The OPNsense team has started the new year with the release of version 25.7.11, bringing a notable networking enhancement: a native host discovery service that deepens visibility into connected devices and tightens policy control across the firewall.
Native host discovery improves network visibility. The headline feature in 25.7.11 is the new host discovery service, built on the hostwatch component.
It automatically resolves and remembers MAC addresses for IPv4 and IPv6 hosts across connected networks.
This information is then exposed to key subsystems, including firewall MAC-based aliases and captive portal clients.
In practice, this means administrators have more accurate, timely knowledge of which devices are present on the network and how they are identified at Layer 2.
MAC-driven firewall rules can now rely on a continuously updated view of neighbours. At the same time, captive portal workflows can more reliably track client devices over time.
The service is enabled by default, but users who prefer a tighter privacy or manual control posture can opt out by turning off automatic discovery in the settings.
This keeps the feature aligned with diverse operational models, from home labs to strict enterprise environments.
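As an added illustration (not OPNsense's hostwatch code), the following Python models what such a discovery service has to track: remembered IP-to-MAC bindings for IPv4 and IPv6 hosts, expiry of stale entries, and the event a defender most wants logged, a remembered address switching to a different MAC, since that silently changes which MAC alias rule applies. The observation records are constructed sample data.

```python
"""Illustrative model of a hostwatch-style tracker: remembers the MAC last seen
for each IPv4/IPv6 address and reports when that binding changes.
Added example, not OPNsense code; the observation format below is constructed."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class HostTable:
    max_age: float = 3600.0                       # seconds before a remembered host is dropped
    hosts: dict = field(default_factory=dict)     # ip -> (mac, last_seen)
    changes: list = field(default_factory=list)   # (ip, old_mac, new_mac, time)

    def observe(self, ip, mac, now):
        """Record a neighbour observation; return True if the IP's MAC changed."""
        addr = ipaddress.ip_address(ip)           # raises ValueError on malformed input
        key = addr.compressed                     # canonical form for both v4 and v6
        mac = mac.lower()
        old = self.hosts.get(key)
        self.hosts[key] = (mac, now)
        if old and old[0] != mac:
            # A changed binding means a different MAC alias rule now matches this IP.
            self.changes.append((key, old[0], mac, now))
            return True
        return False

    def expire(self, now):
        """Forget hosts not seen within max_age; return the expired IPs."""
        stale = [ip for ip, (_, seen) in self.hosts.items() if now - seen > self.max_age]
        for ip in stale:
            del self.hosts[ip]
        return stale

    def ips_for_mac(self, mac):
        """All remembered addresses bound to a MAC (what a MAC alias would match)."""
        return sorted(ip for ip, (m, _) in self.hosts.items() if m == mac.lower())

# Constructed sample: one IPv4 and one IPv6 host, then the IPv4 host's MAC changes.
SAMPLE = [
    ("192.0.2.10", "00:11:22:33:44:55", 0.0),
    ("2001:db8::10", "00:11:22:33:44:55", 1.0),
    ("192.0.2.10", "00:11:22:33:44:55", 60.0),
    ("192.0.2.10", "66:77:88:99:AA:BB", 120.0),
]

def run_sample():
    """Feed the sample observations through a table; return it and the flagged IPs."""
    table = HostTable(max_age=600)
    flagged = [ip for ip, mac, t in SAMPLE if table.observe(ip, mac, t)]
    return table, flagged
```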
True to OPNsense tradition, the holiday period was used to deliver a series of IPv6 improvements.
The release includes multiple kernel-level fixes around IPv6 address lifetime handling, router advertisement processing, and divert and pf behaviour for IPv6 traffic.
New Features
| Feature Category | Component | New Capability | Description |
|---|---|---|---|
| Network Discovery | Host Discovery Service | Native MAC address resolution | Automatically resolves and remembers IPv4/IPv6 MAC addresses via the hostwatch component |
| Network Discovery | MAC Aliases | Dynamic MAC data integration | Firewall MAC aliases now use live host discovery data instead of static entries |
| IPv6 Stack | Kernel IPv6 | Address lifetime management | Fixes pltime/vltime expiration checks and prefix lifetime updates |
| IPv6 Stack | Router Advertisements | RA lifetime validation | rtsold now checks RA lifetime before triggering scripts |
| IPv6 Stack | DHCPv6 Client | Infrastructure preparation | Groundwork for major dhcp6c update in 26.1 |
| Core Migration | ISC-DHCP Removal | Plugin-based architecture | ISC-DHCP being removed from core; plugin available in development version |
| System Security | Safe Execution | exec() call elimination | Removed numerous exec() calls across system, backend, and auth scripts |
| Certificate Management | Trust Store | DNS SAN preservation | Properly fills DNS Subject Alternative Names from existing certificates |
| Firewall Automation | ICMP Handling | Protocol-aware options | ICMP type only shows when protocol is ICMP; adds multi-select ICMP6 options |
| Captive Portal | Client Tracking | Host discovery integration | Uses host discovery service by default for ARP table monitoring |
| VPN Services | OpenVPN | Client export enhancements | Adds search functionality, fixes archive export, reduces exec() usage |
| DNS Services | Unbound | Reporting and management | Adds per-policy quick actions, reference counters for aliases, UI layout fixes |
| Monitoring | Suricata IDS | Security update integration | Updated to Suricata 8.0.3 with latest vulnerability fixes |
| Routing | FRR Plugin | Protocol enhancements | os-frr 1.50 brings routing protocol improvements and fixes |
| IPv6 Proxy | NDP Proxy | Infrastructure updates | os-ndp-proxy-go 1.3 provides IPv6 neighbor discovery improvements |
| Monitoring | Telegraf | Metrics collection updates | os-telegraf 1.12.14 includes plugin updates and bug fixes |
| Kernel Network | netlink subsystem | Buffer management fixes | Prevents overwriting existing data in linear buffers; avoids direct ifnet access |
| Kernel Network | pf firewall | IPv6 divert packet handling | Fixes handling of IPv6 divert packets and ip_divert_ptr tests |
| Kernel Network | netmap | Memory allocator control | Memory allocator parameters now settable via loader.conf |
Interface handling has been tightened to prefer longer address lifetimes when multiple exist, migrate “sharednet” tuning to the appropriate sysctls, and refine PPP checks.
These changes lay the groundwork for the upcoming 26.1 release, which will also ship a larger dhcp6c update.
At the same time, 25.7.11 continues the gradual removal of ISC-DHCP from the OPNsense core.
A replacement plugin is already available via the development branch and should auto-install there; administrators are advised to ensure it is present before rebooting into the new stack.
According to OPNsense, 26.1-RC1 is expected early next week, with RC2 following shortly, and a final 26.1 release still targeted for January 28.
Refinements across firewall, services, and security stack. Beyond host discovery and IPv6, 25.7.11 brings a broad set of polish and hardening changes.
The firewall gains better ICMP/ICMPv6 handling in automation, simplified port alias checks, and direct integration with the discovery data for MAC aliases.
Captive portal handling is more robust against malformed JSON output from the interface.
Core services see usability and safety improvements, including enhanced certificate handling, safer execution paths in system and IPsec components, OpenVPN client export fixes and search, and several quality-of-life enhancements in Unbound reporting and overrides management.
The MVC framework and UI also receive performance and consistency tweaks.
On the security monitoring side, the ports tree updates Suricata to 8.0.3, a security-focused release that addresses multiple vulnerabilities and improves stability and accuracy for IDS/IPS deployments.
