23.10 Series

The OPNsense business edition transitions to this 23.10 release including numerous MVC/API conversions, the new OpenVPN “instances” configuration option, OpenVPN group alias support, deferred authentication for OpenVPN, FreeBSD 13.2, PHP 8.2, rewritten WireGuard kernel plugin plus much more.

Please make sure to read the migration notes before upgrading.

Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.

https://downloads.opnsense.com/

23.10.3 (March 28, 2024)

This business release is based on the OPNsense 23.7.12 community version with additional reliability improvements.

Here are the full patch notes:

• system: fix handling of empty “serialusb” node set during import

• system: fix assorted PHP deprecation warnings

• system: add issuer and logo to OTP link

• system: prevent empty “user” node to crash during boot

• system: allow 0 length voucher passwords in authentication server

• reporting: update traffic graph colors to be contrast and consistent (contributed by brotherla)

• interfaces: add missing ACL entries for ARP/NDP tables

• interfaces: prevent modal x-axis overflow on packet capture page

• firewall: add optional advanced property “State policy” to influence state creation on a per rule base

• firewall: change default traffic normalization behavior and choose “in” as standard direction for manual rules

• firewall: refactor schedule matching and fix an end-of-the-month bug

• firewall: fix incorrect packet counters statistics collection

• firewall: fix virtual IP API use with subnet/subnet_bits usage

• firewall: fix floating rule display (contributed by lin-xianming)

• firewall: fix display of ICMP tooltip (contributed by lin-xianming)

• firewall: make select width more consistent on alias diagnostics table selection

• ipsec: show EAP-RADIUS settings only when legacy tunnels are being used

• unbound: prevent os.write() on None when another thread closed the pipe in Python module

• unbound: make atomic copies of root.hints file to hopefully appease Unbound startup problems

• unbound: fix missing /lib nullfs mount in chroot

• unbound: add aggressive-nsec option toggle (contributed by kulikov-a)

• mvc: fix PHP_FLOAT_MIN being unreliable

• ui: replace all > and < occurrences in treeview (contributed by lin-xianming)

• ui: fix epoch support as number in bootgrid

• plugins: os-OPNProxy 1.0.4 removes ident support

• plugins: os-OPNWAF 1.3 adds SSLVerifyDepth

• ports: curl 8.6.0 [1]

• ports: suricata 6.0.17 [2]

• ports: unbound 1.19.3 [3]

A hotfix release was issued as 23.10.3_1:

• firmware: add fingerprint, migration notes and upgrade hint for 24.4

23.10.2 (February 02, 2024)

This business release is based on the OPNsense 23.7.12 community version with additional reliability improvements.

Here are the full patch notes:

• system: add an optional random delay before executing remote backups

• system: fix regression in log viewer level selector

• system: implement relevant certctl tool functionality in Python to increase performance

• system: fix log severity selector (contributed by kulikov-a)

• system: include IPv6 link-local interface addresses for web GUI and OpenSSH (contributed by Maurice Walker)

• system: update cron and gateways model

• system: change ZFS transaction group defaults to avoid excessive disk wear [1]

• system: handle case insensitivity while reading groups

• system: shuffle authentication templates to the end of login configuration

• system: add “maxfilesize” option to enforce a log rotate when files exceed their limit

• reporting: OpenVPN server instances were missing from respective health graph

• reporting: assorted tweaks for the firmware upgrade script handling Unbound DNS database migration

• interfaces: add new backend jobs and extend with optional parameter

• interfaces: obey menu group sequence when specified

• firewall: improve alias write behaviour by checking for changes beforehand

• firewall: fix preg_replace() to avoid truncated network display in rules listing

• firewall: validate if GeoIP and BGP ASN targets contain at least 1 kb of data before assuming timestamp is correct

• firewall: align GeoIP file check with documentation

• firewall: add an ifconfig.debug file

• captive portal: fix integer validation in vouchers

• dhcp: cache backend action “interface list macdb” to increase responsiveness

• dhcp: allow saving with invalid range when IPv4 server is disabled

• dhcp: do not clobber $range_to / $range_from with the legacy test for lower 64 bit only input

• dhcp: improve the parsing code of IPv6 leases

• firmware: switch bogons/changelog set base URL to portable “opnsense-update -X” call

• firmware: opnsense-update: avoid rewriting .cshrc and .profile files on base set updates

• firmware: add audit messages for relevant API actions

• firmware: implement “always reboot” option

• firmware: add unlocked mode to launcher script

• firmware: use pluggable package repository scripts

• firmware: automatically install os-squid plugin install when web proxy is enabled before major upgrade

• firmware: refactor export and scrub Unbound DNS database before major upgrade

• firmware: disallow TLS lower than 1.3 on business mirror

• intrusion detection: show rule origin in rule adjustments grid

• ipsec: add support for RADIUS class groups in instances

• ipsec: extend connection proposals tooltip to children and fix tooltip style issue

• lang: assorted language updates

• network time: prevent the service from listening on a wildcard when selecting specific interfaces (contributed by doktornotor)

• openvpn: add virtual IPv6 address to widget and status page (contributed by cs-1)

• openvpn: consider clients missing CARP VHID as disabled

• openvpn: add validation for netmask greater than 29 exactly as specified in the OpenVPN source code

• openvpn: add workaround for net30/p2p smaller than /29 networks

• unbound: use tls-system-cert instead of tls-cert-bundle

• unbound: replace JustDomains with Firebog blocklists (contributed by Amy Nagle)

• unbound: update root hints

• backend: support streaming output using the “stream_output” handler

• backend: implement optional trust model and add extended logging

• backend: support optional configd configuration files

• backend: only parse stream results when configd socket could be opened

• mvc: add an IPPortField type

• mvc: split configdRun() in order to return a resource which the controller can stream with minimal memory consumption

• ui: fix the missing dialog padding in some modals

• ui: set a default data-size for increased readability in selectpickers

• ui: show tooltip when grid td content does not fit

• ui: add double click event to tree view to render a grid dialog

• ui: upgrade jqTree to version 1.7.5

• plugins: os-OPNBEcore 1.3 adds “any interface” floating rule support

• plugins: os-OPNcentral 1.9 adds “any interface” floating rule support and fixes memory consumption with downloads

• plugins: os-acme-client 3.20 [2]

• plugins: os-bind 1.29 [3]

• plugins: os-ddclient 1.20 [4]

• plugins: os-dec-hw 1.0 is a Deciso hardware specific dashboard widget

• plugins: os-frr 1.38 [5]

• plugins: os-node_exporter 1.2 [6]

• plugins: os-sunnyvalley 1.4 switches to new repository layout

• plugins: os-telegraf 1.12.10 [7]

• plugins: os-upnp now reloads on newwanip event

• plugins: os-wireguard 2.6 [8]

• ports: curl 8.5.0 [9]

• ports: nss 3.95 [10]

• ports: perl 5.36.3 [11]

• ports: php 8.2.14 [12]

• ports: phpseclib 3.0.34 [13]

• ports: py-netaddr 0.10.1 [14]

• ports: squid 6.6 [15]

• ports: sudo 1.9.15p5 [16]

23.10.1 (December 13, 2023)

This business release is based on the OPNsense 23.7.9 community version with additional reliability improvements.

Here are the full patch notes:

• system: rewrite trust integration for certctl use

• system: improve UX on new configuration history page

• system: update recovery pattern for /etc/ttys

• system: improve service sync UX on high availability settings page

• system: migrate gateways to model representation

• system: improve backup restore area selection

• system: keep polling if watcher cannot load a class to fetch status

• system: add “Constraint groups” option to LDAP authentication

• system: minor changes related to recent Gateway class refactoring

• system: use unified style for “return preg_match” idiom so the caller receives a boolean

• system: provide mismatching interface logic without reboot on configuration restore

• system: allow new backup API to download latest configuration directly via /api/core/backup/download/this

• system: extend restore to be able to migrate older configurations cleanly

• system: make trust store reload conditional

• system: add SHA-512 password hash compliance option

• system: allow special selector for plugins_configure()

• system: handle broken menu XML files more gracefully

• system: fix PHP warnings and SSH fail on empty “ssh” XML node

• system: fix a couple of PHP warnings in auth server pages

• system: add support for Google Shared drives backup (contributed by Jeremy Huylebroeck)

• system: change wait time to 1 second per round, total of 7 in console prompts

• system: update syslog model

• system: improve config revision audit ability

• system: cleanse system_get_language_code() output

• system: safeguard /tmp/PHP_errors.log file before usage

• reporting: refactor RRD data retrieval and simplify health page UX

• interfaces: make link-local VIPs unique per interface

• interfaces: make VIPs sortable and searchable

• interfaces: improve assignments page UX and simplify its bridge validation

• interfaces: allow multiple IP addresses in DHCP reject clause (contributed by Csaba Kos)

• interfaces: enable IPv6 early on trackers

• interfaces: do not reload filter in rc.linkup

• interfaces: add input validations to VXLAN model (contributed by Monviech)

• interfaces: add NO_DAD flag to static IPv6 configurations

• interfaces: fix config locking when deleting a VIP node

• interfaces: assorted bridge handling improvements

• interfaces: prefer GUAs over ULAs when returning addresses

• interfaces: improve wireless channel parsing

• interfaces: mark WireGuard devices as virtual

• interfaces: update LAGG and loopback models

• interfaces: improve VIP validation, fix broadcast generation

• interfaces: add validation for proxy ARP strict subnet use

• interfaces: move interface list widget link to assignments page

• firewall: fix regression in BaseContentParser throwing an error

• firewall: keep filtered items available longer in live log

• firewall: port can be zero in automatic rule so render it accordingly

• firewall: minor update to shaper model

• firewall: make sure firewall log reading always emits a label

• firewall: fix business bogons set fetch

• firewall: add section for automatic rules being added at the end of the ruleset

• firewall: allow multiple networks given to wrap in the GUI

• captive portal: fix log target

• firmware: stop using the “pkg+http(s)” scheme which breaks using newer pkg 1.20

• firmware: invalidate GUI caches earlier since certctl blocks this longer now

• firmware: add root file system to health audit

• firmware: stop manually adjusting firmware config structure during factory reset

• firmware: clear stray “pkgsave” and “pkgtemp” pkg-upgrade leftovers

• firmware: changed LeaseWeb and NYC BUG mirrors to use HTTPS (contributed by jeremiah-rs)

• firmware: opnsense-update: new “-X” mode for canonical bogons/changelog set fetch URL

• firmware: opnsense-version: support base/kernel hash info

• ipsec: count user in “Overview” tab and improve “Mobile Users” tab (contributed by Monviech)

• ipsec: make description in connections required (contributed by Michael Muenz)

• ipsec: connection proposal sorting and additions

• ipsec: mute ipsec.conf related load errors

• ipsec: fix typo in VTI protocol family parsing

• ipsec: add secondary tunnel address pair for VTI dual-stack purposes

• ipsec: add “aes256-sha256” proposal option (no PFS)

• ipsec: move save button on mobile page into its own container

• lang: assorted updates and completed French translation

• lang: update Chinese, Czech, Italian, Korean, Polish and Spanish

• monit: minor update to model

• openvpn: change verify-client-cert to a server only setting and fix validation

• openvpn: do not flush state table on linkdown

• openvpn: host bits must not be set for IPv4 server directive in instances

• openvpn: obey username_as_common_name setting

• unbound: avoid dynamic reloads when possible

• unbound: improved UX of the overrides page

• unbound: minor update to model

• unbound: remove localhost from automatically created ACL

• web proxy: handle the major update to version 6 and update model

• web proxy: fix setting unknown language directory

• backend: pluginctl: improve listing plugins of selected type

• backend: add physical_interface and physical_interfaces as template helper function

• backend: add file_exists as template helper function

• mvc: add hasChanged() to detect changes to the config file

• mvc: allow empty value in UniqueConstraint if not required by field

• mvc: improve field validation message handling

• mvc: fix regression in PortField with setEnableAlias() that would lowercase alias names

• mvc: style update in diagnostics, firewall, intrusion detection and ipsec models

• mvc: enforce uniqueness and remove validation message in UnqiueIdField

• mvc: config should be locked before calling checkAndThrowSafeDelete()

• mvc: instead of failing invalidate a non-match in CSVListField

• mvc: split tree-view template and javascript and hook via controllers

• ui: fix the styling of the base form button when overriding the label

• ui: trigger change message on toggle and delete

• ui: prevent form submit for MVC pages

• ui: improve default modal padding

• ui: upgrade bootstrap-select to v1.13.18

• ui: improve saveFormToEndpoint() UX

• plugins: os-OPNBEcore configuration merge improvements

• plugins: os-OPNProxy adds TLS client certificate validation

• plugins: os-OPNcentral now passes “impersonated_by” revision attribute to connected node

• plugins: os-bind 1.28 [1]

• plugins: os-c-icap fix for upstream update syntax error (contributed by Andy Binder)

• plugins: os-ddclient 1.17 [2]

• plugins: os-frr 1.37 [3]

• plugins: os-net-snmp fix for directory setup (contributed by doktornotor)

• plugins: os-nginx 1.32.2 [4]

• plugins: os-openconnect 1.4.5 [5]

• plugins: os-rspamd 1.13 [6]

• plugins: os-squid adds a meta package for web proxy core removal in 24.1

• plugins: os-theme-ciada fix for previous regression

• plugins: os-wireguard 2.5 [7]

• plugins: os-wireguard-go fix for device registration

• src: pf: enable the syncookie feature for IPv6

• src: pflog: log packet dropped by default rule with drop

• src: re: add Realtek Killer Ethernet E2600 IDs

• src: libnetmap: fix interface name parsing restriction

• src: tun/tap: correct ref count on cloned cdevs

• src: bpf: fix writing of buffer bigger than PAGESIZE

• src: net: check per-flow priority code point for untagged traffic

• src: libpfctl: implement status counter accessor functions

• src: pf: expose syncookie active/inactive status

• src: iavf: add explicit ifdi_needs_reset for VLAN changes

• src: vmxnet3: do restart on VLAN changes

• src: iflib: invert default restart on VLAN changes

• src: pf: fix state leak

• src: pfctl: fix incorrect mask on dynamic address

• src: libpfctl: assorted improvements

• src: msdosfs: zero partially valid extended cluster [8]

• src: copy_file_range: require CAP_SEEK capability [9]

• src: fflush: correct buffer handling in __sflush [10]

• src: cap_net: correct capability name from addr2name to name2addr [11]

• src: regcomp: use unsigned char when testing for escapes [12]

• src: clang: sanitizer failure with ASLR enabled [13]

• src: dhclient: do not add 0.0.0.0 interface alias

• src: ice: match irdma interface changes

• src: ixv: separate VFTA table for each interface

• src: pf: expose more syncookie state information to userspace

• src: pf: fix mem leaks upon vnet destroy

• src: pf: remove incorrect fragmentation check [14]

• src: rc: fix restart _precmd issue with _setup

• src: re: add support for 8168FP HW rev

• src: zfs: check dnode and its data for dirtiness in dnode_is_dirty() [15]

• ports: curl 8.4.0 [16]

• ports: lighttpd 1.4.73 [17]

• ports: nss 3.94 [18]

• ports: openssl111 supersedes openssl package

• ports: openvpn 2.6.8 [19]

• ports: perl 5.36.1 [20]

• ports: php 8.2.12 [21]

• ports: sqlite 3.44.0 [22]

• ports: squid 6.5 [23]

• ports: strongswan 5.9.13 [24]

• ports: sudo 1.9.15p2 [25]

• ports: suricata 6.0.15 [26]

• ports: unbound 1.19.0 [27]

A hotfix release was issued as 23.10.1_2:

• firewall: fix traceback in OpenVPN group alias due to wrong return type

• firewall: fix missing physical_interface() in shaper template

• ports: openssh 9.6p1 [28]

23.10 (October 17, 2023)

The OPNsense business edition transitions to this 23.10 release including numerous MVC/API conversions, the new OpenVPN “instances” configuration option, OpenVPN group alias support, deferred authentication for OpenVPN, FreeBSD 13.2, PHP 8.2, rewritten WireGuard kernel plugin plus much more.

Please make sure to read the migration notes before upgrading.

Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.

https://downloads.opnsense.com/

This business release is based on the OPNsense 23.7.6 community version with additional reliability improvements.

Here are the full patch notes:

• system: introduce a gateway watcher service and fix issue with unhandled “loss” trigger when “delay” is also reported

• system: disable PHP deprecation notes due to Phalcon emitting such messages breaking the API responses

• system: allow “.” DNS search domain override

• system: on boot let template generation wait for configd socket for up to 10 seconds

• system: improve configuration import when interfaces or console settings do not match

• system: add severity filter in system log widget (contributed by kulikov-a)

• system: enabled web GUI compression (contributed by kulikov-a)

• system: close boot file after probing to avoid lock inheritance

• system: fix lock() inheriting the lock state

• system: give more context in process kill error case since we operate PID numbers only

• system: improve monitoring of down gateways

• system: clear all /var/run directories on bootup

• system: fix missing config save when RRD data is supplied during backup import

• system: defer config reload to SIGHUP in gateway watcher

• system: handle “force_down” state correctly in gateway watcher

• system: make Gateways class argument optional

• system: correctly set RFC 5424 on remote TLS system logging

• system: remove hasGateways() and write DHCP router option unconditionally

• system: avoid plugin system for gateways monitor status fetch

• system: remove passing unused ifconfig data to Gateways class on static pages

• system: remove passing unused ifconfig data on gateway monitor status fetch

• system: remove the unused “alert interval” option from the gateway configuration

• system: pluginctl: allow -f mode to drop config properties

• system: switch to /usr/sbin/nologin as authoritative command location

• system: remove remaining spurious ifconfig data pass to Gateways class

• system: start gateway monitors after firewall rules are in place (contributed by Daggolin)

• system: refactor far gateway handling out of default route handling

• system: do not mark “defunct” gateway as “disabled” as well

• system: skip all unusable gateways for monitoring

• system: simplify the code in dpinger_status()

• system: rewrite configuration history using MVC/API

• system: fix assorted PHP 8.2 deprecation notes

• interfaces: rewrite LAGG pages via MVC/API

• interfaces: extend/modify IPv6 primary address behaviour

• interfaces: allow primary address function to emit device used

• interfaces: fix special device name chars used in shell variables

• interfaces: prevent IPv6 mismatches when using compressed format in VIP

• interfaces: remove descriptive name from newwanip logging

• interfaces: typo in MRU handling for PPP

• interfaces: improve PPPoE MTU handling

• interfaces: switch rtsold to -A mode

• interfaces: tweak UX of interface settings page

• interfaces: remove workaround to re-reload the routing during bootup for edge case that no longer exist

• interfaces: calculate_ipv6_delegation_length() should take advanced and custom dhcp6c into account

• interfaces: teach ifctl to dump all files and its data for an interface

• interfaces: remove dead link/hint in GIF table

• interfaces: introduce interfaces_restart_by_device()

• interfaces: use interfaces_restart_by_device() where appropriate

• interfaces: allow get_interface_ipv6() to return in all three IPv6 variants

• interfaces: add GRE/GIF/bridge/wlan return values

• interfaces: signal wlan device creation success/failure

• interfaces: update link functions for GIF/GRE

• interfaces: remove the ancient OpenVPN-tap-on-a-bridge magic on IPv4 reload

• interfaces: update read-only bridge member code

• interfaces: redirect after successful interface add

• interfaces: add interface return feature for use on bridges/assignment page

• interfaces: VIP model style update

• interfaces: implement interface_configure_mtu()

• interfaces: allow clean MVC access to primary IPv4 address (pluginctl -4 mode)

• interfaces: drop obsolete PPP default route handling

• interfaces: change GRE/GIF to split reload per address family on dynamic connectivity

• interfaces: prevent reading stale configuration data in interfaces_has_prefix_only()

• interfaces: for consistency bootstrap the implicit ‘none’ value of the IP address modes

• interfaces: prevent extended array data from being passed in interface_bring_down()

• interfaces: fix warning due to use of an unassigned variable

• firewall: rewrote group handling using MVC/API

• firewall: clean up AliasField to use new getStaticChildren()

• firewall: cleanup port forward page and only show the associated filter rule for this entry

• firewall: groups were not correctly parsed for menu post-migration

• firewall: hide row command buttons for internal groups

• firewall: add “ipv6-icmp” to protocol list in shaper

• firewall: fix PHP warnings on the rules pages

• firewall: do not clone “associated-rule-id”

• firewall: missing interface group registration on group creation

• firewall: fix group priority handling regression

• firewall: improve filter functionality to combine multiple network clauses in states page

• firewall: remove old __empty__ options trick from shaper model

• firewall: update models for clarity

• firewall: fix cleanup issue when renaming an alias

• firewall: quote “a/n” protocol in pf.conf to avoid a syntax error

• firewall: fix wrong link to virtual IP page

• firewall: add “Interface / Invert” rule toggle

• firewall: fix help button in dialog for categories

• firewall: update alias and shaper models

• firewall: sort auto-generated rules by priority set

• captive portal: update model

• dhcp: rewrote both IPv4 and IPv6 lease pages using MVC/API

• dhcp: allow underscores in DNS names from DHCP leases in Dnsmasq and Unbound watchers (contributed by bugfixin)

• dhcp: align router advertisements VIP code and exclude /128

• dhcp: allow “.” for DNSSL in router advertisements

• dhcp: print interface identifier and underlying device in “found no suitable address” warnings

• dhcp: check if manufacturer exists for IPv4 lease page to prevent error

• dhcp: use base16 for iaid_duid decode for IPv6 lease page to prevent error

• dhcp: make dhcrelay code use the Gateways class

• dhcp: add scope to link-local DHCPv6 static mapping when creating route for delegated prefix (contributed by Maurice Walker)

• dhcp: merge_ipv6_address() was too intrusive

• firmware: opnsense-version: remove obsolete “-f” option stub

• firmware: fetch bogons/changelogs from amd64 ABI only

• firmware: revoke 23.4 fingerprint

• firmware: update model for clarity

• intrusion detection: fix events originating from “int^” due to IPS mode use

• intrusion detection: support “bypass” keyword in user-defined rules (contributed by Monviech)

• intrusion detection: update model and persist values for transparency

• intrusion detection: improve locking during sqlite database creation

• ipsec: only write /var/db/ipsecpinghosts if not empty

• ipsec: check IPsec config exists before use (contributed by agh1467)

• ipsec: deprecating tunnel configuration in favour of new connections GUI

• ipsec: clean up SPDField and VTIField types to use new getStaticChildren()

• ipsec: add colon to supported character list for pre-shared key IDs

• ipsec: reqid should not stick when copying a phase 1

• ipsec: omit conditional authentication properties when not applicable on connections

• ipsec: fix key pair generator for secp256k1 EC and add properer naming to GUI (contributed by Manuel Faux)

• ipsec: allow the use of eap_id = %any in instances

• ipsec: add local_port and remote_port to connections (contributed by Monviech)

• ipsec: add IP4_DNS and IP6_DNS configuration payloads to connection pools (contributed by Monviech)

• ipsec: require setting a connection pool name

• ipsec: update models

• monit: fix alert script includes

• monit: fix empty timeout value (contributed by Michael Muenz)

• monit: update model

• network time: support pool directive and maxclock (contributed by Kevin Fason)

• network time: fix “Soliciting pool server” regression (contributed by Allan Que)

• openvpn: rewrote OpenVPN configuration as “Instances” using MVC/API available as a separate configuration option [2]

• openvpn: rewrote client specific overrides using MVC/API

• openvpn: fix static key delete

• openvpn: fix “mode” typo and push auth “digest” into export config

• openvpn: fix race condition when using CRLs in instances

• openvpn: remove arbitrary upper bounds on some integer values in instances

• openvpn: properly map user groups for authentication

• openvpn: bring instances into server field

• openvpn: fix separator for redirect-gateway attribute in instances and CSO

• openvpn: fix mismatch issue when pinning a CSO to a specific instance

• openvpn: add advanced option for optional CA selection

• openvpn: fix certificate list for client export when optional CA specified (contributed by Manuel Faux)

• openvpn: add CARP VHID tracking for client instances

• openvpn: add tun-mtu/fragment/mssfix combo for instances

• openvpn: add “route-gateway” advanced option to CSO

• openvpn: use new File::file_put_contents() wrapper for instances

• openvpn: updated model and clarified “auth” default option

• openvpn: force instance interface down before handing it over to daemon

• openvpn: add missing up and down scripts to instances (contributed by Daggolin)

• openvpn: allow instances authentication without certificates when verify_client_cert is set to none

• openvpn: add role to “proto” for TCP sessions as required for TAP type tunnels

• openvpn: update model

• unbound: rewrote general settings and ACL handling using MVC/API

• unbound: add forward-tcp-upstream in advanced settings

• unbound: add database import/export functions for when DuckDB version changes on upgrades

• unbound: add cache-max-negative-ttl setting (contributed by hp197)

• unbound: minor endpoint cleanups for DNS reporting page

• unbound: migration of empty nodes failed from 23.1.11 to 23.7

• unbound: fix regression when disabling first domain override

• unbound: fixed configuration when custom blocks are used (contributed by Evgeny Grin)

• unbound: fix concurrent session closing the handle while still writing data in Python module

• unbound: properly set a default value for private address configuration

• unbound: allow disabled interfaces in interface field

• unbound: migrate active/outgoing interfaces discarding invalid values

• unbound: UX improvements on several pages

• unbound: update model

• unbound: avoid dynamic reloads on newwanip events when possible

• unbound: add support for wildcard domain lists

• web proxy: remove long deprecated “dns_v4_first” setting from GUI

• wizard: restrict to validating only IPv4 addresses

• backend: template reload wildcard was returning “OK” on partial failures

• lang: update translations and add Korean, Polish

• mvc: allow legacy services to hook into ApiMutableServiceController

• mvc: implement new Trust class usage in OpenVPN client export, captive portal and Syslog-ng

• mvc: add generic static record definition for ArrayField

• mvc: extend PortField to optionally allow port type aliases

• mvc: remove “non-functional” hints from form input elements

• mvc: uppercase default label in BaseListField is more likely

• mvc: update diagnostics models

• mvc: add isLinkLocal()

• mvc: emit correct message on required validation in BaseField

• mvc: throw on template reload issues in mutable service controller

• mvc: inline one time use of $parentKey

• mvc: set Required=Y for GroupNameField

• mvc: remove special validation messages likely never seen

• mvc: introduce isVolatile() for BaseModel

• mvc: propagate isFieldChanged() from connected children in ArrayField

• mvc: add hasChanged() to detect changes to the config file from other processes

• ui: introduce collapsible table headers for MVC forms

• ui: add bytes format to standard formatters list

• ui: remove the bootstrap-select version from the provided file in the default theme

• plugins: remove the bootstrap-select version from the provided file in all themes

• plugins: os-OPNBEcore 1.2 (see firmware plugin info)

• plugins: os-OPNProxy 1.0.3 bugfixes connect requests and improves logging

• plugins: os-OPNWAF 1.0.1 (see firmware plugin info)

• plugins: os-OPNcentral 1.7 (see firmware plugin info)

• plugins: os-acme-client 3.19 [3]

• plugins: os-bind 1.27 [4]

• plugins: os-crowdsec 1.0.7 [5]

• plugins: os-ddclient 1.16 [6]

• plugins: os-dnscrypt-proxy 1.14 [7]

• plugins: os-dyndns removed due to unmaintained code base

• plugins: os-firewall 1.4 adds port alias support / allows floating rules without interface set (contributed by Michael Muenz)

• plugins: os-frr 1.36 [8]

• plugins: os-iperf adds rubygem-rexml dependency (contributed by Hannah Kiekens)

• plugins: os-relayd 2.7 now supports newer upstream release of relayd

• plugins: os-rfc2136 replaces calls to obsolete get_interface_ip[v6]()

• plugins: os-smart reverts the use of smartctl to gather disks

• plugins: os-sunnyvalley 1.3 changes repository URL (contributed by Sunny Valley Networks)

• plugins: os-telegraf 1.12.9 [9]

• plugins: os-theme-rebellion 1.8.9 fixes Unbound DNS reporting page

• plugins: os-tinc 1.7 adds support for “StrictSubnets” variable (contributed by andrewhotlab)

• plugins: os-upnp replaces calls to obsolete get_interface_ip()

• plugins: os-wazuh-agent 1.0 [10]

• plugins: os-wireguard 2.3 [11]

• plugins: os-zabbix62-agent removed due to Zabbix 6.2 EoL

• plugins: os-zabbix62-proxy removed due to Zabbix 6.2 EoL

• src: FreeBSD 13.2-RELEASE [12]

• src: amdtemp: Fix missing 49 degree offset on current EPYC CPUs

• src: axgbe: LED control for A30 platform

• src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode

• src: axgbe: gracefully handle i2c bus failures

• src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled

• src: bhyve: fully reset the fwctl state machine if the guest requests a reset [13]

• src: bnxt: do not restart on VLAN changes

• src: frag6: avoid a possible integer overflow in fragment handling [14]

• src: gif: revert in{,6}_gif_output() misalignment handling

• src: ice: do not restart on VLAN changes

• src: if_vlan: always default to 802.1

• src: iflib: fix panic during driver reload stress test

• src: iflib: fix white space and reduce some line lengths

• src: igc: sync srrctl buffer sizing with e1000

• src: ip_output: ensure that mbufs are mapped if ipsec is enabled

• src: ipsec: add PMTUD support

• src: ixgbe: add support for 82599 LS

• src: ixgbe: check for fw_recovery

• src: ixgbe: define IXGBE_LE32_TO_CPUS

• src: ixgbe: warn once for unsupported SFPs

• src: ixl: add link state polling

• src: ixl: port ice’s atomic API to ixl

• src: libpfctl: ensure the initial allocation is large enough

• src: net80211: fail for unicast traffic without unicast key [15]

• src: net: do not overwrite VLAN PCP

• src: net: remove VLAN metadata on PCP / VLAN encapsulation

• src: pcib: allocate the memory BAR with the MSI-X table [16]

• src: pf: handle multiple IPv6 fragment headers

• src: rss: set pin_default_swi to 0 by default

• src: rtsol: introduce an ‘always’ script

• ports: curl 8.3.0 [17]

• ports: dnspython 2.4.2

• ports: filterlog fix to prevent crash on default rule number -1

• ports: nss 3.93 [18]

• ports: openldap 2.6.6 [19]

• ports: openssl 1.1.1w [20]

• ports: openvpn 2.6.6 [21]

• ports: perl 5.34.1 [22]

• ports: phalcon 5.3.1 [23]

• ports: php 8.2.11 [24]

• ports: phpseclib 3.0.23 [25]

• ports: py-duckdb 0.8.1

• ports: py-vici 5.9.11

• ports: sqlite 3.43.1 [26]

• ports: strongswan 5.9.11 [27]

• ports: sudo 1.9.14p3 [28]

• ports: suricata 6.0.14 with Netmmap V14 API support [29]

• ports: syslog-ng 4.4.0 [30]

• ports: unbound 1.18.0 [31]

A hotfix release was issued as 23.10_2:

• system: detect a on/off password shift when syncing user accounts

• firewall: when migrating aliases make sure that nesting does not fail

• plugins: os-OPNWAF now requires a descrption for virtual servers

• plugins: os-radsecproxy fixes for stale rc script / pidfile issues

Migration notes, known issues and limitations:

• The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups – especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.

• Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility “monitor” still exists but is only provided for compatibility reasons with existing user scripts.

• IPsec “tunnel settings” GUI is now deprecated and manual migration to the “connections” GUI is possible. There are currently no plans to remove the deprecated legacy component so it can be used without restriction.

• The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.

• The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. Ddclient used to be EoL for a few months this year but currently a new release is being prepared. We have since maintained a copy of the software and fixed bugs and shipped upstream patches as they became available in the development version. Also, a native Python backend is available in the same plugin which covers the Dyndns2 protocol, AWS Route 53, Azure, Cloudflare and DuckDNS.

The public key for the 23.10 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu90d9OlhEEqfPTRC5tVp
# XK1KAtvzKPVf2jvmTtWgFRFCB3fuYQcO7oNefXJoK0LaHNQgiOsBTvepVMicl2aI
# zrehgdbljjNFmp6KzEM55x05zOfZV8Gi8AEaJzEbb3rkWLkiXHnANfhHGvtHOrGr
# Hct84NMCcfCZZerwaQMqi+SAjgUzA+asmhAvjN0fbdH2SLx/ZMNzDcyPRFGtGiC7
# RQCzgCGz39ppJP4qordzRSy5YiwCxNe/SL/4ZG04eMVti47BPTCtioBzuASHqALJ
# BVOFzZpr1WZ89PT/T5W6xYzoyWemOyv9Rh+rhaTAhnq+OO4yudaytpPCAtXBULr/
# VOlDOX//qaZR8qbQOC9y9kIETH8Iivis5tonBAQmYPIJiqcxfjM4/R7yP2Q7mEsr
# PLNyP6HNe77JGoW1axNZlB/OL1XUI3r+Kksc2woIqTQ5sq95tHbddNqGIDg4cEOX
# FM5Y7tdvVEwl/nutaAzP07sqEyF8uNScLGsQwpBxHwV/qGGc+PbGqmbmWg3+Kt+e
# UeNcMvrgayhRt+lpVCAorVVjUTp0Y2+1x+V/IpukOaS2oldPIF0iXLZsQ90KYP3X
# QtmuxbiC2Em+eGHB6nSg1UZgUEaAb3xP1fpuLbi9McoUPxMXxVdfihSfSfUFXJTH
# SmqdO1BdG7VSwiQq9Ekbu5UCAwEAAQ==
# -----END PUBLIC KEY-----

# SHA256 (OPNsense-business-23.10-dvd-amd64.iso.bz2) = a021526f48239f13b954b51b2e4537f43923ed29e7ad85be72266a0887d8be32
# SHA256 (OPNsense-business-23.10-nano-amd64.img.bz2) = 0daa99954c17259f4edb25a58ab8d867670363385211e4d641403f7f3f4b6554
# SHA256 (OPNsense-business-23.10-serial-amd64.img.bz2) = 4f4b320cd2aa2833661ba64d6c8ec31e5f60f0040426cb2a6df729c00a247f8a
# SHA256 (OPNsense-business-23.10-vga-amd64.img.bz2) = f3e672e1e3c7b0fba1bc265688a81cd65ced5053e7751cebce27282dd480c227