New Release Candidate

OPNsense® 18.1 Release Candidate 1

No license cost Free Download Best Open Source Firewall

OPNsense®, High-end security made easy!


Hello good folks of the Internet,

For more than 3 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We humbly present to you the sum of another major iteration of the OPNsense firewall. Over the second half of 2017 well over 500 changes have made it into this first release candidate. Most notably, the firewall NAT rules have been reworked to be more flexible and usable via plugins, which is going to pave the way for subsequent API works on the core firewall functionality. For more details please find the attached list of changes below.

Meltdown and Spectre patches are currently being worked on in FreeBSD[1], but there is no reliable timeline. We will keep you up to date through the usual channels as more news become available. Hang in there!

Download links, an installation guide[2] and the checksums for the images can be found below as well.

Here is the full list of changes against version 17.7.11:

  • system: disabled AHCI MSI to prevent early mount failures with removable media
  • system: use correct crypto library to gather GUI SSL ciphers
  • system: added "save and go back" button to user edit page
  • system: removed obsolete host name routing support
  • system: do not wrap action buttons in tunables page
  • system: fix CA serial number decrement on save
  • system: added net.link.bridge.pfil_local_phys to tunables (contributed by David Harrigan)
  • system: routing configuration was converted to MVC/API (contributed by Fabian Franz)
  • firewall: enables shared forwarding in default configuration
  • firewall: enables sticky connections in default configuration
  • firewall: normal and dynamic log viewers have been superseded by live view
  • firewall: fold NAT reflection type selection into simple checkbox
  • firewall: added option for sticky outbound NAT for WAN VIPs
  • firewall: rewrite of the alias backend code
  • firewall: backend code cleanup
  • firewall: NAT rules have been made pluggable
  • firewall: add indicator for negated fields in shaper grid view (contributed by Fabian Franz)
  • firewall: better NAT formatting in states dump page
  • interfaces: DHCPv6 VLAN priority setting (contributed by Team Rebellion)
  • interfaces: DHCPv6 no release setting (contributed by Team Rebellion)
  • interfaces: only reload DHCPv6 upon correct reason (contributed by Team Rebellion)
  • interfaces: static IPv6 configuration over IPv4 link (contributed by Team Rebellion)
  • interfaces: allow persistent saving and customising of the system IPv6 DUID (contributed by Team Rebellion)
  • interfaces: automatic backup and restore of the system IPv6 DUID
  • interfaces: deferred reload of plugins and VPN upon new interface IP request
  • interfaces: DNS lookup API for firewall live log and insight reporting
  • interfaces: make level of detail stick in packet capture
  • interfaces: auto-lock problematic interfaces upon assignment
  • reporting: do not mark multiple sub-tabs in health page as active
  • firmware: allow to change the package release type
  • firmware: add a package health audit
  • firmware: list installed plugins at the top of the list
  • firmware: visibility for base and kernel sets in packages listing
  • firmware: allow base and kernel set reinstall and locking
  • firmware: remove the discontinued hotfix backend support
  • firmware: allow dot in package name during package action
  • installer: swap partition opt-out during guided installation
  • installer: root password reset tool for existing installations
  • installer: restore IPv6 DUID on config import
  • installer: limit swap partition size to 8 GB (contributed by Frank Wall)
  • ipsec: removed obsolete dynamic host name support
  • ipsec: local group authentication setting
  • ipsec: removed the obsolete "IPsec XAUTH dialin" privilege
  • network time: OPNsense NTP pool is now available and used in default configuration
  • network time: fix for valid negative offset in health graph
  • network time: fix parsing of overly overlong lines
  • openvpn: backend code cleanup
  • openvpn: multiple wizard fixes
  • power: reboot poll dialog
  • web proxy: proper reload on cache setting toggle
  • web proxy: use PID file instead of daemon name for status probe
  • web gui: strict interface binding
  • web gui: removed login autocomplete toggle, now off by design
  • wizard: add Unbound to wizard and unset DNSSEC by default
  • ui: reworked service control look and feel
  • ui: folded tabs for firewall rules, DHCP / RA interfaces and wireless status into menu
  • ui: HTML compliance fixes button in link usage (contributed by NOYB)
  • ui: auto-position menu when item list does not fit the screen
  • ui: reworked sub-tab look and feel
  • ui added menu cache
  • ui: unification of layout of MVC and static page headers
  • ui: migrated to jQuery 3
  • ui: eliminate 300 ms tap delay (contributed by NOYB)
  • mvc: added ACL cache
  • mvc: added code-based ACL extensions
  • mvc: reload syslog settings for plugins
  • mvc: allow input fields to render as read-only (contributed by David Harrigan)
  • mvc: proper target page redirect after login
  • mvc: added mutable service controller
  • mvc: added sub-tab layout partials
  • mvc: do not render empty toggle header
  • plugins: c-icap 1.4 with multiple UI improvements (contributed by Alexander Shursha)
  • plugins: clamav 1.4 with multiple UI improvements (contributed by Alexander Shursha)
  • plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)
  • plugins: freeradius 1.5.0 with basic LDAP support (contributed by Michael Muenz)
  • plugins: frr 1.0 (contributed by Fabian Franz and Michael Muenz)
  • plugins: haproxy 2.3 allows disabling the introduction pages (contributed by Frank Wall)
  • plugins: helloworld 1.4
  • plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)
  • plugins: quagga 1.4.4 is end of life, please use FRR instead
  • plugins: tinc 1.3 with path MTU discovery
  • plugins: tor 1.4 adds contact info (contributed by Fabian Franz)
  • plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)
  • src: update Realtek driver to vendor version 1.94
  • src update FreeBSD to 11.1-RELEASE-p6 with HardenedBSD additions
  • src: shared forwarding for IPv6 and try-forward support
  • ports: libressl 2.6.4[3]

The list of currently known issues with 18.1-RC1:

  • The firewall NAT rule generation rewrite is not yet fully verified.
  • The web GUI recovery is not yet fully implemented.

All images are provided with SHA-256 signatures, which can be verified against the distributed public key:

# openssl base64 -d -in image.bz2.sig -out /tmp/image.sig
# openssl dgst -sha256 -verify rsa.pub -signature /tmp/image.sig image.bz2

The public key for the 18.1 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5kMyxEWUoyY3y8JLlOnz
# j2dE1QPYmWspn5Diqf1T6uSh0/HA8TwnRvI4m82dC2kgnafVB85zIS+rXQLiyJZI
# JEqmBS5f54kVcyJPVORe7NepJq372amAMTcpPwH4b0SS9ZETebAOyuHjdG/lCjKD
# yt5W5ZvaMiDMWLVuw1ZlTIxLgkRuCHsk66E1bdoiIMdZPoyk2Q9WQd3PynLRBVHC
# iT32cJ/NlHiLEALp0wcNr+FllmFQXahQ5R1uBcsE/IXa7Tg0QXlW7s5+d6NTwQ/d
# 7NVnfZzH8IiO0A/9O5jbBsD6HLmity5nMI+RBwFQ9OQoBNxl5aakkusizT6diMYb
# PG+zPZsWo/ADqsbg1U/MMLJXD8CDFjcerhIDrrWSIVlSmQKw97nMK/TdUsqnVl7N
# uDLl0RHe+N6ndmNGTQGg5HbrTmYKSEGBdS4xFtO60JCxubzfpvnkDnPCIJtxWukf
# TzhORJHj2vkGLDA5FocTSOY76lWUO4qJQBA2bB3GtGbCm/nM4TlHpL4Kbf10IUJk
# j1tRFi8gXNOhrdplFAR+lV/yy58/+ZOg61Yz7UvYG/A9rxGkyVmIjzB/4S6Wstye
# IA6vpfzHwHq82hMqafCSB2KJciuKVEgVO6DHLV03VLTPqkJVsCbWXHgNjK2fQCFX
# JeXNX68TcObIJzqbiegZYo8CAwEAAQ==
# -----END PUBLIC KEY-----

As always with our pre-releases, only OpenSSL is provided at this point, but can be switched for LibreSSL as soon as the release is available. This release candidate does update directly into the 18.1 stable track and subsequent release candidates. Please let us know about your experience!

Stay safe,
Your OPNsense team


[1] https://lists.freebsd.org/pipermail/freebsd-security/2018-January/009719.html
[2] https://docs.opnsense.org/manual/install.html
[3] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.4-relnotes.txt


# SHA256 (OPNsense-18.1.r1-OpenSSL-dvd-amd64.iso.bz2) = 2a92811d93bcad7de7752a650f9bf934a4d92b190c673bb8d0314474984a5b11
# SHA256 (OPNsense-18.1.r1-OpenSSL-nano-amd64.img.bz2) = e2a8026c20a3a91b63b1b1195eab689254dbfa80f05e98b8cd24d9b2b6c35356
# SHA256 (OPNsense-18.1.r1-OpenSSL-serial-amd64.img.bz2) = 944a05acefe1466a8189b2318faa48e39a2e5226853557397c0dcefff8023f26
# SHA256 (OPNsense-18.1.r1-OpenSSL-vga-amd64.img.bz2) = f8a763ad3b566be3bafa1291210145050431fc79c9f91d151166b57f6ff3e956

# SHA256 (OPNsense-18.1.r1-OpenSSL-dvd-i386.iso.bz2) = 0d29b20a9f806a1a8e443c7d0ebcab0edab8f5c7a9f8fb629fb136956c15994e
# SHA256 (OPNsense-18.1.r1-OpenSSL-nano-i386.img.bz2) = 65bcad5ebe84a7246a361638436fb1052647ab0b0de44ca57e6a7a1c2a143461
# SHA256 (OPNsense-18.1.r1-OpenSSL-serial-i386.img.bz2) = 751db8e6d94b7c453b8a37c856725e4299fb929fbf74ae7700fbbe9e56bff0b9
# SHA256 (OPNsense-18.1.r1-OpenSSL-vga-i386.img.bz2) = 9bb56ca458d54d6cf50c767c3e389e14aa26b27246ae5e266d2d689939c34137