OPNsense 25.7 Released: A Comprehensive Open-Source Firewall Distribution

On July 23, 2025, the release of the firewall distribution OPNsense 25.7, based on FreeBSD code, was announced. This project, which branched off from pfSense in 2015, aims to develop a completely open-source distribution capable of providing functionalities comparable to commercial solutions for deploying firewalls and network gateways.

Unlike pfSense, OPNsense is designed to be community-driven, ensuring that the development process is fully transparent and not controlled by any single company. The project allows users to integrate its components into third-party products, including commercial ones. The source code for OPNsense components and the tools used for its compilation are available under the BSD license.

OPNsense builds are available as a LiveCD and as a system image for writing to flash drives (490 MB).

OPNsense features include a fully open-source build toolkit, installation in package form on standard FreeBSD, load balancing, a web interface for connecting users to the network (Captive Portal), stateful firewall mechanisms based on pf, bandwidth control, traffic filtering, VPN support using IPsec, OpenVPN, and PPTP, LDAP and RADIUS integration, DDNS (Dynamic DNS) support, and a comprehensive reporting and graphing system.

OPNsense supports high-availability configurations based on the CARP protocol: a backup node is automatically kept synchronized with the primary firewall's configuration and takes over if the main node fails.

For system administrators, OPNsense provides a web interface for firewall configuration, built on the Bootstrap and Phalcon MVC web frameworks.

According to OpenNET, the main updates and additions in OPNsense 25.7 include:

— Migration to FreeBSD 14.3 codebase (previously using FreeBSD 14.2);
— The setup wizard has been migrated to an MVC framework and is now also accessible via Web API for automating network configuration management;
— Dnsmasq is now the default DHCP implementation instead of ISC DHCP, with the option of using the Kea DHCP server for DHCPv6;
— Improvements in privilege separation for web interface operations, including an experimental feature for running the web interface under a separate user "wwwonly" instead of "root";
— A new "expire" option has been added to the firewall for automatic clearing of tables via cron, with an updated alias caching model;
— Additional authentication profiles have been introduced in the Captive Portal;
— The FreeBSD-kmods repository is disabled by default, and community-developed third-party plugins are hidden (a button has been added on the plugins page to show such plugins);
— Support for the JA4 traffic fingerprinting method has been added to the intrusion detection toolkit;
— The user interface has been enhanced for better automation of firewall operations;
— A plugin for saving backups over SFTP has been added;
— Tabular content in the user interface is now laid out with the Tabulator JavaScript library instead of Bootgrid;
— Plugins have been updated, including os-acme-client 4.10, os-bind 1.34, os-crowdsec 1.0.11, os-frr 1.45, os-gdrive-backup 1.0, os-grid_example 1.1, os-openvpn-legacy 1.0, os-puppet-agent 1.2, and os-strongswan-legacy 1.0.