Software update: OPNsense 25.1.6
The OPNsense package is a firewall with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. The package can be configured entirely through a web interface and supports, among other things, MFA, OpenVPN, IPsec, CARP and captive portal. It can also apply packet filtering and includes a traffic shaper. The developers behind OPNsense have released the sixth update for version 25.1, and the release notes for that release can be found below.
OPNsense 25.1.6 released
After some back and forth today we are rolling back a console default change done in FreeBSD 14.2 that we do not think is necessary at this particular point in time. The bridge configuration code was also refactored to introduce it to MVC/API in an upcoming stable release. A few more problems with the new captive portal backend have also been addressed in order to make it match the behaviour of the previous one. It is now possible to disable the automatic rules to further refine the desired captive portal behaviour.
Last but not least: Kea DHCPv6 is here. And with it full DHCP and router advertisement support in Dnsmasq to bridge the gap for ISC users who do not need or want Kea. We are going to make Dnsmasq DHCP the default in new installations starting with 25.7, too. ISC DHCP will still be around as a core component in 25.7 but likely moves to plugins for 26.1 next year.
Here are the full patch notes:
- system: kill gateways states for failback scenario when a higher priority gateway goes back online
- system: update to latest tzdata content for time zones and ISO 3166 definitions
- system: clean up a number of unused functions
- system: refactor a VIP access in auth.inc
- system: add field "boottime" to api/system/systemTime (contributed by eopo)
- reporting: replace insights totals chart with ChartJS variant
- reporting: minor style fixes and cleanups in health graphs
- interfaces: refactor bridge configuration backend
- interfaces: refactor wireless device assignment
- interfaces: allow literal comma by escape sequence in DHCP advanced option modifiers
- interfaces: fix refresh button in ARP page
- interfaces: fix "(de)select all" button in packet capture
- interfaces: rename ip_in_subnet() to reflect it is only for IPv4
- interfaces: remove unused get_vip_descr()
- firewall: prevent source/destination inversion when multiple nets are selected
- firewall: support comma separated alias targets in refactor() call
- firewall: added multi-select for ICMP type
- firewall: update user agent in alias URL fetch
- captive portal: fix display issue for pass rule when client not in zone
- captive portal: allow disabling automatic firewall rules
- captive portal: exclude portal table in destination
- dnsmasq: add full DHCP/RA support
- intrusion detection: fix a log reader regression in the alert view
- ipsec: copy "Split DNS name" to undocumented "25" option
- ipsec: fix more ACLs related to individual IPsec page use
- ipsec: add DH Group 2 for basic Azure VPN gateway compatibility
- ipsec: fix trimming NULL values
- isc-dhcp: use "lease_type" to key lease map in addition to "iaid_duid" (contributed by Alex Goodkind)
- isc-dhcp: fix invalid FQDN generation from DHCPv4 static map domains (contributed by Steven Zimmermann)
- kea-dhcp: add DHCPv6 support
- openvpn: simplify the VIP handling in legacy pages
- backend: support "errors:no" clause on actions
- mvc: allow referencing disabled interfaces in LinkAddressField
- mvc: fix scoping issue in CertificatesField
- plugins: os-ndproxy 1.1
- plugins: os-squid 1.2
- plugins: os-theme-rebellion 1.9.3 (contributed by Team Rebellion)
- plugins: os-turnserver 1.0 (contributed by Frank Wall)
- src: caroot: update the root bundle
- src: openssl: import OpenSSL 3.0.16
- src: daemon: stop rebuilding the kqueue every restart of the child
- src: contrib/expat: update libexpat from 2.6.0 to 2.7.1
- src: contrib/tzdata: import tzdata 2025b
- src: pfctl: fix faulty rule anchor counter print
- src: pfctl: fix recursive printing of NAT rules
- src: pf: Use a macro to get the hash row in pf_find_state_byid()
- src: netinet6: work around synchronization issue in dying netgraph device
- src: wg: Improve wg_peer_alloc() to simplify the calling
- src: bnxt_en: Retrieve maximum of 128 APP TLVs
- src: Revert "amd64 GENERIC: Switch uart hints from isa to acpi"
- ports: curl 8.13.0
- ports: expat 2.7.1
- ports: kea 2.6.2
- ports: monit 5.35.1
- ports: nss 3.110
- ports: openssh 10.0p1
- ports: php 8.3.20
- ports: phalcon 5.9.3
- ports: python 3.11.12
- ports: unbound 1.23.0
Source:
Tweakers.net