16.7 “Dancing Dolphin” Series

It is time for the next major iteration in open-source security! After 6 months and 20 minor releases we hereby declare the general availability of OPNsense 16.7, nicknamed “Dancing Dolphin”. The highlights of this major release include:

  • Suricata 3.1.1 with Intel Hyperscan support

  • NetFlow-based reporting and export

  • Traffic shaping using CoDel / FQ-CoDel

  • Two-factor authentication based on RFC 6238 (TOTP)

  • HTTPS and ICAP support in the proxy server

  • FreeBSD 10.3 with full integration of HardenedBSD ASLR

  • UEFI boot and installation modes

  • Substantial updates to our language packs: Japanese, Russian, German, French, Chinese

We thank all contributors, testers and users for their relentless support and invaluable feedback. The release candidate phase has been the most fun we have had so far. :)

Attention: An incompatibility in Chrome may prevent the firmware update from running. Try a different browser to upgrade to 16.7 where a workaround has been added to avoid the problem in the future.

All images can be found on the mirrors below with checksums attached to the end of this announcement:


16.7.14 (January 25, 2017)

We are back for one last update of the 16.7 series with a small number of fixes and security-related package updates. Do not forget that 17.1 is scheduled for next week: the update instructions will be delivered via the usual firmware update path.

Until then, here are the full patch notes:

  • traffic shaper: order rules numerically by sequence number

  • firmware: added opnsense-revert tool for release-based package revert

  • captive portal: fix downloading files in Chrome

  • insight: fix downloading files in Chrome

  • mvc: consistently set locale (contributed by Alexander Shursha)

  • mvc: do not deliver content twice on API calls

  • python: downgraded to 2.7.12 in order to fix segmentation faults within insight reporting

  • libressl: avoid possible side-channel leak of ECDSA private keys when signing [1]

  • ports: bind 9.10.4-P5 [2]

  • ports: perl 5.24.1 [3]

  • ports: sqlite 3.16.2 [4]

  • ports: openssh 7.4p1 [5]

  • ports: sudo 1.8.19p2 [6]

  • ports: lighttpd 1.4.45 [7]

  • ports: php 5.6.30 [8]

16.7.13 (January 06, 2017)

This update ships with the latest version of Squid, an enhanced version of the HAProxy plugin and other assorted reliability improvements.

As 17.1 inevitably approaches, we have set the release date to January 31. If all goes well, the upcoming 16.7.14 will be the EOL release for the 16.7 series.

Here are the full patch notes:

  • system: extended sudo option to allow an additional no-password mode

  • firmware: the package manager will now always delete modified package files

  • firmware: allow major upgrades into other flavours from the command line

  • firmware: do not overwrite /etc/rc.shutdown on base updates

  • firewall: add a note that ports only apply to TCP and/or UDP (contributed by Andrew Berry)

  • dns resolver: correctly handle empty DHCP lease sections

  • dhcp: use regular expressions to optimize static lease reading (contributed by Senol Korkmaz)

  • web proxy: fix subnet computation

  • netflow: fix missing check for egress_only

  • plugins: HAProxy 1.10 with HA sync, custom TCP checks, bugfixes (contributed by Frank Wall)

  • ports: curl 7.52.1 [1]

  • ports: ca_root_nss 3.28

  • ports: squid 3.5.23 [2]

  • ports: python 2.7.13 [3]

  • ports: perl 5.24.1-RC5 [4]

  • ports: lighttpd 1.4.44 [5]

  • ports: phalcon 3.0.3 [6]

  • ports: heimdal 7.1.0 [7]

16.7.12 (December 29, 2016)

This is a minor reliability update. We were investigating a possible OpenVPN regression and have therefore reverted an upstream patch. The results are currently inconclusive and we will be holding off on the newly released version 2.4 for OPNsense 17.1 for further testing. If something was off in your setup please let us know.

Here are the full patch notes:

  • system: improve cancel button behaviour

  • system: change coupled /tmp+/var MFS to /var MFS

  • system: load AESNI in the default configuration

  • firmware: list all licenses of packages

  • firewall: improve cancel button behaviour

  • traffic shaper: do not error on apply when no configuration is set

  • interfaces: do not allow VLAN delete when in use

  • interfaces: improve cancel button behaviour

  • interfaces: only parse lease sections for ARP entries

  • interfaces: fix QinQ setup

  • services: improve cancel button behaviour

  • ipsec: add clone phase 2 option to ease duplication

  • openvpn: force rewrite of Viscosity client export files

  • dns resolver: remove unused EDNS support

  • dns forwarder: allow to run on non-standard port when resolver is running

  • lang: updates for Czech, German and Italian

  • plugins: os-haproxy 1.8 (contributed by Frank Wall)

  • plugins: compatibility fix for os-pptp, os-pppoe and os-l2tp

  • ports: openvpn [1] (reverted topology subnet fix)

  • ports: pkg (license viewer upstream fix)

  • ports: sudo 1.8.19p1 [2]

  • ports: php 5.6.29 [3]

16.7.11 (December 14, 2016)

The builds for 17.1-BETA are rolling as we write this and we are mighty proud of having come so far! Almost two years ago we started with a simple vision and have been staying true to our goal of providing stable licensing, swift updates and modern features. But that story is not for today. :)

In the meantime, this 16.7.11 update receives newer versions of OpenVPN and Suricata, improved password hashing and two DNS forwarder fixes. Furthermore, the firmware feature received an extensive user experience boost, including, but not limited to, being able to read pending release notes.

Here is the full list of changes:

  • system: improved password hashing [1] (contributed by OSNet)

  • system: make sure vital kernel modules are always loaded

  • system: added mute console support and improved tty reconfiguration

  • system: revived “normal” power state config option for powerd (contributed by Tikimotel)

  • system: removed description support for ACL entries

  • system: brought back LDAP scope and authentication containers support

  • system: separate class for ui/api routing

  • firmware: pull update sets from ABI-specific directory

  • firmware: multiple tweaks in opnsense-update workflow

  • firmware: no longer track UUID in a crash report submission

  • firmware: pkg-audit to view current FreeBSD vulnerability report

  • firmware: changelog viewer with all older and newer releases

  • firmware: more intelligent plugin handling, e.g. detecting orphaned plugins

  • firmware: simplified update presentation and workflow

  • firmware: license viewer for installed packages

  • firewall: added alias selection to missing NAT elements

  • openvpn: add reneg-sec option to client exports

  • dnsmasq: fix 16.7.10 regression in host file handling

  • web proxy: make backend config plugin-friendly

  • plugins: fix a potential error in MPD5 plugins (contributed by Evgeny Bevz)

  • src: fix possible login(1) argument injection in telnetd(8) [2]

  • src: fix link_ntoa(3) buffer overflow in libc [3]

  • src: fix possible escape from bhyve(8) virtual machine [4]

  • src: fix extended descriptor regression with netmap(4) on em(4)

  • src: fix use-after-free bugs in pfsync(4)

  • src: tzdata updated to version 2016j

  • ports: openvpn 2.3.14 [5]

  • ports: phalcon 3.0.2 [6]

  • ports: suricata 3.2 [7]

List of hotfixes contained:

  • system: properly load crypto and thermal modules

16.7.10 (December 01, 2016)

Another week, another update. We are addressing two regressions caught by our users and update the ports to their latest versions including NTP, Squid, and strongSwan. As always, thank you for your support!

This update also enables console upgrades for the development version into the upcoming 17.1-BETA, which will be published right after we finish the WiFi configuration and the last known trouble with PHP 7.0 in the GUI pages. Please make sure you understand the implications of upgrading to BETA. Release notes will be published along with it as soon as it is out.

Here are the full patch notes:

  • system: revamped message of the day on console login

  • system: validate passed arguments instead of $_POST or $_REQUEST

  • system: merged VPN servers into get_possible_listen_ips()

  • system: repair French translation for user manager (contributed by Valentin Deville)

  • dashboard: do not arbitrarily split descriptions in services

  • firewall: added maximum fragments setting

  • dhcp: interface column for leases

  • ipsec: properly configure syslog output

  • dns forwarder: use plugin framework

  • dns forwarder: improve DHCP registration option

  • dns resolver: use plugin framework

  • dns resolver: improve DHCP registration option

  • universal plug and play: fix regression in rules anchor

  • radvd: mark interface used in case of interface tracking

  • radvd: do not inject local DNS server when there is no IP

  • radvd: match service running metric with how it works

  • captive portal: validate input of voucher validity and quantity

  • captive portal: add error message on failed validation (contributed by Fabian Franz)

  • netflow: added service control

  • ntp: use plugin framework

  • intrusion detection: rotate eve-log every 500 MB

  • web proxy: add FTP support back to remote ACL fetch

  • web proxy: performance improvements on ACL parse

  • web proxy: allow option to disable HTTPS verification

  • web proxy: enable remote ACL by default when creating it

  • plugins: allow Tinc to sync via XMLRPC

  • lang: updates for Czech, French and German

  • ports: pkg 1.9.3 upstream fetch patch [1]

  • ports: sqlite 3.15.1 [2]

  • ports: strongswan 5.5.1 [3]

  • ports: ntp 4.2.8p9 [4]

  • ports: squid 3.5.22 [5]

  • ports: flock 2.29

  • ports: syslogd 11.0

16.7.9 (November 22, 2016)

This week’s update is a pure maintenance release in preparation for the upcoming 17.1-BETA. A reboot is not necessary.

Here are the full patch notes:

  • system: prevent spurious error with LDAP authentication

  • system: call-site support for plugins_configure()

  • dashboard: firmware update check is now a direct link

  • insight: use ISO date in details selection

  • firewall: add a generic service reload button

  • firewall: move deprecated disablevpnrules option to IPsec settings

  • router advertisements: removed unused subnet settings

  • router advertisements: improved CARP usability

  • dhcp: static IPv6 entry domain support

  • dns resolver: fixed private address range (contributed by Tikimotel)

  • dns resolver: improved CARP usability with interface-automatic option

  • dns resolver: straightened out reload behaviour

  • dns forwarder: straightened out reload behaviour

  • web proxy: renamed from “proxy server” to avoid confusion

  • snmp: prepared move to plugins

  • igmp proxy: prepared move to plugins

  • load balancer: prepared move to plugins

  • upnp: straightened out reload behaviour

  • plugins: HAproxy “default certificate” parameter and advanced options (contributed by Frank Wall)

  • plugins: fix a warning in L2TP, PPTP and PPPoE server configure

  • mvc: allow menu to recognise “#” in URLs by ignoring it

  • mvc: fix a spurious API error on unused view render

  • mvc: added copy item command for GUI usage

  • mvc: fix sorting on array field

Stay safe, Your OPNsense team

16.7.8 (November 16, 2016)

Today we present to you the latest stable iteration of the 16.7 series focusing on improved reliability and security in all areas and major feature upgrades.

Big news this week are the inclusion of two new fully-featured plugins for Tinc VPN and FTP proxying, the latter being kindly sponsored by EURO-LOG AG [1] . Together with the community we are continuing the trend towards a comprehensive plugins environment based on top of our distinctive MVC GUI framework, with more plugins already in direct development.

Speaking of such, the MVC framework received fine-grained versioning and constraint support as well as a completely revamped API error handling and plugin-compatible authentication handling.

Last but not least, enclosed within are third-party software updates, most importantly the latest versions of LibreSSL, Bind, Sudo, OpenVPN, Suricata, PHP and Curl.

A reboot is not strictly necessary, but recommended.

Here are the full patch notes:

  • system: trigger xmlrpc sync before service action

  • system: header redirection security through url_safe()

  • system: “work in progress” indicator for service controls

  • system: always restart apinger to fix configuration apply

  • system: use Etc/UTC when timezone was removed from tzdata

  • system: fix infinite console menu loop on tty close (contributed by Stephane Lesimple)

  • system: SSH launcher rework

  • firmware: only do console update reboot when update went ok

  • firmware: improved usefulness of several GUI status messages

  • firmware: allow inline use of opnsense-update -t

  • firmware: allow to resolve ABI using opnsense-verify -a

  • interfaces: set txcsum6 and rxcsum6 like their IPv4 counterparts

  • firewall: traffic shaper address lists and inversion support

  • firewall: revamped bogons download and verification

  • firewall: properly set NAT reflection helper for IPv6

  • firewall: allow pluggable rules anchors

  • captive portal: increase the database timeout to 30 seconds

  • captive portal: allow custom values for voucher validity and quantity

  • captive portal: fix spurious error on successful login

  • dynamic dns: fix race in page, reminiscent of previous widget correction

  • dynamic dns: log r53 errors to system log file

  • intrusion detection: fix ET open ruleset content

  • openvpn: missing p2p shared key settings for local subnets

  • universal plug and play: prepare for move into plugins

  • mvc: implemented model constraints and migrations

  • mvc: improved error reporting of API failures (contributed by Per von Zweigbergk)

  • mvc: add spinner for row toggle (contributed by Frank Brendel)

  • mvc: pluggable authentication framework

  • mvc: added update-only field type

  • plugins: first release of FTP Proxy (contributed by Frank Brendel)

  • plugins: first release of Tinc VPN

  • ports: pkg 1.9.3 [2] [3] [4] [5]

  • ports: bind 9.10.4P4 [6]

  • ports: curl 7.51.0 [7]

  • ports: libressl 2.4.4 [8]

  • ports: lighttd 1.4.43 [9]

  • ports: openvpn 2.3.13 [10]

  • ports: pecl-radius 1.4.0b1 [11]

  • ports: php 5.6.28 [12]

  • ports: sudo 1.8.18p1 [13]

  • ports: suricata 3.1.3 [14]

16.7.7 (October 27, 2016)

This update brings several reliability and security improvements as usual. Our LibreSSL fans will notice the version 2.3 has finally been replaced with 2.4 and we switched to position independent executables in our base system to make good use of HardenedBSD ASLR.

Another hot topic is the addition of a Czech translation into the release. Many thanks to pavelb for making that happen!

Overall progress towards OPNsense 17.1 is steady: native PAM support is through the testing phase and major FreeBSD upgrade support is already enclosed within this very update. Our next step is the release of beta images some time during November.

Here are the full patch notes:

  • captive portal: add expire voucher option

  • intrusion detection: added support for compressed rule files

  • web proxy: basic auth support for remote ACLs

  • web proxy: fix ICAP config write for MIME-types (contributed by Fabian Franz)

  • ipsec: fix spacing and type for shared secrets on Windows 7+

  • ipsec: restart must only restart, not completely reconfigure

  • ipsec: correctly set 28673 option to “yes”

  • openvpn: reintroduce zip usage instead of 7z

  • interfaces: fix performance issues on status page

  • interfaces: fix ARP and NDP to show all entries

  • rc: revamp the handling of /boot/loader.conf to be fully pluggable

  • firmware: opnsense-update can now perform major FreeBSD updates

  • plugins: multiple fixes for HAProxy plugin (contributed by Frank Wall)

  • plugins: new PT research rule set intrusion detection plugin

  • lang: new language Czech at 54% completed (contributed by pavelb)

  • lang: updates for German and French

  • ports: libressl 2.4.3 [1]

  • ports: isc-dhcp 4.3.5 [2]

  • ports: php 5.6.27 [3]

  • ports: lighttpd 1.4.42 [4]

  • src: base system now uses position independent executables

  • src: tzdata updated to version 2016h [5]

  • src: revised dummynet patches for NAT, also includes IPv6 support

  • src: Fix bspatch heap overflow vulnerability [6]

  • src: Fix multiple libarchive vulnerabilities [7]

  • src: Fix virtual memory subsystem bugs [8]

  • src: Fix incorrect argument validation in sysarch(2) [9]

16.7.6 (October 11, 2016)

This update is preparation for the upcoming major release firmware upgrades, because FreeBSD 11.0 just came out (yay!). The intended target for this version is OPNsense 17.1, so it feels only natural to add the bits and bolts for it as early as possible. Seamless upgrades from any major release to the next is our mission. :)

A few security-related ports got updated to their latest versions and we have fixed the PSK-related IPsec regression that sneaked into 16.7.5.

Here are the full patch notes:

  • system: add language selection to initial wizard

  • system: allow disabling the root user

  • firmware: new mirror in Serbia (contributed by FourDots [1] )

  • firmware: assorted changes for upcoming major upgrade

  • interfaces: wait for DHCP6 client to properly exit

  • firewall: allow route-to to loopback gateways

  • openvpn: fix download of config file for iOS

  • ipsec: fix mobile / PSK regression of 16.7.5

  • intrusion detection: added syslog support

  • dns: improve forwarder interface listening generation

  • rc: silence backup warnings about stripped leading slashes

  • ports: bind 9.10.4-P3 [2]

  • ports: ca_root_nss 3.27.1 [3]

  • ports: libressl 2.3.8 [4]

  • ports: unbound 1.5.10 [5]

16.7.5 (September 28, 2016)

Now that we got the chance to ship not one, but two OpenSSL bumps at the same time we barely missed the LibreSSL updates. That is life. But we still have a few great things to offer this week.

First and foremost, users noted that the captive portal did not work with the transparent proxy. This lead to internal investigation into the operating system kernel itself, where a number of issues with using several packet filters in a row can lead to shortcuts in packet paths through the networking stack.

This circled back to a simple fix for the captive portal: you can now edit each zone to enable the proxy for HTTP (port 3128) or HTTPS (port 3129) for captive portal use without requiring the firewall redirect. You only have to make sure you actually have your captive portal interface set up as an interface in the proxy.

We will continue to look into the remaining kernel issues and give updates and calls for testing when we reach new milestones.

In other news, both OpenVPN and IPsec received several improvements for interoperability and the occasional bug with the missing firewall rules tab for their respective interfaces.

Here are the full patch notes:

  • captive portal: handle transparent proxy from within the zone configuration

  • openvpn: adapt to cipher output changes in OpenVPN 2.3.12

  • openvpn: improve plugin probing for virtual interface

  • openvpn: added missing IPv6 tunnel network to overrides

  • ipsec: human-readable format of authentication method in overview

  • ipsec: refine behaviour of enable/apply on main page

  • ipsec: deduplicate leftsubnet/rightsubnet for meshed IKEv2

  • ipsec: more elegant interface and service plugging

  • ipsec: added unmeshed “tunnel isolation” mode for IKEv2

  • ipsec: cleanup pass over backend code

  • ipsec: allow Camellia for IKEv2

  • ipsec: allow %any in phase 1

  • ipsec: allow EAP-MSCHAPV2

  • system: load if_bridge on boot to correctly set its sysctl values

  • system: do not explicitly call plugins_interfaces() anymore

  • services: DNS resolver translation fixes (contributed by Fabian Franz)

  • services: fix a race in the DynDNS widget display

  • ports: curl 7.50.3 [1] , sudo 1.8.18 [2] , php 5.6.26 [3] , openssl 1.0.2j [4] [5]

  • src: Multiple OpenSSL vulnerabilities [5]

  • src: updated tzdata to 2016f [6]

16.7.4 (September 22, 2016)

We are deliberately skipping waiting for OpenSSL to announce their new version today as the roundtrip time for incorporating patches and updates into FreeBSD and maybe also LibreSSL will likely delay an update to next week. We will simply do a 16.7.5 next week as well and let 16.7.4 stand on its own feet.

The prominent theme of this update is CARP. We have identified a number of issues with the way it was being set up and reverted the process back to what BSD standards recommend. We have a shiny new test lab to preview and scrutinise these changes in a larger environment. The tests were promising. Let us know what you think!

Another thing is the introduction of the Intel Gigabit driver plugin based on the stock driver code version 7.6.2 as multiple reports popped up regarding driver reliability. If you are having trouble with CARP or intrusion detection IPS mode with your em(4) driver, try installing the new plugin and reboot to activate.

The full list of changes is a follows:

  • system: SSH-enabled installer and associated changes

  • system: deprecate DSA keys as per OpenSSH recommendation

  • system: reworked config import / export for consistency

  • system: reboot after config import is now selectable

  • system: fix improper escape of HTML entities in log file filter

  • system: handle legal boolean return result from searchUsers() (contributed by Evgeny Bevz)

  • system: add dynamic DNS update to cron

  • system: fix race in php.ini setup

  • system: always keep repository configurations on core package deinstall

  • system: properly trigger filter reload on HA peer

  • system: add ordering to rc.syshook scripting facility

  • system: add missing parameter for LDAPS authentication server

  • firewall: change CARP to operate using BSD standards to fix several edge cases and reported issues

  • firewall: fix validation of redirection in NAT

  • firewall: redirect target IP selection can now use aliases

  • firewall: simplify empty rules message in interface rules tabs

  • interfaces: do not attempt to fix the MAC address of a broken NIC

  • interfaces: adapt validation of PPP to not require idle timeout to be set

  • interfaces: add missing help toggle to settings page

  • services: DHCP lease pages show MAC manufacturers without Nmap install

  • services: improve cleanup of multiple captive portal zones

  • services: fix writing empty DNS resolver ACL

  • reporting: automatic database repair added

  • lang: translation improvements (contributed by Simon Brunet, Antonio Prado and Fabian Franz)

  • lang: updates for French, German, Italian and Spanish

  • plugins: add stock Intel e1000 driver version 7.6.2 a “os-intel-em” (requires a reboot)

  • plugins: lower early start priorities of VMware and Xen plugins

  • ports: haproxy 1.6.9 [1] , hyperscan 4.3.1 [2] , suricata 3.1.2 [3] , phalcon 3.0.1 [4] , samplicator 1.3.8rc1

16.7.3 (August 31, 2016)

We bring to your attention this update with a batch of enhancements and the occasional bugfix intertwined. It is interesting to note that the enhancements vs. bugfix ratio is as high as 5:1. :)

Brand new is the general availability of the Italian translation thanks to the work of Antonio Prado. The work is still ongoing and all help is highly appreciated. Also, the web font has been updated to enhance display of Cyrillic letters. We just love fostering the translations!

Here are the full patch notes:

  • system: allow selection of secondary console

  • system: added EFI as a console option

  • system: fixed status display of tiered gateway groups

  • system: allow to configure sudo(8) usage for administrators

  • system: package manager can no longer uninstall the GUI package (marked as “vital”)

  • system: also beep on factory reset

  • system: added opnsense-code command line utility

  • interfaces: do not store packet captures in /root

  • interfaces: sort interface listings by name only

  • interfaces: do not prevent configuring an IP used by the PPTP and L2TP plugins

  • firewall: add normalisation options for source port and direction

  • firewall: improved parsing of alias input

  • firewall: fixed nesting of aliases with underscores in their names

  • openvpn: fix script mismatch on export page

  • openvpn: added reneg-sec option to server to allow persistent TOTP sessions

  • openvpn: added option to prevent usage of username-as-common-name

  • services: fix WOL widget link

  • services: aligned backend calls of DNS and DHCP

  • services: fix writing of DNS resolver host entries

  • services: simplify configuring of DNS resolver listening addresses

  • services: allow proxy to match against SSL URLs only (contributed by Fabio Mello)

  • lang: updated Source Sans Pro font to improve the Cyrillic experience

  • lang: Italian is now a release language (contributed by Antonio Prado)

  • lang: minor updates for Russian (contributed by Smart-Soft)

  • lang: minor updates for German and French

  • ports: haproxy 1.6.8 [1]

  • ports: php 5.6.25 [2]

  • ports: sqlite 3.14.1 [3]

  • ports: openvpn 2.3.12 [4]

  • ports: libxml 2.9.4 [5]

16.7.2 (August 18, 2016)

The release schedule is being stretched bit by bit to see how long we can go without an update. Well, we did not want wait any longer to share with you the following bits… so here they are. ;)

FreeBSD incorporated several reliability fixes for Hyper-V and we had to back out an ICMP stable commit that was not fully working for trace route output over the network. There are several important ports updates, namely Lighttpd, Strongswan and OpenSSH all brought to their latest versions.

On our side, multi-point VPN plugins have been corrected to properly group to their respective firewall rule interface. For anyone waiting to migrate their VPNs from 16.1.20 to 16.7, now is the time to do so! Also, the stale OpenVPN windows binaries have been removed. Note that we gracefully support configuration file export in several formats.

Here are the full patch notes:

  • src: revert fix ICMP translation in pf [1]

  • src: better handle unknown options received from a DHCP server [2]

  • src: void using spin locks for channel message locks [3]

  • src: enable INQUIRY result check only on Windows 10 host systems [4]

  • src: register time counter early enough for TSC freq calibration [5]

  • src: disable incorrect callout in hv_storvsc(4) [6]

  • src: better handle the GPADL setup failure in Hyper-V [7]

  • src: fix SCSI INQUIRY checks and error handling [8]

  • ports: lighttpd 1.4.41 [9] , strongswan 5.5.0 [10] , curl 7.50.1 [11]

  • ports: ca_root_nss 3.26, openssh 7.3p1 [12]

  • ports: enabled LDAP SASL bindings

  • system: remove source maps to prevent further Chrome breakage during API calls

  • system: switch to individual registration of PHP extensions

  • system: added UO field to CSR

  • interfaces: properly remove PPPoE server from list of firewall interfaces when deactivated

  • interfaces: extended logging for 4G modems

  • interfaces: correct download of large packet captures

  • interfaces: add lacp_fast_timeout flag support for LAGG

  • interfaces: fix clearing the DHCP config file when override file is gone

  • interfaces: improve dmesg probe on interface listing (contributed by Per von Zweigbergk)

  • firewall: double-check file availability after alias URL download

  • services: corrected DNS forwarder settings save in mobile layout

  • dashboard: fix gateway widget status text update

  • plugins: corrected firewall interface usage for multi-point VPNs

  • vpn: removed the stale OpenVPN windows installer binaries

  • vpn: default to IPsec main mode

  • lang: assorted translation fixes (contributed by Fabian Franz and Antonio Prado)

  • lang: translation updates for Chinese, French, German and Japanese

16.7.1 (August 02, 2016)

Thanks again for the warm welcome of the 16.7 series! The feedback has been overwhelming, quite positively so. It was partly addressed in to be released code, shall be weaved into the upcoming roadmap or will be further discussed in our forums. Every wee bit counts on our way to 17.1. :)

This release addresses a pressing issue with the Intel e1000 driver in conjunction with IPS mode. For now, a piece of code that went into FreeBSD 10.3 has been reverted to bring back stability, but we are working with the author on a more permanent solution.

Here are the full patch notes:

  • system: default config now disables hardware offloading features

  • system: prevent carp demotion on sender and pfsync failures

  • firewall: removed obsolete reflection timeout value

  • firewall: added logging option for outbound NAT

  • firewall: fix interface address IPv6 outbound NAT

  • firewall: fix one-to-one copy feature

  • firewall: execute custom scrub rules before auto-generated rules

  • firmware: fixed race on base / kernel fetch

  • firmware: revoke the obsoleted 16.1 update fingerprint

  • interfaces: allow default route on multi-WAN PPPoE

  • interfaces: allow to set txpower for WiFi adapters

  • interfaces: allow backwards-compatible interface enable

  • vpn: fix faulty IPSec authenticator selection in phase 1

  • mvc: add missing CRL type in certificates cache

  • mvc: set robots meta to nofollow, noindex

  • mvc: always show logout button in menu

  • src: fix bspatch heap overflow vulnerability [1]

  • src: fix ICMP translation in pf

  • src: revert extended descriptor format for em(4) [2]

  • src: lower spurious log notice to debug in rtsold

  • plugins: os-haproxy 1.4 (contributed by Frank Wall)

  • ports: libressl 2.3.7 [3]

16.7 (July 28, 2016)

It is time for the next major iteration in open-source security! After 6 months and 20 minor releases we hereby declare the general availability of OPNsense 16.7, nicknamed “Dancing Dolphin”. The highlights of this major release include:

  • Suricata 3.1.1 with Intel Hyperscan support

  • NetFlow-based reporting and export

  • Traffic shaping using CoDel / FQ-CoDel

  • Two-factor authentication based on RFC 6238 (TOTP)

  • HTTPS and ICAP support in the proxy server

  • FreeBSD 10.3 with full integration of HardenedBSD ASLR

  • UEFI boot and installation modes

  • Substantial updates to our language packs: Japanese, Russian, German, French, Chinese

We thank all contributors, testers and users for their relentless support and invaluable feedback. The release candidate phase has been the most fun we have had so far. :)

Attention: An incompatibility in Chrome may prevent the firmware update from running. Try a different browser to upgrade to 16.7 where a workaround has been added to avoid the problem in the future.

All images can be found on the mirrors below with checksums attached to the end of this announcement:


Please stay in touch, tell us what you think about OPNsense and how we can improve it further! You can find us in any of these popular locations:

Lastly, here are the full changes since 16.7-RC2:

  • installer: fix UI glitch with overlong disk name selections

  • installer: warn on low RAM as install phase can fail

  • ports: suricata 3.1.1 [1] , php 5.6.24 [2]

  • system: Etc/UTC is now the default time zone

  • system: prevent user from deleting itself

  • interfaces: register groups in the system immediately

  • firmware: add subscription option for private repositories [3]

  • firmware: work around API POST problem on Chrome by deleting css source map pointer

  • firewall: allow cron to set arbitrary syslog times for alias updates

  • proxy: add syslog target for access_log

  • reporting: can now individually flush health reports

  • reporting: can now flush insight and NetFlow data

  • reporting: translate interface names on health page

  • reporting: shut down insight service on backup to prevent database corruption

  • lang: Russian is now 97% completed (contributed by Smart-Soft)

  • lang: minor updates in all other languages

# SHA256 (OPNsense-16.7-OpenSSL-cdrom-amd64.iso.bz2) = 3808ebf4519beef9122f32b2919c9fad337efd4971529621c6d4a7eede7433db
# SHA256 (OPNsense-16.7-OpenSSL-nano-amd64.img.bz2) = 48e70fc263efeb27c8d8ac0f6e3284505833977f3ba2dfe200d83109cd0ce511
# SHA256 (OPNsense-16.7-OpenSSL-serial-amd64.img.bz2) = 2346cb43389600f544505c48b4fc8c1648e74eae457f97ca6ae613c6b4ca8482
# SHA256 (OPNsense-16.7-OpenSSL-vga-amd64.img.bz2) = 0c93d516a33b0a33fb9f98e7709d3270d472fa96136611751bcbf795c399a95a
# SHA256 (OPNsense-16.7-OpenSSL-cdrom-i386.iso.bz2) = 9a1e7c13c9ed70fdc758781048ef8806c44e375bfeb1c7b788602e38b9d635cf
# SHA256 (OPNsense-16.7-OpenSSL-nano-i386.img.bz2) = 3a6c47927c3005714eddeadcab21a5833394e09cd3516e576a61d5f257b8fdc4
# SHA256 (OPNsense-16.7-OpenSSL-serial-i386.img.bz2) = b193c21dec852aaf90d1172c7d41ac63e403ff6c832a10217daea03d2d1725b0
# SHA256 (OPNsense-16.7-OpenSSL-vga-i386.img.bz2) = 086cc24ca8eed27e504cdc1b48e15f8bf5640304f3f8874938d0973b72a47b9a
# MD5 (OPNsense-16.7-OpenSSL-cdrom-amd64.iso.bz2) = 96a11a6892bde8b1d10a45b39f2fa47e
# MD5 (OPNsense-16.7-OpenSSL-nano-amd64.img.bz2) = 21e94d5ebf3fba92d71ff5a3074f0f29
# MD5 (OPNsense-16.7-OpenSSL-serial-amd64.img.bz2) = bcaa7d4cf5a9bb29bc7fa32a8fcfb2b7
# MD5 (OPNsense-16.7-OpenSSL-vga-amd64.img.bz2) = 8149bad48d1825cbb8641d9d1f4f1bc3
# MD5 (OPNsense-16.7-OpenSSL-cdrom-i386.iso.bz2) = f7136f20169b746e95ffdd867ee40ce3
# MD5 (OPNsense-16.7-OpenSSL-nano-i386.img.bz2) = a9c9fe086b015bf13fa32d201940b80f
# MD5 (OPNsense-16.7-OpenSSL-serial-i386.img.bz2) = fc5c6e39b2c2017290f67a12605e9924
# MD5 (OPNsense-16.7-OpenSSL-vga-i386.img.bz2) = 292ef2aaa10853264cc8045c857b4e67

16.7.r2 (July 14, 2016)

16.7-RC2 is here and brings major additions to amd64 architectures: Intel Hyperscan library to speed up Suricata rule matching and UEFI boot support! It also brings language packs to their correct 16.7 state, with Japanese already having been completed by the amazing Chie Taguchi.

The mirrors have been expanded to allow trackers of -stable or -devel packages to upgrade to the release candidate. Users of LibreSSL wanting to upgrade can now switch to OpenSSL instead of seeing upgrade errors until LibreSSL becomes available again and their systems move back to LibreSSL automatically.

Otherwise, only minor issues have been reported and fixed. This likely means there will not be another release candidate.

New images are available from all known mirrors, checksums are found below:


Here is the list of all changes since 16.7-RC1:

  • vga: UEFI boot support on amd64

  • cdrom: UEFI boot support on amd64

  • nano: firmware is now always fetched to persistent storage

  • ports: python 2.7.12 [1] , squid 3.5.20 [2] , pkg 1.8.7 [3] , hyperscan 4.2.0 [4]

  • installer: allow installation on /dev/raid devices

  • installer: added a welcome message

  • installer: added GPT/UEFI mode on amd64

  • lang: only allow to select stable languages

  • lang: first update for 16.7 with full Japanese translation (contributed by Chie Taguchi)

  • lang: numerous cleanups in translations (contributed by Fabian Franz)

  • interfaces: correctly restart all running DNS services on interface reload

  • interfaces: properly configure OpenVPN interfaces on bootup

  • interfaces: fix iteration over empty interface array

  • interfaces: do not show dhcpd6 service when prefix delegation is not enabled

  • openvpn: repaired status page to show service status

  • openvpn: refactored scripting in export page

  • firmware: enable trim even for GPT/UFS labeled root file systems

  • firmware: removed / disabled defunct mirrors

  • firmware: removed deprecated status.php page

  • intrusion detection: allow to select pattern matcher, e.g. Intel Hyperscan

  • wizard: fix misalignment on page titles and contents

  • firewall: fix missing dependency in alias download script

  • firewall: correctly skip “//” type comments in remote alias files

  • firewall: validate IP or alias in NPT source / destination

  • proxy: do not escape output twice in page

  • proxy: move ACL parts to separate file and allow pre and post hooks

# SHA256 (OPNsense-16.7.r2-OpenSSL-cdrom-amd64.iso.bz2) = ebf55f742bf096a14702726f4a959bec40092e41fc718481b6ed6c1a0d173233
# SHA256 (OPNsense-16.7.r2-OpenSSL-nano-amd64.img.bz2) = 95bc2671d97937f03492a46f7eae1ff3f18e9ccbae4b50016d0566025e1fbfea
# SHA256 (OPNsense-16.7.r2-OpenSSL-serial-amd64.img.bz2) = bc96863150c534c1edf5a9f525382122b28b01dd27df3e3b1dea89a6c941c031
# SHA256 (OPNsense-16.7.r2-OpenSSL-vga-amd64.img.bz2) = 8a1d5e5bf90c3cedd81527152c76911d09121dbd98de37d9c5b981191b827812
# SHA256 (OPNsense-16.7.r2-OpenSSL-cdrom-i386.iso.bz2) = b8aa7c28d3fe7d76eb0bdf5f02c9d14bea42364587e0bd81adb461430a1eb018
# SHA256 (OPNsense-16.7.r2-OpenSSL-nano-i386.img.bz2) = 6f017b73c0e850054fbc43a409942c0855fea0a2e10fdf43a6e5b009211cdd00
# SHA256 (OPNsense-16.7.r2-OpenSSL-serial-i386.img.bz2) = 9558be99ebf9b54d6350108a9ff237c2fbc87f4f80a1ac8a3297819c44a56de0
# SHA256 (OPNsense-16.7.r2-OpenSSL-vga-i386.img.bz2) = f0cbdff9765138106f6f055de53fc810ed48e5a15f0def795dc6039351a39368
# MD5 (OPNsense-16.7.r2-OpenSSL-cdrom-amd64.iso.bz2) = cc1522078c8eb3bdca5ee4423ffef828
# MD5 (OPNsense-16.7.r2-OpenSSL-nano-amd64.img.bz2) = 64a3c7debe67366a28dcefaeaa7599fa
# MD5 (OPNsense-16.7.r2-OpenSSL-serial-amd64.img.bz2) = 04a05db79ac1b4a64a216e94b59bc0f6
# MD5 (OPNsense-16.7.r2-OpenSSL-vga-amd64.img.bz2) = 720441975be264eb9930b894b604fe62
# MD5 (OPNsense-16.7.r2-OpenSSL-cdrom-i386.iso.bz2) = 9d38019afe7c0c549fd250e193ea18a2
# MD5 (OPNsense-16.7.r2-OpenSSL-nano-i386.img.bz2) = 8b094505b7e73c675e3591ff1307f5cf
# MD5 (OPNsense-16.7.r2-OpenSSL-serial-i386.img.bz2) = b4b7f1cb56d7fff74cc72d7786cc2a63
# MD5 (OPNsense-16.7.r2-OpenSSL-vga-i386.img.bz2) = a85285bc4873ae56c3d6e721c1f7c064

16.7.r1 (July 04, 2016)

It has been 5 months since 16.1 came out. Since then, over 1500 commits and 18 stable releases have continuously improved and enhanced the project. Since then, thousands of new users have joined. And, since then, our new documentation has been extended and tweaked with numerous guides, explanations and answers to your questions.

The cumulation of these efforts is this announcement of the first release candidate for 16.7. Images are being provided to encourage to try these in a fresh setting, but the config import in the installer and the GUI work as usual so that migration is simple. Checksums for the images can be found below. VGA images have been omitted to permit work on the UEFI variant in the meantime.


The RC cycle will end in a month with the actual 16.7 release so that early birds will not have to reinstall afterwards. Remember: feedback is key in this phase, feel free to contact us in any way you like and let us make 16.7 grand together.

Here is our list of major features that were worked on since 16.1:

  • SSL fingerprinting / blacklisting in the IDS/IPS

  • Firewall rules category tags for easy filtering

  • CPU temperature graph in system health

  • Custom mirror support for firmware upgrades

  • OpenVPN client-specific overrides can now be bound to selected servers

  • Added RFC 4638 support (MTU > 1492 in PPPoE)

  • NTP can now be disabled if required

  • New category-based remote ACL support in proxy server

  • ICAP configuration aded to proxy server

  • Pluggable service infrastructure

  • Pluggable syslog infrastructure

  • Finished a full sweep of visible GUI pages for improved look and feel

  • HTTPS proxy support

  • Russian translations 100% completed

  • NetFlow export to multiple remote destinations

  • NetFlow local reporting frontend

  • PPTP, L2TP and PPPoE Servers ported to MPD5

  • HAProxy plugin

  • Traffic shaping with CoDel / FQ-CoDel

  • Firewall alias geolocation support

  • Cron GUI and API

  • Japanese translations 100% completed

  • Dashboard revamp with multi-column support, drag and drop and mini API

  • RFC 6238 (TOTP) support for two-factor authentication

  • HardenedBSD ASLR implementation

  • High availability page for remote service status and start/stop/restart

  • API commands for remote reboot and power off

  • Firmware page resume support and cron-based “nightly” updates

  • opnsense-patch, the tremendously nifty patching tool

  • Traffic graphs frontend has been replaced by a modern alternative

  • PPTP, L2TP and PPPoE Servers are now individual plugins no longer found in the default installation

  • Pluggable interface infrastructure

  • New firewall GUI page for custom scrubbing rules (normalisation)

  • Removal of proxy-based NAT reflection

  • No more custom PHP modules

  • FreeBSD 10.3

  • Suricata 3.1

# SHA256 (OPNsense-16.7.r1-OpenSSL-cdrom-amd64.iso.bz2) = d5db6f91221121ab2e0efb962e9aa08ec095977e733a74f4e797d81329a4a1b7
# SHA256 (OPNsense-16.7.r1-OpenSSL-nano-amd64.img.bz2) = 596aa7468850a1857140bc3373650556b53bdde73fa1ac7cc639a868f4a0bcc7
# SHA256 (OPNsense-16.7.r1-OpenSSL-serial-amd64.img.bz2) = c28f7eebb6b56e91152bd21dee6a741ad09732d144af05c9a5099da12961531f
# SHA256 (OPNsense-16.7.r1-OpenSSL-cdrom-i386.iso.bz2) = fcac3e7aad5c09ed4f5352dc125cd00e200616bc77a47fa3ce4cf04826fc0970
# SHA256 (OPNsense-16.7.r1-OpenSSL-nano-i386.img.bz2) = 6a22e438ef30f7611df835ca53b0e0087d7eda3137f41224d2ee9e0d01d9ffe4
# SHA256 (OPNsense-16.7.r1-OpenSSL-serial-i386.img.bz2) = aeb5502a81520f7398187635d0426630034c276491fa32512e5702eb73d8525f
# MD5 (OPNsense-16.7.r1-OpenSSL-cdrom-amd64.iso.bz2) = 5a440e46e841d3c4c05bdb8ee6566fe6
# MD5 (OPNsense-16.7.r1-OpenSSL-nano-amd64.img.bz2) = 13ccbcf88b1b5338ccba7440526f146f
# MD5 (OPNsense-16.7.r1-OpenSSL-serial-amd64.img.bz2) = 97a3c5e08c4cecff62c5c63d5e29dda0
# MD5 (OPNsense-16.7.r1-OpenSSL-cdrom-i386.iso.bz2) = 8cced3f828d063ac237d96f32a8bb2e3
# MD5 (OPNsense-16.7.r1-OpenSSL-nano-i386.img.bz2) = 2f38a263a2f0ed2071d5698e31eeb30f
# MD5 (OPNsense-16.7.r1-OpenSSL-serial-i386.img.bz2) = 397a54eb4a51f5703b8ec3062afbcef0