISC-DHCP Safeguards | Safer DHCPv6 transition to Kea |
| Backend Hardening | Fewer injection risks in network services |
| Hostwatch Update | Cleaner logs and better telemetry |
| DNS SAN Generation | Automated certificate SAN management |
This functionality solves a longstanding challenge in network administration: maintaining accurate device-to-MAC mappings in complex environments where devices frequently connect and disconnect.
Organizations can now implement more granular firewall policies based on device identity rather than relying solely on static IP configurations.
The service maintains backward compatibility, allowing administrators to opt out through the automatic discovery settings if preferred.
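To make concrete what a host discovery service of this kind has to do, here is an added example (written for this article, not the hostwatch code shipped in 25.7.11) that builds a MAC-keyed registry from the FreeBSD IPv4 and IPv6 neighbor tables and then expands a MAC-type alias into the addresses a packet filter can match on. The `arp -an` and `ndp -an` output below is constructed sample data; the field layout follows FreeBSD's format but should be checked against a live system, and the assumption that a MAC alias is ultimately resolved to IP addresses is this example's, not a statement about OPNsense internals.

```python
"""MAC registry built from FreeBSD neighbor tables (IPv4 ARP + IPv6 NDP).

Added example of what a host-discovery service has to do; it is NOT the
hostwatch code in OPNsense 25.7.11. The `arp -an` / `ndp -an` output is
constructed for this example and follows FreeBSD's layout (re-check on a
live box).
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: `arp -an`. One entry is unpadded ("0:11:...") to show
# why MACs must be normalized before they are used as dictionary keys.
ARP_SAMPLE = """\
? (192.168.1.1) at 00:11:22:33:44:01 on igb0 permanent [ethernet]
? (192.168.1.20) at 00:11:22:33:44:20 on igb0 expires in 1195 seconds [ethernet]
? (192.168.1.21) at (incomplete) on igb0 expired [ethernet]
? (10.0.0.5) at 0:11:22:33:44:20 on igb1 expires in 900 seconds [ethernet]
"""

# Constructed sample: `ndp -an` (first line is the column header).
NDP_SAMPLE = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::211:22ff:fe33:4420%igb0        00:11:22:33:44:20  igb0 23h59m40s S R
2001:db8:1::20                       00:11:22:33:44:20  igb0 23h59m40s S
fe80::1%igb0                         00:11:22:33:44:01  igb0 permanent R
2001:db8:1::99                       (incomplete)       igb0 expired   I
"""

MAC = r"(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}|\(incomplete\)"
ARP_RE = re.compile(rf"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>{MAC}) on (?P<ifname>\S+)")
# IPv6 neighbors may carry a "%scope" suffix on link-local addresses.
NDP_RE = re.compile(rf"^(?P<ip>[0-9a-fA-F:.]+)(?:%\S+)?\s+(?P<mac>{MAC})\s+(?P<ifname>\S+)")


def normalize_mac(mac: str) -> str:
    """Lower-case, zero-padded form so '0:11:...' and '00:11:...' are one key."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def build_registry(arp_text: str, ndp_text: str) -> dict[str, dict[str, set[str]]]:
    """Map each MAC to the IPv4/IPv6 addresses and interfaces it was seen on.

    Entries without a resolved link-layer address ("(incomplete)") are
    dropped: a host we cannot attribute to a MAC cannot feed a MAC alias.
    """
    registry: dict[str, dict[str, set[str]]] = defaultdict(
        lambda: {"ipv4": set(), "ipv6": set(), "ifaces": set()}
    )
    for family, regex, text in (("ipv4", ARP_RE, arp_text), ("ipv6", NDP_RE, ndp_text)):
        for line in text.splitlines():
            m = regex.match(line)  # header / malformed lines simply do not match
            if not m or m["mac"] == "(incomplete)":
                continue
            entry = registry[normalize_mac(m["mac"])]
            entry[family].add(m["ip"])
            entry["ifaces"].add(m["ifname"])
    return dict(registry)


def resolve_mac_alias(registry: dict[str, dict[str, set[str]]], macs) -> set[str]:
    """Expand a MAC-type alias into concrete addresses.

    Assumption of this example: the packet filter matches on IP, so a MAC
    alias is only as fresh as the neighbor tables it was resolved from.
    """
    addrs: set[str] = set()
    for mac in macs:
        entry = registry.get(normalize_mac(mac))
        if entry:
            addrs |= entry["ipv4"] | entry["ipv6"]
    return addrs


if __name__ == "__main__":
    reg = build_registry(ARP_SAMPLE, NDP_SAMPLE)
    for mac, entry in sorted(reg.items()):
        print(mac, sorted(entry["ipv4"]), sorted(entry["ipv6"]), sorted(entry["ifaces"]))
    print("alias ->", sorted(resolve_mac_alias(reg, ["0:11:22:33:44:1"])))
```

The caveat that comes with any MAC-based policy: a MAC address is asserted by the client and trivially changed, so rules built on these aliases are device hints for convenience and segmentation, not authentication. A registry like this also only knows about hosts that have recently talked on the segment; an alias resolved from it goes stale as soon as the neighbor entry does.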
Developers invested substantial effort in IPv6 protocol improvements during the holiday period, addressing multiple protocol-level issues identified by users across diverse network deployments.
Notable kernel fixes include correcting address prefix lifetime calculations, eliminating off-by-one errors in the expiration checks for the preferred lifetime (pltime) and valid lifetime (vltime), and improving DHCPv6 prefix handling.
The rtsold daemon now properly validates Router Advertisement (RA) lifetimes before triggering configuration scripts, preventing edge-case failures in complex IPv6 environments.
Additionally, IPv6 divert packet handling received corrections at the pf level, improving packet filtering accuracy for organizations running advanced traffic manipulation policies.
The update also ensures that /128 host addresses no longer trigger erroneous warnings when they are deleted.
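The page does not say what the off-by-one in the lifetime checks actually was, so the following added example (a model written for this article, not the FreeBSD kernel or rtsold code that 25.7.11 patched) only pins down the boundaries a correct implementation of RFC 4861/4862 lifetime handling must get right: a lifetime of zero expires on receipt, the all-ones value 0xffffffff never expires, a PIO whose preferred lifetime exceeds its valid lifetime is ignored, and the two-hour rule of RFC 4862 section 5.5.3(e) limits how far an unauthenticated RA can shorten an existing valid lifetime. The function names and the integer clock are this example's own.

```python
"""Lifetime bookkeeping for SLAAC addresses, per RFC 4861 / RFC 4862.

Added example; a model of the rules, not the FreeBSD kernel or rtsold code.
Times are integer seconds on a monotonic clock (an assumption of this model).
"""
from __future__ import annotations

INFINITE_LIFETIME = 0xFFFFFFFF  # RFC 4861 4.6.2: all ones means infinity
TWO_HOURS = 2 * 60 * 60         # RFC 4862 5.5.3(e) threshold


def expiry(received_at: int, lifetime: int) -> int | None:
    """Absolute expiry instant (same clock as received_at); None if infinite."""
    if not 0 <= lifetime <= 0xFFFFFFFF:
        raise ValueError("lifetime is a 32-bit unsigned field")
    if lifetime == INFINITE_LIFETIME:
        return None
    return received_at + lifetime


def is_expired(received_at: int, lifetime: int, now: int) -> bool:
    """True once `now` reaches the expiry instant.

    The comparison is the boundary that matters: with `>` instead of `>=`
    a lifetime of 0 would stay live for one more tick instead of expiring
    on receipt, which is exactly the kind of off-by-one these checks invite.
    """
    exp = expiry(received_at, lifetime)
    return exp is not None and now >= exp


def address_state(received_at: int, pltime: int, vltime: int, now: int) -> str:
    """'preferred', 'deprecated' or 'invalid' for an address learned from a PIO.

    RFC 4862 5.5.3(c): a PIO whose preferred lifetime exceeds its valid
    lifetime must be ignored, so it is rejected here rather than guessed at.
    """
    if pltime > vltime:
        raise ValueError("preferred lifetime exceeds valid lifetime")
    if is_expired(received_at, vltime, now):
        return "invalid"
    if is_expired(received_at, pltime, now):
        return "deprecated"
    return "preferred"


def update_valid_lifetime(remaining: int, received: int, authenticated: bool = False) -> int:
    """RFC 4862 5.5.3(e): new valid lifetime for an already configured address.

    `remaining` is the time left on the current valid lifetime, `received`
    the Valid Lifetime in the new PIO. Lifetimes may always be extended; an
    unauthenticated RA can only shorten them down to two hours, which stops
    a single spoofed RA from invalidating every address on the link at once.
    """
    if received > TWO_HOURS or received > remaining:
        return received
    if remaining <= TWO_HOURS:
        return received if authenticated else remaining
    return TWO_HOURS


if __name__ == "__main__":
    t0 = 1000
    for now in (t0 + 599, t0 + 600, t0 + 1800):
        print(now, address_state(t0, 600, 1800, now))
    print("zero pltime:", address_state(t0, 0, 1800, t0))
    print("infinite:", address_state(t0, INFINITE_LIFETIME, INFINITE_LIFETIME, 10**12))
    print("spoofed shortening:", update_valid_lifetime(remaining=10000, received=10))
```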
The release continues the multi-version effort to eliminate direct exec() function calls across the codebase, a security-focused refactoring that reduces command-injection attack surfaces.
Changes span authentication scripts, system configuration utilities, and backend service management.
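Why replacing string-built `exec()` calls reduces command-injection surface is easiest to see side by side. The added example below is written for this article in Python (OPNsense's own backend code is not reproduced here) and uses `ping` only as a stand-in target: it shows how a shell tokenizes a spliced-in hostname, the argv-list form that passes the same bytes through untouched, and the allow-list check that should accompany it. Function names are this example's own; the interpreter echoing back its argument stands in for the real tool so the code runs offline.

```python
"""exec()-style string commands versus argv lists.

Added example in Python, not OPNsense's PHP or configd code. `ping` is only
the stand-in target; nothing here touches the network.
"""
from __future__ import annotations

import ipaddress
import re
import shlex
import subprocess
import sys

# RFC 1123 hostname: labels of 1-63 alnum/hyphen chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_shell_command(host: str) -> str:
    """The exec()-style pattern: untrusted text spliced into one shell string."""
    return f"ping -c 1 {host}"


def shell_would_see(cmdline: str) -> list[str]:
    """Tokenize the way a POSIX shell would, so metacharacters such as ';'
    show up as separate tokens instead of hiding inside the 'host'."""
    return list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))


def validate_host(host: str) -> str:
    """Allow-list: an IP literal or an RFC 1123 hostname, nothing else.

    This also rejects values starting with '-', which an argv list alone
    would not stop from being parsed as an option by the target program.
    """
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host argument: {host!r}")


def run_with_argv(untrusted: str) -> str:
    """argv list: no shell is involved, so the whole string is ONE argument.

    The Python interpreter echoes argv[1] back, standing in for the real
    tool so the example runs offline; what matters is what the child gets.
    """
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", untrusted],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    payload = "10.0.0.1; cat /etc/passwd"          # constructed attacker input
    print("shell tokens:", shell_would_see(build_shell_command(payload)))
    print("argv child received:", repr(run_with_argv(payload)))
    try:
        validate_host(payload)
    except ValueError as err:
        print("allow-list:", err)
```

The two halves are complementary: the argv form removes the shell, so `;`, `|`, backticks and `$(...)` lose their meaning, while the allow-list stops argument-level abuse (option injection, over-long values) that the target program itself might misinterpret.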
The intrusion detection system received updates to refine alert selection mechanisms and to provide a more helpful hint for rule editing.
ISC-DHCP integration received additional safeguards for DHCPv6 property access, a critical step as OPNsense transitions to replacing ISC-DHCP with Kea in version 26.1.
Two hotfixes followed the initial release. Version 25.7.11_1 corrected a vsprintf() format-string vulnerability in which stray percent characters in the formatted text were parsed as conversion specifiers.
Version 25.7.11_2 addressed edge-case tunable reset logic and suppressed excessive hostwatch logging messages that generated unnecessary system log bloat.
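The bug class behind the vsprintf() hotfix is worth seeing in code. The added example below is written for this article in Python, whose `%` operator uses the same printf-style conversion syntax as C and PHP `vsprintf()`; it is not the patched OPNsense code, and the sample strings are constructed. It contrasts text concatenated into the format string with text passed as an argument, and shows the only correct escape when text genuinely has to become part of a format.

```python
"""Stray '%' in a printf-style format string.

Added example in Python, not the OPNsense code fixed in 25.7.11_1. The
sample inputs are constructed.
"""
from __future__ import annotations


def render_unsafe(author: str, user_text: str) -> str:
    """BAD: untrusted text is concatenated INTO the format string, so any
    '%' it contains is parsed as a conversion specifier."""
    return ("%s said: " + user_text) % (author,)


def render_safe(author: str, user_text: str) -> str:
    """GOOD: the format string is a constant; untrusted text is an argument."""
    return "%s said: %s" % (author, user_text)


def escape_percent(text: str) -> str:
    """When text must become part of a format string that is formatted later
    (a stored template, a log prefix), '%%' is the only way to spell '%'."""
    return text.replace("%", "%%")


def unsafe_raises(author: str, user_text: str) -> bool:
    """Probe whether the unsafe path fails on this input. Python turns the
    mistake into an exception ("not enough arguments" or "incomplete
    format"); C's vsprintf would instead read arguments that were never
    passed."""
    try:
        render_unsafe(author, user_text)
    except (TypeError, ValueError):
        return True
    return False


if __name__ == "__main__":
    for text in ("plain text", "100% sure", "50%"):
        print(repr(text), "unsafe fails:", unsafe_raises("alice", text),
              "| safe:", render_safe("alice", text))
    template = "%s said: " + escape_percent("100% sure")
    print("escaped template:", template, "->", template % ("alice",))
```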
The stable release cycle remains on schedule, with version 26.1-RC1 expected early in the week following release and the final version targeting January 28, 2026.
The upgrade maintains stability for production deployments while positioning organizations for the significant architectural changes arriving in the next major version.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


