IPFire 2.29 Core Update 199 introduces advanced support for WiFi 7 and WiFi 6, along with LLDP/CDP

  • Integration of advanced support for WiFi 7 and WiFi 6, along with LLDP/CDP, improving wireless performance and network visibility.
  • Kernel update to Linux 6.12.58 and IPS revision with Suricata 8.0.2 and suricata-reporter 0.5, reinforcing stability and security.
  • Improvements to OpenVPN Roadwarrior, proxy and web UI, fixing bugs, fine-tuning security and making daily administration easier.
  • Extensive update of base packages and add-ons, including ffmpeg 8.0, ClamAV 1.5.1, Samba 4.23.2 and zabbix_agentd 7.0.21 (LTS).

IPFire 2.29 Core Update 199 arrives laden with profound changes that affect virtually every layer of the system: from next-generation wireless support to hardened core security, including improvements to VPN, proxy, web interface, and a host of updated packages. This version, initially released as a test build, is aimed squarely at demanding environments, both enterprise and advanced home users.

Throughout this guide we will break down all the technical and functional innovations in this update: support for WiFi 7 and WiFi 6, native LLDP/CDP integration, a new kernel, changes to the intrusion prevention system, improvements to OpenVPN, proxy refinements, minor interface tweaks, updated add-ons, and the significant development effort behind it. If you use IPFire in a production environment, you'll want to understand what's changed and how it can benefit you.

IPFire 2.29 Core Update 199 takes a leap forward in wireless networking: support for WiFi 7 and WiFi 6

One of the big stars of this version is IPFire's direct compatibility with WiFi 7 and WiFi 6 access points. Until now, some of the hardware was already working, but the advanced capabilities of these standards weren't being fully utilized. With Core Update 199, the system can now take full advantage of these advanced features to deliver greater speed and lower latency.

It is now possible to simply select the preferred WiFi mode from the interface and let IPFire handle the rest of the configuration. 802.11be (WiFi 7) and 802.11ax (WiFi 6) are added to the existing 802.11ac/agn, and a channel width of up to 320 MHz is supported. This translates into truly impressive bandwidth figures: over 5.7 Gbps with two spatial streams or around 11.5 Gbps with four streams, all over the air.

Another important change is that IPFire automatically detects the capabilities of the WiFi hardware and activates supported features without the need to fiddle with cryptic settings. Previously, configuring "HT Capabilities" and "VHT Capabilities" was done manually, with the consequent risk of errors and wasted time. Now the system takes care of enabling everything the wireless card supports securely, resulting in more stable and faster networks.

Regarding wireless security, an option is introduced to strengthen networks that still use WPA2 or WPA1. When there are clients that cannot use WPA3, IPFire will allow the use of SHA256 during authentication, strengthening the handshake without forcing the abandonment of these older protocols, something still necessary in many mixed device fleets.

By default, this update enables SSID protection via MFP (Management Frame Protection, 802.11w) where available. In these cases, the system automatically enables Beacon Protection and Operating Channel Validation, hindering attacks based on spoofed management frames and improving network robustness against malicious interference.
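
To check an access point configuration for the WPA2 hardening and MFP-related protections described in the two paragraphs above, the following added example (not IPFire's own code) audits a hostapd-style configuration. The key names are standard hostapd.conf options; that IPFire writes exactly these keys is an assumption, and both sample configurations are constructed.

```python
# Added example: audit a hostapd.conf for the protections described above.
# Key names are standard hostapd.conf options; that IPFire writes exactly
# these keys is an assumption. Both sample configs are constructed.
WEAK_CONF = """\
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""
HARDENED_CONF = WEAK_CONF.replace(
    "wpa_key_mgmt=WPA-PSK", "wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256"
) + "ieee80211w=1\nbeacon_prot=1\nocv=1\n"


def parse_conf(text):
    """Parse key=value lines; the last occurrence of a key wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return the protections named in the text that this config lacks."""
    findings = []
    akms = set(conf.get("wpa_key_mgmt", "").split())
    # A legacy AKM offered without its SHA256 sibling leaves capable
    # WPA2 clients on the SHA1-based key derivation.
    for legacy in ("WPA-PSK", "WPA-EAP"):
        if legacy in akms and legacy + "-SHA256" not in akms:
            findings.append(f"{legacy} offered without {legacy}-SHA256")
    mfp = conf.get("ieee80211w", "0") in ("1", "2")  # 1=optional, 2=required
    if not mfp:
        findings.append("MFP (ieee80211w) disabled")
    # Beacon protection and OCV are only effective together with MFP.
    if not (mfp and conf.get("beacon_prot", "0") == "1"):
        findings.append("beacon protection (beacon_prot) not active")
    if not (mfp and conf.get("ocv", "0") != "0"):
        findings.append("operating channel validation (ocv) not active")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or "ok")
```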

To optimize spectrum usage, IPFire incorporates a mechanism that converts multicast traffic to unicast by default. This is especially useful when most clients are modern and fast. It frees up airtime and reduces collisions, which is particularly helpful in densely populated networks that consume a lot of audiovisual services or broadcast traffic.

If the hardware allows it, background radar detection is performed. This is essential for proper operation with DFS channels and compliance with regulations for frequency bands shared with radar services. All of this is integrated seamlessly into the interface, which remains largely unchanged, as the real work happens under the hood.

On Lightning Wire Labs products, designed specifically for IPFire, these advanced WiFi capabilities will be activated automatically. This means that users of these appliances will get the most out of the new wireless stack from the very first moment.

Network discovery with LLDP and Cisco Discovery Protocol

In complex environments, knowing exactly what each firewall interface is connected to is key for diagnosis and documentation. With Core Update 199, IPFire incorporates native support for LLDP (Link Layer Discovery Protocol) and CDPv2 (Cisco Discovery Protocol), two protocols widely used in managed switches and professional network equipment.

Thanks to this integration, the firewall can automatically identify the devices connected to each physical port and determine which switch port each interface connects to. This greatly simplifies things when working with racks full of equipment, VLANs, trunks, and aggregations, and integrates seamlessly with monitoring and mapping tools like Observium.

The functionality is conveniently managed from the web interface, in the menu Services → LLDP, where it can be activated, deactivated, or have its parameters adjusted according to the needs of the environment. In this way, IPFire becomes a more visible and fully integrated player in the network topology.

Updated kernel and performance improvements in IPFire 2.29 Core Update 199

Another key component of this Core Update is the IPFire kernel update to Linux 6.12.58. This version upgrade brings numerous security and stability fixes, as well as performance improvements that are especially noticeable on modern hardware and demanding workloads.

Certain configuration settings related to scheduling debugging and concurrency (preemption debugging) have been reviewed. Disabling or fine-tuning certain debugging parameters that are not needed in production results in a noticeable increase in performance on many systems, reducing latency and improving firewall response time under load.

Strengthening the intrusion prevention system (IPS)

The heart of IPFire's IPS, Suricata, has been updated to version 8.0.2. This change not only brings internal improvements to the traffic analysis engine, but also opens the door to new rules and detection capabilities, keeping the system up-to-date against current threats.

The IPS reporting functionality also received a significant adjustment due to issues with the SQLite database used internally. When this system was busy, some alerts could be missed. This problem has been resolved with version 0.5 of the suricata-reporter package, which ensures that alerts are reliably logged and reported.

In addition, the IPS reports will now have a fixed delivery schedule at 1:00 AM. This small change responds to the request of several administrators who needed to have the reports ready first thing in the morning, thus facilitating the daily review of the security status before the start of the workday.

OpenVPN improvements for roaming clients in IPFire 2.29 Core Update 199

The OpenVPN Roadwarrior module also receives a package of small but significant optimizations for remote access environments. First, if the server still uses ciphers considered legacy, the interface will highlight them to draw the administrator's attention and encourage them to plan a migration to more robust algorithms.

It is now possible to push multiple DNS and WINS servers to clients. This is very useful in corporate networks with multiple domains, internal resolvers, or mixed environments. It greatly simplifies configuration without requiring hacks or additional scripts on the client side.

The OpenVPN server now always runs in multi-home mode. This better aligns with the reality of IPFire, which is typically deployed with multiple network interfaces. With this setting, the server consistently responds using the same IP address the client connects to, regardless of whether the connection originates from the internal or external network, preventing unexpected behavior in multi-route scenarios.

A bug has also been fixed that prevented the first custom route from being pushed correctly. This bug could cause certain networks to be inaccessible through the tunnel, even if the rest of the configuration was correctly defined. With the patch, custom routes are now distributed as expected.

Regarding authentication, the component responsible for validating users handles OTP flows better. When the client gets "confused" during the two-step authentication process, the server will make an extra effort to guide them and complete the login correctly, reducing incidents due to end-user misunderstandings.

Finally, the auth-nocache directive is removed from the client configuration file, since it was ineffective in this context. Removing it simplifies the file without negatively impacting the actual security of the deployment.

Proxy: IPFire 2.29 Core Update 199 Security and Stability Mitigations

IPFire's proxy also benefits from changes designed to reduce security risks and resolve race conditions. First, a specific mitigation is applied against the vulnerability identified as CVE-2025-62168, reinforcing the configuration to prevent possible exploitation.

In addition, a race condition has been resolved that could cause the URL Filter process to be forcibly terminated during the compilation of its databases. Under certain circumstances, this resulted in occasional crashes or loss of filtering until the service was restarted. With the built-in fix, list compilation should proceed without interruption.

Small but significant improvements to the web interface

The web administration interface receives several improvements that, while not spectacular, clearly improve everyday usability. The firewall module corrects a bug that prevented the creation of new location groups, a very useful feature for managing rules based on countries or regions.

In the section dedicated to hardware vulnerabilities, a clearer message is now displayed when the system does not support SMT (Simultaneous Multithreading). Instead of confusing messages, the administrator better understands the CPU situation and how it affects certain mitigations.

The mail module adjusts the handling of credentials that contain certain special characters. This prevents them from becoming corrupted or "mangled" during saving. This reduces issues when configuring notifications and other services that rely on SMTP authentication.

General changes and system update package

Beyond the specific features, this update includes fundamental system modifications and a large batch of updated packages. First, the D-Bus daemon is now set to run by default in IPFire, paving the way for future features that will rely on this internal messaging infrastructure.

The initramfs construction system also evolves: dracut is replaced by dracut-ng. Since the original project has been abandoned by Red Hat, this change ensures active maintenance and a more solid foundation for startup and recovery processes.

Among the new utilities, dma has been added, a tool designed to generate local mailboxes and manage email in a lightweight way, especially useful in systems that do not require a heavy MTA but do require some internal delivery functionality.

The encryption stack is also adjusted to align IPFire with current recommendations: the SSH cipher suite is synchronized with upstream and prioritizes AES-GCM over AES-CTR, favoring more robust authenticated modes by default.

A race condition in firewall rule enforcement has also been corrected. Previously, a set of rules already in place could disappear if another rule was inserted at the same time. Now, the rules remain consistent even with frequent policy changes.

Other changes

Regarding the core package catalog, Core Update 199 updates a long list of fundamental components. These include, among many others, coreutils 9.8, c-ares 1.34.5 (patched against CVE-2025-31498), cURL 8.17.0 and BIND 9.20.16, basic pillars for system utilities and name resolution.

Key libraries and tools are also being upgraded, such as boost 1.89.0, btrfs-progs 6.17.1, elfutils 0.194, expat 2.7.3 (with fixes for CVE-2025-59375 and CVE-2024-8176), fmt 12.1.0, FUSE 3.17.4 and glib 2.86.0, reinforcing compatibility and security.

Updates are also included for harfbuzz 12.1.0, hwdata 0.400, iana-etc 20251030, iproute2 6.17.0, kbd 2.9.0, less 685, libarchive 3.8.2, libcap 2.77, libgpg-error 1.56, libxml2 2.15.1 and LVM2 2.03.36, all of them critical components for system management, console, storage and data parsing.

The suite of building and development tools is also being updated with nasm 3.00, ninja 1.13.1, protobuf 33.0 and Rust 1.85.0. Meanwhile, the embedded database and various network services are improved thanks to SQLite 3.51.0, Suricata 8.0.2, suricata-reporter 0.5, strongSwan 6.0.3, unbound 1.24.1 and others.

The update package is completed by various system and administrative utilities such as sysvinit 3.14, udev 258, util-linux 2.41.2, vim 9.1.1854, whois 5.6.5, usbutils 019 and xfsprogs 6.17.0, in addition to multiple code cleanups spread throughout the code base, which improve maintainability and reduce technical debt.

Add-ons: New features and updated versions

The IPFire add-on ecosystem is also being updated, incorporating fixes and new features in several add-ons. One of the tools receiving attention is arpwatch, which is designed to monitor changes in MAC addresses on the network.

A bug has been fixed that prevented arpwatch from sending the correct sender name in notification emails. This caused some servers to reject those messages. Furthermore, MAC addresses are now always displayed with zero padding, making them easier to read and preventing confusion.

The ffmpeg add-on is updated to version 8.0 and is now linked against OpenSSL and the lame library. Thanks to this, IPFire can once again handle streams from external sources via HTTPS and mp3 encoding without problems, recovering streaming capabilities that some administrators missed.

Along with these changes, numerous additional packages within the add-ons are updated, such as ClamAV 1.5.1, dnsdist 2.0.1, fetchmail 6.5.7, hostapd f747ae0, libmpdclient 2.23, mpd 0.24.5 and mympd 22.1.1, improving antivirus functions, advanced DNS, email, multimedia services and access point management.

The scale of this version makes it clear that IPFire continues to focus on expanding network capabilities, strengthening security, and continuously refining the management experience. From the new generation WiFi and improved visibility with LLDP/CDP, to the modernized kernel, the more reliable IPS, improvements to OpenVPN, the reinforced proxy, small interface fixes, the updated package library and expanded add-ons, everything comes together to offer a faster, more secure system ready for complex scenarios, always backed by a community and team that need support to keep up with this pace of evolution.