Software Update: OPNsense 19.1


OPNsense is a firewall package with an extensive feature set. It is based on the FreeBSD operating system and originated as a fork of m0n0wall and pfSense. It can be configured entirely through a web interface and supports 2FA, OpenVPN, IPsec, CARP and a captive portal, among other features. It also provides packet filtering and a traffic shaper. The developers have released OPNsense 19.1 with the following announcement:

OPNsense 19.1 released

hi there,

For more than four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

The 19.1 release, nicknamed “Inspiring Iguana”, consists of a total of 620 individual changes since 18.7 came out 6 months ago, spread out over 12 intermediate releases including the recent release candidates. That is the average of 2 stable releases per month, security updates and important bug fixes included! If we had to pick a few highlights it would be: The firewall alias API is finally in place. The migration to HardenedBSD 11.2 has been completed. 2FA now works with a remote LDAP / local TOTP combination. And the OpenVPN client export was rewritten for full API support as well.

These are the most prominent changes since version 18.7:

  • fully functional firewall alias API
  • PIE firewall shaper support
  • firewall NAT rule logging support
  • 2FA via LDAP-TOTP combination
  • WPAD / PAC and parent proxy support in the web proxy
  • P12 certificate export with custom passwords
  • Dpinger is now the default gateway monitor
  • ET Pro Telemetry edition plugin
  • extended IPv6 DUID support
  • Dnsmasq DNSSEC support
  • OpenVPN client export API
  • Realtek NIC driver version 1.95
  • HardenedBSD 11.2, LibreSSL 2.7
  • Unbound 1.8, Suricata 4.1
  • Phalcon 3.4, Perl 5.28
  • firmware health check extended to cover all OS files, HTTPS mirror default
  • updates are browser cache-safe regarding CSS and JavaScript assets
  • collapsible side bar menu in the default theme
  • language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
  • new plugins for API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat, Dnscrypt-proxy

Here are the full changes against version 19.1-RC2:

  • ipsec: add firewall interface as soon as phase 1 is enabled
  • ipsec: phase 1 selection GUI JavaScript compatibility fix
  • monit: widget improvements and bug fix (contributed by Frank Brendel)
  • ui: fix regression in single host or network subnet select in static pages
  • plugins: os-frr 1.7 updates OSPF outbound rules (contributed by Fabian Franz)
  • plugins: os-telegraf 1.7.4 fixes packet filter input
  • plugins: os-theme-rebellion 1.8.2 adds image color invert
  • plugins: os-vnstat 1.1
  • plugins: os-zabbix-agent now uses Zabbix version 4.0
  • src: revert mmc_calculate_clock() as HS200/HS400 support breaks legacy support
  • src: update sqlite3-3.20.0 to sqlite3-3.26.0
  • src: import tzdata 2018h, 2018i
  • src: avoid unsynchronized updates to kn_status
  • ports: ca_root_nss 3.42
  • ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion)
  • ports: sudo patch to fix listpw=never

Migration notes and minor incompatibilities to look out for:

  • Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration. Apinger is no longer available.
  • Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
  • Quagga plugin has been superseded by FRR plugin. A binary quagga package has been preserved for the time being.
  • Please read the FRR documentation with regard to the required system tunables.
  • Bhyve UEFI boot may fail as a guest. The problem is being investigated.
  • SNMP plugin has been superseded by Net-SNMP plugin.

stay safe,
Your OPNsense team

Version number: 19.1
Release status: Final
Operating systems: BSD
Website: OPNsense
License type: Conditions (GNU/BSD/etc.)