21.10 Series

The OPNsense business edition successfully transitions to this 21.10 release with a new installer including ZFS support, improved central management and Intel network driver updates amongst others.

Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.

https://downloads.opnsense.com/

21.10 (October 14, 2021)

The OPNsense business edition successfully transitions to this 21.10 release with a new installer including ZFS support, improved central management and Intel network driver updates amongst others.

Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.

https://downloads.opnsense.com/

This business release is based on the OPNsense 21.7.3 community version with additional reliability improvements.

Here are the full patch notes:

  • system: allow automatic user creation on LDAP-based logins

  • system: circular logs are now disabled by default

  • system: default gateway failure state killing is now disabled by default

  • system: allow cron-based restarts of all “restart” action providers

  • system: allow more characters in the certificate/authority organization fields (contributed by Jan De Luyck)

  • system: default RSS widget feed to forum announcements

  • system: prevent use of client certificates in web GUI

  • system: raised encryption standard for encrypted config.xml export

  • system: reload FreeBSD services when reloading all services from console

  • system: add missing ACL for Syslog targets page

  • system: removed NextCloud backup from core functionality

  • system: removed unused traffic API dashboard feed

  • interfaces: add and use unified function is_interface_assigned() to prevent deleting assigned interfaces

  • interfaces: add netstat tree search and improve page layout

  • interfaces: allow interface-based overrides of hardware checksum settings

  • interfaces: correct indent in dhclient configuration

  • interfaces: clear PPPoE SLAAC addresses on linkdown

  • interfaces: flush IPv6 addresses on the correct IPv6 interface when it differs from the IPv4 interface

  • interfaces: improve GRE/GIF configuration handling and dynamic reload behaviour

  • interfaces: packet capture quick select for all interfaces

  • interfaces: refactor DNS lookup and add PTR to output (contributed by Maurice Walker)

  • interfaces: refactored address removal into interfaces_addresses_flush()

  • interfaces: remove duplicated handling of PPP IPv6 interface detection

  • interfaces: replace opportunistic diagnostics IP address lookups with more robust variants

  • interfaces: sync firewall groups after internal create/destroy operations

  • interfaces: use -M option in rtsold invoke in preparation for 22.1

  • firewall: MVC rewrite of the pfTop diagnostics pages under “Sessions”

  • firewall: MVC rewrite of the states diagnostics pages under “States”

  • firewall: add manual reply-to configuration to rules

  • firewall: add quick link to states counter from firewall rule inspection

  • firewall: aliases maximum entries progress bar

  • firewall: allow to specify port ranges for outgoing NAT (contributed by Nikolay Denev)

  • firewall: clarify match/set priority in rules

  • firewall: delete related rules when an interface group is removed

  • firewall: improve alias description/preview

  • firewall: make sure net.pf.request_maxcount and table-entries are always aligned

  • firewall: only set state options on rules when state is being tracked

  • firewall: rename source/destination networks when group name changes

  • firewall: renamed “pfTables” diagnostics to “Aliases”

  • firewall: use permanent promiscuous mode for pflog0

  • dhcp: add shared dhcpd_leases() reader and use it in both lease pages

  • dhcp: always deprecate prefixes in automatic router advertisements

  • dhcp: assorted improvements surrounding dhcpd_staticmap() for real world operation

  • dhcp: fix table header sorting in lease pages (contributed by vnxme)

  • dhcp: lock access to settings pages when interface is not suitable for running a DHCP server

  • dhcp: remove ::/0 route from router advertisements (contributed by Maurice Walker)

  • firmware: also check plugins sync for up to date core package

  • firmware: backend now supports reinstall like opnsense-bootstrap -q

  • firmware: confirm plugin removal dialog

  • firmware: introduced connectivity check

  • firmware: opnsense-patch can now patch installer and updater files

  • firmware: opnsense-update -c option now honours the -f option

  • firmware: opnsense-update improvements for mirror manipulation options

  • firmware: replace php version_compare() call with pkg-version shell command

  • firmware: revoke 21.1 fingerprint

  • firmware: static template for firmware upgrade message

  • firmware: sync plugins in console update

  • ipsec: add auto type for identities

  • ipsec: adhere to system defaults for route-to and reply-to when creating automatic VPN rules

  • ipsec: fix a regression in VTI handling

  • ipsec: fix a regression in rightsubnets for non-mobile phase 2

  • ipsec: identity quoting for ASN1DN and FQDN types with “#” characters

  • ipsec: switched to explicit type selection for identities

  • openvpn: CARP status read cleanups (contributed by vnxme)

  • openvpn: do not create empty router file

  • openvpn: validate tunnel prefix to avoid OpenVPN 2.5 start errors (contributed by kulikov-a)

  • openvpn: improve the cipher parsing

  • openvpn: increase consistency between export types

  • openvpn: offer the ability to export a user without a certificate

  • openvpn: simplify CIDR validation and remove trim() usage

  • openvpn: tls-crypt support (contributed by vnxme)

  • openvpn: untie server-ipv6 from server directive

  • openvpn: use is_interface_assigned() to prevent deletion of assigned instances

  • unbound: add “unbound check” backend action

  • unbound: add qname-minimisation-strict option

  • unbound: allow to retain cache on service reload

  • unbound: automatically add “do-not-query-localhost: no” on DoT when needed

  • unbound: fix /var MFS dilemma for DNSBL after boot

  • unbound: fix domain overrides for private address reverse lookup zones (contributed by Maurice Walker)

  • unbound: register DHCP leases with their matching IP range configured DHCP domain

  • unbound: reject invalid cache data

  • unbound: remove deprecated custom options setting

  • unbound: renamed “blacklist” to “blocklist” for clarity

  • unbound: support insecure-domain directive

  • unbound: switch model to integrate full DNS over TLS support

  • console: throw error when opnsense-importer encounters an encrypted config.xml

  • mvc: allow to unset attribute via setAttributeValue()

  • mvc: reduce differentials in config.xml when saving models

  • rc: opnsense-beep melody database directory

  • ui: improved JS hook_ipv4v6() to jump to /64 on IPv6 and back to /32 on IPv4

  • ui: inject default tooltips into bootgrid formatters

  • ui: work on unification of add buttons by minifying them and adding primary color markup

  • ui: removed $main_buttons magic handler

  • plugins: OPNcentral core requirements are now installed by default via os-OPNBEcore plugin

  • plugins: os-OPNBEcore 1.0

  • plugins: os-OPNcentral 1.3 [2]

  • plugins: os-acme-client 3.2 [3]

  • plugins: os-bind 1.18 [4]

  • plugins: os-chrony 1.4 [5]

  • plugins: os-collectd 1.4 [6]

  • plugins: os-dnscrypt-proxy 1.9 [7]

  • plugins: os-fetchmail 1.1 [8]

  • plugins: os-freeradius 1.9.16 [9]

  • plugins: os-frr 1.22 [10]

  • plugins: os-haproxy 3.5 [11]

  • plugins: os-net-snmp 1.5 [12]

  • plugins: os-nextcloud-backup 1.0

  • plugins: os-nginx Phalcon 4 fixes

  • plugins: os-postfix 1.20 [13]

  • plugins: os-radsecproxy 1.0 (contributed by Tobias Boehnert)

  • plugins: os-realtek-re 1.0 adds Realtek vendor NIC driver module

  • plugins: os-telegraf 1.12.1 [14]

  • plugins: os-tftp 1.0 (contributed by Michael Muenz)

  • plugins: os-tor Phalcon 4 fix

  • src: FreeBSD updates for Intel e1000, ixgbe and ixl drivers

  • src: FreeBSD updates for the pf(4) and iflib(4) subsystems

  • src: compatibility shim for upcoming rtsold “-M” command line option

  • src: dhclient support for VLAN 0 decapsulation

  • src: dhclient: skip_to_semi() consumes semicolon already

  • src: fix libfetch out of bounds read [15]

  • src: fix missing error handling in bhyve(8) device models [16]

  • src: fix remote code execution in ggatec(8) [17]

  • src: iflib: fix partial length accounting error in netmap mode

  • src: lib: add libnetmap and related patches

  • src: rtsold: slightly change address read

  • src: runtime RSS code preparations and assorted related upstream patches

  • src: separately log NAT and firewall rules in pf(4)

  • ports: drop hardening options and switch to FreeBSD ports tree

  • ports: curl 7.79.1 [18]

  • ports: dnsmasq 2.86 [19]

  • ports: filterlog 0.5 removes unused IPv6 options support

  • ports: ifinfo 13.0

  • ports: krb5 1.19.2 [20]

  • ports: monit 5.29.0 [21]

  • ports: mpd5 adds L2TP interoperability fix from upstream

  • ports: nettle 3.7.3

  • ports: nss 3.70 [22]

  • ports: openvpn 2.5.3 [23]

  • ports: pcre 8.45 [24]

  • ports: php 7.4.23 [25]

  • ports: phpseclib 2.0.32 [26]

  • ports: python 3.8.12 [27]

  • ports: strongswan 5.9.3 [28]

  • ports: sudo 1.9.8p1 [29]

  • ports: suricata 6.0.3 [30]

  • ports: syslog-ng 3.34.1 [31]

  • ports: unbound 1.13.2 [32]

Known issues and limitations:

  • NextCloud backup feature moved from core to plugins. Please reinstall if needed.

  • IPsec identities are now set using their explicit type. See StrongSwan documentation [33] for the old automatic defaults.

  • Unbound custom options setting has been discontinued. Local override directory /usr/local/etc/unbound.opnsense.d exists.

  • OpenVPN network input validation changed. Check all clients and servers for GUI errors after upgrade by saving their configuration and removing stray whitespace on errors.

  • OPNcentral plugin is no longer required on managed nodes after upgrade.

The public key for the 21.10 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1Cc2Mw+t6NAgU5Ts8feU
# +vJSn4N8Ex1afuZ/tyXnRwxQ7w0+Hr0Bs8Ygy2X67KQi/7pi5FQ/hIJyEnf5Tm/7
# 7sS6O6XPvu2fg7UN1RBi5VgFJh4vajwhVGUg+EpuMNIgZw7AkWNlULvQSLBHOX7S
# FAthJQQ957OU2RARQA+LVT3wyiLpEhQp0S9h/YAO1tITQKlsPjlU4+0Iv58JZuAG
# lek+FaZyBLqCUF4ItLxGjqO3L4cx5iy3yD7qIOR3dN7tncdEYxQweut8cA80hFUe
# Wy8DgPUKVZRRZnVWSZp9QXzoo9ACLebAv6DOzN17DrVdO0iH6iYr6s/7tDoxtN0G
# +r6huk0tTKQ0UJX7O9l5GAQe+HWFH1WxTU37Pb79BbxXW+9LCUtAZ35HKLmIaQyb
# 6t3Jr0FTX+LtJBMUpWtYIAYjQIH2dlBGbwFRbljsibbSTsi/E+1WW3ob1r5O5fML
# b734CktIXm3HFvQ0qZ4DyIQDZS0J8zoVO2wHjlh9MsxCJdDvDXe6Dbj/Y93SBXVr
# Az8T8YrEwjK0fPt8dB1p+Ue49eYXPs5lJPmB5iaiXlp1VTqUwH2Lm3BZG5bUKded
# zOjHavmTeTXuSKWEYh/UP7mLGeY1FQF0o7VHJfdiJLt/4s2ybM9DNUssjSDBqBRV
# CPvKwujGiI0N2BPJHP21g1ECAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-business-21.10-OpenSSL-dvd-amd64.iso.bz2) = 0060cb221ebc43f1685b12145736a1c2f6a5954fcdf4711cfdb8c820c396d36d
# SHA256 (OPNsense-business-21.10-OpenSSL-nano-amd64.img.bz2) = 6ed0f4aa20878a9fed5e1aa3bc2055c6eebec7363eee1477ced18c982404100e
# SHA256 (OPNsense-business-21.10-OpenSSL-serial-amd64.img.bz2) = bf892938acbbc4a91d8f4f0f0f9c7aee1e5587d7ac7a5b5dcf336f5915769050
# SHA256 (OPNsense-business-21.10-OpenSSL-vga-amd64.img.bz2) = 54ca32990238db54fd830daf787d3a35eaf2ad8dad383948bed3ea2f2d0ddf46