23.10 Series
The OPNsense business edition transitions to this 23.10 release including numerous MVC/API conversions, the new OpenVPN “instances” configuration option, OpenVPN group alias support, deferred authentication for OpenVPN, FreeBSD 13.2, PHP 8.2, rewritten WireGuard kernel plugin plus much more.
Please make sure to read the migration notes before upgrading.
Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.
https://downloads.opnsense.com/
23.10.3 (March 28, 2024)
This business release is based on the OPNsense 23.7.12 community version with additional reliability improvements.
Here are the full patch notes:
system: fix handling of empty “serialusb” node set during import
system: fix assorted PHP deprecation warnings
system: add issuer and logo to OTP link
system: prevent empty “user” node to crash during boot
system: allow 0 length voucher passwords in authentication server
reporting: update traffic graph colors for better contrast and consistency (contributed by brotherla)
interfaces: add missing ACL entries for ARP/NDP tables
interfaces: prevent modal x-axis overflow on packet capture page
firewall: add optional advanced property “State policy” to influence state creation on a per rule base
firewall: change default traffic normalization behavior and choose “in” as standard direction for manual rules
firewall: refactor schedule matching and fix an end-of-the-month bug
firewall: fix incorrect packet counters statistics collection
firewall: fix virtual IP API use with subnet/subnet_bits usage
firewall: fix floating rule display (contributed by lin-xianming)
firewall: fix display of ICMP tooltip (contributed by lin-xianming)
firewall: make select width more consistent on alias diagnostics table selection
ipsec: show EAP-RADIUS settings only when legacy tunnels are being used
unbound: prevent os.write() on None when another thread closed the pipe in Python module
unbound: make atomic copies of root.hints file to hopefully appease Unbound startup problems
unbound: fix missing /lib nullfs mount in chroot
unbound: add aggressive-nsec option toggle (contributed by kulikov-a)
mvc: fix PHP_FLOAT_MIN being unreliable
ui: replace all > and < occurrences in treeview (contributed by lin-xianming)
ui: fix epoch support as number in bootgrid
plugins: os-OPNProxy 1.0.4 removes ident support
plugins: os-OPNWAF 1.3 adds SSLVerifyDepth
ports: curl 8.6.0 [1]
ports: suricata 6.0.17 [2]
ports: unbound 1.19.3 [3]
A hotfix release was issued as 23.10.3_1:
firmware: add fingerprint, migration notes and upgrade hint for 24.4
23.10.2 (February 02, 2024)
This business release is based on the OPNsense 23.7.12 community version with additional reliability improvements.
Here are the full patch notes:
system: add an optional random delay before executing remote backups
system: fix regression in log viewer level selector
system: implement relevant certctl tool functionality in Python to increase performance
system: fix log severity selector (contributed by kulikov-a)
system: include IPv6 link-local interface addresses for web GUI and OpenSSH (contributed by Maurice Walker)
system: update cron and gateways model
system: change ZFS transaction group defaults to avoid excessive disk wear [1]
system: handle case insensitivity while reading groups
system: shuffle authentication templates to the end of login configuration
system: add “maxfilesize” option to enforce a log rotate when files exceed their limit
reporting: OpenVPN server instances were missing from respective health graph
reporting: assorted tweaks for the firmware upgrade script handling Unbound DNS database migration
interfaces: add new backend jobs and extend with optional parameter
interfaces: obey menu group sequence when specified
firewall: improve alias write behaviour by checking for changes beforehand
firewall: fix preg_replace() to avoid truncated network display in rules listing
firewall: validate if GeoIP and BGP ASN targets contain at least 1 kb of data before assuming timestamp is correct
firewall: align GeoIP file check with documentation
firewall: add an ifconfig.debug file
captive portal: fix integer validation in vouchers
dhcp: cache backend action “interface list macdb” to increase responsiveness
dhcp: allow saving with invalid range when IPv4 server is disabled
dhcp: do not clobber $range_to / $range_from with the legacy test for lower 64 bit only input
dhcp: improve the parsing code of IPv6 leases
firmware: switch bogons/changelog set base URL to portable “opnsense-update -X” call
firmware: opnsense-update: avoid rewriting .cshrc and .profile files on base set updates
firmware: add audit messages for relevant API actions
firmware: implement “always reboot” option
firmware: add unlocked mode to launcher script
firmware: use pluggable package repository scripts
firmware: automatically install os-squid plugin when web proxy is enabled before major upgrade
firmware: refactor export and scrub Unbound DNS database before major upgrade
firmware: disallow TLS lower than 1.3 on business mirror
intrusion detection: show rule origin in rule adjustments grid
ipsec: add support for RADIUS class groups in instances
ipsec: extend connection proposals tooltip to children and fix tooltip style issue
lang: assorted language updates
network time: prevent the service from listening on a wildcard when selecting specific interfaces (contributed by doktornotor)
openvpn: add virtual IPv6 address to widget and status page (contributed by cs-1)
openvpn: consider clients missing CARP VHID as disabled
openvpn: add validation for netmask greater than 29 exactly as specified in the OpenVPN source code
openvpn: add workaround for net30/p2p smaller than /29 networks
unbound: use tls-system-cert instead of tls-cert-bundle
unbound: replace JustDomains with Firebog blocklists (contributed by Amy Nagle)
unbound: update root hints
backend: support streaming output using the “stream_output” handler
backend: implement optional trust model and add extended logging
backend: support optional configd configuration files
backend: only parse stream results when configd socket could be opened
mvc: add an IPPortField type
mvc: split configdRun() in order to return a resource which the controller can stream with minimal memory consumption
ui: fix the missing dialog padding in some modals
ui: set a default data-size for increased readability in selectpickers
ui: show tooltip when grid td content does not fit
ui: add double click event to tree view to render a grid dialog
ui: upgrade jqTree to version 1.7.5
plugins: os-OPNBEcore 1.3 adds “any interface” floating rule support
plugins: os-OPNcentral 1.9 adds “any interface” floating rule support and fixes memory consumption with downloads
plugins: os-acme-client 3.20 [2]
plugins: os-bind 1.29 [3]
plugins: os-ddclient 1.20 [4]
plugins: os-dec-hw 1.0 is a Deciso hardware specific dashboard widget
plugins: os-frr 1.38 [5]
plugins: os-node_exporter 1.2 [6]
plugins: os-sunnyvalley 1.4 switches to new repository layout
plugins: os-telegraf 1.12.10 [7]
plugins: os-upnp now reloads on newwanip event
plugins: os-wireguard 2.6 [8]
ports: curl 8.5.0 [9]
ports: nss 3.95 [10]
ports: perl 5.36.3 [11]
ports: php 8.2.14 [12]
ports: phpseclib 3.0.34 [13]
ports: py-netaddr 0.10.1 [14]
ports: squid 6.6 [15]
ports: sudo 1.9.15p5 [16]
23.10.1 (December 13, 2023)
This business release is based on the OPNsense 23.7.9 community version with additional reliability improvements.
Here are the full patch notes:
system: rewrite trust integration for certctl use
system: improve UX on new configuration history page
system: update recovery pattern for /etc/ttys
system: improve service sync UX on high availability settings page
system: migrate gateways to model representation
system: improve backup restore area selection
system: keep polling if watcher cannot load a class to fetch status
system: add “Constraint groups” option to LDAP authentication
system: minor changes related to recent Gateway class refactoring
system: use unified style for “return preg_match” idiom so the caller receives a boolean
system: provide mismatching interface logic without reboot on configuration restore
system: allow new backup API to download latest configuration directly via /api/core/backup/download/this
system: extend restore to be able to migrate older configurations cleanly
system: make trust store reload conditional
system: add SHA-512 password hash compliance option
system: allow special selector for plugins_configure()
system: handle broken menu XML files more gracefully
system: fix PHP warnings and SSH fail on empty “ssh” XML node
system: fix a couple of PHP warnings in auth server pages
system: add support for Google Shared drives backup (contributed by Jeremy Huylebroeck)
system: change wait time to 1 second per round, total of 7 in console prompts
system: update syslog model
system: improve config revision audit ability
system: cleanse system_get_language_code() output
system: safeguard /tmp/PHP_errors.log file before usage
reporting: refactor RRD data retrieval and simplify health page UX
interfaces: make link-local VIPs unique per interface
interfaces: make VIPs sortable and searchable
interfaces: improve assignments page UX and simplify its bridge validation
interfaces: allow multiple IP addresses in DHCP reject clause (contributed by Csaba Kos)
interfaces: enable IPv6 early on trackers
interfaces: do not reload filter in rc.linkup
interfaces: add input validations to VXLAN model (contributed by Monviech)
interfaces: add NO_DAD flag to static IPv6 configurations
interfaces: fix config locking when deleting a VIP node
interfaces: assorted bridge handling improvements
interfaces: prefer GUAs over ULAs when returning addresses
interfaces: improve wireless channel parsing
interfaces: mark WireGuard devices as virtual
interfaces: update LAGG and loopback models
interfaces: improve VIP validation, fix broadcast generation
interfaces: add validation for proxy ARP strict subnet use
interfaces: move interface list widget link to assignments page
firewall: fix regression in BaseContentParser throwing an error
firewall: keep filtered items available longer in live log
firewall: port can be zero in automatic rule so render it accordingly
firewall: minor update to shaper model
firewall: make sure firewall log reading always emits a label
firewall: fix business bogons set fetch
firewall: add section for automatic rules being added at the end of the ruleset
firewall: allow multiple networks given to wrap in the GUI
captive portal: fix log target
firmware: stop using the “pkg+http(s)” scheme which breaks using newer pkg 1.20
firmware: invalidate GUI caches earlier since certctl blocks this longer now
firmware: add root file system to health audit
firmware: stop manually adjusting firmware config structure during factory reset
firmware: clear stray “pkgsave” and “pkgtemp” pkg-upgrade leftovers
firmware: changed LeaseWeb and NYC BUG mirrors to use HTTPS (contributed by jeremiah-rs)
firmware: opnsense-update: new “-X” mode for canonical bogons/changelog set fetch URL
firmware: opnsense-version: support base/kernel hash info
ipsec: count user in “Overview” tab and improve “Mobile Users” tab (contributed by Monviech)
ipsec: make description in connections required (contributed by Michael Muenz)
ipsec: connection proposal sorting and additions
ipsec: mute ipsec.conf related load errors
ipsec: fix typo in VTI protocol family parsing
ipsec: add secondary tunnel address pair for VTI dual-stack purposes
ipsec: add “aes256-sha256” proposal option (no PFS)
ipsec: move save button on mobile page into its own container
lang: assorted updates and completed French translation
lang: update Chinese, Czech, Italian, Korean, Polish and Spanish
monit: minor update to model
openvpn: change verify-client-cert to a server only setting and fix validation
openvpn: do not flush state table on linkdown
openvpn: host bits must not be set for IPv4 server directive in instances
openvpn: obey username_as_common_name setting
unbound: avoid dynamic reloads when possible
unbound: improved UX of the overrides page
unbound: minor update to model
unbound: remove localhost from automatically created ACL
web proxy: handle the major update to version 6 and update model
web proxy: fix setting unknown language directory
backend: pluginctl: improve listing plugins of selected type
backend: add physical_interface and physical_interfaces as template helper function
backend: add file_exists as template helper function
mvc: add hasChanged() to detect changes to the config file
mvc: allow empty value in UniqueConstraint if not required by field
mvc: improve field validation message handling
mvc: fix regression in PortField with setEnableAlias() that would lowercase alias names
mvc: style update in diagnostics, firewall, intrusion detection and ipsec models
mvc: enforce uniqueness and remove validation message in UniqueIdField
mvc: config should be locked before calling checkAndThrowSafeDelete()
mvc: instead of failing invalidate a non-match in CSVListField
mvc: split tree-view template and javascript and hook via controllers
ui: fix the styling of the base form button when overriding the label
ui: trigger change message on toggle and delete
ui: prevent form submit for MVC pages
ui: improve default modal padding
ui: upgrade bootstrap-select to v1.13.18
ui: improve saveFormToEndpoint() UX
plugins: os-OPNBEcore configuration merge improvements
plugins: os-OPNProxy adds TLS client certificate validation
plugins: os-OPNcentral now passes “impersonated_by” revision attribute to connected node
plugins: os-bind 1.28 [1]
plugins: os-c-icap fix for upstream update syntax error (contributed by Andy Binder)
plugins: os-ddclient 1.17 [2]
plugins: os-frr 1.37 [3]
plugins: os-net-snmp fix for directory setup (contributed by doktornotor)
plugins: os-nginx 1.32.2 [4]
plugins: os-openconnect 1.4.5 [5]
plugins: os-rspamd 1.13 [6]
plugins: os-squid adds a meta package for web proxy core removal in 24.1
plugins: os-theme-ciada fix for previous regression
plugins: os-wireguard 2.5 [7]
plugins: os-wireguard-go fix for device registration
src: pf: enable the syncookie feature for IPv6
src: pflog: log packet dropped by default rule with drop
src: re: add Realtek Killer Ethernet E2600 IDs
src: libnetmap: fix interface name parsing restriction
src: tun/tap: correct ref count on cloned cdevs
src: bpf: fix writing of buffer bigger than PAGESIZE
src: net: check per-flow priority code point for untagged traffic
src: libpfctl: implement status counter accessor functions
src: pf: expose syncookie active/inactive status
src: iavf: add explicit ifdi_needs_reset for VLAN changes
src: vmxnet3: do restart on VLAN changes
src: iflib: invert default restart on VLAN changes
src: pf: fix state leak
src: pfctl: fix incorrect mask on dynamic address
src: libpfctl: assorted improvements
src: msdosfs: zero partially valid extended cluster [8]
src: copy_file_range: require CAP_SEEK capability [9]
src: fflush: correct buffer handling in __sflush [10]
src: cap_net: correct capability name from addr2name to name2addr [11]
src: regcomp: use unsigned char when testing for escapes [12]
src: clang: sanitizer failure with ASLR enabled [13]
src: dhclient: do not add 0.0.0.0 interface alias
src: ice: match irdma interface changes
src: ixv: separate VFTA table for each interface
src: pf: expose more syncookie state information to userspace
src: pf: fix mem leaks upon vnet destroy
src: pf: remove incorrect fragmentation check [14]
src: rc: fix restart _precmd issue with _setup
src: re: add support for 8168FP HW rev
src: zfs: check dnode and its data for dirtiness in dnode_is_dirty() [15]
ports: curl 8.4.0 [16]
ports: lighttpd 1.4.73 [17]
ports: nss 3.94 [18]
ports: openssl111 supersedes openssl package
ports: openvpn 2.6.8 [19]
ports: perl 5.36.1 [20]
ports: php 8.2.12 [21]
ports: sqlite 3.44.0 [22]
ports: squid 6.5 [23]
ports: strongswan 5.9.13 [24]
ports: sudo 1.9.15p2 [25]
ports: suricata 6.0.15 [26]
ports: unbound 1.19.0 [27]
A hotfix release was issued as 23.10.1_2:
firewall: fix traceback in OpenVPN group alias due to wrong return type
firewall: fix missing physical_interface() in shaper template
ports: openssh 9.6p1 [28]
23.10 (October 17, 2023)
This business release is based on the OPNsense 23.7.6 community version with additional reliability improvements.
Here are the full patch notes:
system: introduce a gateway watcher service and fix issue with unhandled “loss” trigger when “delay” is also reported
system: disable PHP deprecation notes due to Phalcon emitting such messages breaking the API responses
system: allow “.” DNS search domain override
system: on boot let template generation wait for configd socket for up to 10 seconds
system: improve configuration import when interfaces or console settings do not match
system: add severity filter in system log widget (contributed by kulikov-a)
system: enabled web GUI compression (contributed by kulikov-a)
system: close boot file after probing to avoid lock inheritance
system: fix lock() inheriting the lock state
system: give more context in process kill error case since we operate PID numbers only
system: improve monitoring of down gateways
system: clear all /var/run directories on bootup
system: fix missing config save when RRD data is supplied during backup import
system: defer config reload to SIGHUP in gateway watcher
system: handle “force_down” state correctly in gateway watcher
system: make Gateways class argument optional
system: correctly set RFC 5424 on remote TLS system logging
system: remove hasGateways() and write DHCP router option unconditionally
system: avoid plugin system for gateways monitor status fetch
system: remove passing unused ifconfig data to Gateways class on static pages
system: remove passing unused ifconfig data on gateway monitor status fetch
system: remove the unused “alert interval” option from the gateway configuration
system: pluginctl: allow -f mode to drop config properties
system: switch to /usr/sbin/nologin as authoritative command location
system: remove remaining spurious ifconfig data pass to Gateways class
system: start gateway monitors after firewall rules are in place (contributed by Daggolin)
system: refactor far gateway handling out of default route handling
system: do not mark “defunct” gateway as “disabled” as well
system: skip all unusable gateways for monitoring
system: simplify the code in dpinger_status()
system: rewrite configuration history using MVC/API
system: fix assorted PHP 8.2 deprecation notes
interfaces: rewrite LAGG pages via MVC/API
interfaces: extend/modify IPv6 primary address behaviour
interfaces: allow primary address function to emit device used
interfaces: fix special device name chars used in shell variables
interfaces: prevent IPv6 mismatches when using compressed format in VIP
interfaces: remove descriptive name from newwanip logging
interfaces: typo in MRU handling for PPP
interfaces: improve PPPoE MTU handling
interfaces: switch rtsold to -A mode
interfaces: tweak UX of interface settings page
interfaces: remove workaround to re-reload the routing during bootup for an edge case that no longer exists
interfaces: calculate_ipv6_delegation_length() should take advanced and custom dhcp6c into account
interfaces: teach ifctl to dump all files and its data for an interface
interfaces: remove dead link/hint in GIF table
interfaces: introduce interfaces_restart_by_device()
interfaces: use interfaces_restart_by_device() where appropriate
interfaces: allow get_interface_ipv6() to return in all three IPv6 variants
interfaces: add GRE/GIF/bridge/wlan return values
interfaces: signal wlan device creation success/failure
interfaces: update link functions for GIF/GRE
interfaces: remove the ancient OpenVPN-tap-on-a-bridge magic on IPv4 reload
interfaces: update read-only bridge member code
interfaces: redirect after successful interface add
interfaces: add interface return feature for use on bridges/assignment page
interfaces: VIP model style update
interfaces: implement interface_configure_mtu()
interfaces: allow clean MVC access to primary IPv4 address (pluginctl -4 mode)
interfaces: drop obsolete PPP default route handling
interfaces: change GRE/GIF to split reload per address family on dynamic connectivity
interfaces: prevent reading stale configuration data in interfaces_has_prefix_only()
interfaces: for consistency bootstrap the implicit ‘none’ value of the IP address modes
interfaces: prevent extended array data from being passed in interface_bring_down()
interfaces: fix warning due to use of an unassigned variable
firewall: rewrote group handling using MVC/API
firewall: clean up AliasField to use new getStaticChildren()
firewall: cleanup port forward page and only show the associated filter rule for this entry
firewall: groups were not correctly parsed for menu post-migration
firewall: hide row command buttons for internal groups
firewall: add “ipv6-icmp” to protocol list in shaper
firewall: fix PHP warnings on the rules pages
firewall: do not clone “associated-rule-id”
firewall: missing interface group registration on group creation
firewall: fix group priority handling regression
firewall: improve filter functionality to combine multiple network clauses in states page
firewall: remove old __empty__ options trick from shaper model
firewall: update models for clarity
firewall: fix cleanup issue when renaming an alias
firewall: quote “a/n” protocol in pf.conf to avoid a syntax error
firewall: fix wrong link to virtual IP page
firewall: add “Interface / Invert” rule toggle
firewall: fix help button in dialog for categories
firewall: update alias and shaper models
firewall: sort auto-generated rules by priority set
captive portal: update model
dhcp: rewrote both IPv4 and IPv6 lease pages using MVC/API
dhcp: allow underscores in DNS names from DHCP leases in Dnsmasq and Unbound watchers (contributed by bugfixin)
dhcp: align router advertisements VIP code and exclude /128
dhcp: allow “.” for DNSSL in router advertisements
dhcp: print interface identifier and underlying device in “found no suitable address” warnings
dhcp: check if manufacturer exists for IPv4 lease page to prevent error
dhcp: use base16 for iaid_duid decode for IPv6 lease page to prevent error
dhcp: make dhcrelay code use the Gateways class
dhcp: add scope to link-local DHCPv6 static mapping when creating route for delegated prefix (contributed by Maurice Walker)
dhcp: merge_ipv6_address() was too intrusive
firmware: opnsense-version: remove obsolete “-f” option stub
firmware: fetch bogons/changelogs from amd64 ABI only
firmware: revoke 23.4 fingerprint
firmware: update model for clarity
intrusion detection: fix events originating from “int^” due to IPS mode use
intrusion detection: support “bypass” keyword in user-defined rules (contributed by Monviech)
intrusion detection: update model and persist values for transparency
intrusion detection: improve locking during sqlite database creation
ipsec: only write /var/db/ipsecpinghosts if not empty
ipsec: check IPsec config exists before use (contributed by agh1467)
ipsec: deprecating tunnel configuration in favour of new connections GUI
ipsec: clean up SPDField and VTIField types to use new getStaticChildren()
ipsec: add colon to supported character list for pre-shared key IDs
ipsec: reqid should not stick when copying a phase 1
ipsec: omit conditional authentication properties when not applicable on connections
ipsec: fix key pair generator for secp256k1 EC and add proper naming to GUI (contributed by Manuel Faux)
ipsec: allow the use of eap_id = %any in instances
ipsec: add local_port and remote_port to connections (contributed by Monviech)
ipsec: add IP4_DNS and IP6_DNS configuration payloads to connection pools (contributed by Monviech)
ipsec: require setting a connection pool name
ipsec: update models
monit: fix alert script includes
monit: fix empty timeout value (contributed by Michael Muenz)
monit: update model
network time: support pool directive and maxclock (contributed by Kevin Fason)
network time: fix “Soliciting pool server” regression (contributed by Allan Que)
openvpn: rewrote OpenVPN configuration as “Instances” using MVC/API available as a separate configuration option [2]
openvpn: rewrote client specific overrides using MVC/API
openvpn: fix static key delete
openvpn: fix “mode” typo and push auth “digest” into export config
openvpn: fix race condition when using CRLs in instances
openvpn: remove arbitrary upper bounds on some integer values in instances
openvpn: properly map user groups for authentication
openvpn: bring instances into server field
openvpn: fix separator for redirect-gateway attribute in instances and CSO
openvpn: fix mismatch issue when pinning a CSO to a specific instance
openvpn: add advanced option for optional CA selection
openvpn: fix certificate list for client export when optional CA specified (contributed by Manuel Faux)
openvpn: add CARP VHID tracking for client instances
openvpn: add tun-mtu/fragment/mssfix combo for instances
openvpn: add “route-gateway” advanced option to CSO
openvpn: use new File::file_put_contents() wrapper for instances
openvpn: updated model and clarified “auth” default option
openvpn: force instance interface down before handing it over to daemon
openvpn: add missing up and down scripts to instances (contributed by Daggolin)
openvpn: allow instances authentication without certificates when verify_client_cert is set to none
openvpn: add role to “proto” for TCP sessions as required for TAP type tunnels
openvpn: update model
unbound: rewrote general settings and ACL handling using MVC/API
unbound: add forward-tcp-upstream in advanced settings
unbound: add database import/export functions for when DuckDB version changes on upgrades
unbound: add cache-max-negative-ttl setting (contributed by hp197)
unbound: minor endpoint cleanups for DNS reporting page
unbound: migration of empty nodes failed from 23.1.11 to 23.7
unbound: fix regression when disabling first domain override
unbound: fixed configuration when custom blocks are used (contributed by Evgeny Grin)
unbound: fix concurrent session closing the handle while still writing data in Python module
unbound: properly set a default value for private address configuration
unbound: allow disabled interfaces in interface field
unbound: migrate active/outgoing interfaces discarding invalid values
unbound: UX improvements on several pages
unbound: update model
unbound: avoid dynamic reloads on newwanip events when possible
unbound: add support for wildcard domain lists
web proxy: remove long deprecated “dns_v4_first” setting from GUI
wizard: restrict to validating only IPv4 addresses
backend: template reload wildcard was returning “OK” on partial failures
lang: update translations and add Korean, Polish
mvc: allow legacy services to hook into ApiMutableServiceController
mvc: implement new Trust class usage in OpenVPN client export, captive portal and Syslog-ng
mvc: add generic static record definition for ArrayField
mvc: extend PortField to optionally allow port type aliases
mvc: remove “non-functional” hints from form input elements
mvc: uppercase default label in BaseListField is more likely
mvc: update diagnostics models
mvc: add isLinkLocal()
mvc: emit correct message on required validation in BaseField
mvc: throw on template reload issues in mutable service controller
mvc: inline one time use of $parentKey
mvc: set Required=Y for GroupNameField
mvc: remove special validation messages likely never seen
mvc: introduce isVolatile() for BaseModel
mvc: propagate isFieldChanged() from connected children in ArrayField
mvc: add hasChanged() to detect changes to the config file from other processes
ui: introduce collapsible table headers for MVC forms
ui: add bytes format to standard formatters list
ui: remove the bootstrap-select version from the provided file in the default theme
plugins: remove the bootstrap-select version from the provided file in all themes
plugins: os-OPNBEcore 1.2 (see firmware plugin info)
plugins: os-OPNProxy 1.0.3 bugfixes connect requests and improves logging
plugins: os-OPNWAF 1.0.1 (see firmware plugin info)
plugins: os-OPNcentral 1.7 (see firmware plugin info)
plugins: os-acme-client 3.19 [3]
plugins: os-bind 1.27 [4]
plugins: os-crowdsec 1.0.7 [5]
plugins: os-ddclient 1.16 [6]
plugins: os-dnscrypt-proxy 1.14 [7]
plugins: os-dyndns removed due to unmaintained code base
plugins: os-firewall 1.4 adds port alias support / allows floating rules without interface set (contributed by Michael Muenz)
plugins: os-frr 1.36 [8]
plugins: os-iperf adds rubygem-rexml dependency (contributed by Hannah Kiekens)
plugins: os-relayd 2.7 now supports newer upstream release of relayd
plugins: os-rfc2136 replaces calls to obsolete get_interface_ip[v6]()
plugins: os-smart reverts the use of smartctl to gather disks
plugins: os-sunnyvalley 1.3 changes repository URL (contributed by Sunny Valley Networks)
plugins: os-telegraf 1.12.9 [9]
plugins: os-theme-rebellion 1.8.9 fixes Unbound DNS reporting page
plugins: os-tinc 1.7 adds support for “StrictSubnets” variable (contributed by andrewhotlab)
plugins: os-upnp replaces calls to obsolete get_interface_ip()
plugins: os-wazuh-agent 1.0 [10]
plugins: os-wireguard 2.3 [11]
plugins: os-zabbix62-agent removed due to Zabbix 6.2 EoL
plugins: os-zabbix62-proxy removed due to Zabbix 6.2 EoL
src: FreeBSD 13.2-RELEASE [12]
src: amdtemp: fix missing 49 degree offset on current EPYC CPUs
src: axgbe: LED control for A30 platform
src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode
src: axgbe: gracefully handle i2c bus failures
src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled
src: bhyve: fully reset the fwctl state machine if the guest requests a reset [13]
src: bnxt: do not restart on VLAN changes
src: frag6: avoid a possible integer overflow in fragment handling [14]
src: gif: revert in{,6}_gif_output() misalignment handling
src: ice: do not restart on VLAN changes
src: if_vlan: always default to 802.1
src: iflib: fix panic during driver reload stress test
src: iflib: fix white space and reduce some line lengths
src: igc: sync srrctl buffer sizing with e1000
src: ip_output: ensure that mbufs are mapped if ipsec is enabled
src: ipsec: add PMTUD support
src: ixgbe: add support for 82599 LS
src: ixgbe: check for fw_recovery
src: ixgbe: define IXGBE_LE32_TO_CPUS
src: ixgbe: warn once for unsupported SFPs
src: ixl: add link state polling
src: ixl: port ice’s atomic API to ixl
src: libpfctl: ensure the initial allocation is large enough
src: net80211: fail for unicast traffic without unicast key [15]
src: net: do not overwrite VLAN PCP
src: net: remove VLAN metadata on PCP / VLAN encapsulation
src: pcib: allocate the memory BAR with the MSI-X table [16]
src: pf: handle multiple IPv6 fragment headers
src: rss: set pin_default_swi to 0 by default
src: rtsol: introduce an ‘always’ script
ports: curl 8.3.0 [17]
ports: dnspython 2.4.2
ports: filterlog fix to prevent crash on default rule number -1
ports: nss 3.93 [18]
ports: openldap 2.6.6 [19]
ports: openssl 1.1.1w [20]
ports: openvpn 2.6.6 [21]
ports: perl 5.34.1 [22]
ports: phalcon 5.3.1 [23]
ports: php 8.2.11 [24]
ports: phpseclib 3.0.23 [25]
ports: py-duckdb 0.8.1
ports: py-vici 5.9.11
ports: sqlite 3.43.1 [26]
ports: strongswan 5.9.11 [27]
ports: sudo 1.9.14p3 [28]
ports: suricata 6.0.14 with Netmap V14 API support [29]
ports: syslog-ng 4.4.0 [30]
ports: unbound 1.18.0 [31]
A hotfix release was issued as 23.10_2:
system: detect a on/off password shift when syncing user accounts
firewall: when migrating aliases make sure that nesting does not fail
plugins: os-OPNWAF now requires a description for virtual servers
plugins: os-radsecproxy fixes for stale rc script / pidfile issues
Migration notes, known issues and limitations:
The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups – especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.
Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility “monitor” still exists but is only provided for compatibility reasons with existing user scripts.
IPsec “tunnel settings” GUI is now deprecated and manual migration to the “connections” GUI is possible. There are currently no plans to remove the deprecated legacy component so it can be used without restriction.
The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.
The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. ddclient was end-of-life for a few months this year, but a new release is currently being prepared. In the meantime we have maintained a copy of the software, fixed bugs and shipped upstream patches as they became available in the development version. Also, a native Python backend is available in the same plugin which covers the Dyndns2 protocol, AWS Route 53, Azure, Cloudflare and DuckDNS.
The public key for the 23.10 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu90d9OlhEEqfPTRC5tVp
# XK1KAtvzKPVf2jvmTtWgFRFCB3fuYQcO7oNefXJoK0LaHNQgiOsBTvepVMicl2aI
# zrehgdbljjNFmp6KzEM55x05zOfZV8Gi8AEaJzEbb3rkWLkiXHnANfhHGvtHOrGr
# Hct84NMCcfCZZerwaQMqi+SAjgUzA+asmhAvjN0fbdH2SLx/ZMNzDcyPRFGtGiC7
# RQCzgCGz39ppJP4qordzRSy5YiwCxNe/SL/4ZG04eMVti47BPTCtioBzuASHqALJ
# BVOFzZpr1WZ89PT/T5W6xYzoyWemOyv9Rh+rhaTAhnq+OO4yudaytpPCAtXBULr/
# VOlDOX//qaZR8qbQOC9y9kIETH8Iivis5tonBAQmYPIJiqcxfjM4/R7yP2Q7mEsr
# PLNyP6HNe77JGoW1axNZlB/OL1XUI3r+Kksc2woIqTQ5sq95tHbddNqGIDg4cEOX
# FM5Y7tdvVEwl/nutaAzP07sqEyF8uNScLGsQwpBxHwV/qGGc+PbGqmbmWg3+Kt+e
# UeNcMvrgayhRt+lpVCAorVVjUTp0Y2+1x+V/IpukOaS2oldPIF0iXLZsQ90KYP3X
# QtmuxbiC2Em+eGHB6nSg1UZgUEaAb3xP1fpuLbi9McoUPxMXxVdfihSfSfUFXJTH
# SmqdO1BdG7VSwiQq9Ekbu5UCAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-business-23.10-dvd-amd64.iso.bz2) = a021526f48239f13b954b51b2e4537f43923ed29e7ad85be72266a0887d8be32
# SHA256 (OPNsense-business-23.10-nano-amd64.img.bz2) = 0daa99954c17259f4edb25a58ab8d867670363385211e4d641403f7f3f4b6554
# SHA256 (OPNsense-business-23.10-serial-amd64.img.bz2) = 4f4b320cd2aa2833661ba64d6c8ec31e5f60f0040426cb2a6df729c00a247f8a
# SHA256 (OPNsense-business-23.10-vga-amd64.img.bz2) = f3e672e1e3c7b0fba1bc265688a81cd65ced5053e7751cebce27282dd480c227
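The checksum lines above use the "SHA256 (file) = digest" form. As an added example (not part of these release notes and not OPNsense's own tooling), the following POSIX shell script looks up a downloaded image by file name in such a list, ignoring the leading "# " seen in the block above, computes the local digest with whichever SHA-256 tool the host provides, and reports match, mismatch or "not listed". The sample files and the checksum list it creates at the bottom are constructed for the demo; the file names are placeholders, not real images.

```shell
#!/bin/sh
# Added example, not part of the OPNsense release notes: verify a downloaded
# image against a checksum list written in the "SHA256 (file) = digest" form.
# The sample data created at the bottom is constructed for the demo; point the
# functions at the real image and the real list when using it.

# Print the lowercase hex SHA-256 digest of a file with whichever tool exists
# (sha256sum on Linux, shasum on macOS, sha256 on FreeBSD/OPNsense).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print tolower($1)}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print tolower($1)}'
    else
        sha256 -q "$1" | tr 'A-Z' 'a-z'
    fi
}

# Print the digest recorded for a bare file name in the checksum list, or
# nothing when the name is absent. A leading "# " on a list line is ignored.
expected_sha256() {   # $1 = checksum list, $2 = bare file name
    awk -v name="$2" '
        { sub(/^#[ \t]*/, "") }
        $1 == "SHA256" && $2 == ("(" name ")") { print tolower($4); exit }
    ' "$1"
}

# Exit status: 0 = digest matches, 1 = mismatch, 2 = file not in the list.
verify_image() {      # $1 = checksum list, $2 = path of downloaded image
    want=$(expected_sha256 "$1" "$(basename "$2")")
    [ -n "$want" ] || return 2
    got=$(sha256_of "$2")
    [ "$got" = "$want" ]
}

# Constructed demo data (placeholder names, not real OPNsense images): the
# content "hello\n" has a well-known SHA-256, so one list entry is correct and
# one is deliberately wrong.
demo=$(mktemp -d)
printf 'hello\n' > "$demo/OPNsense-demo-good.img"
printf 'hello\n' > "$demo/OPNsense-demo-bad.img"
cat > "$demo/CHECKSUMS" <<'EOF'
# SHA256 (OPNsense-demo-good.img) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
# SHA256 (OPNsense-demo-bad.img) = 0000000000000000000000000000000000000000000000000000000000000000
EOF
for img in "$demo"/OPNsense-demo-*.img "$demo/not-listed.img"; do
    rc=0
    verify_image "$demo/CHECKSUMS" "$img" || rc=$?
    case $rc in
        0) echo "OK        $(basename "$img")" ;;
        2) echo "UNLISTED  $(basename "$img")" ;;
        *) echo "MISMATCH  $(basename "$img")" ;;
    esac
done
rm -rf "$demo"
```

A matching digest shows that the file you have is the one the published list describes; it says nothing about who published the list, so fetch the list from the same trusted location as the image and compare it against what this page prints.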