New OPNsense Release

OPNsense® Business Edition 21.10 released

The OPNsense business edition successfully transitions to this 21.10 release
with a new installer including ZFS support, improved central management and
Intel network driver updates amongst others.

Download link is as follows.  An installation guide[1] and the checksums for
the images can be found below as well.

This business release is based on the OPNsense 21.7.3 community version
with additional reliability improvements.

Here are the full patch notes:

o system: allow automatic user creation on LDAP-based logins
o system: circular logs are now disabled by default
o system: default gateway failure state killing is now disabled by default
o system: allow cron-based restarts of all "restart" action providers
o system: allow more characters in the certificate/authority organization fields (contributed by Jan De Luyck)
o system: default RSS widget feed to forum announcements
o system: prevent use of client certificates in web GUI
o system: raised encryption standard for encrypted config.xml export
o system: reload FreeBSD services when reloading all services from console
o system: add missing ACL for Syslog targets page
o system: removed NextCloud backup from core functionality
o system: removed unused traffic API dashboard feed
o interfaces: add and use unified function is_interface_assigned() to prevent deleting assigned interfaces
o interfaces: add netstat tree search and improve page layout
o interfaces: allow interface-based overrides of hardware checksum settings
o interfaces: correct indent in dhclient configuration
o interfaces: clear PPPoE SLAAC addresses on linkdown
o interfaces: flush IPv6 addresses on the correct IPv6 interface when it differs from the IPv4 interface
o interfaces: improve GRE/GIF configuration handling and dynamic reload behaviour
o interfaces: packet capture quick select for all interfaces
o interfaces: refactor DNS lookup and add PTR to output (contributed by Maurice Walker)
o interfaces: refactored address removal into interfaces_addresses_flush()
o interfaces: remove duplicated handling of PPP IPv6 interface detection
o interfaces: replace opportunistic diagnostics IP address lookups with more robust variants
o interfaces: sync firewall groups after internal create/destroy operations
o interfaces: use -M option in rtsold invoke in preparation for 22.1
o firewall: MVC rewrite of the pfTop diagnostics pages under "Sessions"
o firewall: MVC rewrite of the states diagnostics pages under "States"
o firewall: add manual reply-to configuration to rules
o firewall: add quick link to states counter from firewall rule inspection
o firewall: aliases maximum entries progress bar
o firewall: allow to specify port ranges for outgoing NAT (contributed by Nikolay Denev)
o firewall: clarify match/set priority in rules
o firewall: delete related rules when an interface group is removed
o firewall: improve alias description/preview
o firewall: make sure and table-entries are always aligned
o firewall: only set state options on rules when state is being tracked
o firewall: rename source/destination networks when group name changes
o firewall: renamed "pfTables" diagnostics to "Aliases"
o firewall: use permanent promiscuous mode for pflog0
o dhcp: add shared dhcpd_leases() reader and use it in both lease pages
o dhcp: always deprecate prefixes in automatic router advertisements
o dhcp: assorted improvements surrounding dhcpd_staticmap() for real world operation
o dhcp: fix table header sorting in lease pages (contributed by vnxme)
o dhcp: lock access to settings pages when interface is not suitable for running a DHCP server
o dhcp: remove ::/0 route from router advertisements (contributed by Maurice Walker)
o firmware: also check plugins sync for up to date core package
o firmware: backend now supports reinstall like opnsense-bootstrap -q
o firmware: confirm plugin removal dialog
o firmware: introduced connectivity check
o firmware: opnsense-patch can now patch installer and updater files
o firmware: opnsense-update -c option now honours the -f option
o firmware: opnsense-update improvements for mirror manipulation options
o firmware: replace php version_compare() call with pkg-version shell command
o firmware: revoke 21.1 fingerprint
o firmware: static template for firmware upgrade message
o firmware: sync plugins in console update
o ipsec: add auto type for identities
o ipsec: adhere to system defaults for route-to and reply-to when creating automatic VPN rules
o ipsec: fix a regression in VTI handling
o ipsec: fix a regression in rightsubnets for non-mobile phase 2
o ipsec: identity quoting for ASN1DN and FQDN types with "#" characters
o ipsec: switched to explicit type selection for identities
o openvpn: CARP status read cleanups (contributed by vnxme)
o openvpn: do not create empty router file
o openvpn: validate tunnel prefix to avoid OpenVPN 2.5 start errors (contributed by kulikov-a)
o openvpn: improve the cipher parsing
o openvpn: increase consistency between export types
o openvpn: offer the ability to export a user without a certificate
o openvpn: simplify CIDR validation and remove trim() usage
o openvpn: tls-crypt support (contributed by vnxme)
o openvpn: untie server-ipv6 from server directive
o openvpn: use is_interface_assigned() to prevent deletion of assigned instances
o unbound: add "unbound check" backend action
o unbound: add qname-minimisation-strict option
o unbound: allow to retain cache on service reload
o unbound: automatically add "do-not-query-localhost: no" on DoT when needed
o unbound: fix /var MFS dilemma for DNSBL after boot
o unbound: fix domain overrides for private address reverse lookup zones (contributed by Maurice Walker)
o unbound: register DHCP leases with their matching IP range configured DHCP domain
o unbound: reject invalid cache data
o unbound: remove deprecated custom options setting
o unbound: renamed "blacklist" to "blocklist" for clarity
o unbound: support insecure-domain directive
o unbound: switch model to integrate full DNS over TLS support
o console: throw error when opnsense-importer encounters an encrypted config.xml
o mvc: allow to unset attribute via setAttributeValue()
o mvc: reduce differentials in config.xml when saving models
o rc: opnsense-beep melody database directory
o ui: improved JS hook_ipv4v6() to jump to /64 on IPv6 and back to /32 on IPv4
o ui: inject default tooltips into bootgrid formatters
o ui: work on unification of add buttons by minifying them and adding primary color markup
o ui: removed $main_buttons magic handler
o plugins: OPNcentral core requirements are now installed by default via os-OPNBEcore plugin
o plugins: os-OPNBEcore 1.0
o plugins: os-OPNcentral 1.3[2]
o plugins: os-acme-client 3.2[3]
o plugins: os-bind 1.18[4]
o plugins: os-chrony 1.4[5]
o plugins: os-collectd 1.4[6]
o plugins: os-dnscrypt-proxy 1.9[7]
o plugins: os-fetchmail 1.1[8]
o plugins: os-freeradius 1.9.16[9]
o plugins: os-frr 1.22[10]
o plugins: os-haproxy 3.5[11]
o plugins: os-net-snmp 1.5[12]
o plugins: os-nextcloud-backup 1.0
o plugins: os-nginx Phalcon 4 fixes
o plugins: os-postfix 1.20[13]
o plugins: os-radsecproxy 1.0 (contributed by Tobias Boehnert)
o plugins: os-realtek-re 1.0 adds Realtek vendor NIC driver module
o plugins: os-telegraf 1.12.1[14]
o plugins: os-tftp 1.0 (contributed by Michael Muenz)
o plugins: os-tor Phalcon 4 fix
o src: FreeBSD updates for Intel e1000, ixgbe and ixl drivers
o src: FreeBSD updates for the pf(4) and iflib(4) subsystems
o src: compatibility shim for upcoming rtsold "-M" command line option
o src: dhclient support for VLAN 0 decapsulation
o src: dhclient: skip_to_semi() consumes semicolon already
o src: fix libfetch out of bounds read[15]
o src: fix missing error handling in bhyve(8) device models[16]
o src: fix remote code execution in ggatec(8)[17]
o src: iflib: fix partial length accounting error in netmap mode
o src: lib: add libnetmap and related patches
o src: rtsold: slightly change address read
o src: runtime RSS code preparations and assorted related upstream patches
o src: separately log NAT and firewall rules in pf(4)
o ports: drop hardening options and switch to FreeBSD ports tree
o ports: curl 7.79.1[18]
o ports: dnsmasq 2.86[19]
o ports: filterlog 0.5 removes unused IPv6 options support
o ports: ifinfo 13.0
o ports: krb5 1.19.2[20]
o ports: monit 5.29.0[21]
o ports: mpd5 adds L2TP interoperability fix from upstream
o ports: nettle 3.7.3
o ports: nss 3.70[22]
o ports: openvpn 2.5.3[23]
o ports: pcre 8.45[24]
o ports: php 7.4.23[25]
o ports: phpseclib 2.0.32[26]
o ports: python 3.8.12[27]
o ports: strongswan 5.9.3[28]
o ports: sudo 1.9.8p1[29]
o ports: suricata 6.0.3[30]
o ports: syslog-ng 3.34.1[31]
o ports: unbound 1.13.2[32]

Known issues and limitations:

o NextCloud backup feature moved from core to plugins.  Please reinstall if needed.
o IPsec identities are now set using their explicit type.  See StrongSwan documentation[33] for the old automatic defaults.
o Unbound custom options setting has been discontinued.  Local override directory /usr/local/etc/unbound.opnsense.d exists.
o OpenVPN network input validation changed.  Check all clients and servers for GUI errors after upgrade by saving their configuration and removing stray whitespace on errors.
o OPNcentral plugin is no longer required on managed nodes after upgrade.

Stay safe,
Your OPNsense team