24.7 “Thriving Tiger” Series¶
For more than 9 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
24.7, nicknamed “Thriving Tiger”, features a new dashboard, system trust MVC/API support, GRE and GIF MVC/API support, NAT 1-to-1 MVC/API support, WireGuard QR code generator, dynamic IPsec VTI tunnel support, experimental OpenVPN DCO support, FreeBSD 14.1, Python 3.11 plus much more.
The upgrade path from 24.1.x will follow tomorrow. Do not be hasty. The major operating system upgrade has not happened in while and should be taken with the appropriate amount of care.
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/24.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/24.7/
South America: http://mirror.ueb.edu.ec/opnsense/releases/24.7/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/24.7/
Full mirror list: https://opnsense.org/download/
24.7.3 (August 29, 2024)¶
Today we are switching pf stateful tracking of ICMPv6 neighbour discoveries off in order to fix the previous instability with the FreeBSD security advisory first shipped in 24.7.1. We do this in order to provide the same reliable IPv6 functionality that was on all previous versions prior to 24.7.1 at the cost of resurfacing CVE-2024-6640 until a better solution has been devised. A link to the long and difficult upstream bug report is included below.
But that is not all. The GUI gains snapshot support on ZFS installations by implementing what is called “boot environments” which allows one to move seamlessly from one snapshot to another via reboot. This functionality can also be accessed from the boot loader menu option “8” for a quick recovery ensuring that at least one other snapshot was created to boot into. A very special thank you to Sheridan Computers for contributing this feature.
Here are the full patch notes:
system: add snapshots (boot environments) support via MVC/API (contributed by Sheridan Computers)
system: remove obsolete dashboard sync
system: compact services widget on dashboard
system: convert lock mode to edit mode on dashboard
system: link certificates by subject on import
system: unify how log search clauses work and add a search time constraint
system: move to static imports for widget base classes on dashboard
system: fix ACL check on dashboard restore and add safety check for save action
system: change dashboard modify buttons to a bootstrap group (contributed by Jaka Prašnikar)
interfaces: add “newwanip_map” event and deprecate old “newwanip” one
interfaces: keep 24.7 backwards compatibility by allowing 6RD and 6to4 on PPP
interfaces: add logging to PPP link scripts to check for overlap
interfaces: return correct uppercase interface name in getArp()
interfaces: fix issue with PPP port not being posted
dhcrelay: start on “newwanip_map” event as well
intrusion detection: update the default suricata.yaml (contributed by Jim McKibben)
ipsec: move two logging settings to correct location misplaced in previous version
ipsec: fix migration and regression during handling of “disablevpnrules” setting
wireguard: support CARP VHID reuse on different interfaces
mvc: when a hint is provided, also show them for selectpickers
rc: fix banner HTTPS fingerprint
plugins: os-ddclient 1.24 [1]
plugins: os-theme-advanced 1.0 based on AdvancedTomato (contributed by Jaka Prašnikar)
plugins: os-theme-cicada 1.38 (contributed by Team Rebellion)
plugins: os-theme-vicuna 1.48 (contributed by Team Rebellion)
plugins: os-upnp 1.6 [2]
plugins: os-wol 2.5 adds widget for new dashboard (contributed by Michał Brzeziński)
src: pf: fully annotated patch of disabling ND state tracking and issues for ICMPv6 [3]
src: u3g: add SIERRA AC340U
ports: dhcrelay 1.0 switches to official release numbering, but otherwise equal to 0.6
ports: sqlite 3.46.1 [4]
A hotfix release was issued as 24.7.3_1:
intrusion detection: fix indent in suricata.yaml
24.7.2 (August 21, 2024)¶
Today a follow-up for the FreeBSD security advisory for pf/ICMP ships that addresses the undesired traceroute behaviour. A few dashboard improvements are included as well as better IPv6 recovery for dhcp6c and assorted stability fixes.
As a special note we now have native CPU microcode update plugins for either AMD or Intel to install from the GUI. Apart from a reboot these plugins require no further user interaction and will keep the applicable microcode at the latest known version as shipped in the packages repository.
We are currently working on making PPP capable of running in IPv6-only deployments; additionally ZFS snapshots (a.k.a boot environments) are coming to the next stable release and can already be previewed in the bundled development version.
Last but not least, an “importmap” free dashboard version is also ready for testing in the development release. We hereby ask for feedback so that it can be included in a subsequent stable release.
Here are the full patch notes:
system: CRL import ignored text input and triggered unrelated validations
system: improve the locking during web GUI restart
system: improve WireGuard and IPsec widgets
system: add CPU widget graph selection
system: reformat traffic graphs to bps
system: add gateway widget item selection
system: add table view to interface statistics widget on expansion
system: improve widget error recovery
system: fix wrong variable assignment in system log search backend
system: add missing delAction() for proper CRL removal
interfaces: require PPP interface to be in up state (contributed by Nicolai Scheer)
interfaces: lock down PPP modes when editing interfaces
interfaces: backport required interface_ppps_capable()
interfaces: retire interfaces_bring_up()
reporting: start using cron for RRD collection
firmware: remove inactive mirrors from the list
firmware: introduce sanity checks prior to upgrades
firmware: cleanup package manager temporary files prior to upgrades
kea-dhcp: fix privileges for page ACL
ipsec: advanced settings MVC/API conversion
ipsec: add retransmission settings in charon section in advanced settings
openvpn: unhide server fields for DCO instances
mvc: remove setJsonContent() and make sure Response->send() handles array types properly
mvc: FileObject write() should sync by default
rc: export default ZPOOL_IMPORT_PATH
ui: sidebar submenu expand fix (contributed by Team Rebellion)
plugins: os-caddy 1.6.3 [1]
plugins: os-cpu-microcode-amd 1.0
plugins: os-cpu-microcode-intel 1.0
plugins: os-freeradius 1.9.25 [2]
plugins: os-intrusion-detection-content-snort-vrt 1.2 switch to newer ruleset snapshot (contributed by Jim McKibben)
plugins: os-theme-tukan 1.28 (contributed by Dr. Uwe Meyer-Gruhl)
src: axgbe: implement ifdi_i2c_req for diagnostics information
src: if_clone: allow maxunit to be zero
src: if_pflog: limit the maximum unit via the new KPI
src: pf: invert direction for inner icmp state lookups
src: pf: fix icmp-in-icmp state lookup
src: pf: vnet-ify pf_hashsize, pf_hashmask, pf_srchashsize and V_pf_srchashmask
ports: dhcp6c 20240820 fixes two renewal edge cases
ports: nss 3.103 [3]
ports: phpseclib 3.0.41 [4]
ports: unbound 1.21.0 [5]
24.7.1 (August 08, 2024)¶
This release includes a batch of dashboard changes due to the reliable feedback we have received from you all so far. There will be more dashboard changes in the future mostly relating to UX and sane default behaviour so just know we are aware.
A few smaller regressions due to the Phalcon module replacement efforts have been fixed as well. IPv6 behaviour has been adjusted for SLAAC and the web GUI.
Last but not least we found and fixed a number of issues with FreeBSD 14.1 and are including its security advisories from yesterday while at it.
MVC/API conversions are already being carried out in the development version and it seems that PPP-related connectivity will get a bigger makeover too. The roadmap for 25.1 will be discussed and likely published later this month.
Here are the full patch notes:
system: guard destroy on traffic widget
system: adjust address display in interfaces widget
system: fix display of multiple sources in thermal sensor widget
system: add load average back to system info widget
system: remove dots from traffic widget graphs
system: add publication date to announcement widget
system: fix monit widget status code handling
system: allow and persist vertical resize in widgets
system: improve formatting of byte values in widgets
system: update OpenVPN widget server status color
system: add aggregated traffic information about connected children in IPsec widget
system: remove animated transition from row hover for table widgets
system: improve the styling of the widget lock button
system: apply locked state to newly added widgets as well
system: account for removal of rows in non-rotated widget tables with top headers
system: use “importmap” to force cache safe imports of base classes for widgets
system: allow custom fonts in the widgets with gauges (contributed by Jaka Prasnika)
system: add monitor IP to gateway API result (contributed by Herman Bonnes)
system: better define “in use” flag and safety guards in certificates section
system: export p12 resulted in mangled binary blob in certificates section
system: when using debug kernels prevent them from triggering unrelated panics on assertions
system: switch Twitter to Reddit URL in message of the day
system: fix API exception on empty CA selection
system: skip tentative IPv6 addresses for binding in the web GUI (contributed by tionu)
interfaces: avoid deprecating SLAAC address for now
firewall: show inspect button on “xs” size screen
firewall: fix parsing port alias names in /etc/services
captive portal: fix client disconnect (contributed by Vivek Panchal)
firmware: revoke old fingerprints
ipsec: add aggregated traffic totals to phase 1 view
kea-dhcp: ignore invalid hostnames in static mappings to prevent DNS services crashes
openvpn: use new trust model to link users by common_name in exporter
openvpn: DCO mode only supports UDP on FreeBSD
openvpn: add “float” option to instances (contributed by Christian Kohlstedde)
backend: patch -6 address support into pluginctl
mvc: fix API endpoint sending data without giving the Response object the chance to flush its headers
plugins: os-acme-client 4.5 [1]
plugins: os-apcupsd 1.2 [2]
plugins: os-caddy 1.6.2 [3]
plugins: os-ddclient 1.23 [4]
plugins: os-theme-rebellion 1.9.1 fixes more compatibility issues with new dashboard (contributed by Team Rebellion)
src: pf incorrectly matches different ICMPv6 states in the state table [5]
src: ktrace(2) fails to detach when executing a setuid binary [6]
src: NFS client accepts file names containing path separators [7]
src: xen/netfront: Decouple XENNET tags from mbuf lifetimes
src: dummynet: fix fq_pie traffic stall
src: mcast: fix leaked igmp packets on multicast cleanup
src: wg: change dhost to something other than a broadcast address (contributed by Sunny Valley Networks)
ports: curl 8.9.1 [8]
ports: dhcrelay 0.6 [9]
ports: kea 2.6.1 [10]
ports: nss 3.102 [11]
ports: php 8.2.22 [12]
ports: rrdtool 1.9.0 [13]
ports: syslog-ng 4.8.0 [14]
24.7 (July 25, 2024)¶
For more than 9 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
24.7, nicknamed “Thriving Tiger”, features a new dashboard, system trust MVC/API support, GRE and GIF MVC/API support, NAT 1-to-1 MVC/API support, WireGuard QR code generator, dynamic IPsec VTI tunnel support, experimental OpenVPN DCO support, FreeBSD 14.1, Python 3.11 plus much more.
The upgrade path from 24.1.x will follow tomorrow. Do not be hasty. The major operating system upgrade has not happened in while and should be taken with the appropriate amount of care.
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/24.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/24.7/
South America: http://mirror.ueb.edu.ec/opnsense/releases/24.7/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/24.7/
Full mirror list: https://opnsense.org/download/
Here are the full changes against version 24.1.10:
system: remove “load_balancer” configuration remnants from core
system: replace usage of mt_rand() with random_int()
system: rewrote Trust configuration using MVC/API
system: add XMLRPC option for OpenDNS
system: rewrote the high availability settings page using MVC/API
system: remove obsolete SSH DSA key handling
system: replaced the dashboard with a modern alternative with streaming widgets
system: harden a number of PHP settings according to best practices
system: support streaming of log files for the new dashboard widget
system: assorted dashboard widget tweaks
system: sidebar optimisation and fixes (contributed by Team Rebellion)
system: set short Cache-Control lifetime for widgets
interfaces: rewrote GRE configuration using MVC/API
interfaces: rewrote GIF configuration using MVC/API
interfaces: temporary flush SLAAC addresses in DHCPv6 WAN mode to avoid using them primarily
interfaces: add peer/peer6 options to CARP VIPs
interfaces: allow to assign a prefix ID to WAN interface in DHCPv6 as well
interfaces: allow to set manual interface ID in DHCPv6 and tracking modes
firewall: performance improvements in alias handling
firewall: refactor pftop output, move search to controller layer and implement cache for sessions page
firewall: support streaming of filter logs for the new dashboard widget
captive portal: add “Allow inbound” option to select interfaces which may enter the zone
captive portal: remove defunct transparent proxy settings
captive portal: clean up the codebase
ipsec: prevent gateway when remote gateway family does not match selected protocol in legacy tunnel configuration
isc-dhcp: do not reload DNS services when editing static mappings to match behaviour with Kea
monit: expose HTTPD username and password settings to GUI
openvpn: optionally support DCO devices for instances
openvpn: remove duplicate and irrelevant data for the client session in question
openvpn: add “remote_cert_tls” option to instances
backend: add “cache_ttl” parameter to allow for generic caching of actions
backend: run default action “configd actions” when none was specified
backend: extended support for streaming actions
installer: update the ZFS install script to the latest FreeBSD 14.1 code
installer: prefer ZFS over UFS in main menu selection
ui: assorted improvements for screen readers (contributed by Jason Fayre)
ui: add “select all” to standard form selectors and remove dialog on “clear all” for tokenizers
ui: lock save button while in progress to prevent duplicate input on Bootgrid
ui: backport accessibility fix in Bootstrap
mvc: replaced most of the Phalcon MVC use with a native band compatible implementation
mvc: improve searchRecordsetBase() filtering capabilities
mvc: improve container field cloning
mvc: remove obsolete getParams() usage in ApiControllerBase
mvc: hook default index action in API handler
plugins: os-acme-client 4.4 [2]
plugins: os-caddy 1.6.1 [3]
plugins: os-dec-hw 1.1 replaces the dashboard widget
plugins: os-etpro-telemetry 1.7 replaces dashboard widget
plugins: os-freeradius 1.29.4 [4]
plugins: os-nginx 1.34 [5]
plugins: os-theme-cicada 1.37 fixes dropdown element style (contributed by Team Rebellion)
plugins: os-theme-vicuna 1.47 fixes dropdown element style (contributed by Team Rebellion)
src: FreeBSD 14.1-RELEASE [6]
src: assorted backports from FreeBSD stable/14 branch
ports: hostapd 2.11 [7]
ports: libpfctl 0.12
ports: phalcon 5.8.0 [8]
ports: openvpn 2.6.12 [9]
ports: wpa_supplicant 2.11 [10]
A hotfix release was issued as 24.7_5:
system: fix disk widget byte unit “B” parsing crashing the whole widget
interfaces: improve apply of the new peer/peer6 options to avoid unneeded reset
firewall: fix one-to-one NAT migration with external address without a subnet set
openvpn: disable DCO permanently in legacy client/server configuration
mvc: fix API regression due to getParams() removal
plugins: os-udpbroadcastrelay API error fixes (contributed by Team Rebellion)
A hotfix release was issued as 24.7_9:
system: increase widget timeout to 5 seconds
system: cores and threads flipped in system widget
system: increase the PHP children count of the web GUI
mvc: make Response->setContentType() second argument optional
plugins: os-theme-rebellion 1.9 fixes compatibility issues with new dashboard (contributed by Team Rebellion)
Migration notes, known issues and limitations:
The dashboard has been replaced. Widgets from the old format are no longer supported and need to be rewritten by the respective authors.
ISC DHCP will no longer reload DNS services on static mapping edits. This is for feature parity with Kea DHCP and avoiding cross-service complications. If you expect your static mappings to show up in a particular DNS service please restart this service manually.
The public key for the 24.7 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAunCgLymz7ichjk+uZ4pR
# XwFX8FxG0KFBf4f6kCfQ+wNF9KTFBELzGg2tXPUmrJD/DzcMqQExP3WyTg0Z96ZW
# HofN2AbOCG84PpNlsKXpaUtm9Ow8kiYh7tn26eX7FaOEPtpJkMiwUymbCJJaPE0O
# smQbWGnJTvF8LTmuviPoiMrPv1cJ0kEyJvjDD0yMw1HrIgwPOazGmTQiuM3LoLOK
# F0KWf2p40c77QDOuGC7AIobQgDkZTabfU7PQUn6gDiKARYCst7y2xX3OQ7foXCJW
# nDDypfbfHixv77mVAeIED0h9ZsQaIHskL2dqqRbFHiY+OHjQTCAJP1Ptm/HGSCdj
# GOjpuD4WXvxru8AgcOCh6GpqO4IbByIHXu+67Ur3UBlxsp4x44lxBWXQzeemVhaS
# ZAmkJNemw51oRDTxYtpR7TF3OlgLAQBOB/0tqHmkbSBouQ6PK7HYzNglu9LStxo1
# uxgMss5q8GoZCkWKvRDz87YceeC75l0aWOVnkOMmC5Lf+fFMJp6TF7BzCi3ZC7CD
# DQchBlE2F98D3E7KiI4vGrLUj3qKwfwV41JSQ8OtwOV+KFGOmyHeNassTQHm1Mdn
# reTzHeusqUdAL7+pXH1XNwoFSZo7A6RoZzTzb0p7WYbKU9SV39DPytsYES7FsyY8
# l7+AsM+sBOY1ngeB/twBzyUCAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-24.7-dvd-amd64.iso.bz2) = 4452df716417cac324bb06322fc4428870ac2a64fd6ae47675a421e8db0a18b5
# SHA256 (OPNsense-24.7-nano-amd64.img.bz2) = a44711b6c088d6d12434afef9a3ccadc4ef1b56e44babd13e4b199589170c51a
# SHA256 (OPNsense-24.7-serial-amd64.img.bz2) = a94207c3515389c3fab5c6d72eeda4951526f9f50f06794ad9a4c1478bc8e8d0
# SHA256 (OPNsense-24.7-vga-amd64.img.bz2) = 11031aecabce97f6d5502f943d347704b5a888ec213d7f9229200877d72f297c
24.7.r2 (July 19, 2024)¶
For more than 9 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/24.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/24.7/
South America: http://mirror.ueb.edu.ec/opnsense/releases/24.7/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/24.7/
Full mirror list: https://opnsense.org/download/
Here are the full changes against version 24.7-RC1:
system: assorted dashboard widget tweaks
system: sidebar optimisation and fixes (contributed by Team Rebellion)
installer: update the ZFS install script to the latest FreeBSD 14.1 code
mvc: remove obsolete getParams() usage in ApiControllerBase
mvc: hook default index action in API handler
src: assorted backports from FreeBSD stable/14 branch
plugins: os-caddy 1.6.1 [2]
plugins: os-dec-hw 1.1 replaces the dashboard widget
plugins: os-nginx 1.34 [3]
plugins: os-theme-cicada 1.37 fixes dropdown element style (contributed by Team Rebellion)
plugins: os-theme-vicuna 1.47 fixes dropdown element style (contributed by Team Rebellion)
Migration notes, known issues and limitations:
The dashboard has been replaced. Widgets from the old format are no longer supported and need to be rewritten by the respective authors.
ISC DHCP will no longer reload DNS services on static mapping edits. This is for feature parity with Kea DHCP and avoiding cross-service complications. If you expect your static mappings to show up in a particular DNS service please restart this service manually.
The public key for the 24.7 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAunCgLymz7ichjk+uZ4pR
# XwFX8FxG0KFBf4f6kCfQ+wNF9KTFBELzGg2tXPUmrJD/DzcMqQExP3WyTg0Z96ZW
# HofN2AbOCG84PpNlsKXpaUtm9Ow8kiYh7tn26eX7FaOEPtpJkMiwUymbCJJaPE0O
# smQbWGnJTvF8LTmuviPoiMrPv1cJ0kEyJvjDD0yMw1HrIgwPOazGmTQiuM3LoLOK
# F0KWf2p40c77QDOuGC7AIobQgDkZTabfU7PQUn6gDiKARYCst7y2xX3OQ7foXCJW
# nDDypfbfHixv77mVAeIED0h9ZsQaIHskL2dqqRbFHiY+OHjQTCAJP1Ptm/HGSCdj
# GOjpuD4WXvxru8AgcOCh6GpqO4IbByIHXu+67Ur3UBlxsp4x44lxBWXQzeemVhaS
# ZAmkJNemw51oRDTxYtpR7TF3OlgLAQBOB/0tqHmkbSBouQ6PK7HYzNglu9LStxo1
# uxgMss5q8GoZCkWKvRDz87YceeC75l0aWOVnkOMmC5Lf+fFMJp6TF7BzCi3ZC7CD
# DQchBlE2F98D3E7KiI4vGrLUj3qKwfwV41JSQ8OtwOV+KFGOmyHeNassTQHm1Mdn
# reTzHeusqUdAL7+pXH1XNwoFSZo7A6RoZzTzb0p7WYbKU9SV39DPytsYES7FsyY8
# l7+AsM+sBOY1ngeB/twBzyUCAwEAAQ==
# -----END PUBLIC KEY-----
Please let us know about your experience!
# SHA256 (OPNsense-24.7.r2-dvd-amd64.iso.bz2) = 43617bcb97b40a4c681c9468e0f7837aef9e7ff3849377649ab350287ad4639b
# SHA256 (OPNsense-24.7.r2-nano-amd64.img.bz2) = 8fad59de6fdb07b9df2edb637a9d5f18a892d462d76118da6270dede90180a35
# SHA256 (OPNsense-24.7.r2-serial-amd64.img.bz2) = 5c4d9b6f7ef4baf555c43d949f5946b59856fea45303a4b32890c102909d9f75
# SHA256 (OPNsense-24.7.r2-vga-amd64.img.bz2) = 46f78b3fa40a429f52adbe1caf923cb8f4856e01ff61888b3db2658b43fe3f56
24.7.r1 (July 16, 2024)¶
If you have not heard: 24.7-RC1 is an online update. You can update from the 24.7-BETA and switch to the community release type for the stable track which leads into 24.7.x. The development version of the upcoming 24.1.11 release will also be able to update to the RC. An RC2 will follow up with the relevant images and additional information at the end of the week.
Here are the full changes against version 24.1.10:
system: remove “load_balancer” configuration remnants from core
system: replace usage of mt_rand() with random_int()
system: rewrote Trust configuration using MVC/API
system: add XMLRPC option for OpenDNS
system: rewrote the high availability settings page using MVC/API
system: remove obsolete SSH DSA key handling
system: replaced the dashboard with a modern alternative with streaming widgets
system: harden a number of PHP settings according to best practices
system: support streaming of log files for the new dashboard widget
interfaces: rewrote GRE configuration using MVC/API
interfaces: rewrote GIF configuration using MVC/API
interfaces: temporary flush SLAAC addresses in DHCPv6 WAN mode to avoid using them primarily
interfaces: add peer/peer6 options to CARP VIPs
interfaces: allow to assign a prefix ID to WAN interface in DHCPv6 as well
interfaces: allow to set manual interface ID in DHCPv6 and tracking modes
firewall: performance improvements in alias handling
firewall: refactor pftop output, move search to controller layer and implement cache for sessions page
firewall: support streaming of filter logs for the new dashboard widget
captive portal: add “Allow inbound” option to select interfaces which may enter the zone
captive portal: remove defunct transparent proxy settings
captive portal: clean up the codebase
ipsec: prevent gateway when remote gateway family does not match selected protocol in legacy tunnel configuration
isc-dhcp: do not reload DNS services when editing static mappings to match behaviour with Kea
monit: expose HTTPD username and password settings to GUI
openvpn: optionally support DCO devices for instances
openvpn: remove duplicate and irrelevant data for the client session in question
openvpn: add “remote_cert_tls” option to instances
backend: add “cache_ttl” parameter to allow for generic caching of actions
backend: run default action “configd actions” when none was specified
backend: extended support for streaming actions
ui: assorted improvements for screen readers (contributed by Jason Fayre)
ui: add “select all” to standard form selectors and remove dialog on “clear all” for tokenizers
ui: lock save button while in progress to prevent duplicate input on Bootgrid
ui: backport accessibility fix in Bootstrap
mvc: replaced most of the Phalcon MVC use with a native band compatible implementation
mvc: improve searchRecordsetBase() filtering capabilities
mvc: improve container field cloning
plugins: os-acme-client 4.4 [1]
plugins: os-etpro-telemetry 1.7 replaces dashboard widget
src: FreeBSD 14.1-RELEASE [2]
ports: phalcon 5.8.0 [3]
Migration notes, known issues and limitations:
The dashboard has been replaced. Widgets from the old format are no longer supported and need to be rewritten by the respective authors.
ISC DHCP will no longer reload DNS services on static mapping edits. This is for feature parity with Kea DHCP and avoiding cross-service complications. If you expect your static mappings to show up in a particular DNS service please restart this service manually.
24.7.b (June 13, 2024)¶
Since OPNsense 24.7 will be based on a newer FreeBSD major version it is crucial for us to release these BETA images based on the latest development state. This is not meant for production use but all plugins are provided and future updates of installations based on these images will be possible.
https://pkg.opnsense.org/releases/24.7/
There is a bit more work to be done yet most of the milestones have already been reached. If you have a test deployment or would like to check out some of the new features these images are for you. Together we can make OPNsense better than it ever was.
The final release date for 24.7 is July 24. A release candidate will follow in early July.
Highlights over the current 24.1 series include:
Dashboard replacement with streaming widgets
System: High Availability: Settings page has been converted to MVC
System: Trust section has been converted to MVC/API
Interfaces: GIF section has been converted to MVC/API
Interfaces: GRE section has been converted to MVC/API
Firewall: NAT 1-to-1 has been converted to MVC/API
Added experimental OpenVPN DCO device type support
Added unicast CARP support to Virtual IPs
DHCPv6 on WAN can now assign a prefix subnet to itself and support static interface identifiers
Built-in cache capability for backend commands
Captive portal backend refactor and new “Allow inbound interfaces” option
Large portions of Phalcon MVC have been replaced by native PHP implementation
FreeBSD 14.1
The public key for the 24.7 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAunCgLymz7ichjk+uZ4pR
# XwFX8FxG0KFBf4f6kCfQ+wNF9KTFBELzGg2tXPUmrJD/DzcMqQExP3WyTg0Z96ZW
# HofN2AbOCG84PpNlsKXpaUtm9Ow8kiYh7tn26eX7FaOEPtpJkMiwUymbCJJaPE0O
# smQbWGnJTvF8LTmuviPoiMrPv1cJ0kEyJvjDD0yMw1HrIgwPOazGmTQiuM3LoLOK
# F0KWf2p40c77QDOuGC7AIobQgDkZTabfU7PQUn6gDiKARYCst7y2xX3OQ7foXCJW
# nDDypfbfHixv77mVAeIED0h9ZsQaIHskL2dqqRbFHiY+OHjQTCAJP1Ptm/HGSCdj
# GOjpuD4WXvxru8AgcOCh6GpqO4IbByIHXu+67Ur3UBlxsp4x44lxBWXQzeemVhaS
# ZAmkJNemw51oRDTxYtpR7TF3OlgLAQBOB/0tqHmkbSBouQ6PK7HYzNglu9LStxo1
# uxgMss5q8GoZCkWKvRDz87YceeC75l0aWOVnkOMmC5Lf+fFMJp6TF7BzCi3ZC7CD
# DQchBlE2F98D3E7KiI4vGrLUj3qKwfwV41JSQ8OtwOV+KFGOmyHeNassTQHm1Mdn
# reTzHeusqUdAL7+pXH1XNwoFSZo7A6RoZzTzb0p7WYbKU9SV39DPytsYES7FsyY8
# l7+AsM+sBOY1ngeB/twBzyUCAwEAAQ==
# -----END PUBLIC KEY-----
Please let us know about your experience!
# SHA256 (OPNsense-devel-24.7.b-dvd-amd64.iso.bz2) = af740f12d4363d13e96ad95ac06dd1d659009c345af3e8ff6d544a66200ba93f
# SHA256 (OPNsense-devel-24.7.b-nano-amd64.img.bz2) = 394e150c3cb22b7f2d2b131fc2bcb545355e6a129b7d9afe2ced9c4364bfa862
# SHA256 (OPNsense-devel-24.7.b-serial-amd64.img.bz2) = a8770d247400859e66151aae177171f141ea7064de98728edfc22a77d8d5f447
# SHA256 (OPNsense-devel-24.7.b-vga-amd64.img.bz2) = 046bba7c48312578f819535a0f29210e24f9bcb1e8153256fb15a35a62f3d443