New OPNsense Release

OPNsense 17.1.2 released


Hello everyone,

This update addresses a longstanding issue with the overall reliability of Realtek NICs by replacing the FreeBSD driver with its latest vendor driver equivalent. The results including inline intrusion prevention have been promising to say the least. We thank Realtek for its recent release of version 1.93 and our users for pursuing the unthinkable with us. ­čÖé

Speaking of intrusion prevention, Suricata and Hyperscan have been updated to their latest versions which will now prevent crashes with older 64 bit CPUs that do not have the SSSE3 instruction set.

Language updates have been plenty, with a new and very busy contributor for Chinese. Xie xie!

Furthermore, the shared forwarding between both packet filters introduced in OPNsense 17.1 has now been disabled by default and can be manually reenabled from the GUI on Firewall: Settings: Advanced.

Here are the full patch notes:

  • system: allow to issue reboots via cron
  • system: allow to change password for imported users
  • firmware: run autoremove on minor operations
  • firmware: plugin detection via configd
  • wizard: rework modelling and UX
  • interfaces: fix wlan probe to not yield an empty interface
  • interfaces: fix bug in subnet matching on tun interfaces on FreeBSD 11.0 (contributed by djGrrr)
  • interfaces: add VLAN Priority (PCP) setting to VLAN config (contributed by djGrrr)
  • firewall: shared forwarding is off by default, added advanced config option
  • captive portal: redirect using HTTP code 302
  • captive portal: add group enforcement
  • captive portal: fix transparent web proxy mode on FreeBSD 11.0
  • dhcp: do not link to WOL page if plugin is not installed (contributed by Frank Wall)
  • ipsec: add mobike switch, change leftsendcert to always, etc.
  • unbound: provide link local interface selection
  • lang: Chinese to 65% completed (contributed by Tianmo)
  • lang: Czech to 86% completed (contributed by Pavel Borecki)
  • lang: Portuguese (Brazil) to 100% completed (contributed by Thiago Basilio)
  • lang: Portuguese (Portugal) to 69% completed (contributed by Carlos Meireles)
  • lang: minor updates to French and German
  • src: net.pf.share_forward now off by default
  • src: HardenedBSD procfs hardening
  • src: HardenedBSD disable unprivileged process debugging
  • src: replace Realtek re(4) driver with vendor version 1.93
  • src: add AE3000 and AE6000 to supported run(4) devices
  • src: revert a crash candidate micro-optimisation in rwlock
  • plugins: introduce development plugin variants
  • plugins: os-tinc 1.2 with network mode selection
  • ports: switch to MIT Kerberos version 5 release 1.14.4
  • ports: open-vm-tools integrated authentication fix
  • ports: bind 9.11.0-P3[1]
  • ports: unbound 1.6.0[2]
  • ports: tinc 1.0.31[3]
  • ports: suricata 3.2.1[4]
  • ports: hyperscan 4.4.0[5]
  • ports: ca_root_nss 3.29

Stay safe,
Your OPNsense team


[1] https://ftp.isc.org/isc/bind9/9.11.0-P3/RELEASE-NOTES-bind-9.11.0-P3.html
[2] http://www.unbound.net/download.html
[3] https://www.tinc-vpn.org/news/
[4] https://suricata-ids.org/2017/02/15/suricata-3-2-1-available/
[5] https://github.com/01org/hyperscan/releases/tag/v4.4.0