24.7 “Thriving Tiger” Series

For more than 9 and a half years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

24.7, nicknamed “Thriving Tiger”, features a new dashboard, system trust MVC/API support, GRE and GIF MVC/API support, NAT 1-to-1 MVC/API support, WireGuard QR code generator, dynamic IPsec VTI tunnel support, experimental OpenVPN DCO support, FreeBSD 14.1, Python 3.11 plus much more.

The upgrade path from 24.1.x will follow tomorrow. Do not be hasty. The major operating system upgrade has not happened in a while and should be taken with the appropriate amount of care.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

24.7.8 (November 06, 2024)

Minor update with FreeBSD security advisories and a number of stable branch patches for various Intel drivers. Two problems with the RRD rework are hereby fixed as well.

Here are the full patch notes:

  • system: add missing MinProtocol in OpenSSL config template from trust settings

  • system: add SignatureAlgorithms option and fix minor form glitch in trust settings

  • system: bring CRLs into bundles as well

  • system: sync certctl to FreeBSD 14.1 base code et al

  • reporting: isset() vs. empty() on RRD enable

  • reporting: fix regression in RRD temperature readings

  • interfaces: parse part of SFP module information in legacy_interfaces_details()

  • firewall: add a note about stateless TCP during syncookie use

  • firewall: enhance validation that group name can not start or end with a digit

  • firmware: improve health script and use config.sh

  • firmware: rework CRL check in config.sh

  • firmware: use the trust store for CRL verification

  • lang: update available translations

  • ipsec: add swanctl.conf download button to settings page

  • ipsec: add description field to pre-shared-keys

  • isc-dhcp: safeguard output type for json_decode() in leases page

  • unbound: allow RFC 2181 compatible names in overrides

  • mvc: fix UpdateOnlyTextField incompatibility with DependConstraint (contributed by kumy)

  • plugins: os-bind 1.33 [1]

  • plugins: os-caddy 1.7.4 [2]

  • plugins: os-etpro-telemetry lowers log level of collection invoke (contributed by doktornotor)

  • plugins: os-iperf fixes JS TypeError when parsing result (contributed by Leo Huang)

  • plugins: os-tinc removes “pipes” Python module dependency (contributed by andrewhotlab)

  • src: multiple issues in the bhyve hypervisor [3]

  • src: unbounded allocation in ctl(4) CAM Target Layer [4]

  • src: XDG runtime directory file descriptor leak at login [5]

  • src: assorted FreeBSD stable patches for Intel ixgbe, igb, igc and e1000 drivers

  • src: cxgb: register ifmedia callbacks before ether_ifattach

  • src: enc: use new KPI to create enc interface

  • src: ifconfig: fix wrong indentation for the status of pfsync

  • src: iflib: simplify iflib_legacy_setup

  • src: iflib: use if_alloc_dev() to allocate the ifnet

  • src: netmap: make memory pools NUMA-aware

  • src: vlan: handle VID conflicts

  • ports: libpfctl 0.14

  • ports: nss 3.106 [6]

  • ports: php 8.2.25 [7]

24.7.7 (October 23, 2024)

A small update to keep things moving forward while things are quietening down a little bit. Still working on improving the trust store integration and already tackling new MVC/API conversions on the development end.

Here are the full patch notes:

  • system: add OpenSSH “RekeyLimit” with a limited set of choices

  • system: fix certificate condition in setCRL() (contributed by richierg)

  • system: untrusted directory changed in FreeBSD 14

  • system: remove obsolete banners from static pages

  • system: address CRL/cert subject hash mismatch during trust store rehash

  • reporting: refactor existing RRD backend code

  • firewall: throttle live logging on dashboard widget

  • interfaces: fix VXLAN interface being busy when vxlanlocal or vxlanremote is changed

  • interfaces: 6RD/6to4 route creation should be limited to IPv6

  • firmware: remove escaped slashes workaround on mirror/flavour write

  • firmware: CRL checking for business update mirror

  • firmware: introduce config.sh and use it in launcher.sh and connection.sh

  • firmware: restart cron on updates

  • intrusion detection: reorganise settings page with headers

  • intrusion detection: support configuration of eve-log for HTTP and TLS (contributed by Toby Chen)

  • ipsec: fix advanced option “max_ikev1_exchanges”

  • backend: cache file cleanup when TTL is reached

  • backend: correct template helper exists() return type (contributed by kumy)

  • mvc: fix config.xml file open mode in overwrite()

  • mvc: add missing request->hasQuery()

  • mvc: add missing request->getScheme()

  • mvc: add missing request->getURI()

  • mvc: extend sanity checks in isIPInCIDR()

  • ui: fix tree view style targeting elements outside this view

  • plugins: enforce defaults on devices

  • plugins: os-caddy 1.7.3 [1]

  • plugins: os-ddclient 1.25 [2]

  • plugins: os-freeradius 1.9.26 [3]

  • plugins: os-frr 1.42 [4]

  • plugins: os-lldpd 1.2 [5]

  • plugins: os-net-snmp 1.6 [6]

  • plugins: os-upnp 1.7 [7]

  • plugins: os-wazuh-agent 1.1 [8]

  • ports: monit 5.34.2 [9]

  • ports: nss 3.105 [10]

  • ports: openssh 9.9.p1 [11]

  • ports: pkg fix for embedded libfetch when doing CRL verification

  • ports: py-duckdb 1.1.2 [12]

  • ports: syslog-ng 4.8.1 [13]

  • ports: unbound 1.22.0 [14]

24.7.6 (October 09, 2024)

A few security and reliability issues this week, most notably in Suricata and Unbound. The dashboard rework seems to be concluded now as the ACL behaviour was aligned and should match the user expectation on the “Lobby” section privileges. Note that not all widgets have separate ACLs, as the aim is to provide a minimal safe selection of system widgets associated with the access to the dashboard page in general.

We will, however, continue to improve the dashboard further while we also tackle other interesting areas for 25.1. That being said, have a look at the new roadmap [1] we published recently.

You may notice the increased activity on the trust store side due to our LINCE certification efforts. Valuable feedback and code changes have come from this process that will also find their way into other related projects in the near future.

Here are the full patch notes:

  • system: do not render non-reachable dashboard widget links

  • system: handle picture deletion via hidden input on general settings page

  • system: straighten out API ACL entries for several components

  • system: remove unreachable “page-getstats” ACL entry

  • system: adjust “page-system-login-logout” ACL entry to be used as a minimal dashboard privilege

  • system: deprecate the “page-dashboard-all” ACL entry as it will be removed in 25.1

  • system: add descriptions on CA and certificate downloads file names

  • system: show user icon when certificate is not otherwise used (in case CN matches any of our registered users)

  • system: add proper validation when certificates are being imported via CSR

  • system: add missing CRL changed event when CRLs are saved in the GUI

  • system: add a trust settings page and move existing trust settings there as well

  • system: optionally fetch and store CRLs attached to trusted authorities

  • system: improve and extend certctl.py script doing the trust store rehashing

  • system: enforce CRL behaviour for existing revocations in the trust store when doing remote syslog sending over TLS

  • interfaces: simplify and clarify pfsync reconfiguration hooks

  • interfaces: non-functional refactors in PPP configuration

  • interfaces: send IPv6 solicit immediately on WAN interfaces

  • firewall: add gateway groups to the list of gateways in automation rules

  • dhcrelay: refactor for plugins_argument_map() use

  • ipsec: add “make_before_break” option to settings

  • kea-dhcp: add configurable “max-unacked-clients” parameter and change its default to 2

  • kea-dhcp: add missing constraint on IP address for reservations

  • openvpn: register OpenVPN group immediately when setting up instances

  • openvpn: push “data-ciphers-fallback” in client export when configured to align with legacy setup

  • unbound: port to newwanip_map / plugins_interface_map()

  • ui: remove bold text from tab headers for consistency

  • plugins: os-acme-client 4.6 [2]

  • plugins: os-caddy 1.7.2 [3]

  • plugins: os-frr 1.41 [4]

  • plugins: os-smart 2.3 adds new dashboard widget (contributed by Francisco Dimattia)

  • src: pf: revert part of 39282ef3 to properly log the drop due to state limits

  • src: pflog: pass the action to pflog directly

  • src: various check removals for malloc(M_WAITOK) driver calls

  • src: libpfctl: ensure we return useful error codes

  • src: x86/ucode: add support for early loading of CPU ucode on AMD

  • src: libfetch: improve optional CRL verification

  • src: fetch: fix “–crl” option not working

  • ports: curl 8.10.1 [5]

  • ports: crowdsec fix for stuck service handling [6]

  • ports: dhcp6c 20241008 properly handle NoAddrAvail status code

  • ports: monit 5.34.1 [7]

  • ports: php 8.2.24 [8]

  • ports: dnspython 2.7.0

  • ports: py-duckdb 1.1.1 [9]

  • ports: suricata 7.0.7 [10]

  • ports: unbound 1.21.1 [11]

24.7.5 (September 26, 2024)

This release removes significant processing overhead from larger setups due to being able to coalesce parallel configuration requests for the same component instead of iterating over the list of selected interfaces one by one. A number of third party software updates and FreeBSD security advisories are included as well.

This update also disables NUMA by default, which can bring a boost in network throughput on affected systems. And of course we are still working on dashboard improvements, so now the treasured picture widget is back with a better integration approach.

Also take note that the NTP default changes to “restrict noquery” so that the system can no longer be queried externally to reveal system internals unless explicitly allowed.
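As an added illustration of that change (a constructed ntp.conf fragment, not the file OPNsense generates), the previous restrict shape is shown commented out beside the hardened one:

```conf
# Constructed ntp.conf fragment (illustration, not OPNsense's generated file).
# Previous default shape: time is served, and mode 6/7 status queries
# (ntpq -c rv, ntpq -p) are answered for any remote address:
#restrict default kod nomodify notrap nopeer

# Hardened default matching the "restrict noquery" change: time is still
# served, but remote status queries that reveal version, OS and peer
# details are refused.
restrict default kod nomodify notrap nopeer noquery

# Queries remain allowed from the host itself for local troubleshooting.
restrict 127.0.0.1
restrict ::1
```

Only one `restrict default` line belongs in a real configuration; the commented line is kept purely to show what the noquery flag takes away from remote clients.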

With the technical stuff out of the way, we would simply like to add that we had a great time at EuroBSDCon in Dublin over the weekend. Lots of good and productive conversations. Looking forward to more of those! :)

Here are the full patch notes:

  • system: update default dashboard layout and include the services widget

  • system: render header for failed active widgets to allow identification and removal

  • system: add ability for widget referral links

  • system: cleaned up ACL definitions and use thereof

  • system: add a picture widget

  • system: default to vm.numa.disabled=1

  • system: handle log lines with no timestamp (contributed by Iain MacDonnell)

  • system: use interface maps in system_routing_configure() and dpinger_configure_do()

  • system: when only selecting TLS1.3 ciphers make sure to only allow 1.3 as well in web GUI

  • system: move web GUI restart to newwanip_map / plugins_argument_map() use

  • interfaces: move compatible event listeners to newwanip_map

  • interfaces: decouple PPP configure/reset from IPv4/IPv6 modes

  • interfaces: move legacy RFC2136 invoke to plugin hook

  • interfaces: add “spoofmac” device option and enforce it

  • interfaces: prevent CARP VIP removal when VHID group is in use by IP aliases

  • interfaces: routing configuration on changed interfaces only during apply

  • firmware: opnsense-update: support unescaped mirror input (contributed by Michael Gmelin)

  • firmware: opnsense-verify: show repository priority while listing active repositories

  • ipsec: convert to vpn_map event invoke and plugins_argument_map() use

  • monit: fix undefined function error in CARP script

  • network time: enable “restrict noquery” by default (contributed by doktornotor)

  • openssh: port to plugins_argument_map()

  • openvpn: validate “Auth Token Lifetime” to require a non-zero renegotiate time in instances

  • openvpn: convert to vpn_map event invoke and plugins_argument_map() use

  • wireguard: convert to vpn_map event invoke

  • ui: refine cookie policies and make them explicit

  • plugins: add plugins_argument_map() helper

  • plugins: os-caddy 1.7.1 [1]

  • src: bhyve: improve input validation in pci_xhci [2]

  • src: libnv: correct the calculation of the size of the structure [3]

  • src: ifnet: Remove if_getamcount()

  • src: ifnet: Add handling for toggling IFF_ALLMULTI in ifhwioctl()

  • src: ifconfig: Add an allmulti verb

  • src: date: include old and new time in audit log

  • src: bpf: Add IfAPI analogue for bpf_peers_present()

  • src: pf: use AF_INET6 when comparing IPv6 addresses

  • src: if_ovpn: ensure it is safe to modify the mbuf

  • src: if_ovpn: declare our dependency on the crypto module

  • ports: curl 8.10.0 [4]

  • ports: dhcp6c 20240919 reintroduced fixed arc4random() usage

  • ports: expat 2.6.3 [5]

  • ports: libpfctl 0.13

  • ports: libxml 2.11.9 [6]

  • ports: nss 3.104 [7]

  • ports: python 3.11.10 [8]

  • ports: sudo 1.9.16 [9]

A hotfix release was issued as 24.7.5_3:

  • system: due to observed timing issues avoid the use of closelog()

  • openvpn: fix “auth-gen-token” being supplied in server mode

24.7.4 (September 12, 2024)

Since we are currently having a vivid discussion about what constitutes a downstream or upstream issue in the FreeBSD scope we will revert the FreeBSD-SA-24:05.pf advisory until further notice. As confirmed by many users this brings ICMPv6 and therefore IPv6 back to an uneventful stable state. We will be trying to work with FreeBSD on the issue as it seems unavoidable that we meet it again when working on FreeBSD 14.2 inclusion.

In other IPv6 news we found a strange regression in dhcp6c introduced in 24.7.2 and reverted the offending commits for now. What this tells us, though, is that we did uncover an inherent issue with the timeout value generation that may have been present in the code for at least two decades.

Apart from smaller fixes for the dashboard and trust pages, this update also ships the first backwards-compatible PPP rework patch. The ultimate goal here is to offer IPv6-only connectivity, which requires untangling old code to be IP family agnostic. Should you notice any change in behaviour, please do not hesitate to contact us.

BTW, the roadmap for 25.1 has been decided and will be published soon.

Here are the full patch notes:

  • system: recover stuck monitors and offer a cron job

  • system: use built-in controller logic for JSON decoding on dashboard

  • system: map derivative field cert_type to expose purpose to the UI

  • system: handle stale “pfsyncinterfaces” and improve workflow

  • system: tweak the boot detection for code minimalism

  • system: do not save x/y widget coordinates on smaller screens

  • system: fix CARP widget on invalid CARP configuration

  • system: fix storing private key when creating a CSR

  • reporting: remove nonexistent 3G statistics

  • interfaces: force regeneration of link-local on spoofed MAC

  • interfaces: add proper validation for 6RD and 6to4

  • interfaces: add new “vpn_map” event to deprecate “vpn”

  • interfaces: unify PPP linkup/linkdown scripting

  • interfaces: replace “newwanip” from interface apply with “early”

  • interfaces: move IPv6 over IPv4 connectivity to a separate script

  • interfaces: port VXLAN to newwanip_map event

  • firewall: replace filter_(un)lock() with a FileObject lock

  • isc-dhcp: allow to disable a DHCPv6 server with faulty settings

  • firmware: remove auto-retry from fetch invokes

  • firmware: allow auto-configure patching via full URL

  • firmware: automatically handle most plugin conflicts

  • openssh: convert to newwanip_map and rework the code

  • openvpn: add username field to the status page

  • openvpn: add close-on-exec flag to service lock file

  • unbound: add discard-timeout (contributed by Nigel Jones)

  • wireguard: fix widget display with public key reuse

  • wireguard: add close-on-exec flag to service lock file

  • ui: allow style tag on headers

  • plugins: os-helloworld 1.4

  • plugins: os-caddy 1.7.0 [1]

  • src: revert FreeBSD-SA-24:05.pf until further notice to restore proper IPv6 behaviour [2]

  • src: agp: Set the driver-specific field correctly

  • src: cron(8) / periodic(8) session login [3]

  • src: multiple vulnerabilities in libnv [4]

  • src: bhyve(8) privileged guest escape via TPM device passthrough [5]

  • src: multiple issues in ctl(4) CAM target layer [6]

  • src: bhyve(8) privileged guest escape via USB controller [7]

  • src: possible DoS in X.509 name checks in OpenSSL [8]

  • src: umtx kernel panic or use-after-free [9]

  • src: revert “ixl: fix multicast filters handling” [10]

  • ports: dhcp6c 20240907 for now reverts instability regression in random number handling

  • ports: openssl 3.0.15 [11]

  • ports: php 8.2.23 [12]

A hotfix release was issued as 24.7.4_1:

  • interfaces: fix PPP regression of empty gateway default

24.7.3 (August 29, 2024)

Today we are switching pf stateful tracking of ICMPv6 neighbour discoveries off in order to fix the previous instability with the FreeBSD security advisory first shipped in 24.7.1. We do this in order to provide the same reliable IPv6 functionality that all versions prior to 24.7.1 had, at the cost of resurfacing CVE-2024-6640 until a better solution has been devised. A link to the long and difficult upstream bug report is included below.

But that is not all. The GUI gains snapshot support on ZFS installations by implementing what is called “boot environments”, which allows one to move seamlessly from one snapshot to another via reboot. This functionality can also be accessed from the boot loader menu option “8” for a quick recovery, provided that at least one other snapshot has been created to boot into. A very special thank you to Sheridan Computers for contributing this feature.

Here are the full patch notes:

  • system: add snapshots (boot environments) support via MVC/API (contributed by Sheridan Computers)

  • system: remove obsolete dashboard sync

  • system: compact services widget on dashboard

  • system: convert lock mode to edit mode on dashboard

  • system: link certificates by subject on import

  • system: unify how log search clauses work and add a search time constraint

  • system: move to static imports for widget base classes on dashboard

  • system: fix ACL check on dashboard restore and add safety check for save action

  • system: change dashboard modify buttons to a bootstrap group (contributed by Jaka Prašnikar)

  • interfaces: add “newwanip_map” event and deprecate old “newwanip” one

  • interfaces: keep 24.7 backwards compatibility by allowing 6RD and 6to4 on PPP

  • interfaces: add logging to PPP link scripts to check for overlap

  • interfaces: return correct uppercase interface name in getArp()

  • interfaces: fix issue with PPP port not being posted

  • dhcrelay: start on “newwanip_map” event as well

  • intrusion detection: update the default suricata.yaml (contributed by Jim McKibben)

  • ipsec: move two logging settings to correct location misplaced in previous version

  • ipsec: fix migration and regression during handling of “disablevpnrules” setting

  • wireguard: support CARP VHID reuse on different interfaces

  • mvc: when a hint is provided, also show them for selectpickers

  • rc: fix banner HTTPS fingerprint

  • plugins: os-ddclient 1.24 [1]

  • plugins: os-theme-advanced 1.0 based on AdvancedTomato (contributed by Jaka Prašnikar)

  • plugins: os-theme-cicada 1.38 (contributed by Team Rebellion)

  • plugins: os-theme-vicuna 1.48 (contributed by Team Rebellion)

  • plugins: os-upnp 1.6 [2]

  • plugins: os-wol 2.5 adds widget for new dashboard (contributed by Michał Brzeziński)

  • src: pf: fully annotated patch of disabling ND state tracking and issues for ICMPv6 [3]

  • src: u3g: add SIERRA AC340U

  • ports: dhcrelay 1.0 switches to official release numbering, but otherwise equal to 0.6

  • ports: sqlite 3.46.1 [4]

A hotfix release was issued as 24.7.3_1:

  • intrusion detection: fix indent in suricata.yaml

24.7.2 (August 21, 2024)

Today a follow-up for the FreeBSD security advisory for pf/ICMP ships that addresses the undesired traceroute behaviour. A few dashboard improvements are included as well as better IPv6 recovery for dhcp6c and assorted stability fixes.

As a special note we now have native CPU microcode update plugins for either AMD or Intel to install from the GUI. Apart from a reboot these plugins require no further user interaction and will keep the applicable microcode at the latest known version as shipped in the packages repository.

We are currently working on making PPP capable of running in IPv6-only deployments; additionally, ZFS snapshots (a.k.a. boot environments) are coming to the next stable release and can already be previewed in the bundled development version.

Last but not least, an “importmap” free dashboard version is also ready for testing in the development release. We hereby ask for feedback so that it can be included in a subsequent stable release.

Here are the full patch notes:

  • system: CRL import ignored text input and triggered unrelated validations

  • system: improve the locking during web GUI restart

  • system: improve WireGuard and IPsec widgets

  • system: add CPU widget graph selection

  • system: reformat traffic graphs to bps

  • system: add gateway widget item selection

  • system: add table view to interface statistics widget on expansion

  • system: improve widget error recovery

  • system: fix wrong variable assignment in system log search backend

  • system: add missing delAction() for proper CRL removal

  • interfaces: require PPP interface to be in up state (contributed by Nicolai Scheer)

  • interfaces: lock down PPP modes when editing interfaces

  • interfaces: backport required interface_ppps_capable()

  • interfaces: retire interfaces_bring_up()

  • reporting: start using cron for RRD collection

  • firmware: remove inactive mirrors from the list

  • firmware: introduce sanity checks prior to upgrades

  • firmware: cleanup package manager temporary files prior to upgrades

  • kea-dhcp: fix privileges for page ACL

  • ipsec: advanced settings MVC/API conversion

  • ipsec: add retransmission settings in charon section in advanced settings

  • openvpn: unhide server fields for DCO instances

  • mvc: remove setJsonContent() and make sure Response->send() handles array types properly

  • mvc: FileObject write() should sync by default

  • rc: export default ZPOOL_IMPORT_PATH

  • ui: sidebar submenu expand fix (contributed by Team Rebellion)

  • plugins: os-caddy 1.6.3 [1]

  • plugins: os-cpu-microcode-amd 1.0

  • plugins: os-cpu-microcode-intel 1.0

  • plugins: os-freeradius 1.9.25 [2]

  • plugins: os-intrusion-detection-content-snort-vrt 1.2 switch to newer ruleset snapshot (contributed by Jim McKibben)

  • plugins: os-theme-tukan 1.28 (contributed by Dr. Uwe Meyer-Gruhl)

  • src: axgbe: implement ifdi_i2c_req for diagnostics information

  • src: if_clone: allow maxunit to be zero

  • src: if_pflog: limit the maximum unit via the new KPI

  • src: pf: invert direction for inner icmp state lookups

  • src: pf: fix icmp-in-icmp state lookup

  • src: pf: vnet-ify pf_hashsize, pf_hashmask, pf_srchashsize and V_pf_srchashmask

  • ports: dhcp6c 20240820 fixes two renewal edge cases

  • ports: nss 3.103 [3]

  • ports: phpseclib 3.0.41 [4]

  • ports: unbound 1.21.0 [5]

24.7.1 (August 08, 2024)

This release includes a batch of dashboard changes due to the reliable feedback we have received from you all so far. There will be more dashboard changes in the future mostly relating to UX and sane default behaviour so just know we are aware.

A few smaller regressions due to the Phalcon module replacement efforts have been fixed as well. IPv6 behaviour has been adjusted for SLAAC and the web GUI.

Last but not least we found and fixed a number of issues with FreeBSD 14.1 and are including its security advisories from yesterday while at it.

MVC/API conversions are already being carried out in the development version and it seems that PPP-related connectivity will get a bigger makeover too. The roadmap for 25.1 will be discussed and likely published later this month.

Here are the full patch notes:

  • system: guard destroy on traffic widget

  • system: adjust address display in interfaces widget

  • system: fix display of multiple sources in thermal sensor widget

  • system: add load average back to system info widget

  • system: remove dots from traffic widget graphs

  • system: add publication date to announcement widget

  • system: fix monit widget status code handling

  • system: allow and persist vertical resize in widgets

  • system: improve formatting of byte values in widgets

  • system: update OpenVPN widget server status color

  • system: add aggregated traffic information about connected children in IPsec widget

  • system: remove animated transition from row hover for table widgets

  • system: improve the styling of the widget lock button

  • system: apply locked state to newly added widgets as well

  • system: account for removal of rows in non-rotated widget tables with top headers

  • system: use “importmap” to force cache safe imports of base classes for widgets

  • system: allow custom fonts in the widgets with gauges (contributed by Jaka Prasnika)

  • system: add monitor IP to gateway API result (contributed by Herman Bonnes)

  • system: better define “in use” flag and safety guards in certificates section

  • system: export p12 resulted in mangled binary blob in certificates section

  • system: when using debug kernels prevent them from triggering unrelated panics on assertions

  • system: switch Twitter to Reddit URL in message of the day

  • system: fix API exception on empty CA selection

  • system: skip tentative IPv6 addresses for binding in the web GUI (contributed by tionu)

  • interfaces: avoid deprecating SLAAC address for now

  • firewall: show inspect button on “xs” size screen

  • firewall: fix parsing port alias names in /etc/services

  • captive portal: fix client disconnect (contributed by Vivek Panchal)

  • firmware: revoke old fingerprints

  • ipsec: add aggregated traffic totals to phase 1 view

  • kea-dhcp: ignore invalid hostnames in static mappings to prevent DNS services crashes

  • openvpn: use new trust model to link users by common_name in exporter

  • openvpn: DCO mode only supports UDP on FreeBSD

  • openvpn: add “float” option to instances (contributed by Christian Kohlstedde)

  • backend: patch -6 address support into pluginctl

  • mvc: fix API endpoint sending data without giving the Response object the chance to flush its headers

  • plugins: os-acme-client 4.5 [1]

  • plugins: os-apcupsd 1.2 [2]

  • plugins: os-caddy 1.6.2 [3]

  • plugins: os-ddclient 1.23 [4]

  • plugins: os-theme-rebellion 1.9.1 fixes more compatibility issues with new dashboard (contributed by Team Rebellion)

  • src: pf incorrectly matches different ICMPv6 states in the state table [5]

  • src: ktrace(2) fails to detach when executing a setuid binary [6]

  • src: NFS client accepts file names containing path separators [7]

  • src: xen/netfront: Decouple XENNET tags from mbuf lifetimes

  • src: dummynet: fix fq_pie traffic stall

  • src: mcast: fix leaked igmp packets on multicast cleanup

  • src: wg: change dhost to something other than a broadcast address (contributed by Sunny Valley Networks)

  • ports: curl 8.9.1 [8]

  • ports: dhcrelay 0.6 [9]

  • ports: kea 2.6.1 [10]

  • ports: nss 3.102 [11]

  • ports: php 8.2.22 [12]

  • ports: rrdtool 1.9.0 [13]

  • ports: syslog-ng 4.8.0 [14]

24.7 (July 25, 2024)

Here are the full changes against version 24.1.10:

  • system: remove “load_balancer” configuration remnants from core

  • system: replace usage of mt_rand() with random_int()

  • system: rewrote Trust configuration using MVC/API

  • system: add XMLRPC option for OpenDNS

  • system: rewrote the high availability settings page using MVC/API

  • system: remove obsolete SSH DSA key handling

  • system: replaced the dashboard with a modern alternative with streaming widgets

  • system: harden a number of PHP settings according to best practices

  • system: support streaming of log files for the new dashboard widget

  • system: assorted dashboard widget tweaks

  • system: sidebar optimisation and fixes (contributed by Team Rebellion)

  • system: set short Cache-Control lifetime for widgets

  • interfaces: rewrote GRE configuration using MVC/API

  • interfaces: rewrote GIF configuration using MVC/API

  • interfaces: temporary flush SLAAC addresses in DHCPv6 WAN mode to avoid using them primarily

  • interfaces: add peer/peer6 options to CARP VIPs

  • interfaces: allow to assign a prefix ID to WAN interface in DHCPv6 as well

  • interfaces: allow to set manual interface ID in DHCPv6 and tracking modes

  • firewall: performance improvements in alias handling

  • firewall: refactor pftop output, move search to controller layer and implement cache for sessions page

  • firewall: support streaming of filter logs for the new dashboard widget

  • captive portal: add “Allow inbound” option to select interfaces which may enter the zone

  • captive portal: remove defunct transparent proxy settings

  • captive portal: clean up the codebase

  • ipsec: prevent gateway when remote gateway family does not match selected protocol in legacy tunnel configuration

  • isc-dhcp: do not reload DNS services when editing static mappings to match behaviour with Kea

  • monit: expose HTTPD username and password settings to GUI

  • openvpn: optionally support DCO devices for instances

  • openvpn: remove duplicate and irrelevant data for the client session in question

  • openvpn: add “remote_cert_tls” option to instances

  • backend: add “cache_ttl” parameter to allow for generic caching of actions

  • backend: run default action “configd actions” when none was specified

  • backend: extended support for streaming actions

  • installer: update the ZFS install script to the latest FreeBSD 14.1 code

  • installer: prefer ZFS over UFS in main menu selection

  • ui: assorted improvements for screen readers (contributed by Jason Fayre)

  • ui: add “select all” to standard form selectors and remove dialog on “clear all” for tokenizers

  • ui: lock save button while in progress to prevent duplicate input on Bootgrid

  • ui: backport accessibility fix in Bootstrap

  • mvc: replaced most of the Phalcon MVC use with a native band compatible implementation

  • mvc: improve searchRecordsetBase() filtering capabilities

  • mvc: improve container field cloning

  • mvc: remove obsolete getParams() usage in ApiControllerBase

  • mvc: hook default index action in API handler

  • plugins: os-acme-client 4.4 [2]

  • plugins: os-caddy 1.6.1 [3]

  • plugins: os-dec-hw 1.1 replaces the dashboard widget

  • plugins: os-etpro-telemetry 1.7 replaces dashboard widget

  • plugins: os-freeradius 1.29.4 [4]

  • plugins: os-nginx 1.34 [5]

  • plugins: os-theme-cicada 1.37 fixes dropdown element style (contributed by Team Rebellion)

  • plugins: os-theme-vicuna 1.47 fixes dropdown element style (contributed by Team Rebellion)

  • src: FreeBSD 14.1-RELEASE [6]

  • src: assorted backports from FreeBSD stable/14 branch

  • ports: hostapd 2.11 [7]

  • ports: libpfctl 0.12

  • ports: phalcon 5.8.0 [8]

  • ports: openvpn 2.6.12 [9]

  • ports: wpa_supplicant 2.11 [10]

A hotfix release was issued as 24.7_5:

  • system: fix disk widget byte unit “B” parsing crashing the whole widget

  • interfaces: improve apply of the new peer/peer6 options to avoid unneeded reset

  • firewall: fix one-to-one NAT migration with external address without a subnet set

  • openvpn: disable DCO permanently in legacy client/server configuration

  • mvc: fix API regression due to getParams() removal

  • plugins: os-udpbroadcastrelay API error fixes (contributed by Team Rebellion)

A hotfix release was issued as 24.7_9:

  • system: increase widget timeout to 5 seconds

  • system: cores and threads flipped in system widget

  • system: increase the PHP children count of the web GUI

  • mvc: make Response->setContentType() second argument optional

  • plugins: os-theme-rebellion 1.9 fixes compatibility issues with new dashboard (contributed by Team Rebellion)

Migration notes, known issues and limitations:

  • The dashboard has been replaced. Widgets from the old format are no longer supported and need to be rewritten by the respective authors.

  • ISC DHCP will no longer reload DNS services on static mapping edits. This is for feature parity with Kea DHCP and to avoid cross-service complications. If you expect your static mappings to show up in a particular DNS service, please restart that service manually.

The public key for the 24.7 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAunCgLymz7ichjk+uZ4pR
# XwFX8FxG0KFBf4f6kCfQ+wNF9KTFBELzGg2tXPUmrJD/DzcMqQExP3WyTg0Z96ZW
# HofN2AbOCG84PpNlsKXpaUtm9Ow8kiYh7tn26eX7FaOEPtpJkMiwUymbCJJaPE0O
# smQbWGnJTvF8LTmuviPoiMrPv1cJ0kEyJvjDD0yMw1HrIgwPOazGmTQiuM3LoLOK
# F0KWf2p40c77QDOuGC7AIobQgDkZTabfU7PQUn6gDiKARYCst7y2xX3OQ7foXCJW
# nDDypfbfHixv77mVAeIED0h9ZsQaIHskL2dqqRbFHiY+OHjQTCAJP1Ptm/HGSCdj
# GOjpuD4WXvxru8AgcOCh6GpqO4IbByIHXu+67Ur3UBlxsp4x44lxBWXQzeemVhaS
# ZAmkJNemw51oRDTxYtpR7TF3OlgLAQBOB/0tqHmkbSBouQ6PK7HYzNglu9LStxo1
# uxgMss5q8GoZCkWKvRDz87YceeC75l0aWOVnkOMmC5Lf+fFMJp6TF7BzCi3ZC7CD
# DQchBlE2F98D3E7KiI4vGrLUj3qKwfwV41JSQ8OtwOV+KFGOmyHeNassTQHm1Mdn
# reTzHeusqUdAL7+pXH1XNwoFSZo7A6RoZzTzb0p7WYbKU9SV39DPytsYES7FsyY8
# l7+AsM+sBOY1ngeB/twBzyUCAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-24.7-dvd-amd64.iso.bz2) = 4452df716417cac324bb06322fc4428870ac2a64fd6ae47675a421e8db0a18b5
# SHA256 (OPNsense-24.7-nano-amd64.img.bz2) = a44711b6c088d6d12434afef9a3ccadc4ef1b56e44babd13e4b199589170c51a
# SHA256 (OPNsense-24.7-serial-amd64.img.bz2) = a94207c3515389c3fab5c6d72eeda4951526f9f50f06794ad9a4c1478bc8e8d0
# SHA256 (OPNsense-24.7-vga-amd64.img.bz2) = 11031aecabce97f6d5502f943d347704b5a888ec213d7f9229200877d72f297c

24.7.r2 (July 19, 2024)

For more than 9 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3

Download links, an installation guide [1] and the checksums for the images can be found below as well.

Here are the full changes against version 24.7-RC1:

  • system: assorted dashboard widget tweaks

  • system: sidebar optimisation and fixes (contributed by Team Rebellion)

  • installer: update the ZFS install script to the latest FreeBSD 14.1 code

  • mvc: remove obsolete getParams() usage in ApiControllerBase

  • mvc: hook default index action in API handler

  • src: assorted backports from FreeBSD stable/14 branch

  • plugins: os-caddy 1.6.1 [2]

  • plugins: os-dec-hw 1.1 replaces the dashboard widget

  • plugins: os-nginx 1.34 [3]

  • plugins: os-theme-cicada 1.37 fixes dropdown element style (contributed by Team Rebellion)

  • plugins: os-theme-vicuna 1.47 fixes dropdown element style (contributed by Team Rebellion)

Migration notes, known issues and limitations:

  • The dashboard has been replaced. Widgets from the old format are no longer supported and need to be rewritten by the respective authors.

  • ISC DHCP will no longer reload DNS services on static mapping edits. This is for feature parity with Kea DHCP and to avoid cross-service complications. If you expect your static mappings to show up in a particular DNS service, please restart that service manually.

Please let us know about your experience!

# SHA256 (OPNsense-24.7.r2-dvd-amd64.iso.bz2) = 43617bcb97b40a4c681c9468e0f7837aef9e7ff3849377649ab350287ad4639b
# SHA256 (OPNsense-24.7.r2-nano-amd64.img.bz2) = 8fad59de6fdb07b9df2edb637a9d5f18a892d462d76118da6270dede90180a35
# SHA256 (OPNsense-24.7.r2-serial-amd64.img.bz2) = 5c4d9b6f7ef4baf555c43d949f5946b59856fea45303a4b32890c102909d9f75
# SHA256 (OPNsense-24.7.r2-vga-amd64.img.bz2) = 46f78b3fa40a429f52adbe1caf923cb8f4856e01ff61888b3db2658b43fe3f56

24.7.r1 (July 16, 2024)

If you have not heard: 24.7-RC1 is an online update. You can update from the 24.7-BETA and switch to the community release type for the stable track which leads into 24.7.x. The development version of the upcoming 24.1.11 release will also be able to update to the RC. An RC2 will follow up with the relevant images and additional information at the end of the week.

Here are the full changes against version 24.1.10:

  • system: remove “load_balancer” configuration remnants from core

  • system: replace usage of mt_rand() with random_int()

  • system: rewrote Trust configuration using MVC/API

  • system: add XMLRPC option for OpenDNS

  • system: rewrote the high availability settings page using MVC/API

  • system: remove obsolete SSH DSA key handling

  • system: replaced the dashboard with a modern alternative with streaming widgets

  • system: harden a number of PHP settings according to best practices

  • system: support streaming of log files for the new dashboard widget

  • interfaces: rewrote GRE configuration using MVC/API

  • interfaces: rewrote GIF configuration using MVC/API

  • interfaces: temporarily flush SLAAC addresses in DHCPv6 WAN mode to avoid using them primarily

  • interfaces: add peer/peer6 options to CARP VIPs

  • interfaces: allow assigning a prefix ID to the WAN interface in DHCPv6 as well

  • interfaces: allow setting a manual interface ID in DHCPv6 and tracking modes

  • firewall: performance improvements in alias handling

  • firewall: refactor pftop output, move search to controller layer and implement cache for sessions page

  • firewall: support streaming of filter logs for the new dashboard widget

  • captive portal: add “Allow inbound” option to select interfaces which may enter the zone

  • captive portal: remove defunct transparent proxy settings

  • captive portal: clean up the codebase

  • ipsec: prevent gateway when remote gateway family does not match selected protocol in legacy tunnel configuration

  • isc-dhcp: do not reload DNS services when editing static mappings to match behaviour with Kea

  • monit: expose HTTPD username and password settings to GUI

  • openvpn: optionally support DCO devices for instances

  • openvpn: remove duplicate and irrelevant data for the client session in question

  • openvpn: add “remote_cert_tls” option to instances

  • backend: add “cache_ttl” parameter to allow for generic caching of actions

  • backend: run default action “configd actions” when none was specified

  • backend: extended support for streaming actions

  • ui: assorted improvements for screen readers (contributed by Jason Fayre)

  • ui: add “select all” to standard form selectors and remove dialog on “clear all” for tokenizers

  • ui: lock save button while in progress to prevent duplicate input on Bootgrid

  • ui: backport accessibility fix in Bootstrap

  • mvc: replaced most of the Phalcon MVC use with a native band compatible implementation

  • mvc: improve searchRecordsetBase() filtering capabilities

  • mvc: improve container field cloning

  • plugins: os-acme-client 4.4 [1]

  • plugins: os-etpro-telemetry 1.7 replaces dashboard widget

  • src: FreeBSD 14.1-RELEASE [2]

  • ports: phalcon 5.8.0 [3]

Migration notes, known issues and limitations:

  • The dashboard has been replaced. Widgets from the old format are no longer supported and need to be rewritten by the respective authors.

  • ISC DHCP will no longer reload DNS services on static mapping edits. This is for feature parity with Kea DHCP and to avoid cross-service complications. If you expect your static mappings to show up in a particular DNS service, please restart that service manually.

24.7.b (June 13, 2024)

Since OPNsense 24.7 will be based on a newer FreeBSD major version it is crucial for us to release these BETA images based on the latest development state. This is not meant for production use but all plugins are provided and future updates of installations based on these images will be possible.

https://pkg.opnsense.org/releases/24.7/

There is a bit more work to be done, yet most of the milestones have already been reached. If you have a test deployment or would like to check out some of the new features, these images are for you. Together we can make OPNsense better than it ever was.

The final release date for 24.7 is July 24. A release candidate will follow in early July.

Highlights over the current 24.1 series include:

  • Dashboard replacement with streaming widgets

  • System: High Availability: Settings page has been converted to MVC

  • System: Trust section has been converted to MVC/API

  • Interfaces: GIF section has been converted to MVC/API

  • Interfaces: GRE section has been converted to MVC/API

  • Firewall: NAT 1-to-1 has been converted to MVC/API

  • Added experimental OpenVPN DCO device type support

  • Added unicast CARP support to Virtual IPs

  • DHCPv6 on WAN can now assign a prefix subnet to itself and support static interface identifiers

  • Built-in cache capability for backend commands

  • Captive portal backend refactor and new “Allow inbound interfaces” option

  • Large portions of Phalcon MVC have been replaced by native PHP implementation

  • FreeBSD 14.1

Please let us know about your experience!

# SHA256 (OPNsense-devel-24.7.b-dvd-amd64.iso.bz2) = af740f12d4363d13e96ad95ac06dd1d659009c345af3e8ff6d544a66200ba93f
# SHA256 (OPNsense-devel-24.7.b-nano-amd64.img.bz2) = 394e150c3cb22b7f2d2b131fc2bcb545355e6a129b7d9afe2ced9c4364bfa862
# SHA256 (OPNsense-devel-24.7.b-serial-amd64.img.bz2) = a8770d247400859e66151aae177171f141ea7064de98728edfc22a77d8d5f447
# SHA256 (OPNsense-devel-24.7.b-vga-amd64.img.bz2) = 046bba7c48312578f819535a0f29210e24f9bcb1e8153256fb15a35a62f3d443
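An added example (not OPNsense project code) for checking downloaded images against the SHA256 lines published for each release above: it parses the BSD-style "SHA256 (file) = hash" lines as printed on this page, including the leading "# ", and treats any mismatch or missing file as a failure. The demo file name and payload at the end are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not OPNsense project code): verify downloaded images against
# the "# SHA256 (file) = hash" digest lines copied from the release notes.
# Hex SHA-256 of a file; portable across Linux (sha256sum), macOS (shasum)
# and FreeBSD/OPNsense (sha256 -q).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    sha256 -q "$1"
  fi
}
# verify_images <digest-list-file> <image-directory>
# For every "SHA256 (name) = hash" line, hash the matching file and report
# OK / MISMATCH / MISSING. Returns 0 only when every listed image is present
# and matches; anything else must not be installed.
verify_images() {
  list=$1; dir=$2; rc=0
  while IFS= read -r line; do
    case $line in
      *"SHA256 ("*") = "*) ;;   # digest line, "# "-prefixed as on the page
      *) continue ;;           # skip headings and blank lines
    esac
    name=${line#*"SHA256 ("}; name=${name%%")"*}
    want=${line##*" = "}
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name"; rc=1; continue
    fi
    got=$(sha256_of "$dir/$name")
    if [ "$got" = "$want" ]; then
      echo "OK       $name"
    else
      echo "MISMATCH $name"; rc=1
    fi
  done < "$list"
  return $rc
}
# Demo on a constructed file (not a real image) so the script runs offline;
# in practice pass the copied digest list and your download directory instead.
demo() {
  d=$(mktemp -d)
  f=OPNsense-example-vga-amd64.img.bz2
  printf 'constructed sample payload\n' > "$d/$f"
  printf '# SHA256 (%s) = %s\n' "$f" "$(sha256_of "$d/$f")" > "$d/digests.txt"
  verify_images "$d/digests.txt" "$d"; rc=$?
  rm -rf "$d"; return $rc
}
demo
```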