New OPNsense Release

OPNsense® Business Edition 21.10 released

The OPNsense business edition successfully transitions to this 21.10 release
with a new installer including ZFS support, improved central management and
Intel network driver updates amongst others.

Download link is as follows.  An installation guide[1] and the checksums for
the images can be found below as well.

https://downloads.opnsense.com/

This business release is based on the OPNsense 21.7.3 community version
with additional reliability improvements.

Here are the full patch notes:

o system: allow automatic user creation on LDAP-based logins
o system: circular logs are now disabled by default
o system: default gateway failure state killing is now disabled by default
o system: allow cron-based restarts of all "restart" action providers
o system: allow more characters in the certificate/authority organization fields (contributed by Jan De Luyck)
o system: default RSS widget feed to forum announcements
o system: prevent use of client certificates in web GUI
o system: raised encryption standard for encrypted config.xml export
o system: reload FreeBSD services when reloading all services from console
o system: add missing ACL for Syslog targets page
o system: removed NextCloud backup from core functionality
o system: removed unused traffic API dashboard feed
o interfaces: add and use unified function is_interface_assigned() to prevent deleting assigned interfaces
o interfaces: add netstat tree search and improve page layout
o interfaces: allow interface-based overrides of hardware checksum settings
o interfaces: correct indent in dhclient configuration
o interfaces: clear PPPoE SLAAC addresses on linkdown
o interfaces: flush IPv6 addresses on the correct IPv6 interface when it differs from the IPv4 interface
o interfaces: improve GRE/GIF configuration handling and dynamic reload behaviour
o interfaces: packet capture quick select for all interfaces
o interfaces: refactor DNS lookup and add PTR to output (contributed by Maurice Walker)
o interfaces: refactored address removal into interfaces_addresses_flush()
o interfaces: remove duplicated handling of PPP IPv6 interface detection
o interfaces: replace opportunistic diagnostics IP address lookups with more robust variants
o interfaces: sync firewall groups after internal create/destroy operations
o interfaces: use -M option in rtsold invoke in preparation for 22.1
o firewall: MVC rewrite of the pfTop diagnostics pages under "Sessions"
o firewall: MVC rewrite of the states diagnostics pages under "States"
o firewall: add manual reply-to configuration to rules
o firewall: add quick link to states counter from firewall rule inspection
o firewall: aliases maximum entries progress bar
o firewall: allow to specify port ranges for outgoing NAT (contributed by Nikolay Denev)
o firewall: clarify match/set priority in rules
o firewall: delete related rules when an interface group is removed
o firewall: improve alias description/preview
o firewall: make sure net.pf.request_maxcount and table-entries are always aligned
o firewall: only set state options on rules when state is being tracked
o firewall: rename source/destination networks when group name changes
o firewall: renamed "pfTables" diagnostics to "Aliases"
o firewall: use permanent promiscuous mode for pflog0
o dhcp: add shared dhcpd_leases() reader and use it in both lease pages
o dhcp: always deprecate prefixes in automatic router advertisements
o dhcp: assorted improvements surrounding dhcpd_staticmap() for real world operation
o dhcp: fix table header sorting in lease pages (contributed by vnxme)
o dhcp: lock access to settings pages when interface is not suitable for running a DHCP server
o dhcp: remove ::/0 route from router advertisements (contributed by Maurice Walker)
o firmware: also check plugins sync for up to date core package
o firmware: backend now supports reinstall like opnsense-bootstrap -q
o firmware: confirm plugin removal dialog
o firmware: introduced connectivity check
o firmware: opnsense-patch can now patch installer and updater files
o firmware: opnsense-update -c option now honours the -f option
o firmware: opnsense-update improvements for mirror manipulation options
o firmware: replace php version_compare() call with pkg-version shell command
o firmware: revoke 21.1 fingerprint
o firmware: static template for firmware upgrade message
o firmware: sync plugins in console update
o ipsec: add auto type for identities
o ipsec: adhere to system defaults for route-to and reply-to when creating automatic VPN rules
o ipsec: fix a regression in VTI handling
o ipsec: fix a regression in rightsubnets for non-mobile phase 2
o ipsec: identity quoting for ASN1DN and FQDN types with "#" characters
o ipsec: switched to explicit type selection for identities
o openvpn: CARP status read cleanups (contributed by vnxme)
o openvpn: do not create empty router file
o openvpn: validate tunnel prefix to avoid OpenVPN 2.5 start errors (contributed by kulikov-a)
o openvpn: improve the cipher parsing
o openvpn: increase consistency between export types
o openvpn: offer the ability to export a user without a certificate
o openvpn: simplify CIDR validation and remove trim() usage
o openvpn: tls-crypt support (contributed by vnxme)
o openvpn: untie server-ipv6 from server directive
o openvpn: use is_interface_assigned() to prevent deletion of assigned instances
o unbound: add "unbound check" backend action
o unbound: add qname-minimisation-strict option
o unbound: allow to retain cache on service reload
o unbound: automatically add "do-not-query-localhost: no" on DoT when needed
o unbound: fix /var MFS dilemma for DNSBL after boot
o unbound: fix domain overrides for private address reverse lookup zones (contributed by Maurice Walker)
o unbound: register DHCP leases with their matching IP range configured DHCP domain
o unbound: reject invalid cache data
o unbound: remove deprecated custom options setting
o unbound: renamed "blacklist" to "blocklist" for clarity
o unbound: support insecure-domain directive
o unbound: switch model to integrate full DNS over TLS support
o console: throw error when opnsense-importer encounters an encrypted config.xml
o mvc: allow to unset attribute via setAttributeValue()
o mvc: reduce differentials in config.xml when saving models
o rc: opnsense-beep melody database directory
o ui: improved JS hook_ipv4v6() to jump to /64 on IPv6 and back to /32 on IPv4
o ui: inject default tooltips into bootgrid formatters
o ui: work on unification of add buttons by minifying them and adding primary color markup
o ui: removed $main_buttons magic handler
o plugins: OPNcentral core requirements are now installed by default via os-OPNBEcore plugin
o plugins: os-OPNBEcore 1.0
o plugins: os-OPNcentral 1.3[2]
o plugins: os-acme-client 3.2[3]
o plugins: os-bind 1.18[4]
o plugins: os-chrony 1.4[5]
o plugins: os-collectd 1.4[6]
o plugins: os-dnscrypt-proxy 1.9[7]
o plugins: os-fetchmail 1.1[8]
o plugins: os-freeradius 1.9.16[9]
o plugins: os-frr 1.22[10]
o plugins: os-haproxy 3.5[11]
o plugins: os-net-snmp 1.5[12]
o plugins: os-nextcloud-backup 1.0
o plugins: os-nginx Phalcon 4 fixes
o plugins: os-postfix 1.20[13]
o plugins: os-radsecproxy 1.0 (contributed by Tobias Boehnert)
o plugins: os-realtek-re 1.0 adds Realtek vendor NIC driver module
o plugins: os-telegraf 1.12.1[14]
o plugins: os-tftp 1.0 (contributed by Michael Muenz)
o plugins: os-tor Phalcon 4 fix
o src: FreeBSD updates for Intel e1000, ixgbe and ixl drivers
o src: FreeBSD updates for the pf(4) and iflib(4) subsystems
o src: compatibility shim for upcoming rtsold "-M" command line option
o src: dhclient support for VLAN 0 decapsulation
o src: dhclient: skip_to_semi() consumes semicolon already
o src: fix libfetch out of bounds read[15]
o src: fix missing error handling in bhyve(8) device models[16]
o src: fix remote code execution in ggatec(8)[17]
o src: iflib: fix partial length accounting error in netmap mode
o src: lib: add libnetmap and related patches
o src: rtsold: slightly change address read
o src: runtime RSS code preparations and assorted related upstream patches
o src: separately log NAT and firewall rules in pf(4)
o ports: drop hardening options and switch to FreeBSD ports tree
o ports: curl 7.79.1[18]
o ports: dnsmasq 2.86[19]
o ports: filterlog 0.5 removes unused IPv6 options support
o ports: ifinfo 13.0
o ports: krb5 1.19.2[20]
o ports: monit 5.29.0[21]
o ports: mpd5 adds L2TP interoperability fix from upstream
o ports: nettle 3.7.3
o ports: nss 3.70[22]
o ports: openvpn 2.5.3[23]
o ports: pcre 8.45[24]
o ports: php 7.4.23[25]
o ports: phpseclib 2.0.32[26]
o ports: python 3.8.12[27]
o ports: strongswan 5.9.3[28]
o ports: sudo 1.9.8p1[29]
o ports: suricata 6.0.3[30]
o ports: syslog-ng 3.34.1[31]
o ports: unbound 1.13.2[32]

Known issues and limitations:

o NextCloud backup feature moved from core to plugins.  Please reinstall if needed.
o IPsec identities are now set using their explicit type.  See StrongSwan documentation[33] for the old automatic defaults.
o Unbound custom options setting has been discontinued.  Local override directory /usr/local/etc/unbound.opnsense.d exists.
o OpenVPN network input validation changed.  Check all clients and servers for GUI errors after upgrade by saving their configuration and removing stray whitespace on errors.
o OPNcentral plugin is no longer required on managed nodes after upgrade.

Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://docs.opnsense.org/vendor/deciso/opncentral.html
[3] https://github.com/opnsense/plugins/blob/stable/21.7/security/acme-client/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/21.7/dns/bind/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/21.7/net/chrony/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/collectd/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/21.7/dns/dnscrypt-proxy/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/21.7/mail/fetchmail/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/21.7/net/freeradius/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/21.7/net/frr/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/21.7/net/haproxy/pkg-descr
[12] https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/net-snmp/pkg-descr
[13] https://github.com/opnsense/plugins/blob/stable/21.7/mail/postfix/pkg-descr
[14] https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/telegraf/pkg-descr
[15] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:15.libfetch.asc
[16] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:13.bhyve.asc
[17] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:14.ggatec.asc
[18] https://curl.se/changes.html#7_79_1
[19] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[20] https://web.mit.edu/kerberos/krb5-1.19/
[21] https://mmonit.com/monit/changes/
[22] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.70_release_notes
[23] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.3
[24] https://www.pcre.org/original/changelog.txt
[25] https://www.php.net/ChangeLog-7.php#7.4.23
[26] https://github.com/phpseclib/phpseclib/releases/tag/2.0.32
[27] https://docs.python.org/release/3.8.12/whatsnew/changelog.html
[28] https://github.com/strongswan/strongswan/releases/tag/5.9.3
[29] https://www.sudo.ws/stable.html#1.9.8p1
[30] https://suricata.io/2021/06/30/new-suricata-6-0-3-and-5-0-7-releases/
[31] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.34.1
[32] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-13-2
[33] https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing