Download OPNsense 23.7.5

The OPNsense package is a firewall with extensive possibilities. It is based on the FreeBSD operating system and is originally a fork of m0n0wall and pfSense. The package can be set up entirely via a web interface and has support for 2FA, OpenVPN, IPsec, CARP and captive portal, among other things. In addition, it can apply packet filtering and has a traffic shaper. The developers have released OPNsense 23.7.5, and the release notes for that release can be found below.

OPNsense 23.7.5 released

Today introduces a change in MTU handling for parent interfaces mostly noticed by PPPoE use where the respective MTU values need to fit the parent plus the additional header of the VLAN or PPPoE. Should the MTU already be misconfigured to a smaller value it will be used as configured so check your configuration and clear the MTU value if you want the system to decide about the effective parent MTU size.

Another change in far gateway handling is also included which prevents a monitoring failure if that particular gateway was not being designated as default during boot which made the routing table miss the essential interface route and monitoring would always report it as down. Now the interface route is ensured but not only when applying the default gateway so that it works all the time.

Also fixed was the problematic migration of the Unbound interfaces settings which now clears the possibly unknown interfaces in order to proceed and have Unbound up and running post update which was not the case for some users previously.

Other reliability improvements and third party security updates are included as well. We also continue our effort to clean up the interface handling code and audit the MVC model files for consistency. A missing change for out of the box DS-Lite support is also being tested on the development version now and will likely hit in 23.7.6.

Here are the full patch notes:

  • system: pluginctl: allow -f mode to drop config properties
  • system: switch to /usr/sbin/nologin as authoritative command location
  • system: remove remaining spurious ifconfig data pass to Gateways class
  • system: fix data cleansing issue in “column_count” and “sequence” values on dashboard
  • system: start gateway monitors after firewall rules are in place (contributed by Daggolin)
  • system: refactor far gateway handling out of default route handling
  • interfaces: use interfaces_restart_by_device() where appropriate
  • interfaces: allow get_interface_ipv6() to return in all three IPv6 variants
  • interfaces: add GRE/GIF/bridge/wlan return values
  • interfaces: signal wlan device creation success/failure
  • interfaces: update link functions for GIF/GRE
  • interfaces: remove the ancient OpenVPN-tap-on-a-bridge magic on IPv4 reload
  • interfaces: update read-only bridge member code
  • interfaces: redirect after successful interface add
  • interfaces: add interface return feature for use on bridges/assignment page
  • interfaces: VIP model style update
  • interfaces: implement interface_configure_mtu()
  • firewall: fix cleanup issue when renaming an alias
  • dhcp: make dhcrelay code use the Gateways class
  • ipsec: add local_port and remote_port to connections (contributed by Monviech)
  • openvpn: force instance interface down before handing it over to daemon
  • openvpn: add missing up and down scripts to instances (contributed by Daggolin)
  • unbound: properly set a default value for private address configuration
  • unbound: allow disabled interfaces in interface field
  • unbound: migrate active/outgoing interfaces discarding invalid values
  • unbound: UX improvements on several pages
  • unbound: update model
  • mvc: update diagnostics models
  • mvc: add isLinkLocal()
  • interfaces: allow clean MVC access to primary IPv4 address (pluginctl -4 mode)
  • plugins: os-upnp replaces calls to obsolete get_interface_ip()
  • plugins: os-rfc2136 replaces calls to obsolete get_interface_ip[v6]()
  • plugins: os-sunnyvalley 1.3 changes repository URL (contributed by Sunnyvalley)
  • plugins: os-tinc adds missing subnet-down script (contributed by andrewhotlab)
  • ports: curl 8.3.0
  • ports: nss 3.93
  • ports: openssl 1.1.1w
  • ports: phalcon 5.3.1
  • ports: phpseclib 3.0.23
  • ports: sqlite 3.43.1
  • ports: suricata 6.0.14

Version number: 23.7.5
Release status: Final
Operating systems: BSD
Website: OPNsense
Download: https://opnsense.org/download/
License type: Prerequisites (GNU/BSD/etc.)