Download OPNsense 21.1

The package OPNsense is a firewall with extensive opportunities. It is based on the FreeBSD operating system and is originally a fork of m0n0wall and pfSense. The package can be set up completely via a web interface and has support for 2fa, openvpn, ipsec, carp and captive portal, among others. In addition, it can apply packet filtering and has a traffic shaper. The developers have released OPNsense 21.1 with the following announcement:

OPNsense 21.1 released

For more than 6 years, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

21.1, nicknamed “Marvelous Meerkat”, is the relentless continuation of open source dedication. The last 6 years were not always easy, but we are happy to be where we are now and have the community to thank for it.

New and improved are the firewall rules and NAT categories, the traffic graphs supporting IPv6 along with a visual refresh, intrusion detection rule management by policies, an alias for MAC addresses and NAT over IPsec with all phase 2 you could ever want. Last but not least, the serial image now supports UEFI as well.

For those wondering, the WireGuard plugin has been available since 2019 and receives continuous improvements by its maintainer and various users alike. And that is unlikey to change in the future.

As we continue to deprecate custom configuration inputs for a number of reasons, Dnsmasq has been switched to a pluggable file-based approach with Unbound to follow in the upcoming 21.7 series.

Here are the full patch notes against 20.7.8:

• system: use authentication factory for web GUI login
• system: allow case-insensitive matching for LDAP user authentication
• system: removed unused gateway API dashboard feed
• system: removed spurious comma from certificate subject print and unified underlying code
• system: harden web GUI defaults to TLS 1.2 minimum and strong ciphers
• system: generate a better self-signed certificate for web GUI default
• system: allow self-signed renew for web GUI default (using “configctl webgui restart renew”)
• system: allow subdirectories in NextCloud backup
• system: first backup is same as current so ignore it on GUI and console
• system: optionally allow TOTP users to regenerate a token from the password page
• system: set hw.uart.console appropriately
• system: reconfigure routes on bootup
• system: relax gateway name validation
• system: ignore disabled gateways in dpinger services
• system: choose a better bind candidate for IPv4 in dpinger
• interfaces: defer IPv6 disable in interface code to ensure PPP interfaces do exist
• interfaces: no longer assume configuration-less interfaces can reach static setup code
• interfaces: fix PPP links not linking to its advanced configuration page
• interfaces: read deprecated flag, allow family spec in (-)alias calls
• interfaces: fix address removal in IPv6 CARP case
• interfaces: pick proper route for 6RD and 6to4 tunnels
• interfaces: support 6RD with single /64 prefix
• firewall: support category filters for firewall and NAT rules
• firewall: add live log “host”, “port” and “not” filters
• firewall: create an appropriate max-mss scrub rule for IPv6
• firewall: fix anti-spoof option for separate bridge interfaces
• firewall: display zeros and sort columns in pfTables
• firewall: relax schedule name validation
• reporting: prevent calling top talkers when no interfaces are selected
• reporting: cleanup deselected interface rows in top talkers
• dhcp: hostname validation now includes domain
• dhcp: use same logic as menu figuring out if DHCPv6 page is reachable from leases
• dhcp: correct DHCPv6 custom options unsigned integer field
• dhcp: added toggle for disabling RDNSS in router advertisements
• dhcp: removed the need for a static IPv4 being outside of the pool
• dhcp: add min-secs option for each subnet
• dnsmasq: remove advanced configuration in favor of plugin directory
• dnsmasq: use domain override for static hosts
• firmware: disable autoscroll if client position differs
• firmware: remove spurious *.pkgsave files and offload post install bits to rc.syshook
• firmware: repair display of removed packages during release type transition
• firmware: add ability to run audits from the console
• firmware: show repository in package and plugin overviews
• intrusion detection: replace file-based policy changes with detailed filters
• ipsec: NAT with multiple phase 2
• ipsec: prevent VTI interface to hit spurious 32768 limit
• ipsec: allow mixed IPv4/IPv6 for VTI
• openvpn: added toggle for block-outside-dns
• openvpn: hide “openvpn_add_dhcpopts” fields when not parsed via the backend
• unbound: allow /0 in ACL network
• unbound: default to SO_REUSEPORT
• web proxy: add GSuite and YouTube filtering
• mvc: do not discard valid application/json content type headers
• mvc: make sure isArraySequential() is only true on array input
• mvc: speed up processing time when over 2000 users are selected in a group
• mvc: add locking in JsonKeyValueStoreField type
• mvc: change LOG_LOCAL4 to LOG_LOCAL2 in base model
• images: use UFS2 as the default for nano, serial and vga
• images: support UEFI boot in serial image
• ui: add tooltips for service control widget
• ui: move sidebar stage from session to local storage
• ui: upgrade Tokenize2 to v1.3.3
• plugins: os-acme-client 2.3
• plugins: os-bind 1.16
• plugins: os-frr 1.21
• plugins: os-maltrail 1.6
• plugins: os-smart adds cron jobs for useful actions
• plugins: os-telegraf 1.8.3 adds ping6 ability
• src: fix AES-CCM requests with an AAD size smaller than a single block
• src: introduce HARDEN_KLD to ensure DTrace functionality
• src: refine pf_route* behavior in PF_DUPTO case for shared forwarding
• src: assorted upstream fixes for ipfw, iflib, multicast processing and pf
• src: netmap tun(4) support adds pseudo addresses to ethernet header emulation
• src: add a manual page for axp(4) / AMD 10G Ethernet driver
• src: fix traffic graph not showing bandwidth when IPS is enabled
• ports: dnsmasq 2.83
• ports: igmpproxy 0.3
• ports: nss 3.61
• ports: openldap 2.4.57
• ports: py-netaddr 0.8.0