OPNsense 23.1 released

jan 26, 2023

OPNsense 23.1 released

Hi there,

For more than 8 years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD

23.1, nicknamed "Quintessential Quail", features Unbound DNS statistics with
a blocklist rewrite in Python, improved WAN SLAAC operability, firewall
alias BGP ASN type support, PHP 8.1, assorted FreeBSD networking updates,
MVC/API pages for packet capture/virtual IPs/IPsec connection management,
IPsec configuration file migration to swanctl.conf, new sslh plugin, ddclient
custom backend support (including Azure), WireGuard kernel module plugin
variant as the new default plus much more.

Download links, an installation guide[1] and the checksums for the images
can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/23.1/
o US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/
o South America: http://mirror.ueb.edu.ec/opnsense/releases/23.1/
o East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.1/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 22.7.11:

o system: replaced log_error() use with log_msg() and adjusted logging levels accordingly
o system: introduced a service boot log
o system: the LibreSSL flavour has been discontinued
o system: simplify gateway monitoring setup code
o system: add option to skip gateway monitor host route
o system: populate /etc/hosts file with IPv6 addresses too
o system: simplify and guard host route creation
o system: merge system_staticroutes_configure() into system_routing_configure()
o system: do not yield process after calling shutdown command
o system: apply tunables during late boot in case a module was loaded depending on them to be set to a specific value
o system: show size of ZFS ARC (adaptive replacement cache) in system widget
o system: introduce support tier annotations for core and plugins[2]
o system: add cron tasks for scrubbing and trimming ZFS pools (contributed by Iain Henderson)
o system: fix 6rd/6to4 gateway interface detection (contributed by Frans J Elliott)
o reporting: add Unbound DNS statistics frontend including client drill-down
o interfaces: heavy cleanup of the wireless device integration
o interfaces: use 802.1ad protocol for stacked VLAN parent (QinQ)
o interfaces: GIF and GRE now support subnet-based IPv6 configurations instead of always falling back to a point-to-point (/128) setup
o interfaces: GIF and GRE now disable IPv6 on IPv4 tunnels (contributed by Maurice Walker)
o interfaces: add isolated PPPoEv6 mode to selectively enable IPv6 CP negotiation and turn it off when no IPv6 mode is set
o interfaces: add support for SLAAC WAN interfaces without DHCPv6 (contributed by Maurice Walker)
o interfaces: register LAGG, PPP, VLAN and wireless devices as plugins
o interfaces: simplified get_real_interface() function
o interfaces: removed obsolete "defaultgw" files
o interfaces: simplified rc.linkup script
o interfaces: improve IP address cache behaviour in rc.newwanip(v6) scripts
o interfaces: converted virtual IPs to MVC/API
o interfaces: add MAC filtering to packet capture
o interfaces: convert ARP/NDP pages to server-side searchable variant
o interfaces: create null route for DHCPv6 delegated prefix
o interfaces: tighten the concept of hardware interfaces and pull supported plugin devices into assignments page automatically
o firewall: remove deprecated "Dynamic state reset" mechanic
o firewall: invalidate port forward rule entry when no target is specified
o firewall: hide deprecated source OS rule setting under advanced
o firewall: add group option to prevent grouping in interfaces menu
o firewall: safeguard against missing name from the alias API call
o intrusion detection: keep grid to prevent widgets being removed
o intrusion detection: reload grid after log drop (contributed by kulikov-a)
o intrusion detection: add verbose logging mode selector
o ipsec: disable charon.install_routes completely in case upstream would implement it for FreeBSD later on
o ipsec: move user PSK (pre-shared key) and static PSK items to new MVC/API implementation
o ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
o ipsec: add a new independent connections MVC/API component to manage IPsec in a layout matching swanctl.conf syntax more closely
o ipsec: rewrote lease status page in MVC/API
o ipsec: add configurable "unique" setting to phase 1
o ipsec: missing correct phase 1 to collect "Network List" option
o monit: support start timeout setting (contributed by spoutin)
o openvpn: add unique daemon name to each instance
o unbound: add statistics database backend
o unbound: add exact domain blocking
o mvc: call plugins_interfaces() optionally on service reconfigure
o mvc: match UUID for multiple values (contributed by kulikov-a)
o mvc: convert setBase() to an upsert operation
o mvc: change default sorting to case-insensitive
o mvc: add TextField tests (contributed by agh1467)
o mvc: implement required getRealInterface() variant
o ui: assorted improvements in bootgrid and form controls
o ui: switch to pure JSON data in bootgrids
o plugins: os-bind 1.25[3]
o plugins: os-ddclient 1.11[4]
o plugins: os-dyndns end of life note moves to 23.7
o plugins: os-freeradius 1.9.22[5]
o plugins: os-frr 1.32[6]
o plugins: os-haproxy 4.0[7]
o plugins: os-puppet-agent 1.1[8]
o plugins: os-sslh 1.0[9] (contributed by agh1467)
o plugins: os-theme-cicada 1.32 (contributed by Team Rebellion)
o plugins: os-upnp 1.5[10]
o plugins: os-wireguard switches to kernel module with a separate os-wireguard-go variant available for installation to keep the old behaviour
o src: assorted FreeBSD 13 stable fixes for e.g. bpf, bridge, bsdinstall ifconfig, iflib, ipfw, ipsec, lagg, netmap, pf, route and vlan components
o ports: php 8.1.14[11]
o ports: sudo 1.9.12p2[12]

Migration notes, known issues and limitations:

o LibreSSL flavour has been discontinued.  Switch to OpenSSL flavour to proceed with the upgrade.
o StrongSwan IPsec configuration now uses the preferred swanctl.conf instead of the deprecated ipsec.conf which could lead to connectivity issues in ambiguous cases.  Subtle bugs cannot be ruled out as well so please raise an issue on GitHub to be able to investigate each case.
o The new IPsec connections pages and API create an independent set of connections following the design of swanctl.conf.  Legacy tunnel settings cannot be managed from the API and are not migrated.

Stay safe,
Your OPNsense team

[1] https://docs.opnsense.org/manual/install.html
[2] https://docs.opnsense.org/support.html
[3] https://github.com/opnsense/plugins/blob/stable/23.1/dns/bind/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/23.1/dns/ddclient/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/23.1/net/freeradius/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/23.1/net/frr/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/23.1/sysutils/puppet-agent/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/23.1/net/sslh/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/23.1/net/upnp/pkg-descr
[11] https://www.php.net/ChangeLog-8.php#8.1.14
[12] https://www.sudo.ws/stable.html#1.9.12p2