21.10 Series

The OPNsense business edition successfully transitions to this 21.10 release with a new installer including ZFS support, improved central management and Intel network driver updates amongst others.

Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.


21.10.3 (February 10, 2022)

This business release is based on the OPNsense 21.7.8 community version with additional reliability improvements.

Here are the full patch notes:

  • system: remove spurious XML validation that cannot cope with attributes from backup restore

  • system: prevent syslog-ng from crashing after update due to “syslog-ng-ctl reload” use

  • system: changing interface gateway was ignored during route reconfiguration

  • system: cron command drop down size was extending below screen

  • reporting: fix display of total in/out traffic values

  • firewall: removed the $aliastable cache

  • firewall: correctly handle IPv6 NAT in states view

  • firewall: skip rule ID for NAT type log entries (contributed by kulikov-a)

  • firewall: support “no scrub” option in normalisation rules

  • firewall: exclude external alias for nesting

  • network time: remove PID file use as it can be unreliable

  • intrusion detection: update to ET-Open to version 6

  • intrusion detection: prevent config migration from crashing

  • lang: update translations for Chinese, French, German, Italian, Japanese, Norwegian, Spanish, and Turkish

  • captive portal: prevent session removal crashing when no IP address was registered

  • mvc: add getInterfaceConfig endpoint to interface API (contributed by Paolo Asperti)

  • mvc: fix logging of configd errors (contributed by kulikov-a)

  • plugins: os-acme-client 3.8 [1]

  • plugins: os-frr 1.26 [2]

  • plugins: os-openconnect 1.4.2 [3]

  • plugins: os-postfix 1.21 [4]

  • plugins: os-telegraf 1.12.4 [5]

  • plugins: os-wireguard 1.10 [6]

  • src: axgbe: validate contents of gpio expander

  • src: incorrect XSAVE state size [7]

  • src: vPCI compatibility improvements with certain Hyper-V releases [8]

  • src: vt console buffer overflow [9]

  • ports: expat 2.4.2 [10]

  • ports: filterlog 0.6 [11]

  • ports: flock 2.37.2

  • ports: hostapd 2.10 [12]

  • ports: lighttpd 1.4.63 [13]

  • ports: nss 3.74 [14]

  • ports: openssl 1.1.1m [15]

  • ports: openvpn 2.5.5 [16]

  • ports: php 7.4.27 [17]

  • ports: sqlite 3.37.2 [18]

  • ports: strongswan 5.9.5 [19]

  • ports: syslog-ng 3.35.1 [20]

  • ports: unbound 1.14.0 [21]

  • ports: wpa_supplicant 2.10 [22]

A hotfix release was issued as 21.10.3_1:

  • firmware: enable upgrade path to 22.4

  • plugins: os-OPNcentral 1.4 adds improved provisioning to allow unique local content [23]

  • plugins: os-OPNBEcore 1.0.1 supplemental update for os-OPNcentral

  • ports: cyrus-sasl 2.1.28

21.10.2 (January 13, 2022)

This business release is based on the OPNsense 21.7.7 community version with additional reliability improvements.

A new plugin called OPNWAF [1] is being added to this release to offer Apache web server for simple setup of load balancing and reverse proxy scenarios. It also offers ACME protocol support for Let’s Encrypt with a single click.

Here are the full patch notes:

  • system: move logging remnants of Relayd/HAProxy to plugin code

  • system: support XMLRPC authentication using API keys

  • system: system log widget auto-refresh (contributed by kulikov-a)

  • system: fix /etc/ssl/cert.pem permission on backend call

  • interfaces: make is_linklocal() properly detect all link-local addresses (contributed by Per von Zweigbergk)

  • firewall: properly translate “any” port to upper or lower port bound

  • firewall: support any-to-X ranges for rules port input (contributed by kulikov-a)

  • firewall: drop policy based routing validation on interface rules

  • firewall: typo in direction for session diagnostics (contributed by kulikov-a)

  • firewall: fix address direction for states diagnostics (contributed by kulikov-a)

  • firmware: added generic configuration support via opnsense-update.conf

  • firmware: modify the launcher to support -r and -s options

  • firmware: fix upgrade prompt hint

  • firmware: simplify repo file flush

  • captive portal: missing tooltip in session window

  • captive portal: “connected since” malformed due to datetime already being converted

  • dhcp: add current IPv4 address to static lease creation (contributed by Taneli Leppa)

  • intrusion detection: switch to ET-Open Suricata 5 rulesets

  • intrusion detection: support multiple policy property in metadata

  • intrusion detection: update severity of ruleset download skipped log message (contributed by kulikov-a)

  • intrusion detection: update embedded classification.config

  • ipsec: inline only caller of get_configured_vips_list()

  • ipsec: avoid VTI device recreation when using hostnames

  • backend: add configctl “-d” and “-q” options for future use

  • backend: configd profiler call fix

  • ui: prevent browser auto-fill for username/password (contributed by NOYB)

  • src: axgbe: fix I2C timeouts by reissuing command on errors

  • src: axgbe: fix possbile link instabilities

  • src: axgbe: log GPIO signals on EEPROM read fails

  • plugins: os-OPNWAF 1.0 [1]

  • plugins: os-acme-client 3.6 [2]

  • plugins: os-dyndns 1.27 [3]

  • plugins: os-etpro-telemetry 1.6 switches to Suricata 5 rulesets

  • plugins: os-fetchmail removed due to licensing restrictions

  • plugins: os-firewall 1.1 adds “Do not NAT” option

  • plugins: os-frr 1.24 [4]

  • plugins: os-haproxy 3.8 [5]

  • plugins: os-nginx 1.24 [6]

  • plugins: os-telegraf 1.12.3 [7]

  • plugins: os-wireguard 1.9 [8]

  • plugins: os-zabbix-agent 1.10 [9]

  • plugins: os-zabbix-proxy 1.6 [10]

  • ports: curl 7.80.0 [11]

  • ports: dnsmasq fixes multiple regressions

  • ports: nss 3.73 [12]

  • ports: php 7.4.26 [13]

  • ports: phpseclib 2.0.35 [14]

  • ports: suricata 6.0.4 [15]

21.10.1 (December 02, 2021)

This business release is based on the OPNsense 21.7.5 community version with additional reliability improvements.

Please note that OpenSSH was updated to version 8.8 which deprecates ssh-rsa usage which is mainly an issue for client access from the OPNsense system to the outside and can be amended as per the suggestions in the respective release notes.

Here are the full patch notes:

  • system: prevent expired or intermediate CA certificates from being added to trust store by default

  • system: prevent XSS in LDAP attribute return in authentication tester (reported by Orange CERT-CC)

  • system: add product title to auth pages

  • system: fix log search ignoring first character

  • system: add xc0 entry video console entry if node exists

  • system: add automatic outbound NAT logging option

  • system: remove support for obsolete “local” syslog socket plugin request

  • system: prevent setup wizard error in WAN-only configuration

  • system: properly extract keyid string (contributed by kulikov-a)

  • system: show all threads and correct WCPU in activity (contributed by kulikov-a)

  • system: fix display and sorting in activity (contributed by kulikov-a)

  • system: escape shell parameters in cron jobs

  • interfaces: remove obsolete link_interface_to_vlans() function

  • interfaces: inline legacy_interface_rename() function

  • interfaces: verbose output on test port (contributed by kulikov-a)

  • interfaces: let guess_interface_from_ip() find the best match on overlapping subnets (contributed by Jason Crowley)

  • interfaces: improve configurability with LAGG devices

  • firewall: fix non-sticky rule association in port forward

  • firewall: switch failover peer address acquire away from deprecated function

  • firewall: specify overload table on maximum new connections

  • firewall: add loaded item count and last update to aliases page

  • firewall: refactor getInterfaceGateway() to eliminate edge cases with IPsec route-to behaviour

  • firewall: allow alias to skip entry on EmptyLabel (contributed by James Golovich)

  • firewall: improve resolve performance by implementing asynchronous DNS lookups

  • firewall: add live view templates page to respective ACL (contributed by kulikov-a)

  • firewall: replace pfInfo with statistics page

  • firewall: add rules to statistics page (contributed by kulikov-a)

  • firewall: remove defunct “block carp from self” CARP rule

  • dhcp: automatically set AdvRASrcAddress for link-local CARP address

  • dhcp: exclude link-local subnet router advertisements

  • dhcp: show static leases without IP address assignments in the lease pages

  • firmware: do not remove obsolete base files on major upgrades

  • firmware: opnsense-code utility fix for “-d” option (contributed by Patrick M. Hausen)

  • firmware: opnsense-code utility now supports “-u” mode for automatic upgrade after fetch

  • firmware: opnsense-update utility adds separate clean option for obsolete base files

  • firmware: opnsense-update utility is now able to bootstrap its own configuration in “-d” mode

  • firmware: opnsense-update utility no longer assumes “-bkp” by default

  • firmware: opnsense-update utility now supports “-ct package-name” check for type change

  • firmware: opnsense-update utility assorted cleanups

  • firmware: opnsense-update: replace -A before -M and handle single directory -M independently

  • firmware: opnsense-verify: disable verification for repositories without signatures

  • firmware: opnsense-verify: let -l option properly discard duplicate repositories

  • firmware: opnsense-version: support -x effective ABI probing

  • firmware: support ABI hints in the file “firmware-upgrade”

  • ipsec: add charon.max_ikev1_exchanges parameter

  • ipsec: add closeaction parameter (contributed by Patrick M. Hausen)

  • ipsec: add sha256_96 flag (contributed by Patrick M. Hausen)

  • ipsec: rewrite netmask calculation for VTI tunnel setup

  • monit: add link event to alert settings (contributed by Frank Brendel)

  • monit: add polltime to service settings (contributed by Frank Brendel)

  • openvpn: remove obsolete remnants of tun-ipv6

  • unbound: add Abuse.ch ThreatFox list

  • unbound: make so-reuseport conditional upon RSS status

  • backend: static parameters ignored when no dynamic ones exist

  • mvc: replace __toString() calls with string casts

  • ui: prevent event propagation to avoid click() events being forwarded

  • plugins: os-acme-client 3.4 [1]

  • plugins: os-bind 1.19 [2]

  • plugins: os-c-icap log file fix (contributed by Michael Muenz)

  • plugins: os-dnscrypt-proxy 1.10 [3]

  • plugins: os-dyndns 1.26 [4]

  • plugins: os-freeradius 1.9.17 [5]

  • plugins: os-frr 1.23 [6]

  • plugins: os-haproxy 3.7 [7]

  • plugins: os-lldpd will now identify itself as Network Connectivity Device (contributed by Xeroxxx)

  • plugins: os-nut 1.8.1 [8]

  • plugins: os-openconnect 1.4.1 [9]

  • plugins: os-puppet-agent 1.0 [10]

  • plugins: os-qemu-guest-agent 1.1 [11]

  • plugins: os-relayd 2.6 [12]

  • plugins: os-telegraf 1.12.2 [13]

  • plugins: os-theme-rebellion 1.8.8 (contributed by Team Rebellion)

  • plugins: os-vnstat 1.3 [14]

  • plugins: os-wireguard 1.8 [15]

  • src: include RSS kernel support defaulting to off

  • src: axgbe: properly multiplex on reading module signals

  • src: libnetmap: reset errno in nmreq_register_decode()

  • src: pf: remove side effect from nat logging patch

  • src: dummynet: fix mbuf tag allocation failure handling

  • src: aesni: avoid a potential out-of-bounds load in aes_encrypt_icm()

  • src: axgbe: correctly enable RSS driver support by default

  • src: ixgbe: prevent subsequent I2C bus read timeouts

  • src: fix kernel panic in vmci driver initialization [16]

  • src: timezone database information update [17]

  • ports: dnspython 2.1.0 [18]

  • ports: jinja 3.0.1 [19]

  • ports: lighttpd 1.4.61 [20]

  • ports: nss 3.72 [21]

  • ports: openssh 8.8p1 [22]

  • ports: openvpn 2.5.4 [23]

  • ports: pcre2 10.39 [24]

  • ports: php 7.4.25 [25]

  • ports: phpseclib 2.0.34 [26]

  • ports: strongswan 5.9.4 [27]

  • ports: sudo 1.9.8p2 [28]

21.10 (October 14, 2021)

The OPNsense business edition successfully transitions to this 21.10 release with a new installer including ZFS support, improved central management and Intel network driver updates amongst others.

Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.


This business release is based on the OPNsense 21.7.3 community version with additional reliability improvements.

Here are the full patch notes:

  • system: allow automatic user creation on LDAP-based logins

  • system: circular logs are now disabled by default

  • system: default gateway failure state killing is now disabled by default

  • system: allow cron-based restarts of all “restart” action providers

  • system: allow more characters in the certificate/authority organization fields (contributed by Jan De Luyck)

  • system: default RSS widget feed to forum announcements

  • system: prevent use of client certificates in web GUI

  • system: raised encryption standard for encrypted config.xml export

  • system: reload FreeBSD services when reloading all services from console

  • system: add missing ACL for Syslog targets page

  • system: removed NextCloud backup from core functionality

  • system: removed unused traffic API dashboard feed

  • interfaces: add and use unified function is_interface_assigned() to prevent deleting assigned interfaces

  • interfaces: add netstat tree search and improve page layout

  • interfaces: allow interface-based overrides of hardware checksum settings

  • interfaces: correct indent in dhclient configuration

  • interfaces: clear PPPoE SLAAC addresses on linkdown

  • interfaces: flush IPv6 addresses on the correct IPv6 interface when it differs from the IPv4 interface

  • interfaces: improve GRE/GIF configuration handling and dynamic reload behaviour

  • interfaces: packet capture quick select for all interfaces

  • interfaces: refactor DNS lookup and add PTR to output (contributed by Maurice Walker)

  • interfaces: refactored address removal into interfaces_addresses_flush()

  • interfaces: remove duplicated handling of PPP IPv6 interface detection

  • interfaces: replace opportunistic diagnostics IP address lookups with more robust variants

  • interfaces: sync firewall groups after internal create/destroy operations

  • interfaces: use -M option in rtsold invoke in preparation for 22.1

  • firewall: MVC rewrite of the pfTop diagnostics pages under “Sessions”

  • firewall: MVC rewrite of the states diagnostics pages under “States”

  • firewall: add manual reply-to configuration to rules

  • firewall: add quick link to states counter from firewall rule inspection

  • firewall: aliases maximum entries progress bar

  • firewall: allow to specify port ranges for outgoing NAT (contributed by Nikolay Denev)

  • firewall: clarify match/set priority in rules

  • firewall: delete related rules when an interface group is removed

  • firewall: improve alias description/preview

  • firewall: make sure net.pf.request_maxcount and table-entries are always aligned

  • firewall: only set state options on rules when state is being tracked

  • firewall: rename source/destination networks when group name changes

  • firewall: renamed “pfTables” diagnostics to “Aliases”

  • firewall: use permanent promiscuous mode for pflog0

  • dhcp: add shared dhcpd_leases() reader and use it in both lease pages

  • dhcp: always deprecate prefixes in automatic router advertisements

  • dhcp: assorted improvements surrounding dhcpd_staticmap() for real world operation

  • dhcp: fix table header sorting in lease pages (contributed by vnxme)

  • dhcp: lock access to settings pages when interface is not suitable for running a DHCP server

  • dhcp: remove ::/0 route from router advertisements (contributed by Maurice Walker)

  • firmware: also check plugins sync for up to date core package

  • firmware: backend now supports reinstall like opnsense-bootstrap -q

  • firmware: confirm plugin removal dialog

  • firmware: introduced connectivity check

  • firmware: opnsense-patch can now patch installer and updater files

  • firmware: opnsense-update -c option now honours the -f option

  • firmware: opnsense-update improvements for mirror manipulation options

  • firmware: replace php version_compare() call with pkg-version shell command

  • firmware: revoke 21.1 fingerprint

  • firmware: static template for firmware upgrade message

  • firmware: sync plugins in console update

  • ipsec: add auto type for identities

  • ipsec: adhere to system defaults for route-to and reply-to when creating automatic VPN rules

  • ipsec: fix a regression in VTI handling

  • ipsec: fix a regression in rightsubnets for non-mobile phase 2

  • ipsec: identity quoting for ASN1DN and FQDN types with “#” characters

  • ipsec: switched to explicit type selection for identities

  • openvpn: CARP status read cleanups (contributed by vnxme)

  • openvpn: do not create empty router file

  • openvpn: validate tunnel prefix to avoid OpenVPN 2.5 start errors (contributed by kulikov-a)

  • openvpn: improve the cipher parsing

  • openvpn: increase consistency between export types

  • openvpn: offer the ability to export a user without a certificate

  • openvpn: simplify CIDR validation and remove trim() usage

  • openvpn: tls-crypt support (contributed by vnxme)

  • openvpn: untie server-ipv6 from server directive

  • openvpn: use is_interface_assigned() to prevent deletion of assigned instances

  • unbound: add “unbound check” backend action

  • unbound: add qname-minimisation-strict option

  • unbound: allow to retain cache on service reload

  • unbound: automatically add “do-not-query-localhost: no” on DoT when needed

  • unbound: fix /var MFS dilemma for DNSBL after boot

  • unbound: fix domain overrides for private address reverse lookup zones (contributed by Maurice Walker)

  • unbound: register DHCP leases with their matching IP range configured DHCP domain

  • unbound: reject invalid cache data

  • unbound: remove deprecated custom options setting

  • unbound: renamed “blacklist” to “blocklist” for clarity

  • unbound: support insecure-domain directive

  • unbound: switch model to integrate full DNS over TLS support

  • console: throw error when opnsense-importer encounters an encrypted config.xml

  • mvc: allow to unset attribute via setAttributeValue()

  • mvc: reduce differentials in config.xml when saving models

  • rc: opnsense-beep melody database directory

  • ui: improved JS hook_ipv4v6() to jump to /64 on IPv6 and back to /32 on IPv4

  • ui: inject default tooltips into bootgrid formatters

  • ui: work on unification of add buttons by minifying them and adding primary color markup

  • ui: removed $main_buttons magic handler

  • plugins: OPNcentral core requirements are now installed by default via os-OPNBEcore plugin

  • plugins: os-OPNBEcore 1.0

  • plugins: os-OPNcentral 1.3 [2]

  • plugins: os-acme-client 3.2 [3]

  • plugins: os-bind 1.18 [4]

  • plugins: os-chrony 1.4 [5]

  • plugins: os-collectd 1.4 [6]

  • plugins: os-dnscrypt-proxy 1.9 [7]

  • plugins: os-fetchmail 1.1 [8]

  • plugins: os-freeradius 1.9.16 [9]

  • plugins: os-frr 1.22 [10]

  • plugins: os-haproxy 3.5 [11]

  • plugins: os-net-snmp 1.5 [12]

  • plugins: os-nextcloud-backup 1.0

  • plugins: os-nginx Phalcon 4 fixes

  • plugins: os-postfix 1.20 [13]

  • plugins: os-radsecproxy 1.0 (contributed by Tobias Boehnert)

  • plugins: os-realtek-re 1.0 adds Realtek vendor NIC driver module

  • plugins: os-telegraf 1.12.1 [14]

  • plugins: os-tftp 1.0 (contributed by Michael Muenz)

  • plugins: os-tor Phalcon 4 fix

  • src: FreeBSD updates for Intel e1000, ixgbe and ixl drivers

  • src: FreeBSD updates for the pf(4) and iflib(4) subsystems

  • src: compatibility shim for upcoming rtsold “-M” command line option

  • src: dhclient support for VLAN 0 decapsulation

  • src: dhclient: skip_to_semi() consumes semicolon already

  • src: fix libfetch out of bounds read [15]

  • src: fix missing error handling in bhyve(8) device models [16]

  • src: fix remote code execution in ggatec(8) [17]

  • src: iflib: fix partial length accounting error in netmap mode

  • src: lib: add libnetmap and related patches

  • src: rtsold: slightly change address read

  • src: runtime RSS code preparations and assorted related upstream patches

  • src: separately log NAT and firewall rules in pf(4)

  • ports: drop hardening options and switch to FreeBSD ports tree

  • ports: curl 7.79.1 [18]

  • ports: dnsmasq 2.86 [19]

  • ports: filterlog 0.5 removes unused IPv6 options support

  • ports: ifinfo 13.0

  • ports: krb5 1.19.2 [20]

  • ports: monit 5.29.0 [21]

  • ports: mpd5 adds L2TP interoperability fix from upstream

  • ports: nettle 3.7.3

  • ports: nss 3.70 [22]

  • ports: openvpn 2.5.3 [23]

  • ports: pcre 8.45 [24]

  • ports: php 7.4.23 [25]

  • ports: phpseclib 2.0.32 [26]

  • ports: python 3.8.12 [27]

  • ports: strongswan 5.9.3 [28]

  • ports: sudo 1.9.8p1 [29]

  • ports: suricata 6.0.3 [30]

  • ports: syslog-ng 3.34.1 [31]

  • ports: unbound 1.13.2 [32]

Known issues and limitations:

  • NextCloud backup feature moved from core to plugins. Please reinstall if needed.

  • IPsec identities are now set using their explicit type. See StrongSwan documentation [33] for the old automatic defaults.

  • Unbound custom options setting has been discontinued. Local override directory /usr/local/etc/unbound.opnsense.d exists.

  • OpenVPN network input validation changed. Check all clients and servers for GUI errors after upgrade by saving their configuration and removing stray whitespace on errors.

  • OPNcentral plugin is no longer required on managed nodes after upgrade.

The public key for the 21.10 series is:

# -----BEGIN PUBLIC KEY-----
# +vJSn4N8Ex1afuZ/tyXnRwxQ7w0+Hr0Bs8Ygy2X67KQi/7pi5FQ/hIJyEnf5Tm/7
# 7sS6O6XPvu2fg7UN1RBi5VgFJh4vajwhVGUg+EpuMNIgZw7AkWNlULvQSLBHOX7S
# FAthJQQ957OU2RARQA+LVT3wyiLpEhQp0S9h/YAO1tITQKlsPjlU4+0Iv58JZuAG
# lek+FaZyBLqCUF4ItLxGjqO3L4cx5iy3yD7qIOR3dN7tncdEYxQweut8cA80hFUe
# Wy8DgPUKVZRRZnVWSZp9QXzoo9ACLebAv6DOzN17DrVdO0iH6iYr6s/7tDoxtN0G
# +r6huk0tTKQ0UJX7O9l5GAQe+HWFH1WxTU37Pb79BbxXW+9LCUtAZ35HKLmIaQyb
# 6t3Jr0FTX+LtJBMUpWtYIAYjQIH2dlBGbwFRbljsibbSTsi/E+1WW3ob1r5O5fML
# b734CktIXm3HFvQ0qZ4DyIQDZS0J8zoVO2wHjlh9MsxCJdDvDXe6Dbj/Y93SBXVr
# Az8T8YrEwjK0fPt8dB1p+Ue49eYXPs5lJPmB5iaiXlp1VTqUwH2Lm3BZG5bUKded
# zOjHavmTeTXuSKWEYh/UP7mLGeY1FQF0o7VHJfdiJLt/4s2ybM9DNUssjSDBqBRV
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-business-21.10-OpenSSL-dvd-amd64.iso.bz2) = 0060cb221ebc43f1685b12145736a1c2f6a5954fcdf4711cfdb8c820c396d36d
# SHA256 (OPNsense-business-21.10-OpenSSL-nano-amd64.img.bz2) = 6ed0f4aa20878a9fed5e1aa3bc2055c6eebec7363eee1477ced18c982404100e
# SHA256 (OPNsense-business-21.10-OpenSSL-serial-amd64.img.bz2) = bf892938acbbc4a91d8f4f0f0f9c7aee1e5587d7ac7a5b5dcf336f5915769050
# SHA256 (OPNsense-business-21.10-OpenSSL-vga-amd64.img.bz2) = 54ca32990238db54fd830daf787d3a35eaf2ad8dad383948bed3ea2f2d0ddf46