New OPNsense Release

OPNsense 17.1.1 released


Hey there,

This week we are introducing a number of reliability fixes especially with regard to our move to FreeBSD 11.0 and PHP 7.0; most prominently a NAT fix for the shared filter forwarding and repairing the CRL generation. You will also find a few interesting IPsec additions. 😉

In case the shared forwarding is still giving you trouble on 17.1.1, run the following command to use the old behaviour and report back to us:

# sysctl net.pf.share_forward=0

Here are the full patch notes:

  • system: LDAP picker CSRF error solved by introducing session-based security tokens
  • system: fixed CRL generation inside PHP OpenSSL module
  • system: fix a typo with Portuguese (Portugal) in language selector
  • system: do not interpret passed values in wizard
  • system: fix forum link in message of the day
  • firewall: direction “any” was not respected in floating rules
  • firewall: fix double encoding of NO NAT for NAT addresses (contributed by djGrrr)
  • firewall: improve validation between IPv4 and IPv6 to prevent faulty rule generation
  • firmware: opnsense-update utility now unlocks packages before performing major upgrades
  • firmware: opnsense-revoke utility now retains the automatic flag
  • firmware: revoked the 16.7 update fingerprints
  • dhcp: change relay text to make it clear multiple servers are supported (contributed by GurliGebis)
  • ipsec: add EAP-RADIUS support (contributed by GurliGebis)
  • ipsec: set filtertunnel sysctl values to fix TCP teardown
  • ipsec: fix hidden interface rules tab
  • ipsec: add AES-GCM support
  • openvpn: fixed CRL generation inside PHP OpenSSL module
  • openvpn: do not escape advanced options on export
  • openvpn: fix hidden interface rules tab
  • mvc: multiple tab usage CSRF errors solved by introducing session-based security tokens
  • mvc: fix HTTP status codes on CSRF errors
  • mvc: soft-fail on missing classes in ModelRelationField (contributed by Frank Wall)
  • plugins: os-acme-client 1.1[1] (contributed by Frank Wall)
  • plugins: os-haproxy 1.12[2] (contributed by Frank Wall)
  • src: pf(3) shared forwarding fix during NAT
  • src: pf(4) sysctl switch to disable shared forwarding
  • src: fix a panic with stf(4) interfaces
  • src: unhide hard disks under Hyper-V
  • ports: pkg 1.9.4[3][4]
  • ports: pcre 8.40[5]
  • ports: libressl 2.4.5[6]
  • ports. libevent 2.1.8[7]
  • ports: squid 3.5.24[8]

Stay safe,
Your OPNsense team


[1] https://github.com/opnsense/plugins/pull/71
[2] https://github.com/opnsense/plugins/pull/72
[3] https://github.com/freebsd/freebsd-ports/commit/9602cca88
[4] https://github.com/freebsd/freebsd-ports/commit/55c9964f3
[5] http://www.pcre.org/original/changelog.txt
[6] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.4.5-relnotes.txt
[7] https://raw.githubusercontent.com/libevent/libevent/release-2.1.8-stable/ChangeLog
[8] http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5.24-RELEASENOTES.html