Software update: OPNsense 18.7




The OPNsense package is a firewall with extensive possibilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. The package can be set up completely via a web interface and includes support for 2FA, OpenVPN, IPsec, CARP and a captive portal. In addition, it can apply packet filtering and it has a traffic shaper. The developers have released OPNsense 18.7 with the following announcement:

OPNsense 18.7 released

Dear friends and followers,

For 3 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

Another 6 months passed by ever so quickly! The main goal for 18.7, nicknamed “Happy Hippo”, is stability so we have not yet begun to adopt FreeBSD 11.2, but there are several of its Intel NIC driver updates included to bridge the gap until 19.1 comes out. The upgrade also includes a large amount of IPv6 improvements including 6RD support as well as authentication and backup framework consolidation. Please also note that QinQ is no longer included in this release.

These are the most prominent changes since version 18.1:
improved WAN DHCPv6 and SLAAC connectivity and tracking
functional IPv6 Rapid Deployment (6RD) support
improved default route handling and gateway switching
OpenVPN default setup improvements for IPv6 and RADIUS attribute support
Dpinger gateway monitoring integration
password policies for local authentication and coupled TOTP
Monit core integration to replace the legacy notifications
OpenSSH access via group and shell selection instead of privilege
pluggable backup framework with new Nextcloud option
system tunables are now also used as loader tunables
unrestricted VLAN usage for e.g. Xen
QinQ interface removal
firmware GUI speedup, improved error parsing and console reboot hint
ZFS on root boot support (installer support is pending, but opnsense-bootstrap works)
ZFS and MSDOS config import support
ISC DHCP version moves from 4.3 to 4.4
RRDtool version moves from 1.2 to 1.7
rework rc.syshook facility to use drop-in directories instead of suffixes
backports of FreeBSD 11.2 Intel NIC drivers
stand-alone frontend UI development tools
language updates for Czech, French, German, Portuguese (Brazil)
UI header security and SSL cipher hardening
extensive UI cleanups and menu consolidation
new and rewritten plugins: os-cache, os-lcdproc-sdeclcd, os-net-snmp, os-utility, os-openconnect, os-relayd 2.0, os-shadowsocks, os-theme-cicada, os-theme-rebellion, os-theme-tukan, os-wol 2.0
We thank you for helping test, shape and contribute to the project! We know it would not be the same without you.

Migration notes and minor incompatibilities to look out for:
SSH access is now bound to the “wheel” group which is automatically added to the “admins” group, which “root” is a member of. “root” is the only user that has a default shell, which is the opnsense-shell, which is the root console menu.
SSH access can be set for an arbitrary group as well under System: Administration for non-members of the “admins” group. However, in both cases only SCP works due to a request in the forum for being more proactive regarding the yielding of shell access rights. If you want a user to gain true SSH you need to change their shell from “nologin” to an installed shell in their respective settings.
Web GUI HTTPS ciphers have been hardened. To gain access please use a recent browser.
The authentication fallback for the GUI / system has been removed in favor of selecting multiple authentication servers at once. Reassign your fallback as a primary authentication method or now use more than two methods.
It has been found that although WAN interfaces require gateways to function, they do not have to be assigned in single-WAN scenarios to avoid interfering with WAN reply behavior. The “none” selection was therefore changed to “auto-detect” to reflect this and now is the recommended setting, unless multi-WAN is used.
In preparation for the firewall alias API the per-item descriptions have been removed along with support for the deprecated types urltable_ports and url_ports.
OpenVPN /31 tunnel network calculation has been fixed. If you are affected, adjust your clients or export their configuration again. Additionally, /32 tunnel networks are now prohibited.
Stay safe and happy,
Your OPNsense team
Version number: 18.7
Release status: Final
Operating systems: BSD
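A small audit helper for the SSH migration note in the announcement, added here as an example and not part of the OPNsense announcement or code base: given the contents of /etc/passwd and /etc/group, it lists which members of the SSH group (“wheel” by default, or the arbitrary group configured under System: Administration) get an interactive shell and which are limited to SCP because their shell is still “nologin”. The sample accounts, the user names and the opnsense-shell path are constructed for the example.

```python
# Constructed sample of FreeBSD-style /etc/passwd and /etc/group content,
# mirroring the 18.7 layout in the announcement: "root" uses the console
# menu shell, "wheel" is the SSH group, and an imported user still carries
# the "nologin" shell. Names and the opnsense-shell path are assumptions.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/usr/local/sbin/opnsense-shell
alice:*:2001:2001:Alice Admin:/home/alice:/usr/sbin/nologin
bob:*:2002:2002:Bob Ops:/home/bob:/bin/csh
carol:*:2003:1999:Carol Audit:/home/carol:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
wheel:*:0:root,alice
admins:*:1999:root,bob
"""

# Shells that let scp/sftp work but refuse an interactive session.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Map user name -> {gid, shell} from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _uid, gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = {"gid": int(gid), "shell": shell}
    return users


def parse_group(text):
    """Map group name -> {gid, members} from group(5) lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid),
                        "members": {m for m in members.split(",") if m}}
    return groups


def ssh_audit(passwd_text, group_text, ssh_group="wheel"):
    """Return {user: "shell" | "scp-only"} for every account the SSH group
    admits, counting both explicit members and primary-GID members."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    grp = groups.get(ssh_group)
    if grp is None:
        return {}
    allowed = set(grp["members"]) | {u for u, i in users.items() if i["gid"] == grp["gid"]}
    return {u: ("scp-only" if users[u]["shell"] in NOLOGIN_SHELLS else "shell")
            for u in sorted(allowed) if u in users}


if __name__ == "__main__":
    for group in ("wheel", "admins"):
        print(group, ssh_audit(SAMPLE_PASSWD, SAMPLE_GROUP, group))
```

On a real box, feed it the files with `ssh_audit(open("/etc/passwd").read(), open("/etc/group").read())` and the group name you selected in the GUI.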