23.1 “Quintessential Quail” Series¶
For more than 8 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
23.1, nicknamed “Quintessential Quail”, features Unbound DNS statistics with a blocklist rewrite in Python, improved WAN SLAAC operability, firewall alias BGP ASN type support, PHP 8.1, assorted FreeBSD networking updates, MVC/API pages for packet capture/virtual IPs/IPsec connection management, IPsec configuration file migration to swanctl.conf, new sslh plugin, ddclient custom backend support (including Azure), WireGuard kernel module plugin variant as the new default plus much more.
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/
South America: http://mirror.ueb.edu.ec/opnsense/releases/23.1/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.1/
Full mirror list: https://opnsense.org/download/
23.1.11 (June 28, 2023)¶
So this is the end of life release for the 23.1 series which includes the recent FreeBSD advisories as well as plugin support for Zabbix 6.4.
We have finished the OpenVPN MVC “instances” for anyone who is interested in a preview using the current development release. FreeBSD 13.2 side looks ready so we will be releasing 23.7-RC1 some time in the second half of July. The final 23.7 release is scheduled for July 31. The upgrade path from 23.1 will be enabled shortly after the new major release, but can take up to 24 hours due to testing and mirror propagation. Please do not despair. ;)
Here are the full patch notes:
system: add RADIUS authentication support for MSCHAPv2 using Crypt_CHAP_MSv2()
system: propagate error in rc.syshook scripts
dhcp: validate client hostnames in Dnsmasq/Unbound lease watchers
firmware: automatic kernel upgrade after reboot like base and package stages
firmware: sticky advanced mode if flavour is set to non-default
intrusion detection: add missing typecast in getAlertLogsAction()
mvc: fix locking regression that caused bulk changes to not being rendered correctly
plugins: os-zabbix-agent plugin variant for Zabbix 6.4
plugins: os-zabbix-proxy plugin variant for Zabbix 6.4
src: axgbe: account for 4 SFP ports during GPIO expander check
src: ipsec: make algorithm tables read-only
src: mpr: fix copying of event_mask [1]
src: pam_krb5: fix spoofing vulnerability [2]
src: loader: comconsole: do not unconditionally wipe out hw.uart.console [3]
src: contrib/tzdata: import tzdata 2023c [4]
src: ixgbe: change if condition for RSS and rxcsum
src: pf: fix pf_nv##_array() size check
src: e1000: fix VLAN 0
ports: py-setuptools fix for CVE-2022-40897
A hotfix release was issued as 23.1.11_1:
firmware: enable upgrade path to 23.7
ports: openssh 9.3p2 [5]
A hotfix release was issued as 23.1.11_2:
unbound: enable migration of Unbound DNS reports
23.1.10 (June 22, 2023)¶
As summer is approaching we release this minor update in preparation for the upcoming 23.7 series. We are planning the upgrade to FreeBSD 13.2 as well as offering an MVC variant of the OpenVPN integration amongst many other improvements some of which already shipped in previous 23.1.x releases.
There may be another kernel update before the final 23.7 arrives but that is for next week to decide. For now enjoy the sun and stay hydrated!
Here are the full patch notes:
system: do not delete dpinger PID file
system: improve RRD collector PID/service handling
system: do not touch /var/run/booting if it exists (contributed by William Desportes)
system: do a full transition on gateway group apply
system: automatically create core dump with installed debug kernel
interfaces: minor fixes in IP address status read
interfaces: additions for legacy_interface_stats()
interfaces: use interfaces_primary_address() during IPv4 renewal
firewall: remove duplicate table definitions
firewall: prevent VIP address adding /32 on IPv6 rule selection
dhcp: fix IPv6 lease page undefined vars and other issues
dhcp: share DUID parsing code via dhcpd_parse_duid()
dhcp: revamp the prefix route handling also adding support for statically mapped downstream routers
firmware: opnsense-update: move -K option to -x
firmware: opnsense-update: support deferred kernel set install
firmware: opnsense-update: use -w option with -a option in fetch(1)
firmware: opnsense-update: ensure kernel directory consistency
firmware: shift subscription key extract to “-x” option
firmware: use post-upgrade hook and stage kernel as well for clean abort
firmware: sort plugins before store
monit: fix “not on” validation
openvpn: fix typo in widget for client timestamp display
web proxy: syslog parsing cleanup
ui: remove noodp and noydir from HTML meta robots tag (contributed by William Desportes)
plugins: os-crowdsec 1.0.6 [1]
plugins: os-nginx 1.32.1 [2]
ports: curl 8.1.2 [3]
ports: krb5 1.21 [4]
ports: nss 3.90 [5]
ports: ntp 4.2.8p17 [6]
ports: openssl 1.1.1u [7]
ports: openvpn 2.6.5 [8]
ports: phalcon 5.2.2 [9]
ports: php 8.1.20 [10]
ports: python 3.9.17 [11]
ports: squid 5.9 [12]
ports: strongswan upstream fix for VICI stalls [13]
ports: suricata 6.0.13 [14]
A hotfix release was issued as 23.1.10_1:
firewall: align rule validation with port forward validation
plugins: os-nginx fix for missing load_module directive after nginx update to 1.24
23.1.9 (May 31, 2023)¶
A small update to improve stability with multiple delegated prefixes from DHCPv6 connectivity as well as proper “no binding” handling in the DHCPv6 client itself. Internally, the backend service has been refactored to allow for future additions, but no visible functionality changes have been done.
Still pretty happy with the IPsec connections MVC pages introduced in 23.1 so we would like to apply the same approach to OpenVPN for 23.7 and it is going to land in the next development version most likely for a sneak preview.
Here are the full patch notes:
system: fix MVC service page with ID-based reload like OpenVPN
system: fix issue with route add command for far gateway static route (contributed by Daniel Mason)
system: improve static routes error handling
system: fix a typo and align “attribute” use in gateway edit page
system: pluginctl: service mode can now batch-reload services when existing ID is omitted
firewall: simplify rule edit layout slightly and fix unused element ID
dhcp: remove ::/64 magic as it uses AdvRouterAddr yes
interfaces: deal with RENEW and REBIND only reporting partial PDINFO
ipsec: support the default selector ([dynamic]) when local_ts or remote_ts are left empty in connections
backend: improved nested command support, reorganise action types, use ActionFactory to offer the requested type
backend: add “getUtcTime” template helper function
ports: curl 8.1.1 [1]
ports: dhcp6c 20230530
ports: lighttpd 1.4.71 [2]
ports: openssh 9.3p1 [3]
ports: sqlite 3.42.0 [4]
ports: syslog-ng 4.2.0 [5]
23.1.8 (May 25, 2023)¶
This update improves IPv6 connectivity, extends module support for the axgbe network driver and fixes a panic with IPv6 refragmentation over policy-based routes amongst others.
We are currently testing FreeBSD 13.2 for the upcoming OPNsense 23.7 and it looks promising. Watch out for roadmap updates over the next few weeks as more MVC page conversions are being carried out.
Here are the full patch notes:
system: calling return_down_gateways() depends on default gateway switch setting
system: open new session if missing to prevent spurious CRSF errors in static pages
system: add device hint to empty interface address message in case of mismatch during default route attempt
system: add kernel messages to the general system log
system: make sure routing log messages all use “ROUTING:” prefix
system: print warning for duplicated gateway name
system: prefix API key filename with FQDN of this host
interfaces: deal with “prefixv6” as an array
interfaces: improve address cleanup when handling VIP modifications
interfaces: explicitly report current IP address during renewal avoidance
interfaces: patch in appropriate rebind/renew DHCPv6 handling
interfaces: for static “Use IPv4 connectivity” on PPPoE bring up IPv6 routes as well
interfaces: ifctl: fix typo causing content to be printed while adding it
interfaces: ifctl: avoid null route on fragile /64 prefix delegation
interfaces: ifctl: do not flush name server routes
firewall: add “set debug” and “set keepcounters” options to advanced options
dhcp: provide run task “static_mapping” to avoid polluting unrelated plugins
dnsmasq: use new run task “static_mapping” to collect static mappings from DHCP
firmware: show support tiers in plugin list
firmware: now that we have a full data model do not overdo cleanup during plugin registration
intrusion detection: minor performance improvements when parsing metadata from rules
openvpn: fix a warning by passing a desirable empty input containing a slash
unbound: fix migration edge case in model version 1.0.3
unbound: remove DNS blocklist start syshook causing an unnecessary download during bootup
unbound: when called via GET during override creation encode using URLSearchParams()
wizard: do not end up duplicating WAN_GW entry
mvc: add CIDRToMask() to utilities
mvc: prevent config restore when writer has flushed or partly written the file
mvc: format BaseModel logger to avoid duplicate timestamps
plugins: os-crowdsec 1.0.5 [1]
plugins: os-acme-client 3.17 [2]
src: axgbe: fix link issues for gigabit external SFP PHYs and 100/1000 fiber modules
src: axgbe: apply RRC to miibus attached PHYs and add support for variable bitrate 25G SFP+ DACs
src: axgbe: properly release resource in error case
src: ifconfig: improve VLAN identifier parsing
src: pfsync: hold b_mtx for callout_stop(pd_tmo)
src: pf: remove pd_refs from pfsync
src: pf: deal with KPI change bug on stable/13 by redirecting otherwise crashing traffic through ip6_output()
ports: curl 8.1.0 [3]
ports: dhcp6c 20230523
ports: lighttpd 1.4.70 [4]
ports: nss 3.89.1 [5]
ports: openvpn 2.6.4 [6]
ports: php 8.1.19 [7]
ports: suricata 6.0.12 [8]
23.1.7 (May 04, 2023)¶
Today we switch to OpenVPN 2.6 including deferred authentication which we know some people have been waiting for. The routing subsystem received a refactor to integrate default gateway switching into the actual routing code.
Suricata was finally updated to a newer release since the Netmap (IPS) stall bug inside their code had been found and fixed while we were still using an older code base that did not have the error.
Please also note that OpenVPN does no longer support the XOR feature due to FreeBSD ports blocking these types of out-of-project contributions and OpenVPN itself was never interested in supporting it natively. We have been keeping this alive since 2015, but several alternatives exist now that were not available back then.
Here are the full patch notes:
system: restructure routing to carry out default gateway switching and address family specific reconfig
system: prevent PHP session garbage collection from running early (contributed by lin-xianming)
system: finish simplifying plugins_run()
firewall: add missing scrub rules in dependency check for alias use
firewall: usability improvements and cleanups in scheduler pages (contributed by kuya1284)
interfaces: ensure single PPP netgraph node has the proper name
interfaces: reject invalid self-assignments in VLAN parent
interfaces: migrate trace route page to MVC/API
interfaces: migrate port probe page to MVC/API
interfaces: remove indirection in PPP ports handling
interfaces: exclude a few cases from PPPoEv6 negotiation
reporting: fix incorrect interface index in NetFlow init (contributed by Nicolas Thumann)
dhcp: restart radvd on config changes, otherwise keep SIGHUP
dhcp: when cleaning up static leases do not remove entries where only a MAC address is set
firmware: update size requirements for major upgrades from command line
firmware: embed build metadata into package annotations for use in runtime remote queries
firmware: fix execution of version queries when not possible
firmware: revoke 22.7 fingerprint
openvpn: fix two widget display issues
openvpn: use CARP INIT state the same way as BACKUP state for client start/stop
openvpn: enable deferred authentication (sponsored by m.a.x. it)
unbound: minor improvements to handle “Dot” endpoints ambiguity
web proxy: allow more signs for username and password (contributed by Bi0T1N)
mvc: change Phalcon logging to omit type and date
mvc: add strict option to NetworkField
ui: prevent crashing out when endpoint does not return data for SimpleActionButton
plugins: os-ddclient 1.13 [1]
plugins: os-stunnel fix for missing OpenSSL CRL functions
plugins: os-smart fix for highlighting result (contributed by Justin Horton)
ports: libxml 2.10.4 [2]
ports: openvpn 2.6.3 [3]
ports: sqlite 3.41.2 [4]
ports: suricata 6.0.11 [5]
ports: syslog-ng 4.1.1 [6]
A hotfix release was issued as 23.1.7_3:
system: fix a typo in monitor script preventing filter/routes reconfiguration
system: improve monitor alarm situation by not reloading monitors
openvpn: force the interface down before reconfiguration to work around a probable regression
23.1.6 (April 20, 2023)¶
Two major improvements being shipped today are standalone core DNS support for Bind and Dnscrypt-Proxy plugins as well as OpenVPN group firewall alias type. The latter makes it easier to manage distinct policies for connected VPN users. For more details please refer to the documentation listed below.
The other honorable mention is the netmap work we have been doing with Zenarmor and Klara on the FreeBSD kernel side which brings bridge device support as well as a considerable improvement to the emulated mode where several packet stalls and mbuf leaks have been identified and subsequently fixed. This should have an operational impact on Suricata (IPS mode) and Zenarmor. The state is much better now but please do not hesitate to contact us about issues that you might still be having with netmap-based packet flows as the topic is a rather complex one.
Orange FR users be aware that your ISP now requires strict VLAN PCP on all DHCPv4 requests so please now set ‘Use VLAN priority’ interface setting for both DHCPv4 and DHCPv6. The ‘Option Modifiers’ override for “vlan-pcp” in DHCPv4 can be removed.
Here are the full patch notes:
system: register DNS service ports for unified use across core and plugins
system: serialize deferred requests for web GUI restart
system: relocate API messages to backend log target as they currently end up in captive portal logs
system: remove /31 subnet restriction in wizard
system: use data attribute to find existing rows in service widget to avoid special character issues (contributed by Alexander O’Mara)
system: allow non-system group delete after faulty PHP 8 warning fix (contributed by kulikov-a)
system: handle empty DNS server gateway (contributed by Nicolas Thumann)
reporting: translate invalid interface name characters for NetFlow/Netgraph use
reporting: sort interfaces by description in health graphs
interfaces: ping diagnostic tool was rewritten using MVC/API
interfaces: allow to set PCP value on IPv4 DHCP traffic to address recent Orange FR changes
firewall: allow to create aliases for logged-in OpenVPN users [1]
firewall: leave out fractional seconds from timestamps in aliases
firewall: fix progress bar default value (contributed by Nicolas Thumann)
dhcp: fix too many addresses issue in radvd RDNSS setting
dhcp: add missing double quotes in hostname handling
firmware: remove flavouring support from update tools
ipsec: pull data for dashboard widget exclusively from backend
ipsec: move XAuth out of “IKE Extensions” block
ipsec: add connection child as option for manual SPDs
ipsec: another small GUI fix for basic log option in advanced settings
openvpn: fix dashboard widget and add missing byte data to status call
plugins: os-bind 1.26 [2]
plugins: os-crowdsec 1.0.4 [3]
plugins: os-ddclient 1.12 [4]
plugins: os-dnscrypt-proxy 1.13 [5]
plugins: os-nginx 1.32 [6]
plugins: os-upnp now allows subnet mask 0 in rules (contributed by Reiko Asakura)
src: bridge: add support for emulated netmap mode [7]
src: epair: also remove vlan metadata from mbufs
src: ifconfig: fix configuring if_bridge with additional operating parameters
src: netmap: fix queue stalls with generic interfaces [8]
src: netmap: assorted upstream stable patches
src: sched_ule: assorted fixes to address issues on newer AMD platforms
ports: curl 8.0.1 [9]
ports: ifinfo now also prints interface index (contributed by Nicolas Thumann)
ports: php 8.1.18 [10]
23.1.5 (March 29, 2023)¶
This moves MVC/API migration a bit further and fixes the radvd restart behaviour using SIGHUP which caused issues with the initial 23.1.4. Unbound gained wildcard domain blocking and its backend was further refactored and improved upon.
Here are the full patch notes:
system: timezone parsing issue for zones west of UTC using “-“
system: migrate services page and widget to MVC/API
system: move web GUI service definition to correct file
system: add service_by_filter() service search extension
system: pin down the auto-far gateway selection and routing log adjustments
system: prevent applying tunables which are already set
firewall: refactor alias update scripts
dhcp: bring back the SIGHUP handling of radvd due to fix upstream
ipsec: replace status call with portable alternative
network time: migrate service status to PID file
openvpn: fix client output for widget (contributed by kulikov-a)
openvpn: migrate connection status page and widget to MVC/API
unbound: replace status call with portable alternative
unbound: bring back missing advanced page ACL entry
unbound: implement wildcard blocking and refactor DNSBL module
unbound: account for CNAME redirection in DNSBL module
unbound: prevent logging SERVFAIL twice in DNSBL module
unbound: allow scripts to extend blocklist functionality
mvc: add MaskPerItem toggle to allow regex validation per entry in CSVListField
ui: add a fail() handler to disable action button spinner
plugins: os-frr 1.33 [1]
src: pfsync: fix pfsync_undefer_state() locking
src: pfsync: add missing unlock in pfsync_defer_tmo()
src: epair: merged assorted fixes
ports: openssl fix for CVE-2023-0464
ports: radvd fix for SIGHUP behaviour
A hotfix release was issued as 23.1.5_2:
firewall: ignore empty lines when reading current alias content using pfctl
network time: revert PID file use as it is still unreliable with ntpd
A hotfix release was issued as 23.1.5_4:
openvpn: fix typo in widget missing virtual address display
unbound: translate empty values to empty strings in DNSBL module
23.1.4 (March 21, 2023)¶
Another stable update to fix a StrongSwan regression and two OpenVPN incompatibilities introduced prior. We have also improved the service handling code in multiple areas, fixed issues like the VIP migration problem with IP alias on a CARP VIP and improved/simplified the firmware settings now that cryptography flavours no longer exist.
Here are the full patch notes:
system: address a number of web GUI startup problems
system: service handling refactor, tweaks and improvements
system: rework killbypid()/killbyname() behaviour
system: use system_resolver_configure() everywhere
reporting: simplify state collection for system-states.rrd
interfaces: fix an issue with a batch killbyname() in static ARP case
interfaces: make sure output buffering is disabled when downloading a packet capture
interfaces: lock gateway save button while the request is being processed
interfaces: fix IP alias with VHID validation issue
dhcp: several plumbing improvements in service handling
dnsmasq: remove now unused host configuration and refactor
firmware: responsiveness fix (contributed by kulikov-a)
firmware: move settings handling to full-fledged model
firmware: add advanced/help toggles, cancel button, subscription errors
monit: add permanent include statement for custom configuration files (contributed by codiflow)
openvpn: add ovpn_status.py script and configd action to fetch connected clients
openvpn: reintroduce “cipher” keyword for older clients
openvpn: add missing static-challenge parsing for auth framework introduced in 23.1.3
unbound: adhere to restart logic during hosts configure and wait for service to start
unbound: add infra-keep-probing advanced option
unbound: lowercase domain for case insensitive search in blocklists
mvc: fix PHP warnings and dance around null/0.0.0 ambiguity in migration code
plugins: os-api-backup 1.1 [1]
plugins: os-theme-cicada 1.34 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.27 (contributed by Team Rebellion)
plugins: os-theme-vicuna 1.45 (contributed by Team Rebellion)
ports: curl 7.88.1 [2]
ports: nss 3.89 [3]
ports: php 8.1.17 [4]
ports: py-vici 5.9.10
ports: squid 5.8 [5]
ports: strongswan EAP-TLS upstream fix [6]
A hotfix release was issued as 23.1.4_1:
dhcp: revert sending HUP to radvd for restart
23.1.3 (March 09, 2023)¶
This update was not planned as such, but an Sqlite compile change in FreeBSD ports required a clean rebuild so instead of a hotfix we are shipping this tiny stable update.
Here are the full patch notes:
firewall: fix mismatch of options in new automatic listing of floating rules in interface rules
ipsec: “Allow any remote gateway to connect” should suffix all in order to connect to the other end
ipsec: store proper log values in advanced settings
ipsec: add a routing hook and execute it for all VTI devices during reconfiguration
ports: phpseclib 3.0.19 [1]
ports: sqlite backs out disabling DQS option which broke software on multiple ends
ports: sudo 1.9.13p3 [2]
A hotfix release was issued as 23.1.3_4:
firewall: fix rule display of inverted aliases
firmware: add stub for previously removed -f option in opnsense-version
23.1.2 (March 07, 2023)¶
This is mainly a reliability update with fixes in assorted subsystems. Of note is the OpenVPN authentication framework rewrite in order to take advantage of the upcoming OpenVPN 2.6 deferred authentication feature and the fix for DHCP renew behaviour that was reported on 23.1.
The roadmap for 23.7 was published, but at this point mainly consists of MVC/API porting efforts for existing static pages. While the rewrite is not strictly necessary from a user perspective it will move us a lot closer to our mission goal to introduce privilege separation and to provide an API for all components.
Here are the full patch notes:
system: use singleton boot detection everywhere
system: protect against more stray scripts on boot
system: several shell_safe() conversions
system: when applying auto-far default route make sure the local address is not empty
system: refactor system_default_route() to prevent empty $gateway
system: create system_resolver_configure() and cron job support
system: add simple script and configd action to list current group membership (configctl auth list groups)
system: prevent alias reload in routing reconfiguration like we do in rc.syshook monitor reload
interfaces: protect against empty GIF host route
interfaces: fix parsing of device names with a dot in packet capture
interfaces: force newip calls through DHCP/PPP/OVPN on IPv4
interfaces: force newip calls through DHCP/PPP on IPv6
firewall: fix NAT dropdowns ignoring VIPs
firewall: fix validation of alias names such as “A_BC”
firewall: show all applicable floating rules when inspecting interface rules
firewall: prevent networks from being sent to DNS resolver in update_tables.py
reporting: make all status mapping colors configurable for themes in the Unbound DNS page
dnsmasq: add dns_forward_max, cache_size and local_ttl options to GUI (contributed by Dr. Uwe Meyer-Gruhl)
firmware: remove retired LibreSSL flavour handling and annotations
ipsec: reqid should not be provided on mobile sessions
ipsec: validate pool names on connections page
ipsec: allow “@” character in all other eap_id fields for new connections
ipsec: add connection data to XMLRPC sync
ipsec: “Dynamic gateway” (rightallowany) option should be translated to 0.0.0.0/0,::/0
network time: remove “disable monitor” to get rid of log warnings (contributed by Dr. Uwe Meyer-Gruhl)
openvpn: replace authentication handler to prepare for upcoming OpenVPN 2.6 with deferred authentication
openvpn: rename -cipher option to –data-ciphers-fallback and adjust GUI accordingly
unbound: fix typo in logger and create a pipe early in dnsbl_module.py (contributed by kulikov-a)
unbound: fix type cast to prevent unnecessary updateBlocklist action
unbound: add missing blocklist
ui: solve deprecation in PHP via html_safe() wrapper
wizard: unbound hardened DNSSEC setting moved
plugins: os-acme-client 3.16 [1]
plugins: os-crowdsec 1.0.2 [2]
plugins: os-rfc2136 1.8 [3]
plugins: os-theme-cicada 1.33 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.26 (contributed by Team Rebellion)
plugins: os-theme-vicuna 1.44 (contributed by Team Rebellion)
src: fix multiple OpenSSL vulnerabilities [4]
src: pfsync: support deferring IPv6 packets
src: pfsync: add missing bucket lock
src: pfsync: ensure ‘error’ is always initialised
ports: filterlog 0.7 fixes unknown TCP option print
ports: lighttpd 1.4.69 [5]
ports: monit 5.33.0 [6]
ports: nss 3.88.1 [7]
ports: openldap 2.6.4 [8]
ports: openssh 9.2p1 [9]
ports: php 8.1.16 [10]
ports: phalcon 5.2.1 [11]
ports: sqlite 3.41.0 [12]
ports: strongswan 5.9.10 [13]
ports: sudo 1.9.13p2 [14]
23.1.1 (February 15, 2023)¶
Apart from security updates for operating system and third party software this mainly fixes issues with the initial 23.1 release. IPsec and Unbound components in particular receive a number of improvements being the more prominent areas of work for this series. Unbound also gained a SafeSearch option and the new reporting database CPU usage should be much lower and easier to use.
Overall we are happy with how the major release turned out and look forward to further fixes in e.g. Netmap framework including Suricata changes for multi-threading support which has been in the works for a long time. OpenVPN 2.6 update and related changes are also pending at the moment.
The roadmap for 23.7 will be published soon and will again include a number of MVC/API conversions for static components. Statistics do indicate that we are over 60% done with converting the code base to a modern framework as compared to early 2015 which is now already over 8 years ago!
Here are the full patch notes:
system: replace single exec_command() with new shell_safe() wrapper
system: fix assorted PHP 8.1 deprecation notes
system: remove overreaching “Reconfigure a plugin facility” cron job and backend command that has no visible users
interfaces: fix VLAN rename after protocol addition in 23.1
interfaces: fix VLAN missing a config lock on delete
interfaces: make description field show for all types of VIP (contributed by FingerlessGloves)
interfaces: allow VHID reuse as it was before 23.1
firewall: prevent possible infinite loop in alias parsing (contributed by kulikov-a)
firewall: do not calculate local port range for alias (contributed by kulikov-a)
firewall: update validation of alias names to be slightly more restrictive
firewall: safeguard download_geolite() and log errors
firewall: do not switch gateway on bootup
captive portal: enforce a database repair during operation if necessary
firmware: move single-call function to reporter page
intrusion detection: properly reset metadata response when no metadata is found
ipsec: allow “@” character in eap_id fields for new connections
ipsec: missing remapping pool UUID to name for new connections
ipsec: change status column sizing and hide local/remote auth by default
ipsec: fix username parsing in lease status
ipsec: refactor widget to use new data format
ipsec: migrate duplicated cron job
ipsec: faulty unique constraint in pre-shared keys
ipsec: fix eap_id placement for eap-mschapv2
unbound: simplify logger logic for required queries
unbound: add SafeSearch option to blocklists
unbound: match white/blocklist action exactly from reporting page
unbound: always prioritize whitelists over blocklists
unbound: various UX improvements in reporting page
unbound: add serve-expired, log-servfail, log-local-actions and val-log-level advanced settings
unbound: drop unnecessary index from reporting database and other optimizations to lower CPU usage
unbound: add HTTPS record type to reporting
unbound: remember reporting page logarithmic setting
unbound: missing global so that cache is never flushed when requested
mvc: cleanse $record input in searchRecordsetBase() before usage
plugins: os-haproxy 4.1 [1]
plugins: os-openconnect 1.4.4 [2]
plugins: os-qemu-guest-agent 1.2 [3]
plugins: os-tayga fixes MVC interface registration
plugins: os-wireguard fixes MVC interface registration
src: geli: split the initalization of HMAC [4]
src: fix ena driver crash after reset in 7th gen AWS instance types [5]
src: fix sdhci broken write-protect settings [6]
src: import tzdata 2022g [7]
src: ipsec: clear pad bytes in PF_KEY messages
src: fib_algo: set vnet when destroying algo instance
src: if_ipsec: handle situations where there are no policy or SADB entry for if
src: if_ipsec: protect against user supplying unknown address family
src: if_me: use dedicated network privilege
src: vxlan: add support for socket ioctls SIOC[SG]TUNFIB
src: introduce and use the NET_EPOCH_DRAIN_CALLBACKS() macro
src: iflib: Add null check to iflib_stop()
src: x86: ignore stepping for APL30 errata
src: pfctl: rule.label is a two-dimensional array
src: pf: fix syncookies in conjunction with tcp fast port reuse
src: pf: fix panic on deferred packets
src: ipfw: Add missing ‘va’ code point name
src: netmap: try to count packet drops in emulated mode
src: netmap: fix a queue length check in the generic port rx path
src: netmap: tell the compiler to avoid reloading ring indices
ports: remove GnuTLS workarounds from ports previously required for LibreSSL
ports: dnsmasq 2.89 [8]
ports: dpinger 3.3 [9]
ports: lighttpd 1.4.68 [10]
ports: openssh 9.1p1 [11]
ports: openssl 1.1.1t [12]
ports: php 8.1.15 [13]
A hotfix release was issued as 23.1.1_2:
captive portal: remove mod_evasion use which was discontinued by lighttpd
unbound: wait for pipe in logger (contributed by kulikov-a)
Rate limiting was removed from the captive portal which was set to 250 connections by the same IP to the captive portal itself. This can be easily replaced by a manual firewall rule with advanced options set, e.g. “Max established” set to 250 with destination “This Firewall”.
23.1 (January 26, 2023)¶
For more than 8 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
23.1, nicknamed “Quintessential Quail”, features Unbound DNS statistics with a blocklist rewrite in Python, improved WAN SLAAC operability, firewall alias BGP ASN type support, PHP 8.1, assorted FreeBSD networking updates, MVC/API pages for packet capture/virtual IPs/IPsec connection management, IPsec configuration file migration to swanctl.conf, new sslh plugin, ddclient custom backend support (including Azure), WireGuard kernel module plugin variant as the new default plus much more.
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/
South America: http://mirror.ueb.edu.ec/opnsense/releases/23.1/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.1/
Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 22.7.11:
system: replaced log_error() use with log_msg() and adjusted logging levels accordingly
system: introduced a service boot log
system: the LibreSSL flavour has been discontinued
system: simplify gateway monitoring setup code
system: add option to skip gateway monitor host route
system: populate /etc/hosts file with IPv6 addresses too
system: simplify and guard host route creation
system: merge system_staticroutes_configure() into system_routing_configure()
system: do not yield process after calling shutdown command
system: apply tunables during late boot in case a module was loaded depending on them to be set to a specific value
system: show size of ZFS ARC (adaptive replacement cache) in system widget
system: introduce support tier annotations for core and plugins [2]
system: add cron tasks for scrubbing and trimming ZFS pools (contributed by Iain Henderson)
system: fix 6rd/6to4 gateway interface detection (contributed by Frans J Elliott)
reporting: add Unbound DNS statistics frontend including client drill-down
interfaces: heavy cleanup of the wireless device integration
interfaces: use 802.1ad protocol for stacked VLAN parent (QinQ)
interfaces: GIF and GRE now support subnet-based IPv6 configurations instead of always falling back to a point-to-point (/128) setup
interfaces: GIF and GRE now disable IPv6 on IPv4 tunnels (contributed by Maurice Walker)
interfaces: add isolated PPPoEv6 mode to selectively enable IPv6 CP negotiation and turn it off when no IPv6 mode is set
interfaces: add support for SLAAC WAN interfaces without DHCPv6 (contributed by Maurice Walker)
interfaces: register LAGG, PPP, VLAN and wireless devices as plugins
interfaces: simplified get_real_interface() function
interfaces: removed obsolete “defaultgw” files
interfaces: simplified rc.linkup script
interfaces: improve IP address cache behaviour in rc.newwanip(v6) scripts
interfaces: converted virtual IPs to MVC/API
interfaces: add MAC filtering to packet capture
interfaces: convert ARP/NDP pages to server-side searchable variant
interfaces: create null route for DHCPv6 delegated prefix
interfaces: tighten the concept of hardware interfaces and pull supported plugin devices into assignments page automatically
firewall: remove deprecated “Dynamic state reset” mechanic
firewall: invalidate port forward rule entry when no target is specified
firewall: hide deprecated source OS rule setting under advanced
firewall: add group option to prevent grouping in interfaces menu
firewall: safeguard against missing name from the alias API call
intrusion detection: keep grid to prevent widgets being removed
intrusion detection: reload grid after log drop (contributed by kulikov-a)
intrusion detection: add verbose logging mode selector
ipsec: disable charon.install_routes completely in case upstream would implement it for FreeBSD later on
ipsec: move user PSK (pre-shared key) and static PSK items to new MVC/API implementation
ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
ipsec: add a new independent connections MVC/API component to manage IPsec in a layout matching swanctl.conf syntax more closely
ipsec: rewrote lease status page in MVC/API
ipsec: add configurable “unique” setting to phase 1
ipsec: missing correct phase 1 to collect “Network List” option
monit: support start timeout setting (contributed by spoutin)
openvpn: add unique daemon name to each instance
unbound: add statistics database backend
unbound: add exact domain blocking
mvc: call plugins_interfaces() optionally on service reconfigure
mvc: match UUID for multiple values (contributed by kulikov-a)
mvc: convert setBase() to an upsert operation
mvc: change default sorting to case-insensitive
mvc: add TextField tests (contributed by agh1467)
mvc: implement required getRealInterface() variant
ui: assorted improvements in bootgrid and form controls
ui: switch to pure JSON data in bootgrids
plugins: os-bind 1.25 [3]
plugins: os-ddclient 1.11 [4]
plugins: os-dyndns end of life note moves to 23.7
plugins: os-freeradius 1.9.22 [5]
plugins: os-frr 1.32 [6]
plugins: os-haproxy 4.0 [7]
plugins: os-puppet-agent 1.1 [8]
plugins: os-sslh 1.0 [9] (contributed by agh1467)
plugins: os-theme-cicada 1.32 (contributed by Team Rebellion)
plugins: os-upnp 1.5 [10]
plugins: os-wireguard switches to kernel module with a separate os-wireguard-go variant available for installation to keep the old behaviour
src: assorted FreeBSD 13 stable fixes for e.g. bpf, bridge, bsdinstall ifconfig, iflib, ipfw, ipsec, lagg, netmap, pf, route and vlan components
ports: php 8.1.14 [11]
ports: sudo 1.9.12p2 [12]
A hotfix release was issued as 23.1_6:
system: incorrect link to CARP status page on dashboard widget
reporting: bail DNS resolve in traffic graphs when resolver is not configured
captive portal: for static MAC assignments make sure that the IP address actually changed before updating it
ipsec: missing a bracket for aggressive mode selection
ipsec: mute a spurious boot warning
ipsec: myid may be be optional
plugins: os-bind fix plugin directory path
plugins: os-ddclient minor PHP fix
plugins: os-frr allow restart via cron
plugins: os-nut wrong user for latest port
plugins: os-upnp typo in log level
plugins: os-wireguard service widget fix
Migration notes, known issues and limitations:
LibreSSL flavour has been discontinued. Switch to OpenSSL flavour to proceed with the upgrade.
StrongSwan IPsec configuration now uses the preferred swanctl.conf instead of the deprecated ipsec.conf which could lead to connectivity issues in ambiguous cases. Subtle bugs cannot be ruled out as well so please raise an issue on GitHub to be able to investigate each case.
The new IPsec connections pages and API create an independent set of connections following the design of swanctl.conf. Legacy tunnel settings cannot be managed from the API and are not migrated.
The public key for the 23.1 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4J0k7cPtunUYiR4vbRof
# AiNTnkkByaWpjTeKneR/CBAaImUxpED5EnFprwM0mm4BX3Vqkf1KYQtRSawNxeXz
# NiPT5Ykv0Vus0tYafBzIPsOCdUz/gtuJmtjih0uNvFSdwDRNE42MpX2RFeTm652H
# fNE5Rxv23liLYdm3RNDFcM7tJEMs+zr01Lrn3McDv4OUACl3YTwFKS1BJGkBqpDI
# gX1HsJMz934zNItrLxj6B2tDIR4oGrqowzW+1owT4+a8EoaimY48RAb8AUWezAZu
# tQcGQ0wuZ8qy2WClYvrogsmAEUpfv1Y0YcSfpdxopOx4KyE0KEzAooRF95iFLu94
# PODk1oPTr0N9qXn7XsLkpaufk+EpNecZSvbqrj3IWMyCLEBO60YuFpcFFI6SVJBC
# i5OG7JVQaE8hu4CY50tMOO0M54umM8lPIOW8AuIH2PlmQWJ4tPb7j8HHnV1cM1Sf
# Ha/EAJQlKEEyj4hbzSb6aKATv++qvh4jwgADsTsDtbCrtxrcBV7i+iLUM7DdxrPZ
# QnLELdJPjyFxtClzi4Tf1svrF5K6NGd/nJQ1pLSkM64dKPA0iTiMMzjQMHnN8++G
# UdhRzswRZ/BtB8ha1ZRRvnEHe+tcEtsXFZZSTgcR60lXlZzPY/0h+xfbgOApYlqq
# MIMJsdvZkuxYrGQ5eL2nk0UCAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2) = f25c10113ef1ea13c031fc6102f8e6caf73a7296b12bcc287670026cab29c7c7
# SHA256 (OPNsense-23.1-OpenSSL-nano-amd64.img.bz2) = 74ec824288adde409074f6855cb0110b860d0b28c33fbd6a30f12473a5e97d54
# SHA256 (OPNsense-23.1-OpenSSL-serial-amd64.img.bz2) = 2b0ea23de4d09eed952f074e561d55b06b5d323bf9d68a2eae34c3118c304318
# SHA256 (OPNsense-23.1-OpenSSL-vga-amd64.img.bz2) = 13b9f31651aa165862965566238eaecf66563a3b037fb7f8912a6d0440170bdb
23.1.r2 (January 19, 2023)¶
Only a small number of fixes and the usual third party updates.
Still on track for January 26. See you then…
Here are the full patch notes:
system: introduce support tier annotations for core and plugins
system: add cron tasks for scrubbing and trimming ZFS pools (contributed by Iain Henderson)
system: fix 6rd/6to4 gateway interface detection (contributed by Frans J Elliott)
interfaces: further simplify get_real_interface()
interfaces: correct PPPoEv6 device lookup
reporting: add Unbound DNS drill-down for client graph
mvc: implement required getRealInterface() variant
plugins: os-haproxy 4.0 [1]
ports: curl 7.87.0 [2]
ports: nss 3.87 [3]
ports: pcre 10.42 [4]
ports: phalcon 5.1.4 [5]
ports: php 8.1.14 [6]
ports: strongswan 5.9.9 [7]
ports: unbound 1.17.1 [8]
23.1.r1 (January 13, 2023)¶
For more than 8 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/
South America: http://mirror.ueb.edu.ec/opnsense/releases/23.1/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.1/
Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 22.7.10:
system: replaced log_error() use with log_msg() and adjusted logging levels accordingly
system: introduced a service boot log
system: the LibreSSL flavour has been discontinued
system: simplify gateway monitoring setup code
system: add option to skip gateway monitor host route
system: populate /etc/hosts file with IPv6 addresses too
system: simplify host route creation
system: merge system_staticroutes_configure() into system_routing_configure()
system: do not yield process after calling shutdown command
system: apply tunables during late boot in case a module was loaded depending on them to be set to a specific value
system: show size of ZFS ARC (adaptive replacement cache) in system widget
interfaces: heavy cleanup of the wireless device integration
interfaces: use 802.1ad protocol for stacked VLAN parent (QinQ)
interfaces: GIF and GRE now support subnet-based IPv6 configurations instead of always falling back to a point-to-point (/128) setup
interfaces: GIF and GRE now disable IPv6 on IPv4 tunnels (contributed by Maurice Walker)
interfaces: add PPPoEv6 mode to prevent IPv6 CP negotiation over PPPoE in other IPv6 modes
interfaces: add support for SLAAC WAN interfaces without DHCPv6 (contributed by Maurice Walker)
interfaces: register LAGG, PPP, VLAN and wireless devices as plugins
interfaces: simplified get_real_interface() function
interfaces: removed obsolete “defaultgw” files
interfaces: simplified rc.linkup script
interfaces: improve IP address cache behaviour in rc.newwanip(v6) scripts
interfaces: converted virtual IPs to MVC/API
interfaces: add MAC filtering to packet capture
interfaces: convert ARP/NDP pages to server-side searchable variant
interfaces: create null route for DHCPv6 delegated prefix
interfaces: tighten the concept of hardware interfaces and pull supported plugin devices into assignments page automatically
firewall: remove deprecated “Dynamic state reset” mechanic
firewall: invalidate port forward rule entry when no target is specified
firewall: show automated “port 0” rule as actual port “0” on PHP 8
firewall: hide deprecated source OS rule setting under advanced
reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics
intrusion detection: keep grid to prevent widgets being removed
intrusion detection: reload grid after log drop (contributed by kulikov-a)
ipsec: disable charon.install_routes completely in case upstream would implement it for FreeBSD later on
ipsec: move user PSK (pre-shared key) and static PSK items to new MVC/API implementation
ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
ipsec: add a new independent connections MVC/API component to manage IPsec in a layout matching swanctl.conf syntax more closely
ipsec: rewrote lease status page in MVC/API
ipsec: add configurable “unique” setting to phase 1
monit: support start timeout setting (contributed by spoutin)
openvpn: add unique daemon name to each instance
unbound: add DNS statistics collector and reporting frontend
unbound: safeguard retrieval of blocklist shortcode
unbound: add exact domain blocking
mvc: call plugins_interfaces() optionally on service reconfigure
mvc: match UUID for multiple values (contributed by kulikov-a)
mvc: convert setBase() to an upsert operation
mvc: change default sorting to case-insensitive
mvc: fix IntegerField minimum value (contributed by xbb)
mvc: add TextField tests (contributed by agh1467)
ui: assorted improvements in bootgrid and form controls
ui: switch to pure JSON data in bootgrids
plugins: os-acme-client 3.15 [2]
plugins: os-bind 1.25 [3]
plugins: os-ddclient 1.11 [4]
plugins: os-dyndns end of life note moves to 23.7
plugins: os-freeradius 1.9.22 [5]
plugins: os-upnp 1.5 [6]
plugins: os-stunnel fixes missing include in certificate script
plugins: os-wireguard switches to kernel module with a separate os-wireguard-go variant available for installation to keep the old behaviour
plugins: os-sslh 1.0 [7] (contributed by agh1467)
src: assorted FreeBSD 13 stable fixes for e.g. bpf, bridge, bsdinstall ifconfig, iflib, ipfw, ipsec, lagg, netmap, pf, route and vlan components
ports: php 8.1.13 [8]
ports: sqlite 3.40.1 [9]
Migration notes, known issues and limitations:
LibreSSL flavour has been discontinued. Switch to OpenSSL flavour to proceed with the upgrade.
StrongSwan IPsec configuration now uses the preferred swanctl.conf instead of the deprecated ipsec.conf which could lead to connectivity issues in ambiguous cases. Subtle bugs cannot be ruled out as well so please raise an issue on GitHub to be able to investigate each case.
The new IPsec connections pages and API create an independent set of connections following the design of swanctl.conf. Legacy tunnel settings cannot be managed from the API and are not migrated.
The public key for the 23.1 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4J0k7cPtunUYiR4vbRof
# AiNTnkkByaWpjTeKneR/CBAaImUxpED5EnFprwM0mm4BX3Vqkf1KYQtRSawNxeXz
# NiPT5Ykv0Vus0tYafBzIPsOCdUz/gtuJmtjih0uNvFSdwDRNE42MpX2RFeTm652H
# fNE5Rxv23liLYdm3RNDFcM7tJEMs+zr01Lrn3McDv4OUACl3YTwFKS1BJGkBqpDI
# gX1HsJMz934zNItrLxj6B2tDIR4oGrqowzW+1owT4+a8EoaimY48RAb8AUWezAZu
# tQcGQ0wuZ8qy2WClYvrogsmAEUpfv1Y0YcSfpdxopOx4KyE0KEzAooRF95iFLu94
# PODk1oPTr0N9qXn7XsLkpaufk+EpNecZSvbqrj3IWMyCLEBO60YuFpcFFI6SVJBC
# i5OG7JVQaE8hu4CY50tMOO0M54umM8lPIOW8AuIH2PlmQWJ4tPb7j8HHnV1cM1Sf
# Ha/EAJQlKEEyj4hbzSb6aKATv++qvh4jwgADsTsDtbCrtxrcBV7i+iLUM7DdxrPZ
# QnLELdJPjyFxtClzi4Tf1svrF5K6NGd/nJQ1pLSkM64dKPA0iTiMMzjQMHnN8++G
# UdhRzswRZ/BtB8ha1ZRRvnEHe+tcEtsXFZZSTgcR60lXlZzPY/0h+xfbgOApYlqq
# MIMJsdvZkuxYrGQ5eL2nk0UCAwEAAQ==
# -----END PUBLIC KEY-----
Please let us know about your experience!
# SHA256 (OPNsense-23.1.r1-OpenSSL-dvd-amd64.iso.bz2) = ed7d61d0107536c3095526d74c9d4e3b44cb86a7d8896bb51d65eccfd0a2056d
# SHA256 (OPNsense-23.1.r1-OpenSSL-nano-amd64.img.bz2) = 66269b2eb434476d437cbf705af25b938e5d17436727eee565dd5e88fe8e6247
# SHA256 (OPNsense-23.1.r1-OpenSSL-serial-amd64.img.bz2) = ca6676ae825241190e63b4fbedd8e727b28011fa484c35c1ef1e68e0355b1f4b
# SHA256 (OPNsense-23.1.r1-OpenSSL-vga-amd64.img.bz2) = 5a4a8ec5f248484890d569b89f2fd1e29470bb95996c48def20686648e279f77