New OPNsense Release

OPNsense 17.1.1 released

Hey there,

This week we are introducing a number of reliability fixes, especially with regard to our move to FreeBSD 11.0 and PHP 7.0; most prominently a NAT fix for the shared filter forwarding and a repair of the CRL generation. You will also find a few interesting IPsec additions. 😉

In case the shared forwarding is still giving you trouble on 17.1.1, run the following command to use the old behaviour and report back to us:

# sysctl

Here are the full patch notes:

  • system: LDAP picker CSRF error solved by introducing session-based security tokens
  • system: fixed CRL generation inside PHP OpenSSL module
  • system: fix a typo with Portuguese (Portugal) in language selector
  • system: do not interpret passed values in wizard
  • system: fix forum link in message of the day
  • firewall: direction “any” was not respected in floating rules
  • firewall: fix double encoding of NO NAT for NAT addresses (contributed by djGrrr)
  • firewall: improve validation between IPv4 and IPv6 to prevent faulty rule generation
  • firmware: opnsense-update utility now unlocks packages before performing major upgrades
  • firmware: opnsense-revoke utility now retains the automatic flag
  • firmware: revoked the 16.7 update fingerprints
  • dhcp: change relay text to make it clear multiple servers are supported (contributed by GurliGebis)
  • ipsec: add EAP-RADIUS support (contributed by GurliGebis)
  • ipsec: set filtertunnel sysctl values to fix TCP teardown
  • ipsec: fix hidden interface rules tab
  • ipsec: add AES-GCM support
  • openvpn: fixed CRL generation inside PHP OpenSSL module
  • openvpn: do not escape advanced options on export
  • openvpn: fix hidden interface rules tab
  • mvc: multiple tab usage CSRF errors solved by introducing session-based security tokens
  • mvc: fix HTTP status codes on CSRF errors
  • mvc: soft-fail on missing classes in ModelRelationField (contributed by Frank Wall)
  • plugins: os-acme-client 1.1[1] (contributed by Frank Wall)
  • plugins: os-haproxy 1.12[2] (contributed by Frank Wall)
  • src: pf(3) shared forwarding fix during NAT
  • src: pf(4) sysctl switch to disable shared forwarding
  • src: fix a panic with stf(4) interfaces
  • src: unhide hard disks under Hyper-V
  • ports: pkg 1.9.4[3][4]
  • ports: pcre 8.40[5]
  • ports: libressl 2.4.5[6]
  • ports: libevent 2.1.8[7]
  • ports: squid 3.5.24[8]

Stay safe,
Your OPNsense team