New OPNsense Release

OPNsense 18.1.7 released

Hello, hello, hello!

It has been a while and judging by the extensive list of changes below one can easily see why. The impact footprint of this update, however, is relatively small. With this update we are also moving into the 18.7-BETA phase where avid users are invited to flip their release version from production to development in the firmware GUI settings.

Extensive work has been done for DHCPv6 connectivity by the wonderful folks of Team Rebellion, e.g. fixing the stale daemon issues that prevented connectivity after reconfiguration. OpenVPN was updated to version 2.4.6 and received a substantial server setup rejuvenation to allow out of the box IPv6 usage. LibreSSL received a bump in order to correctly speed up AESNI, something that was not working since its update to version 2.6.

Users of the web proxy with IDNA domains must take note that the previous implementation was removed in favour of a less intrusive approach that does not encoding and decoding domain names in the configuration. All domains are now stored verbatim and are only encoded during web proxy runtime setup. Formerly created and thus now wrongly encoded domains need to be deleted and added back. We are sorry for any inconvenience caused.

Here are the full patch notes:

o system: validate pfsync peer as IPv4-only
o system: flip order of arguments for system_routing_configure()
o system: convert cron to mutable model controller
o system: convert routing to mutable model controller
o system: log table header cleanup
o system: more aggressive factory reset and shut down after completion
o system: remove duplicate addresses before binding web GUI and OpenSSH
o system: fix Framed-Route parsing for RADIUS authentication
o system: properly translate save message on user language change
o interfaces: PPPoE link down script improvements
o interfaces: emit prefix-interface for trackers in advanced DHCPv6 configurations
o interfaces: DHCPv6 configuration creation breakout (contributed by Team Rebellion)
o interfaces: SIGHUP reload for dhcp6c (contributed by Team Rebellion)
o interfaces: wait for dhcp6c to be stopped by pending apply
o interfaces: only reconfigure VLAN interface after edit when necessary
o interfaces: create IPv4 and IPv6 tunnel gateways for GIF/GRE when the setup allows it
o interfaces: remove unused $flush argument from various functions
o interfaces: fixed creation of GIF/GRE tunnel with an outer IPv6 remote address (contributed by Christoph Engelbert)
o interfaces: fixed router advertisement setup of former static but now tracking interface  (contributed by Christoph Engelbert)
o interfaces: remove obsolete address requirement for CARP VIPs
o interfaces: back out get_dyndns_ip() IPv6 online detection and properly propagate a lookup error
o interfaces: no more spurious redirection for dhclient invoke
o firewall: remove a side effect from filter_delete_states_for_down_gateways()
o firewall: adjust maximum table entries for error-free bogonsv6 usage
o firewall: add buckets option to traffic shaper
o firewall: update help text for port ranges (contributed by Michael Muenz)
o power: power off modal to indicate that the GUI is no longer responsive
o captive portal: add traffic data and IP address to RADIUS accounting messages (contributed by CJ)
o captive portal: fix voucher table rendering issue seen in Firefox
o intrusion detection: add destination IP to alert search (contributed by Jeffrey Gentes)
o intrusion detection: add URLhaus rules
o ipsec: keep road warrior rightsubnet to default as stated by the docs
o ipsec: add missing phase 2 DH groups
o openvpn: switch to interface "any" for IPv6-friendly defaults
o openvpn: remove side-effects from configuration code
o openvpn: let CIDR validation tell us that only one network is expected
o openvpn: allow explicit selection of tcp4 and udp4
o openvpn: wizard can now set IPv4/IPv6 tunnel, local and remote addresses
o openvpn: improved automatic local port selection in wizard
o openvpn: bigger wizard button on server list page
o openvpn: allow IPv6-only tunnel setups
o openvpn: assorted cleanups in the associated GUI pages
o unbound: fix a faulty format string
o web proxy: use error_directory translation as set by system language (contributed by Smart-Soft)
o web proxy: add support for SNMP (contributed by Smart-Soft)
o web proxy: rewrite the IDN support to only affect the template write
o console: make tracking the default for LAN IPv6 during interface reconfiguration
o console: reset VLANs as stated during port reconfiguration
o mvc: track attached models of model relation fields
o mvc: remove obsoleted "page-" prefix check for ACL
o mvc: unit tests for DependConstraint
o mvc: only use configdpRun() when needed
o rc: generate and permanently save host ID
o rc: always reload VPN after filter to allow for better default gateway switching
o rc: reconfigure IPv4 and IPv6 only once after boot
o rc: do not run plugin reconfigure if a system configuration is not present
o ui: merge system activity and services diagnostics menu
o ui: move defaults page from firmware to configuration section
o ui: fix issue with typeahead selection in tokenizer
o ui: order reporting menu naturally
o lang: updates for Czech, French, German, Portuguese (Brazil)
o plugins: os-acme-client 1.14 adds support for CloudDNS (contributed by Frank Wall)
o plugins: os-freeradius 1.5.3_1 fixes form property auto-select
o plugins: os-monit 1.7_1 merges setup code into migration framework
o plugins: os-postfix 1.2 relax relay host validation (contributed by Michael Muenz)
o plugins: os-rspamd 1.3 adds file for milter headers (contributed by Fabian Franz)
o plugins: os-snmp 1.2 avoids usage of does_interface_exist()
o plugins: os-web-proxy-useracl 1.1._1 reworks IDN support
o plugins: os-zabbix-agent 1.3 adds working default values (contributed by Frank Wall)
o ports: enable previously defunct AES-NI acceleration in LibreSSL 2.6
o ports: switch from dhcp6 to our own lightweight dhcp6c[1]
o ports: sudo upstream patch to correct a FreeBSD issue[2]
o ports: openldap 2.4.46[3]
o ports: openssh 7.7p1[4]
o ports: openvpn 2.4.6[5]
o ports: perl 5.26.2[6]
o ports: php 7.1.17[7]
o ports: sqlite 3.23.0[8]

Stay safe,
Your OPNsense team