22.1 “Observant Owl” Series
For more than 7 years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
22.1, nicknamed “Observant Owl”, features the upgrade to FreeBSD 13, a switch to RFC 5424 logging with severity filtering, improved integration of tunable sysctl values, a faster boot sequence and interface initialisation, and dynamic IPv6 host alias support, amongst others.
On the flip side, major operating system changes bear the risk of regressions and feature removal, e.g. the kernel no longer supporting insecure cryptography for IPsec, and the switch from the Realtek vendor driver back to its FreeBSD counterpart, which does not yet support the newer 2.5G models. Circular logging support has also been removed. Make sure to read the known issues and limitations below before attempting to upgrade.
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/22.1/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/22.1/
South America: http://mirror.ueb.edu.ec/opnsense/releases/22.1/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/22.1/
Full mirror list: https://opnsense.org/download/
22.1.10 (July 07, 2022)
Today we are shipping small reliability improvements and a few security updates for bundled packages. Of special note are the upgrades to Phalcon 5 and Python 3.9 and the move of the strongSwan vici library into a separate package.
This release will be the last of the 22.1 series. The release candidate for 22.7 will be available next week and the release date for the final version is July 28. Users wishing to try the release candidate can reach it from the development version or reinstall from the provided images.
A hotfix will be issued on the 28th to enable the upgrade path, but depending on testing and mirror availability this might be up to 24 hours after the initial image release of 22.7.
Here are the full patch notes:
system: properly shut down removed interfaces in console port assignment
system: if no temperature sysctls are exposed do nothing
system: fix firmware command shortcut in opnsense-shell utility
system: log hard limit results in 9999 entries for grid output
system: move add_user script out of shell scripts
interfaces: move lo0 interface registration to loopback
interfaces: simplify bridge destroy on deletion
firmware: update repository silently on remote list if needed
firmware: add python version to crash report header
ipsec: move vici library from core to ports
opendns: update OpenDNS IPv6 servers (contributed by Johan Rylander)
backend: except configparser read (contributed by agh1467)
mvc: AutoNumberField: set minimum value to 1
mvc: IntegerFieldType: fix for negative numbers (contributed by xbb)
plugins: os-ddclient 1.8 [1]
plugins: os-firewall 1.2 fixes internal backup restore
plugins: os-postfix 1.23 [2]
plugins: os-stunnel 1.0.5 adds intermediates to server chain (contributed by Johnny S. Lee)
plugins: os-telegraf 1.12.5 [3]
ports: curl 7.84.0 [4]
ports: nss 3.80 [5]
ports: openssl 1.1.1q [6]
ports: phalcon 5.0.0RC2 [7]
ports: py-vici 5.9.3
ports: python 3.9.13 [8]
ports: sudo 1.9.11p3 [9]
ports: syslog-ng 3.37.1 [10]
A hotfix release was issued as 22.1.10_4:
system: disable flag was not removing static route
firmware: added 22.7 series fingerprint
unbound: prevent crash of DHCP lease watcher due to unhandled CalledProcessError exception
mvc: fix two regressions in BaseField for Phalcon 5
22.1.9 (June 23, 2022)
Today we are addressing kernel memory leaks that occur when reading firewall rule information from the system. It seems that these leaks even slipped into the FreeBSD 13.1 release so we are happy to see them fixed now.
22.7 is very much on track. Our final target is getting ready for the PHP 8 upgrade but the timing is unclear as we wait for an official Phalcon 5 release version that supports it.
Other than that please enjoy the summer and hydrate responsibly.
Here are the full patch notes:
system: improve gateway subnet validation to fix IPv6 edge cases
system: dpinger support for IPv6 aliases
system: support 1500000 baudrate selection for ARM
system: non-functional cleanups for upcoming move to PHP 8
interfaces: add unique constraint for tag+if on VLANs
firewall: bring back missing toggle button in aliases
firewall: exclude internal aliases on import
firewall: fix alias removal
captive portal: add missing validation message for empty interface selection
dhcp: revert back to not adding an IP to static lease creation from leases page
openvpn: add domain search option to servers and overrides
unbound: disabling the first DNS override entry invalidates config
unbound: make blocklist additions/removals dynamic to prevent a restart
unbound: zero_ttl is no longer a valid statistic (contributed by David Mora)
plugins: os-ddclient 1.7 [1]
plugins: os-debug 1.5 fixes deprecated xdebug syntax
plugins: os-frr 1.29 [2]
plugins: os-nginx 1.28 [3]
plugins: os-wireguard 1.11 [4]
src: pf: fix memory leaks in nvlist usage
src: pf: stop resolving hosts as dns that use “:” modifier
src: e1000: Increase rx_buffer_size to 32b
src: igc: Increase rx_buffer_size local variable to 32b
src: assorted non-functional cleanups and typo corrections
ports: krb5 1.20 [5]
ports: lighttpd 1.4.65 [6]
ports: nss 3.79 [7]
ports: openvpn 2.5.7 [8]
ports: php 7.4.30 [9]
ports: py-certifi 2022.5.18.1
ports: sqlite 3.38.5 [10]
ports: sudo 1.9.11p2 [11]
ports: unbound 1.16.0 [12]
A hotfix release was issued as 22.1.9_1:
system: prefer primary IPv6 in dpinger
plugins: os-ddclient fix for missing IP property
plugins: os-nginx fix for obsoleted syntax (contributed by kulikov-a)
22.1.8 (May 25, 2022)
A small reliability update which also includes a rework of firewall alias handling and its performance.
Later today we will also publish a call for testing for the upcoming 22.7 operating system base using FreeBSD 13.1. It is going to be compatible with this 22.1.x series and the feedback about it so far is promising.
Here are the full patch notes:
system: only restore missing or zero size ACL files
system: support plugin device reconfiguration in pluginctl utility
system: prevent gateway monitoring from entering a “filter reload” loop
system: use password_verify() in authenticators (contributed by oittaa)
system: hide password from command line during config encryption
interfaces: add technical interface ID display to assignments page
firewall: various usability and visibility improvements for aliases
firewall: performance improvement for large numbers of port type aliases
firewall: simplify sort and add natural sorting in alias diagnostics
captive portal: add extendedPreAuthData for MAC address retrieval during authentication
dhcp: refactor IPv4 lease removal and purge static leases before starting service
dhcp: allow custom configuration from directories
firmware: bypass cache with timestamp in “upgradestatus” call (contributed by gibwar)
firmware: lowercase search in plugins/packages
intrusion detection: fix log file ACL mismatch
ipsec: squelch spurious errors on stderr for backend status action
unbound: add custom “destination address” as advanced option for blocklists
mvc: distinct between HTTP errors 401 and 403 during authentication
mvc: call microtime(true) only once during config save (contributed by csbyte)
plugins: os-acme-client 3.11 [1]
plugins: os-nginx 1.27 [2]
plugins: os-postfix 1.22 [3]
src: tcp: rewind erroneous RTO only while performing RTO retransmissions
src: bnxt: Allow bnxt interfaces to use VLANs
src: rc: use _pidcmd to determine pid for protect
ports: curl 7.83.1 [4]
ports: sqlite 3.38.2 [5]
ports: strongswan 5.9.6 [6]
A hotfix release was issued as 22.1.8_1:
firewall: ignore empty lines when reading current alias content using pfctl
22.1.7 (May 10, 2022)
This is a small maintenance release which fixes known vulnerabilities in OpenSSL et al. Note that we are preparing for the upgrade to the Phalcon 5 framework and the inclusion of PHP 8.0 on our way to 22.7.
Here are the full patch notes:
system: tunables without hierarchy are just “environment” variables
system: use PHP random_bytes() builtin (contributed by oittaa)
system: support cd9660 file system in opnsense-importer
reporting: fix validation in NetFlow settings
interfaces: interface_ppps_configure() remove boot-time side effect
interfaces: include VIPS for primary IPv4 detection
interfaces: DHCPv6 advanced has a different flag to disable NA
firewall: add missing range validation to alias host type
firewall: make rule parsing more consistent as x:any and any:y are valid port options
captive portal: simplify the voucher generation code (contributed by oittaa)
firmware: list locked packages in health audit
ipsec: mark non-sortable columns
openvpn: change filetype of export to text/ovpn
unbound: updated no coin list (contributed by Luis Nachtigall)
unbound: change overrides grid label when no results are returned
unbound: restore duplicate domain behaviour in overrides
mvc: safeguard multi_sort in searchRecordsetBase()
mvc: prevent silent crashes in legacy XML attribute emulation
mvc: Phalcon 5 migration layer to reduce dependencies on Phalcon builtins
mvc: fix two regressions and deprecate __items
plugins: os-acme-client 3.10 [1]
plugins: os-bind 1.23 [2]
plugins: os-dnscrypt-proxy 1.12 [3]
plugins: os-frr 1.28 [4]
plugins: os-relayd 2.7 adds listen address and port range to virtual servers
plugins: os-zabbix-agent 1.12 [5]
plugins: os-zabbix-proxy 1.8 [6]
ports: curl 7.83.0 [7]
ports: nss 3.78 [8]
ports: openssl 1.1.1o [9]
ports: pcre2 10.40 [10]
ports: php 7.4.29 [11]
ports: pkg 1.17.5 [12]
ports: suricata 6.0.5 [13]
A hotfix release was issued as 22.1.7_1:
mvc: add missing URL validator class
plugins: os-nginx fix for validation class
22.1.6 (April 13, 2022)
Since the Unbound migration for overrides surfaced a number of issues in the new code this is a follow-up release to ensure interoperability. Thank you for the honest feedback, bug reports and code submissions.
Here are the full patch notes:
system: obsolete plugins calling missing functions shall not produce fatal errors
system: added the correct content-type for the dashboard plugins feed (contributed by Bo Frederiksen)
reporting: do not rely on /var/run/booting test in system health backend code
firewall: adjust default deny label to include mention of possible state violation
firewall: fix sessions page ACL
interfaces: bring back strict reordering of VIPs during dynamic address acquire
dhcp: added reload action for cron use
dhcp: support supplying iPXE filename
firmware: use isolated directory for database update check
firmware: cross-version check was not using correct information
firmware: cross-version update should indicate base/kernel reinstall
unbound: domain override IP may contain port information
unbound: show combined hostname.domain description in new alias popup
unbound: properly support “_msdcs” domain override prefix
unbound: add missing alias description
unbound: fix overrides case sort order (contributed by NYOB)
unbound: fix ACL for overrides
unbound: fix handling of wildcard aliases (contributed by devin122)
mvc: add generic searchRecordsetBase() to match existing searchBase()
ports: phpseclib 2.0.37 [1]
22.1.5 (April 07, 2022)
Due to popular demand the user experience for the revamped VLAN handling was improved in several areas. Also included are a larger Unbound MVC rework and a change to apply DNS system routes from one single spot. Last but not least, the zlib vulnerability was fixed in FreeBSD, amongst others.
Here are the full patch notes:
system: set up all DNS system routes from system_resolvconf_generate()
system: properly clear legacy files when clearing log files
reporting: add ACPI and ARM temperature support to health data
interfaces: do not assume exclusive use of router file in IPv6 PPPoE case
interfaces: for symmetry with PPPoE do not reload WAN when address disappears
interfaces: VLAN UX changes include better tag and parent visibility and handling
interfaces: improve VLAN parent selection for batch changes to allow for a single apply
interfaces: hint at missing apply when trying to add a new interface in assignment page
captive portal: prevent cleansing password field
dhcp: give a hint on why an interface was ignored in radvd
firmware: exclude revision matching from latest changelog version check
unbound: add custom forwarding and overrides MVC pages
ui: omit total entries display for log grids
plugins: os-acme-client 3.9 [1]
plugins: os-chrony 1.5 [2]
plugins: os-ddclient 1.5 [3]
src: pf(4) tables may fail to load [4]
src: potential jail escape vulnerabilities in netmap [5]
src: bhyve e82545 device emulation out-of-bounds write [6]
src: mpr/mps/mpt driver ioctl heap out-of-bounds write [7]
src: 802.11 heap buffer overflow [8]
src: zlib compression out-of-bounds write [9]
ports: curl 7.82.0 [10]
ports: expat 2.4.8 [11]
ports: libxml 2.9.13 [12]
ports: monit 5.32.0 [13]
ports: nss 3.77 [14]
ports: python 3.8.13 [15]
22.1.4 (March 24, 2022)
QinQ support based on the FreeBSD 13 VLAN base functionality is finally here! To make the best use of it an MVC conversion of the GUI pages was carried out, meaning these are now fully API-enabled as well. Two bugs in the previous GIF/GRE rework have also been reported and fixed.
Note that while this release does fix CVE-2022-0778 even for LibreSSL, FreeBSD's security audit database will falsely flag the 3.3.6 release as vulnerable when in fact it is not. Since build issues involving plugin dependencies arise with LibreSSL 3.4, in all likelihood we will refrain from updating to version 3.4 altogether, and we do not have much hope for the upcoming 3.5 either.
Here are the full patch notes:
system: prefer configured IP address family use earlier on boot
system: allow boot to perform generic UFS/ZFS grow using the /.probe.for.growfs marker file
system: import ZFS pools before mounting ZFS datasets
reporting: use asynchronous DNS resolver for reverse lookups on traffic page
interfaces: loopback “lo0” exists for VIPs
interfaces: only strip addresses on configured IP types
interfaces: use new ifctl utility for DHCPv6 IP type and add manual page
interfaces: adjust MTU configuration when parent also requires MTU changes
interfaces: VLAN MVC conversion with API and QinQ support
interfaces: cleanup surrounding LAGG function use
firewall: constrain default CARP allow rules to those defined in RFC 5798
firewall: make sure that rule use of gateways (route-to) and reply-to are mutually exclusive
firewall: tighten alias FQDN validation to avoid accepting mistypes such as “192.168.01.1”
firmware: revoke the 21.7 fingerprint
intrusion detection: improve row count on alerts page
backend: consolidate configctl utility into one location and add manual page
plugins: os-ddclient 1.4 [1]
plugins: os-theme-cicada 1.29
plugins: os-theme-vicuna 1.41
src: openssl: fix a bug in BN_mod_sqrt() that can cause it to loop forever [2]
src: zfs: fix handling of errors from dmu_write_uio_dbuf() [3]
src: debugnet: remove spurious message on boot
ports: ca_root_nss fix for faulty upstream file linking
ports: libressl 3.3.6 [4]
ports: openssl 1.1.1n [5]
ports: openvpn 2.5.6 [6]
A hotfix release was issued as 22.1.4_1:
mvc: properly root the model mount point to avoid unrelated XML node name overlap
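The 22.1.4 note about tightening alias FQDN validation names one concrete mistype, “192.168.01.1”. The following is an added example (not OPNsense code) of a strict host classifier for alias content, written in Python with a constructed list of alias entries. It shows why a lax check is a security problem: the string is not a valid dotted-quad address (leading zero), yet the C library's inet_aton() accepts it and reinterprets a leading-zero octet as octal, so a rule consumer and a name resolver could disagree about which host the alias means. The validator treats an all-numeric last label as an address typo rather than a hostname; that policy is this example's assumption, not necessarily how OPNsense decides.

```python
"""Strict validation of firewall alias host entries.

Added example, not OPNsense code. It shows why an FQDN check that is too
lax is a problem: "192.168.01.1" is not a valid dotted-quad address (leading
zero), but the C library's inet_aton() happily reinterprets octets with a
leading zero as octal, so different consumers of the alias would disagree
on what address was meant. SAMPLE_ALIAS_CONTENT is constructed.
"""
import re
import socket
from typing import List, Optional, Tuple

# One decimal octet 0-255 without leading zeros, so "01" and "010" are rejected.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")
# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_FQDN = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def classify_host(value: str) -> Optional[str]:
    """Return "ipv4", "ipv6" or "fqdn" for an acceptable entry, None to reject it."""
    v = value.strip()
    if not v or len(v) > 253:
        return None
    if _IPV4.match(v):
        return "ipv4"
    if ":" in v:
        try:
            socket.inet_pton(socket.AF_INET6, v)
            return "ipv6"
        except (OSError, ValueError):
            return None
    if not _FQDN.match(v):
        return None
    # A name whose last label is all digits ("192.168.01.1", "300.1.1.1") is an
    # address typo, not a hostname (assumption: no all-numeric top-level labels).
    if v.rstrip(".").rsplit(".", 1)[-1].isdigit():
        return None
    return "fqdn"


def lax_inet_aton(value: str) -> Optional[str]:
    """What inet_aton() makes of the same string; None if it rejects it."""
    try:
        return socket.inet_ntoa(socket.inet_aton(value))
    except OSError:
        return None


def validate_alias_hosts(entries: List[str]) -> Tuple[List[str], List[str]]:
    """Split alias content into accepted and rejected entries."""
    accepted: List[str] = []
    rejected: List[str] = []
    for entry in entries:
        (accepted if classify_host(entry) else rejected).append(entry)
    return accepted, rejected


# Constructed alias content for illustration.
SAMPLE_ALIAS_CONTENT = [
    "192.168.1.1",          # plain IPv4
    "192.168.01.1",         # typo with a leading zero, must be rejected
    "2001:db8::1",          # IPv6
    "mirror.example.com",   # FQDN
    "mirror.example.com.",  # FQDN with trailing dot
    "bad-.example.com",     # label ending in a hyphen
    "300.1.1.1",            # octet out of range
]


if __name__ == "__main__":
    accepted, rejected = validate_alias_hosts(SAMPLE_ALIAS_CONTENT)
    print("accepted:", accepted)
    print("rejected:", rejected)
    # The typo a lax check lets through, and how inet_aton() silently reinterprets it.
    print("inet_aton('192.168.01.1') ->", lax_inet_aton("192.168.01.1"))
```

Running the block shows the typo landing in the rejected list while inet_aton() still produces an address for it; that divergence is exactly what strict validation at the input boundary prevents from reaching pf and the resolver.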
22.1.3 (March 17, 2022)
This update includes groundwork for interface handling improvements making the boot more flexible in complex interface assignment scenarios involving GIF, GRE and bridge devices.
Please note this update does not include the current OpenSSL security advisory due to overlapping time schedules. 22.1.4 will include these and will likely be released next week.
Here are the full patch notes:
system: remove “all” group handling code forgotten in 2015
interfaces: resolve device/interface interdependency on boot
interfaces: do not update VIPs on dynamic address changes
interfaces: remove unused reference and return value from interface_carp_configure()
interfaces: remove unused reference from interface_ipalias_configure()
interfaces: stop IPv6 from reacting to simple stop/detach/down events via rc.linkup
interfaces: introduce ifctl helper for future use
firewall: allow per-rule adaptive timeouts (contributed by kulikov-a)
dhcp: stream-read log and leases files for “dhcpd update prefixes” action
firmware: use opnsense-update for version info in update checks
firmware: independently check for available upgrade sets
firmware: separate the “needs_reboot” and “upgrade_needs_reboot” check flags
firmware: add URL return feature to changelog script
firmware: improve the connectivity audit
ipsec: clean up stale CA certificates on reconfigure
plugins: os-ddclient 1.3 [1]
plugins: os-freeradius templating generation fix
ports: dnspython 2.2.1 [2]
ports: dpinger 3.2 [3]
ports: expat 2.4.7 [4]
ports: krb5 1.19.3 [5]
ports: nss 3.76 [6]
ports: openssh 8.9p1 [7]
ports: sudo 1.9.10 [8]
ports: syslog-ng 3.36.1 [9]
22.1.2 (March 01, 2022)
This release adds GUI support for Intel QuickAssist Technology (QAT) and syncookies, by virtue of the FreeBSD 13 operating system. The work to modernise the interfaces subsystem and to improve the new ddclient dynamic DNS plugin is also progressing.
Due to signs of decay in the build infrastructure, license nitpicking in FreeBSD ports and the upcoming OpenSSL 3 release (which will most likely complicate things) we have decided to discontinue LibreSSL at the end of this year, meaning there will be no more LibreSSL flavour starting with version 23.1. Non-essential software will no longer be manually fixed and provided as binary packages if broken by upstream from this point on.
Since 2015 we have been working on functional LibreSSL support with steady effort, but 7 years later, with OpenSSL having improved in numerous ways, we are sad to give up this alternative, since we no longer see LibreSSL being used and properly integrated in software projects as often. It has been a slow but steady decline for the past 2 years, which also has to do with a LibreSSL release cycle tailored for OpenBSD in particular and with OpenSSL library integration quality, which is almost impossible to improve upon in complex third-party software projects. We simply cannot afford the time for it any longer.
All users are able to update to the OpenSSL flavour without issues now or at any later point.
Here are the full patch notes:
system: Intel QuickAssist Technology (QAT) crypto module selection and support multiple selection
system: AESNI crypto module is a kernel-builtin since 22.1 and no longer needs to be selected to work
system: enable library support of PCRE JIT included since 22.1.1
system: limit rowCount in log viewer (contributed by kulikov-a)
system: unify system tunables handling and tweak UX of the respective GUI page
system: no longer default to hw.uart.console use in factory configuration
system: remove console mute use from boot sequence
reporting: fill missing insight data with zeros
interfaces: assignments should take OpenVPN into account
interfaces: only ever store nobind for ipalias/carp
interfaces: align IPv4 address statistics read with IPv6
interfaces: simplify device destroy code
interfaces: no longer use legacy_get_interface_addresses() in MAC address read
interfaces: remove unused opportunistic interface address functions
firewall: exclude localhost stateless traffic from default logging (contributed by kulikov-a)
firewall: using port type aliases the “enable” flag was ignored when not enabled
firewall: add support for syncookies
firmware: opnsense-code: support “-z” snapshot mode
firmware: opnsense-revert: support “-z” snapshot mode
firmware: opnsense-update: support version print for sets
firmware: check repository and plugin state in health audit
ipsec: pass protocol when resolving via ipsec_resolve() (contributed by FloMeyer)
ipsec: fix mobile property passing when creating a new phase 2 entry
ipsec: rename “My Certificate Authority” to “Remote Certificate Authority” to avoid ambiguity
openvpn: avoid use of find_interface_network() et al
openvpn: stop removing name server-related files never written
openvpn: improve gateway detection in topology mode
ipsec: avoid use of find_interface_network() et al
dhcp: avoid use of find_interface_network() et al
console: move console mute calls into port setting function
ui: sidebar 2nd submenu view fix (contributed by Team Rebellion)
mvc: refactor and extend HostnameField to add options to validate partial hostnames and root zones
plugins: os-bind 1.22 [1]
plugins: os-ddclient 1.2 [2]
plugins: os-freeradius 1.9.19 [3]
plugins: os-stunnel 1.0.4 fix connect format for IPv6 (contributed by Johnny S. Lee)
src: stand: add EFI support for MMIO serial consoles
src: apei: make sure event data fit into the buffer
ports: php 7.4.28 [4]
ports: unbound 1.15.0 [5]
A hotfix release was issued as 22.1.2_1:
ipsec: fix mobile switch logic
ports: cyrus-sasl 2.1.28
Images have been subsequently released as 22.1.2(_2):
system: fix return code on factory port assignment to prevent configuration loop
# SHA256 (OPNsense-22.1.2-OpenSSL-dvd-amd64.iso.bz2) = d066d5620e28c22ff1d8de18532b61f8c7317b3258d5bdafb6a7a8dbb1eea002
# SHA256 (OPNsense-22.1.2-OpenSSL-nano-amd64.img.bz2) = dea720e15e67063d839bbf48017d32eb27071d58afee36bec40029319f5cc47e
# SHA256 (OPNsense-22.1.2-OpenSSL-serial-amd64.img.bz2) = 1b32287c13cc445a9a7a365b7879d00d3413ea53faf4cb23b3ef77b7916a1b7c
# SHA256 (OPNsense-22.1.2-OpenSSL-vga-amd64.img.bz2) = c6bbc0755d9458cc6484a98f074b62beaa30c5f02bd728ee1b0e896d2613b4b4
22.1.1 (February 16, 2022)
The first stable update brings minor fixes from FreeBSD and instant log file visibility for log files written without a severity, which can happen for individual plugins.
We have also gone ahead to restructure the interface code further to resolve dependencies between configured devices and interfaces automatically and the bundled development version is worth a try for everyone having issues with GIF/GRE not coming up after boot.
Here are the full patch notes:
system: changing interface gateway was ignored during route reconfiguration
system: allow to configure SSH setting PubkeyAcceptedAlgorithms (contributed by Manuel Faux)
system: add backward compatibility for reading logs without severity by default (contributed by kulikov-a)
system: fix typo causing PHP warning on IPv6 login (contributed by ppascher)
system: cron command drop down size was extending below screen
system: add a sysctl cache to improve tuneable overview load time
system: replace obsolete find_interface_network*() use in GUI
system: allow severity levels in PHP log messages and mark authentication success messages as notice
interfaces: fix default handling for VIP nobind option
interfaces: allow VIP nobind feature on CARP addresses
interfaces: stop mpd5 daemon before starting
interfaces: always show interface in GIF and GRE overview even on VIP use
interfaces: fix GIF and GRE VIP use loading order in IP alias cases
interfaces: remove device creation side effect from bridge, LAGG, GIF, GRE and VLAN GUI pages
interfaces: prevent DHCP from installing name servers when not allowed
interfaces: get_interface_list() must exclude OpenVPN
interfaces: replace obsolete find_interface_network*() use in GUI
firewall: remove ruleset optimization support which did not work since rule labels are mandatory for live log
firewall: exclude external alias for nesting
firewall: encode rules names in aliases (contributed by kulikov-a)
firewall: check state before selecting categories (contributed by kulikov-a)
firewall: synchronise “disabled” flag on linked firewall rule of port forward
firewall: local file corruption might prevent alias to be loaded
firewall: default pass all loopback without state tracking
dhcp: change prefix watcher to work without circular logging now that it is gone
dhcp: replace obsolete find_interface_network*() use in GUI
dhcp: fix implode() call (contributed by Clement Moulin)
ipsec: replace obsolete find_interface_network*() use in GUI
firmware: opnsense-version: support reading lock files operated by opnsense-update
firmware: patch version/date header consistently into backend scripts
mvc: overload __isset() magic method
plugins: os-bind 1.21 [1]
plugins: os-ddclient 1.1 [2]
plugins: os-dnscrypt-proxy 1.11 [3]
plugins: os-dyndns menu compatibility with os-ddclient
plugins: os-frr 1.27 [4]
plugins: os-mdns-repeater 1.1 [5]
plugins: os-rspamd 1.12 [6]
plugins: os-zabbix-agent 1.11 [7]
src: pf: set_prio was not set after nvlist conversion
src: if_vtnet: Restore the ability to set promisc mode
src: hn: disable Hyper-V vSwitch RSC support
ports: curl 7.81.0 [8]
ports: expat 2.4.4 [9]
ports: lighttpd 1.4.64 [10]
ports: monit 5.30.0 [11]
ports: nss 3.75 [12]
ports: pcre / pcre2 enable JIT support
ports: phpseclib 2.0.36 [13]
ports: strongswan 5.9.5 [14]
ports: sudo 1.9.9 [15]
A hotfix release was issued as 22.1.1_1:
interfaces: revert “prevent DHCP from installing name servers when not allowed”
A hotfix release was issued as 22.1.1_3:
interfaces: revert “get_interface_list() must exclude OpenVPN”
web proxy: fix a typo in extended logging parser (contributed by kulikov-a)
22.1 (January 27, 2022)
Here are the full patch notes against version 21.7.7:
system: improved visibility and flexibility of tunables
system: move multiple sysctl manipulations to tunables framework to allow overriding them
system: prevent more than one default route by default
system: sync recovery utility contents with FreeBSD 13
system: prevent syslog-ng from crashing after update due to “syslog-ng-ctl reload” use
system: add severity to syslog output and allow to filter for it
system: create latest.log links for easier log consumption
system: added opnsense-log utility to inspect logs on the console
system: removed circular logging support
system: background all cron backend command invokes
system: unified cron start between legacy and MVC components
system: improve the fallback after failing to look up specific IPv4 address match for dpinger
system: use correct IPv6 interface for dpinger gateway monitoring when using 6RD
system: default net.inet6.ip6.intr_queue_maxlen to 1000 like its IPv4 counterpart
system: default net.inet6.ip6.redirect to off like its IPv4 counterpart
system: fix potential issues with “search” syntax in resolv.conf
system: fix general settings PHP warnings that only appear when validation fails
system: allow additional search domain (contributed by Pierre Fevre)
system: make /var MFS work when /var directories are mount points, e.g. on ZFS
system: optionally disconnect PPP interfaces when going into CARP backup mode
system: fix new PPP CARP hook function call (contributed by Markus Reiter)
system: separate core and thread count in information widget
system: MSDOS file system awareness in information widget for new /boot/efi partition
system: no longer display duplicated mounted partitions on the dashboard
system: remove spurious XML validation that cannot cope with attributes from backup restore
system: refactor GUI rebind protection and remove its os-dyndns/os-rfc2136 references
reporting: fix display of total in/out traffic values
interfaces: LAGG support in console port assignment (contributed by sarthurdev)
interfaces: improve LAGG/VLAN assignments via console option
interfaces: repair get_interface_list() for console use
interfaces: aligned the name and use of special /tmp files for internal interface handling
interfaces: correctly write nameserverv6 and searchdomainv6 information on dhcp6c lease acquire
interfaces: make cache IP files exclusive to rc.newwan and rc.newwanv6 scripts to avoid missing IP changes
interfaces: refactored linkup event handler to avoid unnecessary recursion in the code
interfaces: removed opportunistic functions find_interface_ip(), find_interface_ipv6() and find_interface_ipv6_ll()
interfaces: get_interface_ip() and get_interface_ipv6() now return a valid IP address if one was given to support VIP aliases
interfaces: interfaces_addresses() can now map a configuration interface to returned addresses to track its origin
interfaces: VIPs now support the “no bind” option to exclude them from automatic service use when configured
interfaces: interfaces_primary_address() is now being used like its IPv6 equivalent throughout the code
interfaces: interfaces_primary_address6() is now considering addresses from tracking interfaces when needed
interfaces: interfaces_scoped_address6() is now being used throughout the code
interfaces: “tentative” state now leads to the address being ignored during configuration like “deprecated”
interfaces: removed unmaintained 3G statistics gathering for Huawei modems that could lock up other modems
interfaces: reworked interface creation on boot up
interfaces: spoof MAC now only applies to actual interface and not all of its VLAN siblings or parent
interfaces: added permanent promiscuous mode setting
interfaces: add the interface description via ifconfig to its respective device
interfaces: stop special treatment of bridge interfaces on linkup
interfaces: improve validations and fix defaults for bridges
interfaces: allow bridges to attach to VXLAN on boot
interfaces: background all interface reconfiguration script hooks
interfaces: no longer allow and apply media configuration for non-parent devices
interfaces: removed restriction from interfaces without configuration to not being able to hold VIPs
interfaces: remove defunct link support for GRE
interfaces: align GIF configuration with base system options
firewall: properly kill all connections from and to a WAN IPv4 on an address change
firewall: skip rule ID for NAT type log entries (contributed by kulikov-a)
firewall: display interface descriptions on normalisation rules (contributed by vnxme)
firewall: dynamic IPv6 host alias support (contributed by Team Rebellion)
firewall: removed obsolete kill states option on gateway failure
firewall: removed the $aliastable cache
firewall: support “no scrub” option in normalisation rules
firewall: correctly handle IPv6 NAT in states view
firewall: plain log default logging severity selection is now “informational”
firewall: improve maximum shaper value validation and add Gbit/s support
captive portal: prevent session removal crashing when no IP address was registered
dhcp: allow for ARM architectures in network boot options (contributed by Keith Cirkel)
dhcp: allow router advertisements to use a specific link-local VIP alias
dhcp: refactor the IPv4 and IPv6 configuration pages and add minimal subnet size requirement hints
dhcp: rework router advertisement “static” mode flags to separate advanced options
dnsmasq: fix all-server overwriting strict-order configuration directive (contributed by Christian Tramnitz)
dnsmasq: no-hosts option (contributed by agh1467)
firmware: add a “status_reboot” variable to API return data to make clear it belongs to the offered minor update or major upgrade
firmware: add random delays to existing firmware cron jobs to avoid update server load spikes
firmware: added an automatic cron job to fetch changelog daily to use it as a lightweight check for updates on the dashboard
firmware: implement cross-ABI reinstall of all packages for future use
firmware: opnsense-update: exclude /boot/efi permission reset from base set extract
firmware: removed obsolete business repository fingerprints and added 22.1 fingerprint
firmware: return product info for status endpoint even when no firmware check was done
installer: fix installation of rc.conf keymap setting selected earlier during installation
installer: add EFI partition as a default mount point
installer: increase EFI partition size to 260 MB
installer: improve disk and ZFS pool scan and display
intrusion detection: prevent config migration from crashing
intrusion detection: update to ET-Open to version 6
ipsec: update security of default settings when creating new phase 1 and 2
ipsec: remove hashes and algorithms no longer supported by FreeBSD 13
ipsec: migrated tunnel settings page to MVC
lang: update translations for Chinese, French, German, Italian, Japanese, Norwegian, Spanish, and Turkish
lang: demote Italian to development-only language due to lowered translation ratio
monit: move logging to own target
network time: add “iburst” option and stop using it by default (contributed by Patrick M. Hausen)
network time: detach “limited” from “kod” option (contributed by Zsolt Zsiros)
network time: remove PID file use as it can be unreliable
openvpn: kill by common name when kill by address does not work
unbound: disable do-not-query-localhost on local address server use
unbound: update DNS with hostname-only static entries (contributed by Gareth Owen)
update: opnsense-bootstrap: -z snapshot mode
update: opnsense-bootstrap: improved type detection
update: opnsense-code: -r for repository removal
update: opnsense-fetch: emit error message of failed download
update: opnsense-update: handle kernel debug directory like /boot/kernel
update: opnsense-update: removed “firmware-upgrade” file support
update: opnsense-verify: synced shared code with FreeBSD 13
backend: unify use of configctl utility
images: removed deprecated os-dyndns plugin from default installation
mvc: fix logging of configd errors
mvc: add BlankDesc to ModelRelationField (contributed by agh1467)
mvc: emulation versioning empty nodes for the legacy configuration sections
mvc: add getInterfaceConfig endpoint to interface API (contributed by Paolo Asperti)
mvc: add hint support for text fields (contributed by agh1467)
ui: add support for terabytes, and petabytes to format_bytes() (contributed by agh1467)
ui: universal striping adjustment for MVC components (contributed by kulikov-a)
ui: move storing jQuery Bootgrid settings in browser from core to bootgrid (contributed by Manuel Faux)
src: FreeBSD 13-STABLE as of 4ee9fbcd853
src: migrated to LUA boot loader (contributed by Kyle Evans)
src: revert upstream permission change for /root directory
src: fix kernel build creating wrong linkers.hint file
src: carp: fix send error demotion recovery
src: ixgbe: prevent subsequent I2C bus read timeouts
src: reworked shared forwarding
plugins: os-acme-client 3.8 [2]
plugins: os-bind 1.20 [3]
plugins: os-ddclient 1.0 as an eventual replacement for os-dyndns
plugins: os-dyndns adds local copy of get_dyndns_ip()
plugins: os-freeradius 1.9.18 [4]
plugins: os-frr 1.26 [5]
plugins: os-haproxy 3.10 [6]
plugins: os-nginx 1.26 [7]
plugins: os-openconnect 1.4.2 [8]
plugins: os-postfix 1.21 [9]
plugins: os-rfc2136 adds local copy of get_dyndns_ip()
plugins: os-telegraf 1.12.4 [10]
plugins: os-wireguard 1.10 [11]
plugins: os-wol adds cron support for wake action (contributed by digitalshow)
plugins: os-zabbix-proxy 1.7 [12]
ports: expat 2.4.2 [13]
ports: filterlog 0.6 [14]
ports: flock 2.37.2
ports: hostapd 2.10 [15]
ports: lighttpd 1.4.63 [16]
ports: nss 3.74 [17]
ports: openssl 1.1.1m [18]
ports: openvpn 2.5.5 [19]
ports: pecl-psr 1.2.0 [20]
ports: phalcon 4.1.3 [21]
ports: php 7.4.27 [22]
ports: pkg fixes validation failures on HTTPS fetch in static binary [23]
ports: sqlite 3.37.2 [24]
ports: syslog-ng 3.35.1 [25]
ports: unbound 1.14.0 [26]
ports: wpa_supplicant 2.10 [27]
Known issues and limitations:
This release contains a new major operating system version and should be carried out with the necessary care. Despite extended test coverage, changes made by FreeBSD may still affect operation without our knowledge. Except for ZFS boot environments, rollbacks between major operating system versions are extremely fragile, and a reinstall of an older version should be attempted in the worst case. For more information please consult the FreeBSD 13.0 release notes [28].
IPsec hash and cipher removals in FreeBSD 13 can affect existing setups, as insecure cryptographic options have been removed upstream. If you are using MD5, Blowfish, DES, 3DES, or CAST128 in your phase 2, please move to more secure settings prior to the upgrade. Note that phase 1 settings are unaffected, but insecure settings should still be avoided. For more information see the FreeBSD commit in question [29].
The Realtek vendor driver is no longer bundled with the updated FreeBSD kernel. If unsure whether FreeBSD 13 supports your Realtek NIC please install the os-realtek-re plugin prior to upgrading to retain operability of your NICs.
MAC spoofing now only pertains to the configured interface and not the VLAN siblings or parent interface. This can introduce unwanted configuration due to previous side effects in the code. Make sure to assign and set the spoofed MAC for all interfaces that require a spoofed MAC or simply spoof the MAC on the parent and leave the VLAN sibling settings empty to let them follow the parent MAC automatically. If in doubt the parent interface can be set into promiscuous mode now to allow for mixed MAC address use across VLANs too.
Media and hardware offload settings are no longer shown for non-parent interfaces and need to be set individually on the parent interface to take effect. This can introduce unwanted configuration due to previous side effects in the code. If the parent interface was not previously assigned please assign it to reapply the required settings.
NTPD defaults changed to exclude the “iburst” option by default. The “limited” setting was detached from the “kod” option. In both cases configuration adjustments can restore the previous behaviour if required.
Rebind checks through os-dyndns or os-rfc2136 will no longer work due to the deprecation of both plugins. Please add your rebind hosts manually or disable rebind protection prior to the upgrade.
GRE link1 support has been removed; GRE now needs a static route to function.
Circular logging support has been removed. No user interaction is required.
The public key for the 22.1 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1o1Bk31AcX5xsqgVAoWQ
# 1fTDznz22ojsK+qCkhW7MKSWlCyEZYEueUtq7hOt/gqttc3qT0WgHjhjI/WE2RQ4
# 53yfSw/2DDdt3v2WRoupaMzu2Px6I0A+dzo/DM0UWHHsjUaa1HnTvrC14W2vy9wY
# rdotDpp6vSA3WoBmpz+6cpAOlOMTboJouaZy2gSAAcFUmnmP6KDE+lQEqudENTpr
# wb/tIILTE3s6HMBrnmyTNz3Oyy77qH0Xq4mU0r+GS3If0LN+zIr3evt/hhS80otG
# 4WA2ifFeoZVUC//ArAqRiuOJKWvDe5455W1tOuoLkVKVwWMUd1YjaLq8/SRNtTVT
# jRWO6znUHJa7LKtwY7SJvJ8bl8kR8QnrEBRLqT3IA+FcRH+8RaeCivPV7oS1tMiV
# 7hUmu4yXkiMU9c/RrUj7UGZfPKa6K1yP2p3pRvHwCpMclhlVdaiAGNQ8X1GmUAmg
# 3hsoay1ximpj0Yzs+ynDdT1WPkjx8+mDWI08qTuVX+KN3xiohzjxUyD6kBbw2N4z
# EkKTu36KLxo+Hs2iHh4iPWV+EZ5pBn/BseUeHha+V76xM/fPU3H2htwF6/lAz3KH
# J6cevsMenCaYBAqpUsQMBjxhDgMmpCcjiZRPijFpe5zsNSUD1NJ8QMpecBZCE6Vt
# YHWiWxZTN13z4mPqA4uebakCAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-22.1-OpenSSL-dvd-amd64.iso.bz2) = 72146dd3a8e57774ad12dbaa503c19111e5f1c43db63a32ad2dab6b3ea6f12f1
# SHA256 (OPNsense-22.1-OpenSSL-nano-amd64.img.bz2) = ec3b3c5fafc39e9d67c500a31d6c0be99566a130a158a2ae60904e6a6854bf1f
# SHA256 (OPNsense-22.1-OpenSSL-serial-amd64.img.bz2) = 418e4abc233a89c11e296f7e510e2074242dc2a285a042592171d45b257c4857
# SHA256 (OPNsense-22.1-OpenSSL-vga-amd64.img.bz2) = f791e9024888f5f668175a78cbbcd9eb96b36ba523f38d00cad9dd4d64243b4f
22.1.r2 (January 20, 2022)
Quick update on the 22.1 front includes feedback from the RC1 release, a FreeBSD package tool fix for its static binary failing to validate certain TLS certificates and a number of small improvements that do not fit into the former categories.
The 22.1 release is scheduled for January 27 which is next week already. ;)
Here are the full patch notes:
system: use correct IPv6 interface for dpinger gateway monitoring when using 6RD
system: remove spurious XML validation that cannot cope with attributes from backup restore
system: sync recovery utility contents with FreeBSD 13
system: fix new PPP CARP hook function call (contributed by Markus Reiter)
system: allow additional search domain (contributed by Pierre Fevre)
system: fix general settings PHP warnings that only appear when validation fails
system: move multiple sysctl manipulations to tunables framework to allow overriding them
system: prevent more than one default route by default
system: prevent syslog-ng from crashing after update due to “syslog-ng-ctl reload” use
system: MSDOS file system awareness in information widget for new /boot/efi partition
system: separate core and thread count in information widget
system: refactor GUI rebind protection and remove its os-dyndns/os-rfc2136 references
reporting: fix display of total in/out traffic values
interfaces: improve validations and fix defaults for bridges
interfaces: remove defunct link support for GRE
interfaces: align GIF configuration with base system options
interfaces: allow bridges to attach to VXLAN on boot
interfaces: repair get_interface_list() for console use
interfaces: improve LAGG/VLAN assignments via console option
firewall: plain log default logging severity selection is now “informational”
firewall: improve maximum shaper value validation and add Gbit/s support
dhcp: rework router advertisement “static” mode flags to separate advanced options
dnsmasq: no-hosts option (contributed by agh1467)
firmware: opnsense-update: exclude /boot/efi permission reset from base set extract
intrusion detection: prevent config migration from crashing
intrusion detection: update to ET-Open to version 6
network time: detach “limited” from “kod” option (contributed by Zsolt Zsiros)
network time: remove PID file use as it can be unreliable
mvc: fix logging of configd errors
mvc: add BlankDesc to ModelRelationField (contributed by agh1467)
ui: move storing jQuery Bootgrid settings in browser from core to bootgrid (contributed by Manuel Faux)
plugins: os-ddclient 1.0 as an eventual replacement for os-dyndns
plugins: os-dyndns adds local copy of get_dyndns_ip()
plugins: os-freeradius 1.9.18 [1]
plugins: os-nginx 1.26 [2]
plugins: os-rfc2136 adds local copy of get_dyndns_ip()
plugins: os-wol adds cron support for wake action (contributed by digitalshow)
src: revert upstream permission change for /root directory
src: fix kernel build creating wrong linkers.hint file
ports: hostapd 2.10 [3]
ports: nss 3.74 [4]
ports: pecl-psr 1.2.0 [5]
ports: pkg fixes validation failures on HTTPS fetch in static binary [6]
ports: sqlite 3.37.2 [7]
ports: syslog-ng 3.35.1 [8]
ports: wpa_supplicant 2.10 [9]
22.1.r1 (January 12, 2022)
For more than 7 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/22.1/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/22.1/
South America: http://mirror.ueb.edu.ec/opnsense/releases/22.1/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/22.1/
Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 21.7.7:
system: improved visibility and flexibility of tunables
system: create latest.log links for easier log consumption
system: added opnsense-log utility to inspect logs on the console
system: removed circular logging support
system: background all cron backend command invokes
system: unified cron start between legacy and MVC components
system: improve the fallback after failing to look up specific IPv4 address match for dpinger
system: default net.inet6.ip6.intr_queue_maxlen to 1000 like its IPv4 counterpart
system: default net.inet6.ip6.redirect to off like its IPv4 counterpart
system: fix potential issues with “search” syntax in resolv.conf
system: make /var MFS work when /var directories are mount points, e.g. on ZFS
system: optionally disconnect PPP interfaces when going into CARP backup mode
system: add severity to syslog output and allow to filter for it
system: no longer display duplicated mounted partitions on the dashboard
interfaces: LAGG support in console port assignment (contributed by sarthurdev)
interfaces: aligned the name and use of special /tmp files for internal interface handling
interfaces: removed opportunistic functions find_interface_ip(), find_interface_ipv6() and find_interface_ipv6_ll()
interfaces: get_interface_ip() and get_interface_ipv6() now return a valid IP address if one was given to support VIP aliases
interfaces: interfaces_addresses() can now map a configuration interface to returned addresses to track its origin
interfaces: VIPs now support the “no bind” option to exclude them from automatic service use when configured
interfaces: interfaces_primary_address() is now being used like its IPv6 equivalent throughout the code
interfaces: interfaces_primary_address6() is now considering addresses from tracking interfaces when needed
interfaces: interfaces_scoped_address6() is now being used throughout the code
interfaces: “tentative” state now leads to the address being ignored during configuration like “deprecated”
interfaces: removed unmaintained 3G statistics gathering for Huawei modems that could lock up other modems
interfaces: reworked interface creation on boot up
interfaces: spoof MAC now only applies to actual interface and not all of its VLAN siblings or parent
interfaces: added permanent promiscuous mode setting
interfaces: add the interface description via ifconfig to its respective device
interfaces: stop special treatment of bridge interfaces on linkup
interfaces: correctly write nameserverv6 and searchdomainv6 information on dhcp6c lease acquire
interfaces: background all interface reconfiguration script hooks
interfaces: refactored linkup event handler to avoid unnecessary recursion in the code
interfaces: make cache IP files exclusive to rc.newwan and rc.newwanv6 scripts to avoid missing IP changes
interfaces: no longer allow and apply media configuration for non-parent devices
interfaces: removed restriction from interfaces without configuration to not being able to hold VIPs
firewall: properly kill all connections from and to a WAN IPv4 on an address change
firewall: skip rule ID for NAT type log entries (contributed by kulikov-a)
firewall: display interface descriptions on normalisation rules (contributed by vnxme)
firewall: dynamic IPv6 host alias support (contributed by Team Rebellion)
firewall: removed obsolete kill states option on gateway failure
firewall: removed the $aliastable cache
dhcp: allow for ARM architectures in network boot options (contributed by Keith Cirkel)
dhcp: allow router advertisements to use a specific link-local VIP alias
dhcp: refactor the IPv4 and IPv6 configuration pages and add minimal subnet size requirement hints
dnsmasq: fix all-server overwriting strict-order configuration directive (contributed by Christian Tramnitz)
firmware: add a “status_reboot” variable to API return data to make clear it belongs to the offered minor update or major upgrade
firmware: add random delays to existing firmware cron jobs to avoid update server load spikes
firmware: added an automatic cron job to fetch changelog daily to use it as a lightweight check for updates on the dashboard
firmware: return product info for status endpoint even when no firmware check was done
firmware: removed obsolete business repository fingerprints and added 22.1 fingerprint
firmware: implement cross-ABI reinstall of all packages for future use
installer: fix installation of rc.conf keymap setting selected earlier during installation
installer: improve disk and ZFS pool scan and display
installer: increase EFI partition size to 260 MB
installer: add EFI partition as a default mount point
ipsec: update security of default settings when creating new phase 1 and 2
ipsec: remove hashes and algorithms no longer supported by FreeBSD 13
ipsec: migrated tunnel settings page to MVC
lang: update translations for Chinese, French, German, Italian, Japanese, Norwegian, Spanish, and Turkish
lang: demote Italian to development-only language due to lowered translation ratio
monit: move logging to own target
network time: add iburst option and stop using it by default (contributed by Patrick M. Hausen)
openvpn: kill by common name when kill by address does not work
unbound: disable do-not-query-localhost on local address server use
unbound: update DNS with hostname-only static entries (contributed by Gareth Owen)
update: opnsense-bootstrap: -z snapshot mode
update: opnsense-bootstrap: improved type detection
update: opnsense-code: -r for repository removal
update: opnsense-fetch: emit error message of failed download
update: opnsense-update: handle kernel debug directory like /boot/kernel
update: opnsense-update: removed “firmware-upgrade” file support
update: opnsense-verify: synced shared code with FreeBSD 13
backend: unify use of configctl utility
images: removed deprecated os-dyndns plugin from default installation
mvc: emulation versioning empty nodes for the legacy configuration sections
mvc: add getInterfaceConfig endpoint to interface API (contributed by Paolo Asperti)
mvc: add hint support for text fields (contributed by agh1467)
ui: add support for terabytes, and petabytes to format_bytes() (contributed by agh1467)
ui: universal striping adjustment for MVC components (contributed by kulikov-a)
src: FreeBSD 13-STABLE as of 4ee9fbcd853
src: reworked shared forwarding
src: migrated to LUA boot loader (contributed by Kyle Evans)
plugins: os-acme-client 3.8 [2]
plugins: os-bind 1.20 [3]
plugins: os-frr 1.25 [4]
plugins: os-haproxy 3.9 [5]
plugins: os-nginx 1.25 [6]
plugins: os-openconnect 1.4.2 [7]
plugins: os-postfix 1.21 [8]
plugins: os-telegraf 1.12.4 [9]
plugins: os-zabbix-proxy 1.7 [10]
ports: expat 2.4.2 [11]
ports: filterlog 0.6 [12]
ports: flock 2.37.2
ports: lighttpd 1.4.63 [13]
ports: nss 3.73.1 [14]
ports: openssl 1.1.1m [15]
ports: openvpn 2.5.5 [16]
ports: phalcon 4.1.3 [17]
ports: php 7.4.27 [18]
ports: sqlite 3.37.1 [19]
ports: unbound 1.14.0 [20]
Known issues and limitations:
This release contains a new major operating system version and should be carried out with the necessary care. Despite extended test coverage, changes made by FreeBSD may still affect operation without our knowledge.
MAC spoofing now only pertains to the configured interface and not the VLAN siblings or parent interface. This can introduce unwanted configuration due to previous side effects in the code. Make sure to assign and set the spoofed MAC for all interfaces that require a spoofed MAC.
Media settings are no longer shown for non-parent interfaces and need to be set individually to take effect. This can introduce unwanted configuration due to previous side effects in the code. If the parent interface was not previously assigned please assign it to reapply the required media settings.
Router advertisement static mode option is still subject to change in this release candidate series.
IPsec hash and cipher removals in FreeBSD 13 can affect existing setups, as insecure cryptographic options have been removed upstream. For more information see the FreeBSD commit in question [21]. We will be adding an explicit configuration check to 21.7 before its end of life.
Circular logging support has been removed. No user interaction is required.
The migration notes are subject to change and will be extended as needed in the upcoming weeks.
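Both the 22.1 known issues above and this release candidate note ask administrators to move phase 2 away from the algorithms FreeBSD 13 dropped before upgrading. The script below is an added example of such a pre-upgrade check; it is not OPNsense's own code and not the configuration check the project announced. It assumes the pfSense-derived config.xml layout (phase 2 entries under `<ipsec><phase2>`, encryption options as `<encryption-algorithm-option><name>…</name>`, hashes as `<hash-algorithm-option>` text, identifiers such as `3des` and `hmac_md5`); those element names and identifiers are assumptions to verify against your own config.xml, and the embedded sample configuration is constructed.

```python
"""Pre-upgrade check: find IPsec phase 2 entries using algorithms removed in FreeBSD 13.

Added example, not OPNsense code. Assumed config.xml layout (pfSense-derived):
    <opnsense><ipsec><phase2>
        <descr>…</descr>
        <encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
        <hash-algorithm-option>hmac_md5</hash-algorithm-option>
Element names and algorithm identifiers are assumptions; adjust if yours differ.
"""
import xml.etree.ElementTree as ET

# Phase 2 options the 22.1 release notes list as no longer supported upstream.
WEAK_ENCRYPTION = {"des", "3des", "blowfish", "cast128"}
WEAK_HASH = {"hmac_md5"}  # assumed identifier for the MD5 integrity option


def find_weak_phase2(config_xml: str) -> list:
    """Return (phase 2 description, finding) tuples for each removed algorithm in use."""
    root = ET.fromstring(config_xml)
    findings = []
    for p2 in root.iter("phase2"):
        descr = (p2.findtext("descr") or "").strip() or "<unnamed>"
        for enc in p2.findall("encryption-algorithm-option"):
            name = (enc.findtext("name") or "").strip().lower()
            if name in WEAK_ENCRYPTION:
                findings.append((descr, f"encryption {name}"))
        for hsh in p2.findall("hash-algorithm-option"):
            algo = (hsh.text or "").strip().lower()
            if algo in WEAK_HASH:
                findings.append((descr, f"hash {algo}"))
    return findings


def check_config_file(path: str) -> list:
    """Run the check against a config.xml on disk (e.g. a backup taken before upgrading)."""
    with open(path, encoding="utf-8") as fh:
        return find_weak_phase2(fh.read())


# Constructed sample: one legacy tunnel still offering 3DES/MD5, one modern tunnel.
SAMPLE_CONFIG = """<opnsense>
  <ipsec>
    <phase2>
      <descr>legacy-branch</descr>
      <encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
      <encryption-algorithm-option><name>aes</name><keylen>128</keylen></encryption-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    </phase2>
    <phase2>
      <descr>modern-dc</descr>
      <encryption-algorithm-option><name>aes256gcm</name><keylen>128</keylen></encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
    </phase2>
  </ipsec>
</opnsense>
"""

if __name__ == "__main__":
    for descr, finding in find_weak_phase2(SAMPLE_CONFIG):
        print(f"phase 2 '{descr}': {finding} is no longer supported by FreeBSD 13")
```

Run it against a configuration backup rather than the live system; a non-empty result means the tunnel in question needs new phase 2 proposals on both peers before the upgrade, since the kernel will simply refuse the removed transforms afterwards.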
The public key for the 22.1 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1o1Bk31AcX5xsqgVAoWQ
# 1fTDznz22ojsK+qCkhW7MKSWlCyEZYEueUtq7hOt/gqttc3qT0WgHjhjI/WE2RQ4
# 53yfSw/2DDdt3v2WRoupaMzu2Px6I0A+dzo/DM0UWHHsjUaa1HnTvrC14W2vy9wY
# rdotDpp6vSA3WoBmpz+6cpAOlOMTboJouaZy2gSAAcFUmnmP6KDE+lQEqudENTpr
# wb/tIILTE3s6HMBrnmyTNz3Oyy77qH0Xq4mU0r+GS3If0LN+zIr3evt/hhS80otG
# 4WA2ifFeoZVUC//ArAqRiuOJKWvDe5455W1tOuoLkVKVwWMUd1YjaLq8/SRNtTVT
# jRWO6znUHJa7LKtwY7SJvJ8bl8kR8QnrEBRLqT3IA+FcRH+8RaeCivPV7oS1tMiV
# 7hUmu4yXkiMU9c/RrUj7UGZfPKa6K1yP2p3pRvHwCpMclhlVdaiAGNQ8X1GmUAmg
# 3hsoay1ximpj0Yzs+ynDdT1WPkjx8+mDWI08qTuVX+KN3xiohzjxUyD6kBbw2N4z
# EkKTu36KLxo+Hs2iHh4iPWV+EZ5pBn/BseUeHha+V76xM/fPU3H2htwF6/lAz3KH
# J6cevsMenCaYBAqpUsQMBjxhDgMmpCcjiZRPijFpe5zsNSUD1NJ8QMpecBZCE6Vt
# YHWiWxZTN13z4mPqA4uebakCAwEAAQ==
# -----END PUBLIC KEY-----
Please let us know about your experience!
# SHA256 (OPNsense-22.1.r1-OpenSSL-dvd-amd64.iso.bz2) = c6388b7960ec8e65a89dd8baf0a118410340f94b260bfea64faf3008c525376e
# SHA256 (OPNsense-22.1.r1-OpenSSL-nano-amd64.img.bz2) = 10aa979b754c8d4b0ffdad4c8befa1ab3b0bb146981333d5731ffa5c7b99b9b3
# SHA256 (OPNsense-22.1.r1-OpenSSL-serial-amd64.img.bz2) = e09addbab2a479cd5155926373c2bbe141d3f6aa057f044b43d9ad11fcc75e85
# SHA256 (OPNsense-22.1.r1-OpenSSL-vga-amd64.img.bz2) = 7f02135fdddf6227fd1ef4bb3012ce83b622bf7ec18baadaf03105792a38576c
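The checksum lines published with each release (here and in the 22.1 section above) use the BSD digest format `SHA256 (filename) = hex`. The following is an added example, not OPNsense tooling, that parses those lines and verifies the matching files in a download directory before they are written to media; the digest lines embedded in it are copied from the 22.1.r1 list directly above, and the directory argument is the caller's own.

```python
"""Verify downloaded images against the SHA256 lines of an OPNsense release note.

Added example, not part of the release notes or the OPNsense tooling. Parses the
BSD digest format used above, 'SHA256 (filename) = hex', and checks each listed
file found in a directory against its expected digest.
"""
import hashlib
import os
import re

# Accepts the leading '#' the notes render in front of each digest line.
DIGEST_LINE = re.compile(
    r"^#?\s*SHA256\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]{64})\s*$"
)


def parse_digests(text: str) -> dict:
    """Map file name -> expected lowercase hex digest; lines that do not match are ignored."""
    digests = {}
    for line in text.splitlines():
        match = DIGEST_LINE.match(line.strip())
        if match:
            digests[match.group("name").strip()] = match.group("hex").lower()
    return digests


def sha256_file(path: str) -> str:
    """Stream the file in 1 MiB chunks so multi-GB images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_directory(directory: str, digests: dict) -> dict:
    """Return {file name: 'OK' | 'MISMATCH' | 'MISSING'} for every listed file."""
    results = {}
    for name, expected in digests.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


# Digest lines copied from the 22.1.r1 release note above.
RELEASE_DIGESTS = """
# SHA256 (OPNsense-22.1.r1-OpenSSL-dvd-amd64.iso.bz2) = c6388b7960ec8e65a89dd8baf0a118410340f94b260bfea64faf3008c525376e
# SHA256 (OPNsense-22.1.r1-OpenSSL-nano-amd64.img.bz2) = 10aa979b754c8d4b0ffdad4c8befa1ab3b0bb146981333d5731ffa5c7b99b9b3
# SHA256 (OPNsense-22.1.r1-OpenSSL-serial-amd64.img.bz2) = e09addbab2a479cd5155926373c2bbe141d3f6aa057f044b43d9ad11fcc75e85
# SHA256 (OPNsense-22.1.r1-OpenSSL-vga-amd64.img.bz2) = 7f02135fdddf6227fd1ef4bb3012ce83b622bf7ec18baadaf03105792a38576c
"""

if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in verify_directory(target, parse_digests(RELEASE_DIGESTS)).items():
        print(f"{status:8} {name}")
```

The digests are compared against the compressed `.bz2` download as listed, so verify before decompressing. A MISMATCH on a completed download is reason to discard the file and fetch it again from one of the listed mirrors rather than to continue with the installation.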