# Table of Contents
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [Welcome to OPNsense’s documentation! — OPNsense documentation](#welcome-to-opnsense-s-documentation-opnsense-documentation)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [404 Not Found](#404-not-found)
- [Introduction — OPNsense documentation](#introduction-opnsense-documentation)
- [Releases — OPNsense documentation](#releases-opnsense-documentation)
- [Security — OPNsense documentation](#security-opnsense-documentation)
- [Business Edition — OPNsense documentation](#business-edition-opnsense-documentation)
- [Installation and setup — OPNsense documentation](#installation-and-setup-opnsense-documentation)
- [Official hardware — OPNsense documentation](#official-hardware-opnsense-documentation)
- [Lobby — OPNsense documentation](#lobby-opnsense-documentation)
- [Reporting — OPNsense documentation](#reporting-opnsense-documentation)
- [System — OPNsense documentation](#system-opnsense-documentation)
- [Interfaces — OPNsense documentation](#interfaces-opnsense-documentation)
- [Firewall — OPNsense documentation](#firewall-opnsense-documentation)
- [Services — OPNsense documentation](#services-opnsense-documentation)
- [Community Plugins — OPNsense documentation](#community-plugins-opnsense-documentation)
- [Legal notices — OPNsense documentation](#legal-notices-opnsense-documentation)
- [Third-party Plugins — OPNsense documentation](#third-party-plugins-opnsense-documentation)
- [Troubleshooting — OPNsense documentation](#troubleshooting-opnsense-documentation)
- [Virtual Private Networking — OPNsense documentation](#virtual-private-networking-opnsense-documentation)
- [Development Manual — OPNsense documentation](#development-manual-opnsense-documentation)
- [Project Relations — OPNsense documentation](#project-relations-opnsense-documentation)
- [Support Options — OPNsense documentation](#support-options-opnsense-documentation)
- [History — OPNsense documentation](#history-opnsense-documentation)
- [Community Edition — OPNsense documentation](#community-edition-opnsense-documentation)
- [Business Edition — OPNsense documentation](#business-edition-opnsense-documentation)
- [Contribute — OPNsense documentation](#contribute-opnsense-documentation)
- [Central Management — OPNsense documentation](#central-management-opnsense-documentation)
- [Web Application Firewall — OPNsense documentation](#web-application-firewall-opnsense-documentation)
- [Updates — OPNsense documentation](#updates-opnsense-documentation)
- [Extended Blocklists — OPNsense documentation](#extended-blocklists-opnsense-documentation)
- [Included software — OPNsense documentation](#included-software-opnsense-documentation)
- [Hardware sizing & setup — OPNsense documentation](#hardware-sizing-setup-opnsense-documentation)
- [Virtual & Cloud based Installation — OPNsense documentation](#virtual-cloud-based-installation-opnsense-documentation)
- [Initial Installation & Configuration — OPNsense documentation](#initial-installation-configuration-opnsense-documentation)
- [Welcome to OPNsense’s documentation! — OPNsense documentation](#welcome-to-opnsense-s-documentation-opnsense-documentation)
- [Quickstart / getting started — OPNsense documentation](#quickstart-getting-started-opnsense-documentation)
- [SFP(+) Compatibility — OPNsense documentation](#sfp-compatibility-opnsense-documentation)
- [Serial Console connectivity — OPNsense documentation](#serial-console-connectivity-opnsense-documentation)
- [Default Configurations — OPNsense documentation](#default-configurations-opnsense-documentation)
- [Serial Access — OPNsense documentation](#serial-access-opnsense-documentation)
- [Changelogs — OPNsense documentation](#changelogs-opnsense-documentation)
- [Dashboard — OPNsense documentation](#dashboard-opnsense-documentation)
- [General User Interface — OPNsense documentation](#general-user-interface-opnsense-documentation)
- [Installing OPNsense AWS image — OPNsense documentation](#installing-opnsense-aws-image-opnsense-documentation)
- [BIOS updates / settings — OPNsense documentation](#bios-updates-settings-opnsense-documentation)
- [Password — OPNsense documentation](#password-opnsense-documentation)
- [Installing OPNsense OVA image — OPNsense documentation](#installing-opnsense-ova-image-opnsense-documentation)
- [OPNsense Azure Virtual Appliance — OPNsense documentation](#opnsense-azure-virtual-appliance-opnsense-documentation)
- [OPNsense Tools — OPNsense documentation](#opnsense-tools-opnsense-documentation)
- [System Health & Round Robin Data — OPNsense documentation](#system-health-round-robin-data-opnsense-documentation)
- [Netflow Export & Analyses — OPNsense documentation](#netflow-export-analyses-opnsense-documentation)
- [25.1 “Ultimate Unicorn” Series — OPNsense documentation](#25-1-ultimate-unicorn-series-opnsense-documentation)
- [Reporting Settings — OPNsense documentation](#reporting-settings-opnsense-documentation)
- [Using Insight - Netflow Analyzer — OPNsense documentation](#using-insight-netflow-analyzer-opnsense-documentation)
- [19.1 “Inspiring Iguana” Series — OPNsense documentation](#19-1-inspiring-iguana-series-opnsense-documentation)
- [Reporting: Traffic — OPNsense documentation](#reporting-traffic-opnsense-documentation)
- [24.1 “Savvy Shark” Series — OPNsense documentation](#24-1-savvy-shark-series-opnsense-documentation)
- [23.1 “Quintessential Quail” Series — OPNsense documentation](#23-1-quintessential-quail-series-opnsense-documentation)
- [24.7 “Thriving Tiger” Series — OPNsense documentation](#24-7-thriving-tiger-series-opnsense-documentation)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# Welcome to OPNsense’s documentation! — OPNsense documentation
* [](#)
* Welcome to OPNsense’s documentation!
* * *

* * *
Welcome to OPNsense’s documentation
==========================================================================================================
[OPNsense®](https://opnsense.org)
is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform.
**OPNsense** includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
Table of Contents[](#table-of-contents "Permalink to this heading")
---------------------------------------------------------------------
> * [Introduction](intro.html)
> * [Welcome to OPNsense’s documentation!](intro.html#welcome-to-opnsense-s-documentation)
>
> * [Mission Statement](intro.html#mission-statement)
>
> * [Reading guide](intro.html#reading-guide)
>
> * [Feature set](intro.html#feature-set)
>
> * [OPNsense Core Features](intro.html#opnsense-core-features)
>
> * [Security](security.html)
> * [Intro](security.html#intro)
>
> * [Staying ahead](security.html#staying-ahead)
>
> * [Upstream vulnerabilities](security.html#upstream-vulnerabilities)
>
> * [Reporting an incident](security.html#reporting-an-incident)
>
> * [Information handling policies](security.html#information-handling-policies)
>
> * [Third party security verification](security.html#third-party-security-verification)
>
> * [Releases](releases.html)
> * [Community Edition](CE_releases.html)
>
> * [Business Edition](BE_releases.html)
>
> * [Business Edition](be.html)
> * [Central Management](vendor/deciso/opncentral.html)
>
> * [Web Application Firewall](vendor/deciso/opnwaf.html)
>
> * [Extended Blocklists](vendor/deciso/extended_dnsbl.html)
>
> * [Installation and setup](setup.html)
> * [Hardware sizing & setup](manual/hardware.html)
>
> * [Initial Installation & Configuration](manual/install.html)
>
> * [Virtual & Cloud based Installation](manual/virtuals.html)
>
> * [Updates](manual/updates.html)
>
> * [Included software](manual/software_included.html)
>
> * [Setup guides](setup.html#setup-guides)
>
> * [Official hardware](vendor.html)
> * [Quickstart / getting started](hardware/quickstart.html)
>
> * [Default Configurations](hardware/defaults.html)
>
> * [Serial Console connectivity](hardware/serial_connectivity.html)
>
> * [BIOS updates / settings](hardware/bios.html)
>
> * [SFP(+) Compatibility](hardware/sfp_compatibility.html)
>
> * [Lobby](lobby.html)
> * [General User Interface](manual/gui.html)
>
> * [Dashboard](manual/dashboard.html)
>
> * [Password](manual/lobby_password.html)
>
> * [OPNsense Tools](manual/opnsense_tools.html)
>
> * [Reporting](reporting.html)
> * [System Health & Round Robin Data](manual/systemhealth.html)
>
> * [Using Insight - Netflow Analyzer](manual/how-tos/insight.html)
>
> * [Netflow Export & Analyses](manual/netflow.html)
>
> * [Reporting Settings](manual/reporting_settings.html)
>
> * [Reporting: Traffic](manual/reporting_traffic.html)
>
> * [Reporting: Unbound DNS](manual/reporting_unbound_dns.html)
>
> * [Setup guides](reporting.html#setup-guides)
>
> * [System](system.html)
> * [Access / User Management](manual/users.html)
>
> * [Configuration](manual/backups.html)
>
> * [Firmware](manual/firmware.html)
>
> * [Gateways](manual/gateways.html)
>
> * [Gateway groups / Multi WAN](manual/multiwan.html)
>
> * [High Availability](manual/hacarp.html)
>
> * [Routes](manual/routes.html)
>
> * [Settings](manual/settingsmenu.html)
>
> * [Snapshots](manual/snapshots.html)
>
> * [Trust](manual/certificates.html)
>
> * [Log Files](manual/logging_system.html)
>
> * [Diagnostics](manual/diagnostics_system.html)
>
> * [Setup guides](system.html#setup-guides)
>
> * [Interfaces](interfaces.html)
> * [Interface configuration](manual/interfaces.html)
>
> * [Devices](manual/other-interfaces.html)
>
> * [Overview](manual/interfaces_overview.html)
>
> * [Settings](manual/interfaces_settings.html)
>
> * [Neighbors](manual/neighbors.html)
>
> * [Virtual IPs](manual/firewall_vip.html)
>
> * [Wireless](manual/wireless.html)
>
> * [IPv6 setup](manual/ipv6.html)
>
> * [Diagnostics](manual/diagnostics_interfaces.html)
>
> * [Setup Guides](interfaces.html#setup-guides)
>
> * [Firewall](firewall.html)
> * [Generic info](manual/firewall_generic.html)
>
> * [Aliases](manual/aliases.html)
>
> * [Categories](manual/firewall_categories.html)
>
> * [\[Interface\] Groups](manual/firewall_groups.html)
>
> * [Network Address Translation](manual/nat.html)
>
> * [NPTv6](manual/nptv6.html)
>
> * [Rules](manual/firewall.html)
>
> * [Traffic Shaping](manual/shaping.html)
>
> * [(Advanced) Settings](manual/firewall_settings.html)
>
> * [Normalization](manual/firewall_scrub.html)
>
> * [Configure CARP](manual/how-tos/carp.html)
>
> * [Log Files](manual/logging_firewall.html)
>
> * [Diagnostics](manual/diagnostics_firewall.html)
>
> * [Setup guides](firewall.html#setup-guides)
>
> * [Virtual Private Networking](manual/vpnet.html)
> * [IPsec](manual/vpnet.html#ipsec)
>
> * [OpenVPN (SSL VPN)](manual/vpnet.html#openvpn-ssl-vpn)
>
> * [Wireguard](manual/vpnet.html#wireguard)
>
> * [Plugin VPN options](manual/vpnet.html#plugin-vpn-options)
>
> * [Services](services.html)
> * [Captive portal & GuestNET](manual/captiveportal.html)
>
> * [DHCP](manual/dhcp.html)
>
> * [Dnsmasq DNS](manual/dnsmasq.html)
>
> * [Intrusion Prevention System](manual/ips.html)
>
> * [Monit](manual/monit.html)
>
> * [Network Time](manual/ntpd.html)
>
> * [OpenDNS](manual/opendns.html)
>
> * [Unbound DNS](manual/unbound.html)
>
> * [Router Advertisements](manual/radvd.html)
>
> * [Log Files](manual/logging_services.html)
>
> * [Setup guides](services.html#setup-guides)
>
> * [Community Plugins](plugins.html)
> * [Routing](plugins.html#routing)
>
> * [DNS](plugins.html#dns)
>
> * [VPN](plugins.html#vpn)
>
> * [Web](plugins.html#web)
>
> * [Other](plugins.html#other)
>
> * [Reporting](plugins.html#reporting)
>
> * [Third-party Plugins](third_party_plugins.html)
> * [Sunnyvalley](third_party_plugins.html#sunnyvalley)
>
> * [Troubleshooting](troubleshooting.html)
> * [General issue workflow](troubleshooting.html#general-issue-workflow)
>
> * [Topics](troubleshooting.html#topics)
>
> * [Development Manual](develop.html)
> * [Development Workflow](development/workflow.html)
>
> * [Coding Guidelines](development/guidelines.html)
>
> * [Architecture](development/architecture.html)
>
> * [Backend](development/backend.html)
>
> * [Frontend](development/frontend.html)
>
> * [Components](development/components.html)
>
> * [API Reference](development/api.html)
>
> * [Examples](development/examples.html)
>
> * [How-tos](development/howtos.html)
>
> * [Sources](develop.html#sources)
>
> * [Project Relations](relations.html)
> * [Deciso B.V.](relations/deciso.html)
>
> * [FreeBSD®](relations/freebsd.html)
>
> * [M0n0wall](relations/m0n0wall.html)
>
> * [Open Source Initiative](relations/osi.html)
>
> * [Legal notices](legal.html)
> * [OPNsense License & Copyright](legal.html#opnsense-license-copyright)
>
> * [Packages and ports](legal.html#packages-and-ports)
>
> * [Documentation Copyright](legal.html#documentation-copyright)
>
> * [Pictures Copyright](legal.html#pictures-copyright)
>
> * [Logos Copyright](legal.html#logos-copyright)
>
> * [Trademark policy](legal.html#trademark-policy)
>
> * [Support Options](support.html)
> * [Software Support Levels](support.html#software-support-levels)
>
> * [Community](support.html#community)
>
> * [Commercial](support.html#commercial)
>
> * [List of available community plugins](support.html#list-of-available-community-plugins)
>
> * [Contribute](contribute.html)
> * [Financially](contribute.html#financially)
>
> * [Development](contribute.html#development)
>
> * [Translations](contribute.html#translations)
>
> * [Documentation & wiki articles](contribute.html#documentation-wiki-articles)
>
> * [Forum & IRC](contribute.html#forum-irc)
>
> * [Social media](contribute.html#social-media)
>
> * [Closing Words](contribute.html#closing-words)
>
> * [History](history.html)
> * [About the Fork](history/thefork.html)
>
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# 404 Not Found
Not Found
=========
The requested URL was not found on this server.
---
# Introduction — OPNsense documentation
* [](index.html)
* Introduction
* * *
Introduction[](#introduction "Permalink to this heading")
===========================================================
Welcome to the OPNsense documentation & wiki project! The documentation is work in progress and is updated frequently. If you would like to contribute in anyway, please take a look at our guide how to [Contribute](contribute.html)
.
[](_images/opnsense_logo_horizontaal.png)
Welcome to OPNsense’s documentation
----------------------------------------------------------------------------------------------------------
[OPNsense®](https://opnsense.org)
is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform.
**OPNsense** includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
Mission Statement[](#mission-statement "Permalink to this heading")
---------------------------------------------------------------------
> Give users, developers and businesses a friendly, stable and transparent environment. Make OPNsense the most widely used open source security platform. The project’s name is derived from open and sense and stands for: “Open (source) makes sense.”

Reading guide[](#reading-guide "Permalink to this heading")
-------------------------------------------------------------
While reading the documentation, it’s good to know how the various topics are structured, what their purpose is and how to find what you’re looking for. Maybe even more important is what this documentation doesn’t offer.
If you’re looking for deeper insights about networking and best practices in designing them, this might not be the best place to look. Most of our documents and how-to’s focus on how to use functionality included in our software and/or one of it’s plugins. Quite some books are written about networking, there are (online) courses available and wikipedia contains a lot of relevant articles as well. Some interesting reads include the fundamentals about the [OSI model](https://en.wikipedia.org/wiki/OSI_model)
, [IP addressing](https://en.wikipedia.org/wiki/IP_address)
, [routing](https://en.wikipedia.org/wiki/IP_routing)
and [network address translation](https://en.wikipedia.org/wiki/Network_address_translation)
. Likely these resources are more suitable for learning about general network concepts. Although we do try to include some context in our documents, there are often assumptions made about the readers knowledge on (basic) networking.
Like many products and projects, ours grows over time, functionality extends and changes, which sometimes makes it difficult to find what you need for the version you’re using. Although we try to keep our documentation up to date, sometimes text doesn’t reflect reality anymore. If that’s the case and you think you found an omission, don’t hestitate to open a report using one of our templates on [GitHub](https://github.com/opnsense/docs/issues/new/choose)
or a pull request of course if you’re able to.
Always assume the text is intended for the latest version of our product, in time we might add a version selector in the documentation, but given OPNsense is a security product, we advise to keep it up to date anyway to protect yourself against the latest threats.
The releases section contains the changelogs for all versions we published over the years, if there are remarks for an upgrade, this is a useful resource to collect the details.
Installation and setup is all about getting you started using one of the target options available.
The next sections should be quite familiair when working with OPNsense, as they reflect the options in the menu of the product. In case you’re not yet used to OPNsense, you can always use the search input in the left corner of the screen to find your topic.
Both community and third-party plugins have their own area available, although they eventually register into the same menu structure, it’s good to know about possible differences between add-ons and standard functionality. The level of support may differ between core functionality, as also explained in the “Support options” section, feature requests and bugs maybe treated different as well (a lot of questions for a plugin which is being developed by a single person, maybe less active than a group of people improving a plugin together for example).
When it comes to building software on top of OPNsense or extending existing functionality, the development chapter is the one to read. It explains all about our architecture, coding style, how to hook into available facilities and much more.
Some pointers when it comes to troubleshooting can be found in the section with the same name, it explains a bit about our issue workflow and some tips we collected over the years.
Last but not least our documentation includes some pages around project relations, legal guidelines and ways to contribute to the project.
* * *
Feature set[](#feature-set "Permalink to this heading")
---------------------------------------------------------
The feature set of OPNsense includes high-end features such as forward caching proxy, traffic shaping, intrusion detection and easy OpenVPN client setup. The latest release is based on a recent FreeBSD for long-term support and uses a newly developed MVC-framework based on Phalcon. OPNsense’s focus on security brings unique features such as easy to use one time password authentication for various components.
The robust and reliable update mechanism gives OPNsense the ability to provide important security updates in a timely fashion.
* * *
OPNsense Core Features[](#opnsense-core-features "Permalink to this heading")
-------------------------------------------------------------------------------
* Traffic Shaper
* Captive portal
* Voucher support
* Template manager
* Multi zone support
* Forward Caching Proxy
* Transparent mode supported
* Blacklist support
* Virtual Private Network
* Site to site
* Road warrior
* IPsec
* OpenVPN
* High Availability & Hardware Failover
* Includes configuration synchronization & synchronized state tables
* Moving virtual IPs
* Intrusion Detection and Inline Prevention
* Built-in support for Emerging Threats rules
* Simple setup by use of rule categories
* Scheduler for period automatic updates
* Built-in reporting and monitoring tools
* System Health, the modern take on RRD Graphs
* Packet Capture
* Netflow
* Support for plugins
* DNS Server & DNS Forwarder
* DHCP Server and Relay
* Dynamic DNS
* Backup & Restore
* Encrypted cloud backup to Google Drive and Nextcloud
* Configuration history with colored diff support
* Local drive backup & restore
* Stateful inspection firewall
* Granular control over state table
* 802.1Q VLAN support
* and more…
---
# Releases — OPNsense documentation
* [](index.html)
* Releases
* * *
Releases[](#releases "Permalink to this heading")
===================================================
[](_images/ideas_join_the_development.jpg)
* [Community Edition](CE_releases.html)
* [25.1 “Ultimate Unicorn” Series](releases/CE_25.1.html)
* [24.7 “Thriving Tiger” Series](releases/CE_24.7.html)
* [24.1 “Savvy Shark” Series](releases/CE_24.1.html)
* [23.7 “Restless Roadrunner” Series](releases/CE_23.7.html)
* [23.1 “Quintessential Quail” Series](releases/CE_23.1.html)
* [22.7 “Powerful Panther” Series](releases/CE_22.7.html)
* [22.1 “Observant Owl” Series](releases/CE_22.1.html)
* [21.7 “Noble Nightingale” Series](releases/CE_21.7.html)
* [21.1 “Marvelous Meerkat” Series](releases/CE_21.1.html)
* [20.7 “Legendary Lion” Series](releases/CE_20.7.html)
* [20.1 “Keen Kingfisher” Series](releases/CE_20.1.html)
* [19.7 “Jazzy Jaguar” Series](releases/CE_19.7.html)
* [19.1 “Inspiring Iguana” Series](releases/CE_19.1.html)
* [18.7 “Happy Hippo” Series](releases/CE_18.7.html)
* [18.1 “Groovy Gecko” Series](releases/CE_18.1.html)
* [17.7 “Free Fox” Series](releases/CE_17.7.html)
* [17.1 “Eclectic Eagle” Series](releases/CE_17.1.html)
* [16.7 “Dancing Dolphin” Series](releases/CE_16.7.html)
* [16.1 “Crafty Coyote” Series](releases/CE_16.1.html)
* [15.7 “Brave Badger” Series](releases/CE_15.7.html)
* [15.1 “Ascending Albatross” Series](releases/CE_15.1.html)
* [Business Edition](BE_releases.html)
* [24.10 Series](releases/BE_24.10.html)
* [24.4 Series](releases/BE_24.4.html)
* [23.10 Series](releases/BE_23.10.html)
* [23.4 Series](releases/BE_23.4.html)
* [22.10 Series](releases/BE_22.10.html)
* [22.4 Series](releases/BE_22.4.html)
* [21.10 Series](releases/BE_21.10.html)
* [21.4 Series](releases/BE_21.4.html)
* [20.7 “Legendary Lion” Series](releases/BE_20.7.html)
* [20.1 “Keen Kingfisher” Series](releases/BE_20.1.html)
* [19.7 “Jazzy Jaguar” Series](releases/BE_19.7.html)
* [19.1 “Inspiring Iguana” Series](releases/BE_19.1.html)
---
# Security — OPNsense documentation
* [](index.html)
* Security
* * *
[Security](#id2)
[](#security "Permalink to this heading")
============================================================
Index
* [Security](#security)
* [Intro](#intro)
* [Staying ahead](#staying-ahead)
* [Upstream vulnerabilities](#upstream-vulnerabilities)
* [Reporting an incident](#reporting-an-incident)
* [Information handling policies](#information-handling-policies)
* [Third party security verification](#third-party-security-verification)
* [Intro](#id1)
* [Business Edition](#business-edition)
* [Framework / Type of testing (LINCE)](#framework-type-of-testing-lince)
* [Steps in the process](#steps-in-the-process)
* [Timeline](#timeline)
* [Results](#results)
* [External references](#external-references)
[Intro](#id3)
[](#intro "Permalink to this heading")
------------------------------------------------------
As your trusted opensource security product, we do care a lot about security and with our regular release schedule we try to stay ahead of possible incidents. Even though we are cautious and stay informed, sometimes issues do occur, in which case it’s good to know what to do.
[Staying ahead](#id4)
[](#staying-ahead "Permalink to this heading")
----------------------------------------------------------------------
Even though we always encourage people to update regularly, sometimes it’s not possible to do so for various reasons.
Luckily OPNsense comes with an integrated security check for known vulnerabilities, which can be found in our firmware module. In which case you do have the opportunity to validate for yourself what the risk is to keep using the current version for a bit longer.
You can reach it via System -> Firmware in the status pane, the button “Run an Audit” will bring you right into the security report.
If all goes well, a report like the one below will be shown:
\*\*\*GOT REQUEST TO AUDIT SECURITY\*\*\*
Currently running OPNsense 22.1.8\_1 (amd64/OpenSSL) at Tue May 31 09:01:04 CEST 2022
vulnxml file up\-to\-date
0 problem(s) in 0 installed package(s) found.
\*\*\*DONE\*\*\*
Note
We do not offer community support on assessing if incidents on older versions do warrant an immediate upgrade on your end as this often depends on features used and settings configured. Our advise always will be to upgrade into the latest community or business version.
Warning
Please don’t report issues to us reported by the security health check, they are already known and highly likely a fix is pending for the next release.
[Upstream vulnerabilities](#id5)
[](#upstream-vulnerabilities "Permalink to this heading")
--------------------------------------------------------------------------------------------
Since OPNsense is a collection of opensource software, when finding an issue, it is always a good idea to inspect where is should be fixed first. In case you don’t know or aren’t sure, you can still ask on our end, just know that we don’t have the manpower to act as an intermediate between various projects.
[Reporting an incident](#id6)
[](#reporting-an-incident "Permalink to this heading")
--------------------------------------------------------------------------------------
Security incidents on our product can be reported to our security team available at **security** @ **opnsense.org**.
All reports should contain at least the following information:
* A clear description of the vulnerability at hand
* Which version(s) of our product seem to be affected
* Any known workaround
* When possible, some example code
[Information handling policies](#id7)
[](#information-handling-policies "Permalink to this heading")
------------------------------------------------------------------------------------------------------
As a general policy we do favor full disclosure of vulnerability information after a reasonable amount of time to permit safe analysis and correction as well as appropriate testing for the correction at hand.
In order to coordinate with other affected parties, we might share parts of the information provided to us to them as well or ask the reporter to do so.
When the submitter is interested in a coordinated disclosure process, this should be indicated in any submission to avoid discussions later on.
[Third party security verification](#id8)
[](#third-party-security-verification "Permalink to this heading")
--------------------------------------------------------------------------------------------------------------
### [Intro](#id9)
[](#id1 "Permalink to this heading")
Within the OPNsense team and community we spend a lot of time safeguarding our software and keeping up with the latest threats, like checking used software against CVE’s on every release, implementing best practices in our development methods and offering clear and transparent release engineering.
To even improve this further, we decided to bring a third party on board and mold a process around our security verification by trained security professionals.
### [Business Edition](#id10)
[](#business-edition "Permalink to this heading")
As our business edition is aimed at professional users, it does make sense to offer additional safeguards, like even more extensive testing on this product. Looking at the lifecycle of our software, this is also the most mature stage of what we do have to offer:
* Development version
* Available at every release, offers a glimpse of what to expect in the near future
* Community version
* When changes survive the development version, these are included in the community version, these are internally tested and feedback has been offered by community members.
* Business Edition
* Functional changes are being included in a more conservative manner, more feedback has been collected from development and community, leading to a mission critical version of your well known OPNsense firewall.
As security testing is quite time-consuming, we aim to offer a full qualification cycle at every major release.
### [Framework / Type of testing (LINCE)](#id11)
[](#framework-type-of-testing-lince "Permalink to this heading")
In our quest for a framework to use, we found the LINCE methodology.
LINCE is a lightweight methodology for evaluating and certifying ICT products, created by Spain’s National Cryptologic Center ([CCN](https://www.ccn.cni.es/index.php/en/menu-ccn-en)
), based on Common Criteria principles and oriented to vulnerability analysis and penetration tests.
LINCE strengths over other methodologies mainly consist of reduced effort and duration. However, the way in which it is applied also makes it possible to pay more attention to the critical points of each product, giving more weight to concrete and practical tests that combat real threats than to dense documentation or exhaustive functionality tests.
As most frameworks are not intended to be repeated very regularly, together with [jtsec](https://www.jtsec.es/)
we came up with an approach which makes it possible to pass the test twice a year, which is needed to align with our Business Edition releases.
During every cycle, there’s always a chance that (small) issues appear which should be fixed, in close accordance with jtsec, the OPNSense team prepares fixes for the findings and makes sure that these are included in a future (minor) release.
### [Steps in the process](#id12)
[](#steps-in-the-process "Permalink to this heading")
To better understand where a version of OPNsense is at in terms of verification, we distinct the following stages in the process, which we will also note on the version at hand.
1. In test - Software delivered to jtsec, in process (interaction between OPNsense and jtsec).
2. Tested - Software verified / tested, documentation not yet published.
3. LINCE Compliant - Test complete including summarised report (by jtsec)
4. Certification pending - Offered for formal certification. (as of 2023)
5. LINCE Certified - Certified by CCN (as of 2023)
The certification steps are planned to be executed once a year starting in 2023, this process is quite time consuming, but adds another independent party to the mix.
### [Timeline](#id13)
[](#timeline "Permalink to this heading")
The first fully certified product has been a community version (21.7.1), which offered us insights into the process and helped us improve the process which we would like to use for the business edition. We started this cycle with version 22.4 including full testing by jtsec and made plans for the future.
### [Results](#id14)
[](#results "Permalink to this heading")
Below you will find the versions that have been tested or are currently in test.
| Version | status | Download |
| --- | --- | --- |
| BE 24.10 | LINCE Compliant | [`BE24.10-STIC_OPNSENSE_HIGH-ETR-v1.0.pdf`](_downloads/a8b021f788748b9a2258f186bc5d5f39/BE24.10-STIC_OPNSENSE_HIGH-ETR-v1.0.pdf)
dfb3a7eceeace2302c8b7328602b959a9c3107c14395a591ddc08a704a8f0fdc |
| BE 24.04 | LINCE Compliant | [`BE24.04-STIC_OPNSENSE_CQ-ETR-v1.0.pdf`](_downloads/f32b1732c6ac7038d8591ccbe7a07a88/BE24.04-STIC_OPNSENSE_CQ-ETR-v1.0.pdf)
dd3a6aed7147ebfa64d4242a45001431e4de52d4faada6d5cdbbe0146bdd8790 |
| BE 23.10 | LINCE Compliant / Certification pending | [`BE23.10-STIC_OPNSENSE_CQ-ETR-v1.0.pdf`](_downloads/20ca4bb34ddad83c271bd5fe3c0e6719/BE23.10-STIC_OPNSENSE_CQ-ETR-v1.0.pdf)
3cd1135bee4c17299d4740c10ed9ef965b77be6e3899cc1c7587b9578930ea51 |
| BE 23.04 | LINCE Compliant | [`BR23.04-STIC_OPNSENSE_CQ-ETR-v3.1.pdf`](_downloads/75b0e08ec886ce5e3da2ca965f21b981/BE23.04-STIC_OPNSENSE_CQ-ETR-v3.1.pdf)
9cce20526a25de2f03b29dcb80df8277eac4eb02066e504396c07e0caffd104e |
| BE 22.10 | LINCE Compliant | [`BE22.10-STIC_OPNSENSE_CQ-ETR-v2.0.pdf`](_downloads/66b82066e7e09b1dafb0312f16fcffc1/BE22.10-STIC_OPNSENSE_CQ-ETR-v2.0.pdf)
6fae801d18c3c8574ab8cca9a6f03f8b898dbe8a22136ee8fc8aa01173539fb4 |
| BE 22.04 | LINCE Compliant | [`BE22.04-STIC_OPNSENSE_CQ-ETR-v1.0.pdf`](_downloads/3b90cf0147a3a805907f4b0e04f0a919/BE22.04-STIC_OPNSENSE_CQ-ETR-v1.0.pdf)
5b303285f3b9f9cd6290a623d7c509e48c59da4c678884a1513e84ee7d06d5d1 |
### [External references](#id15)
[](#external-references "Permalink to this heading")
* [https://www.jtsec.es/product-security-testing](https://www.jtsec.es/product-security-testing)
* [Standard definitions](https://www.jtsec.es/files/CCN-LINCE-001_v0.1_final_EN.pdf)
* [Evaluation methodology](https://www.jtsec.es/files/CCN-LINCE-002_v0.1_final_EN.pdf)
* [https://www.ccn.cni.es/index.php/en/menu-ccn-en](https://www.ccn.cni.es/index.php/en/menu-ccn-en)
* [https://oc.ccn.cni.es/en/certified-products/certified-products](https://oc.ccn.cni.es/en/certified-products/certified-products)
---
# Business Edition — OPNsense documentation
* [](index.html)
* Business Edition
* * *
Business Edition[](#business-edition "Permalink to this heading")
===================================================================
[](_images/pexels-field-engineer-442152.jpg)
A mission critical version of the well-known OPNsense firewall.
The Business Edition offers additional safeguards where functional changes are being included in a more conservative manner and feedback has been collected from development and community.
Offering specific business-oriented features and third party security verification. Currently, the only open source LINCE compliant firewall.
* Mission critical
* LINCE compliant (security verification by trained third party independent professionals)
* Commercial firmware repository
* Free GeoIP database
* Official OPNsense Open Virtualisation Image
* Central Management, including easy one click remote host access, provisioning and monitoring.
* Web Application Firewall
* Free E-Book (English & German)
More information:
* [Central Management](vendor/deciso/opncentral.html)
* [Web Application Firewall](vendor/deciso/opnwaf.html)
* [Extended Blocklists](vendor/deciso/extended_dnsbl.html)
---
# Installation and setup — OPNsense documentation
* [](index.html)
* Installation and setup
* * *
Installation and setup[](#installation-and-setup "Permalink to this heading")
===============================================================================
[](_images/architect-architecture-black-and-white-1537008.jpg)
When your device wasn’t shipped with OPNsense® [pre-installed](https://shop.opnsense.com)
, you can find how to install it yourself and which hardware platforms are supported in this chapter.
* * *
* [Hardware sizing & setup](manual/hardware.html)
* [Initial Installation & Configuration](manual/install.html)
* [Virtual & Cloud based Installation](manual/virtuals.html)
* [Updates](manual/updates.html)
* [Included software](manual/software_included.html)
Setup guides[](#setup-guides "Permalink to this heading")
-----------------------------------------------------------
* [Changelogs](manual/how-tos/changelog.html)
* [Serial Access](manual/how-tos/serial_access.html)
* [Installing OPNsense AWS image](manual/how-tos/installaws.html)
* [Installing OPNsense OVA image](manual/how-tos/installova.html)
* [OPNsense Azure Virtual Appliance](manual/how-tos/installazure.html)
---
# Official hardware — OPNsense documentation
* [](index.html)
* Official hardware
* * *
Official hardware[](#official-hardware "Permalink to this heading")
=====================================================================

This chapter contains topics around [official](https://shop.opnsense.com/)
OPNsense supplied equipment.
* [Quickstart / getting started](hardware/quickstart.html)
* [Default Configurations](hardware/defaults.html)
* [Serial Console connectivity](hardware/serial_connectivity.html)
* [BIOS updates / settings](hardware/bios.html)
* [SFP(+) Compatibility](hardware/sfp_compatibility.html)
---
# Lobby — OPNsense documentation
* [](index.html)
* Lobby
* * *
Lobby[](#lobby "Permalink to this heading")
=============================================
[](_images/architecture-building-ceiling-lamp-260931.jpg)
The lobby is the entrance to your (virtual) security appliance, where you can find your dashboard, change your password and end your session. After initial installation, this is the first place you will visit.
* * *
* [General User Interface](manual/gui.html)
* [Dashboard](manual/dashboard.html)
* [Password](manual/lobby_password.html)
* [OPNsense Tools](manual/opnsense_tools.html)
---
# Reporting — OPNsense documentation
* [](index.html)
* Reporting
* * *
Reporting[](#reporting "Permalink to this heading")
=====================================================
[](_images/freelance-graphs-laptop-34069.jpg)
Your firewall collects quite some information about its health and workload, the reporting section will provide insights into these.
* * *
* [System Health & Round Robin Data](manual/systemhealth.html)
* [Using Insight - Netflow Analyzer](manual/how-tos/insight.html)
* [Netflow Export & Analyses](manual/netflow.html)
* [Reporting Settings](manual/reporting_settings.html)
* [Reporting: Traffic](manual/reporting_traffic.html)
* [Reporting: Unbound DNS](manual/reporting_unbound_dns.html)
Setup guides[](#setup-guides "Permalink to this heading")
-----------------------------------------------------------
* [Configure Netflow Exporter](manual/how-tos/netflow_exporter.html)
---
# System — OPNsense documentation
* [](index.html)
* System
* * *
System[](#system "Permalink to this heading")
===============================================
[](_images/control-data-device-270700.jpg)
The system section in the menu houses all general settings for your firewall needed for its operation. This includes options like administrative access, network routing and diagnostics features to debug your devices current activities.
* * *
* [Access / User Management](manual/users.html)
* [Local Users & Groups](manual/how-tos/user-local.html)
* [Access / Servers / LDAP](manual/how-tos/user-ldap.html)
* [Access / Servers / Radius](manual/how-tos/user-radius.html)
* [Two-factor authentication](manual/two_factor.html)
* [Configuration](manual/backups.html)
* [Backups via secure copy (sftp)](manual/sftp-backup.html)
* [Traceability of configuration changes using Git](manual/git-backup.html)
* [Cloud Backup](manual/how-tos/cloud_backup.html)
* [Firmware](manual/firmware.html)
* [Gateways](manual/gateways.html)
* [Gateway groups / Multi WAN](manual/multiwan.html)
* [Multi WAN](manual/how-tos/multiwan.html)
* [High Availability](manual/hacarp.html)
* [Routes](manual/routes.html)
* [Settings](manual/settingsmenu.html)
* [Snapshots](manual/snapshots.html)
* [Trust](manual/certificates.html)
* [Log Files](manual/logging_system.html)
* [Diagnostics](manual/diagnostics_system.html)
Setup guides[](#setup-guides "Permalink to this heading")
-----------------------------------------------------------
* [Configure 2FA TOTP & Google Authenticator](manual/how-tos/two_factor.html)
* [Setup Self-Signed Certificate Chains](manual/how-tos/self-signed-chain.html)
---
# Interfaces — OPNsense documentation
* [](index.html)
* Interfaces
* * *
Interfaces[](#interfaces "Permalink to this heading")
=======================================================
[](_images/blur-close-up-connection-1624895.jpg)
All traffic flowing through your appliance is using (virtual) interfaces, this is where you manage most settings.
* * *
* [Interface configuration](manual/interfaces.html)
* [Devices](manual/other-interfaces.html)
* [Overview](manual/interfaces_overview.html)
* [Settings](manual/interfaces_settings.html)
* [Neighbors](manual/neighbors.html)
* [Virtual IPs](manual/firewall_vip.html)
* [Wireless](manual/wireless.html)
* [IPv6 setup](manual/ipv6.html)
* [Diagnostics](manual/diagnostics_interfaces.html)
Setup Guides[](#setup-guides "Permalink to this heading")
-----------------------------------------------------------
### Interfaces[](#id1 "Permalink to this heading")
* [VLAN and LAGG Setup](manual/how-tos/vlan_and_lagg.html)
* [LAN Bridge](manual/how-tos/lan_bridge.html)
* [VXLAN Bridge](manual/how-tos/vxlan_bridge.html)
* [Transparent Filtering Bridge](manual/how-tos/transparent_bridge.html)
### Wireless and Cellular[](#wireless-and-cellular "Permalink to this heading")
* [Interfaces: Wireless Networks (INTERNAL)](manual/how-tos/interface_wireless_internal.html)
* [Configuring Cellular Modems](manual/how-tos/cellular.html)
### IPv6 Guides[](#ipv6-guides "Permalink to this heading")
* [IPv6 For Zen UK](manual/how-tos/IPv6_ZenUK.html)
* [IPv6 for generic DSL dialup](manual/how-tos/ipv6_dsl.html)
* [IPv6 behind an AVM Fritz!Box](manual/how-tos/ipv6_fb.html)
* [IPv6 Tunnel Broker](manual/how-tos/ipv6_tunnelbroker.html)
### ISP Configuration[](#isp-configuration "Permalink to this heading")
* [Deutsche Telekom Germany IPTV (Magenta TV) setup](manual/how-tos/dt_ger_iptv.html)
* [Orange France FTTH IPv4 & IPv6](manual/how-tos/orange_fr_fttp.html)
* [Orange France IPTV setup](manual/how-tos/orange_fr_tvf.html)
* [SFR/RED France FTTH IPv4 & IPv6 & Phone](manual/how-tos/sfr_red_fr_ftth.html)
* [Setup for Sky UK ISP](manual/how-tos/SkyUK.html)
---
# Firewall — OPNsense documentation
* [](index.html)
* Firewall
* * *
Firewall[](#firewall "Permalink to this heading")
===================================================
[](_images/architecture-buildings-city-327345.jpg)
To manage traffic flowing through your security appliance, a broad range of filtering and shaping features is available. These are all combined in the firewall section.
* * *
* [Generic info](manual/firewall_generic.html)
* [Aliases](manual/aliases.html)
* [Categories](manual/firewall_categories.html)
* [\[Interface\] Groups](manual/firewall_groups.html)
* [Network Address Translation](manual/nat.html)
* [Reflection and Hairpin NAT](manual/how-tos/nat_reflection.html)
* [NPTv6](manual/nptv6.html)
* [Rules](manual/firewall.html)
* [Traffic Shaping](manual/shaping.html)
* [Reserve dedicated bandwidth](manual/how-tos/shaper_dedicated_bw.html)
* [Share internet bandwidth amongst users evenly](manual/how-tos/shaper_share_evenly.html)
* [Limit maximum internet bandwidth users can consume](manual/how-tos/shaper_limit_per_user.html)
* [Prioritize Applications (Weighted) using Queues](manual/how-tos/shaper_prioritize_using_queues.html)
* [Multi Interface shaping for a GuestNet](manual/how-tos/shaper_guestnet.html)
* [Fighting Bufferbloat with FQ\_CoDel](manual/how-tos/shaper_bufferbloat.html)
* [(Advanced) Settings](manual/firewall_settings.html)
* [Normalization](manual/firewall_scrub.html)
* [Configure CARP](manual/how-tos/carp.html)
* [Log Files](manual/logging_firewall.html)
* [Diagnostics](manual/diagnostics_firewall.html)
Setup guides[](#setup-guides "Permalink to this heading")
-----------------------------------------------------------
* [Organize PF Rules by Category](manual/how-tos/fwcategory.html)
* [Configure Spamhaus DROP](manual/how-tos/drop.html)
* [Security Zones](manual/how-tos/security-zones.html)
---
# Services — OPNsense documentation
* [](index.html)
* Services
* * *
Services[](#services "Permalink to this heading")
===================================================
[](_images/black-black-and-white-close-up-1496139.jpg)
Your security appliance comes with quite some services to ease network operation, these can be found in the services menu.
* * *
* [Captive portal & GuestNET](manual/captiveportal.html)
* [DHCP](manual/dhcp.html)
* [Dnsmasq DNS](manual/dnsmasq.html)
* [Intrusion Prevention System](manual/ips.html)
* [IPS SSLBlacklists & Feodo Tracker](manual/how-tos/ips-feodo.html)
* [IPS Block SSL certificates](manual/how-tos/ips-sslfingerprint.html)
* [IPS Bypass local traffic from inspection](manual/how-tos/ips-bypass.html)
* [Monit](manual/monit.html)
* [Network Time](manual/ntpd.html)
* [OpenDNS](manual/opendns.html)
* [Unbound DNS](manual/unbound.html)
* [Router Advertisements](manual/radvd.html)
* [Log Files](manual/logging_services.html)
Setup guides[](#setup-guides "Permalink to this heading")
-----------------------------------------------------------
* [Setup a Guest Network](manual/how-tos/guestnet.html)
---
# Community Plugins — OPNsense documentation
* [](index.html)
* Community Plugins
* * *
Community Plugins[](#community-plugins "Permalink to this heading")
=====================================================================
[](_images/manual_guy.png)
Plugins help extending your security product with additional functionality, some plugins are maintained and supported by the OPNsense team, a lot are supported by the community.
This section houses the documentation available for some of these plugins, not all come with documentation, some might not even need it given the complexity of the functionality.
Routing[](#routing "Permalink to this heading")
-------------------------------------------------
* [Dynamic Routing (FRR)](manual/dynamic_routing.html)
* [Dynamic Routing - RIP Tutorials](manual/how-tos/dynamic_routing_rip.html)
* [Dynamic Routing - OSPF Tutorials](manual/how-tos/dynamic_routing_ospf.html)
* [Dynamic Routing - BGP Tutorials](manual/how-tos/dynamic_routing_bgp.html)
* [Dynamic Routing - BFD Tutorials](manual/how-tos/dynamic_routing_bfd.html)
* [Tayga NAT64 how-to](manual/how-tos/tayga.html)
* [ndproxy (Neighbour Discovery Proxy)](manual/ndproxy.html)
DNS[](#dns "Permalink to this heading")
-----------------------------------------
* [Dynamic DNS](manual/dynamic_dns.html)
* [BIND Plugin](manual/how-tos/bind.html)
* [DNSCrypt-Proxy](manual/how-tos/dnscrypt-proxy.html)
* [Multicast DNS Proxy](manual/how-tos/multicast-dns.html)
VPN[](#vpn "Permalink to this heading")
-----------------------------------------
* [OpenConnect Setup](manual/how-tos/openconnect.html)
* [Stunnel](manual/how-tos/stunnel.html)
* [Zerotier Configuration](manual/how-tos/zerotier.html)
Web[](#web "Permalink to this heading")
-----------------------------------------
* [Reverse Proxy and Webserver](manual/reverse_proxy.html)
* [Anti Virus Engine](manual/antivirus.html)
* [c-icap](manual/how-tos/c-icap.html)
* [ClamAV](manual/how-tos/clamav.html)
* [nginx: Basic Load Balancing](manual/how-tos/nginx.html)
* [nginx: Header Hardening](manual/how-tos/nginx_header_hardening.html)
* [nginx: Local Website Hosting](manual/how-tos/nginx_hosting.html)
* [nginx: Basic Authentication & Authorization](manual/how-tos/nginx_basic_auth.html)
* [nginx: IP Based Access Control Lists](manual/how-tos/nginx_ip_acl.html)
* [nginx: TLS Fingerprints](manual/how-tos/nginx_tls_fingerprints.html)
* [nginx: TLS Authentication & Authorization](manual/how-tos/nginx_tls_auth.html)
* [nginx: Web Application Firewall](manual/how-tos/nginx_waf.html)
* [nginx: TCP And UDP Streams](manual/how-tos/nginx_streams.html)
* [Caddy: Reverse Proxy](manual/how-tos/caddy.html)
* [Caddy: Layer4 Proxy](manual/how-tos/caddy.html#caddy-layer4-proxy)
* [Caddy: Troubleshooting](manual/how-tos/caddy.html#caddy-troubleshooting)
Other[](#other "Permalink to this heading")
---------------------------------------------
* [CPU Microcode updates \[AMD/Intel\]](manual/cpu-microcode.html)
* [Caching Proxy](manual/proxy.html)
* [Advanced Proxy access management](manual/opnproxy.html)
* [Setup Caching Proxy](manual/how-tos/cachingproxy.html)
* [Setup a Guest Network](manual/how-tos/guestnet.html)
* [Setup WPAD / PAC](manual/how-tos/pac.html)
* [Setup Anti Virus Protection](manual/how-tos/proxyicapantivirus.html)
* [Setup Anti Virus Protection using OPNsense Plugins](manual/how-tos/proxyicapantivirusinternal.html)
* [Setup Transparent Proxy](manual/how-tos/proxytransparent.html)
* [Setup Web Filtering](manual/how-tos/proxywebfilter.html)
* [FreeRADIUS](manual/how-tos/freeradius.html)
* [Setup FreeRADIUS for accounting](manual/how-tos/accounting.html)
* [How To: Setting Up A Mail Gateway](manual/how-tos/mailgateway.html)
* [Traceability of configuration changes using Git](manual/git-backup.html)
* [Relayd](manual/relayd.html)
* [Wazuh Agent](manual/wazuh-agent.html)
* [Tor Configuration](manual/how-tos/tor.html)
Reporting[](#reporting "Permalink to this heading")
-----------------------------------------------------
* [ntopng](manual/how-tos/ntopng.html)
---
# Legal notices — OPNsense documentation
* [](index.html)
* Legal notices
* * *
Legal notices[](#legal-notices "Permalink to this heading")
=============================================================
[](_images/opnsense_logo_horizontaal.png)
The OPNsense project wants to be a project that is friendly for users, developers and partners. In this world with trademarks and copyright it is best to “keep things as simple as possible, but not simpler”. Below we pointed out the Licensing and Trademark rules we use.
OPNsense License & Copyright[](#opnsense-license-copyright "Permalink to this heading")
-----------------------------------------------------------------------------------------
OPNsense is licensed under an [Open Source Initiative approved license](http://opensource.org/licenses)
.
We like the BSD license, a simple two clause license that gives freedom to the audience we want to serve. It basically gives you the right to do whatever you want to do with the code, even fork it and take it from there.
OPNsense is available under the BSD 2-Clause “Simplified” license:
[OPNsense®](http://opnsense.org)
is Copyright © 2014 – 2024 by Deciso B.V. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1\. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2\. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OPNsense is based on [FreeBSD](https://www.freebsd.org)
Copyright © The FreeBSD Project. All rights reserved.
OPNsense is a fork of [pfSense®](https://www.pfsense.org)
(Copyright © 2004-2014 Electric Sheep Fencing, LLC. All rights reserved.) a fork from [m0n0wall](http://m0n0.ch/wall/)
(Copyright © 2002-2013 Manuel Kasper).
Packages and ports[](#packages-and-ports "Permalink to this heading")
-----------------------------------------------------------------------
OPNsense includes various freely available software packages and ports. The current ports are listed in a file named ports.conf found in a directory with a version number [here](https://github.com/opnsense/tools/tree/master/config)
.
The authors of OPNsense would like to thank all contributors for their efforts.
Documentation Copyright[](#documentation-copyright "Permalink to this heading")
---------------------------------------------------------------------------------
The documentation is provided under a 2-clause BSD license:
3. Deciso B.V. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1\. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2\. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS DOCUMENTATION IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPNSENSE DOCUMENTATION PROJECT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Pictures Copyright[](#pictures-copyright "Permalink to this heading")
-----------------------------------------------------------------------
Some pictures are licensed under the Creative Commons Zero (CC0) license:
[https://creativecommons.org/publicdomain/zero/1.0/](https://creativecommons.org/publicdomain/zero/1.0/)
Logos Copyright[](#logos-copyright "Permalink to this heading")
-----------------------------------------------------------------
Logos may be subject to additional copyrights, property rights, trademarks etc. and may require the consent of a third party or the license of these rights. Deciso B.V. does not represent or make any warranties that it owns or licenses any of the mentioned, nor does it grant them.
Trademark policy[](#trademark-policy "Permalink to this heading")
-------------------------------------------------------------------
OPNsense is a trademark. If you wish to use the name or logo in any way, you must comply with this policy.
1. The name and logo may be used to promote OPNsense based products or services.
2. The name and logo may be used to promote or serve OPNsense or related projects and their communities.
3. When using the logo on online media like websites, social media and apps the logo should link to [https://opnsense.org](https://opnsense.org)
4. You must request our permission to use derivatives of the name and/or logo at **project** @ **opnsense.org** prior to any use of the derivative name and/or logo, and we may grant or withhold permission to use the derivative name and/or logo in our sole discretion.
5. You may not state or otherwise lead people to believe, that you represent the OPNsense project in any way other than as an individual or corporate contributor to the project.
The official OPNsense logo is available for download: [`OPNsense logo`](_downloads/4a483e070cca7069c9e539596de0a17b/OPNsense_Logo.ai)
.
If you have any questions about this policy, its interpretation, or want to ask for permission please email **project** @ **opnsense.org**.
---
# Third-party Plugins — OPNsense documentation
* [](index.html)
* Third-party Plugins
* * *
Third-party Plugins[](#third-party-plugins "Permalink to this heading")
=========================================================================
[](_images/architecture-blue-sky-business-2599538.jpg)
Like our community plugins in some cases software is delivered under a non-free license, the Third-party section contains the documentation for these packages as provided by Deciso or one of its partners.
For support on this software, please consult the vendor as found below.
Sunnyvalley[](#sunnyvalley "Permalink to this heading")
---------------------------------------------------------
* [Zenarmor (Sensei): Overview](vendor/sunnyvalley/zenarmor.html)
* [Zenarmor (Sensei): Hardware Requirements](vendor/sunnyvalley/zenarmor_hardwarerequirements.html)
* [Zenarmor (Sensei): Installing via Web Interface](vendor/sunnyvalley/zenarmor_install.html)
* [Zenarmor : Installing via Command Line](vendor/sunnyvalley/zenarmor_cmd_install.html)
---
# Troubleshooting — OPNsense documentation
* [](index.html)
* Troubleshooting
* * *
Troubleshooting[](#troubleshooting "Permalink to this heading")
=================================================================

Sometimes, even with all the hard work done to prepare your setup, issues occur. Generally it’s always good to check your logs (System ‣ Log Files or the ones found in the module your trying to setup), but sometimes more help is needed.
General issue workflow[](#general-issue-workflow "Permalink to this heading")
-------------------------------------------------------------------------------
Before reporting issues, please make sure yours still exists on the latest version. We generally advice to check the existing [issues](https://github.com/opnsense/core/issues)
and our [forum](https://forum.opnsense.org/)
before reporting new ones.
In case your issue was introduced after a (minor) upgrade, you can use [opnsense-revert](https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)
to downgrade specific packages installed on the system.
Using the firmware section (System ‣ Firmware ‣ Status) you can perform a health check on the system, on the bottom of the status overview is a button named **Run an audit** which can be expanded to offer the **Health** selection.
When clicked this outputs something like the following:
\*\*\*GOT REQUEST TO AUDIT HEALTH\*\*\*
>>> Check installed kernel version
Version 19.7.3 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 19.7.3 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for and install missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: ....
opnsense-19.7.4\_1: checksum mismatch for /usr/local/etc/inc/auth.inc
Checking all packages...
Checking all packages......... done
\*\*\*DONE\*\*\*
When mismatches are reported, you can reinstall affected packages in the **Packages** section of the firmware screen. In the case above you would reinstall opnsense, since the `auth.inc` looks tainted.
Note
We advise to include the output of the health check if it seems to report issues when creating bug reports on GitHub.
Tip
Always try to be precise in issue reports, either if their about a possible bug or a feature request, it helps if intentions are absolutely clear. Our GitHub repositories use templates which should guide you through, we kindly ask you to use them (tickets not using our templates are treated as low priority).
Topics[](#topics "Permalink to this heading")
-----------------------------------------------
Some of the common mistakes we have seen over the years, combined with pointers where to look for solutions can be found in the list below.
* [Password reset](troubleshooting/password_reset.html)
* [WebGui access reset](troubleshooting/webgui.html)
* [Boot](troubleshooting/boot.html)
* [System hardening vs performance](troubleshooting/hardening.html)
* [Gateways and monitoring](troubleshooting/gateways.html)
* [Network](troubleshooting/network.html)
* [OpenVPN](troubleshooting/openvpn.html)
* [Performance](troubleshooting/performance.html)
---
# Virtual Private Networking — OPNsense documentation
* [](../index.html)
* Virtual Private Networking
* * *
Virtual Private Networking[](#virtual-private-networking "Permalink to this heading")
=======================================================================================
A virtual private network secures public network connections and in doing so it extends the private network into the public network such as internet. With a VPN you can create large secure networks that can act as one private network.
[](../_images/Virtual_Private_Network_overview.png)
(picture from [wikipedia](https://en.wikipedia.org/wiki/File:Virtual_Private_Network_overview.svg)
)
Companies use this technology for connecting branch offices and remote users (road warriors).
OPNsense supports VPN connections for branch offices as well as remote users.
Creating a single secured private network with multiple branch offices connecting to a single site can easily be setup from within the graphical user interface. For remote users, certificates can be created and revoked and a simple to use export utility makes the client configuration a breeze.
OPNsense offers a wide range of VPN technologies ranging from modern SSL VPNs to well known IPsec as well as WireGuard and Zerotier via the use of plugins.
[](../_images/vpn.png)
IPsec[](#ipsec "Permalink to this heading")
---------------------------------------------
Since IPsec is used in many different scenario’s and sometimes has the tendency to be a bit complicated, we will describe different usecases and provide some examples in this chapter.
### General context[](#general-context "Permalink to this heading")
The IPsec module incorporates different functions, which are grouped into various menu items. Since the start of our project we have been offering IPsec features based on the legacy `ipsec.conf` format, which we are migrating to [swantcl.conf](https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html)
as of version 23.1. While migrating the existing featureset we came to the conclusion that the world has changed quite a bit and in order to offer better (api) access to the featureset available we decided to plan for deprecation of the legacy “Tunnel settings” as they have existed since we started. No timeline has been set, only a feature freeze on tunnels using the “Tunnel settings” menu item.
One of the main goals for the long run is to better align the gui components so they reflect the reality underneath, as we use [strongswan](https://www.strongswan.org/)
, our aim is to follow their terminology more closely than we previously did.
The following functions are available in the menu (as of OPNsense 23.1):
* Connections
* New configuration tool offering access to the connections and pools sections of the `swanctl` configuration
* Tunnel Settings
* Legacy IPsec configuration tool
* Mobile Clients
* Offering access to various options of the [attr](https://docs.strongswan.org/docs/5.9/plugins/attr.html)
plugin and pool configurations for legacy tunnels
* Pre-Shared Keys
* Define [secrets](https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_secrets)
to be used for local authentication.
* Key Pairs
* For public key authentication collect public and private keys.
* Advanced Settings
* Define passthrough networks (to exclude from kernel traps), logging options and some generic options
* Status Overview
* Shows tunnel statusses
* Lease Status
* For mobile clients, show address leases for various pools configured
* Security Association Database
* Shows security associations, the fundamental concept of IPsec describing a relationship between two or more entities
* Security Policy Database
* Installed security policies describing which traffic is allowed to pass a tunnel
* Virtual Tunnel Interfaces
* Edit or create new `if_ipsec(4)` interfaces and show the ones created by legacy tunnels
* Log File
* Inspect log entries related to IPsec
### Migrating from tunnels to connections[](#migrating-from-tunnels-to-connections "Permalink to this heading")
Having used the tunnel settings from the early OPNsense days, some terminology might be a bit confusing when moving into the new options offered. This paragraph aims to explain some of the common terms from the tunnel section and their new place in the connections. For a full list of changes, the upstream migration [documentation](https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf)
is an interesting read as well.
* Phase 1 - The general connection settings, like local/remote addressess and general protocol settings. Choices in authentication to use are also part of this, they may involve multiple rounds.
* Phase 2 - Nowadays Strongswan calls these **children**, as these define the `CHILD_SA` subsections in play. This is where you can define the networks on both ends. When multiple segments are being added into the same child, these are being treated as one policy where all of them are able to communicate to eachother.
* Phase 1 / Tunnel Isolation - This option made sure every network defined in phase 2 would be treated as a child of it’s own (e.g. two phase 2’s would turn into two children)
* Phase 2 / Manual SPD entries - Manual SPD entries, this has been replaced with it’s own menu option (Security Policy Database) offering more flexibilty and visibilty.
Note
Using DNS for endpoints is possible, but will work a bit different than previously as in most cases the firewall tried to resolve the names and didn’t use the functionality provided by Strongswan. It is however currently not possible to use DNS entries for VTI tunnels due to restrictions in if\_ipsec(4) as these type of interfaces can’t be changed dynamically in a reliable way.
Note
When migrating Pre-Shared Key type tunnels to connections, make sure to add an entry in the “Pre-Shared Keys” module as well. If both ends should use their own identifier, fill in both local and remote values. The legacy module requested this information in the phase 1 page and wrote the same information to the secrets.
Since OPNsense uses the new Strongswan format also for legacy tunnels, it is rather easy to convert a tunnel manually when downloading the `swanctf.conf` file from the machine. You can download it via VPN -> IPsec -> Advanced Settings -> swanctl.conf. The format is almost identical to the connections gui available in OPNsense.
Let’s take a look at the following `swanctl.conf` that contains a legacy `con1` tunnel:
\# This file is automatically generated. Do not edit
connections {
con1 {
unique \= replace
aggressive \= no
version \= 2
mobike \= yes
local\_addrs \= 203.0.113.1
local\-0 {
id \= 203.0.113.1
auth \= psk
}
remote\-0 {
id \= 198.51.100.1
auth \= psk
}
encap \= no
remote\_addrs \= 198.51.100.1
proposals \= aes256\-sha256\-modp2048
children {
con1 {
start\_action \= start
policies \= yes
mode \= tunnel
sha256\_96 \= no
local\_ts \= 192.168.1.0/24
remote\_ts \= 172.16.100.0/24
reqid \= 1
esp\_proposals \= aes256\-sha256\-modp2048
}
}
}
}
pools {
}
secrets {
ike\-p1\-0 {
id\-0 \= 198.51.100.1
secret \= 0saGVsbG93b3JsZA\==
}
}
To convert this configuration:
* Go to VPN -> IPsec -> Connections
* Press **+** to add a new Tunnel and enable the advanced mode
ConnectionsLocal AuthenticationRemote AuthenticationChildren
| **Option** | **Value** | **swanctl.conf** |
| --- | --- | --- |
| **Proposals** | aes256-sha256-modp2048 (remove default) | proposals = aes256-sha256-modp2048 |
| **Unique** | Replace | unique = replace |
| **Version** | IKEv2 | version = 2 |
| **Local addresses** | 203.0.113.1 | local\_addrs = 203.0.113.1 |
| **Remote addresses** | 198.51.100.1 | remote\_addrs = 198.51.100.1 |
| **Description** | con1-phase1 | |
Press Save, then move to Local Authentication and press **+**
| **Option** | **Value** | **swanctl.conf** |
| --- | --- | --- |
| **Connection** | con1-phase1 | |
| **Round** | 0 | local-0 |
| **Authentication** | Pre-Shared Key | auth = psk |
| **Id** | 203.0.113.1 | id = 203.0.113.1 |
| **Description** | 203.0.113.1 | |
Press Save, then move to Remote Authentication and press **+**
| **Option** | **Value** | **swanctl.conf** |
| --- | --- | --- |
| **Connection** | con1-phase1 | |
| **Round** | 0 | remote-0 |
| **Authentication** | Pre-Shared Key | auth = psk |
| **Id** | 198.51.100.1 | id = 198.51.100.1 |
| **Description** | 198.51.100.1 | |
Press Save, then move to Children and press **+**
| **Option** | **Value** | **swanctl.conf** |
| --- | --- | --- |
| **Connection** | con1-phase1 | |
| **Mode** | Tunnel | mode = tunnel |
| **Policies** | X | policies = yes |
| **Start action** | Start | start\_action = start |
| **Reqid** | 1000 | reqid = 1 |
| **ESP proposals** | aes256-sha256-modp2048 (remove default) | esp\_proposals = aes256-sha256-modp2048 |
| **Local** | 192.168.1.0/24 | local\_ts = 192.168.1.0/24 |
| **Remote** | 172.16.100.0/24 | remote\_ts = 172.16.100.0/24 |
| **Description** | con1-phase2 | |
Press Save, then Save again to store the new Connection.
Note
Read about the reqid in the section [Combining legacy tunnels and connections](#vpnet-combining-legacy-connections)
Now we must configure a Pre-Shared Key that matches the Local Authentication and Remote Authentication:
* Go to VPN -> IPsec -> Pre-Shared Keys
* Press **+** to add a new Pre-Shared Key
Pre-Shared Key
| **Option** | **Value** | **swanctl.conf** |
| --- | --- | --- |
| **Local Identifier** | 203.0.113.1 (required now) | |
| **Remote Identifier** | 198.51.100.1 | id-0 = 198.51.100.1 |
| **Pre-Shared Key** | helloworld | secret = 0saGVsbG93b3JsZA== |
| **Type** | PSK | auth = psk |
| **Description** | con1-phase1 | |
Note
Gather the unhashed secret from VPN -> IPsec -> Tunnel Settings. Generally it is good practice to document these secrets in a password manager.
After the initial configuration, go to VPN -> IPsec -> Tunnel Settings and deactivate the con1 tunnel by unchecking Enabled in Phase1 and Phase2.
Go back to VPN -> IPsec -> Connections and ensure the new tunnel is Enabled. Press Apply and the new configuration will be active.
### Combining legacy tunnels and connections[](#combining-legacy-tunnels-and-connections "Permalink to this heading")
It is possible to combine tunnels and connections, but there are some constraints. As our legacy tunnels force a `reqid` for each configured child (phase 2), there is a risk the automated numbering from the new connection children overlaps. To prevent these overlaps, its required to set an unused `reqid` in the connection child.
### Security policies and routing[](#security-policies-and-routing "Permalink to this heading")
In order to pass traffic over an IPsec tunnel, we need a policy matching the traffic. By default when adding a phase 2 (or child) policy a “kernel route” is installed as well, which traps traffic before normal routing takes place.
Note
Without a policy in place for the tunnel, traffic won’t be accepted, in case a policy with a kernel route overlaps a local or locally routed network the traffic will not be received by the host in question.
Tip
When matching overlapping networks in a policy (VTI or overlapping networks), make sure to exclude your own network segments in the `Passthrough networks` option in VPN -> IPsec -> Advanced Settings to prevent traffic being blackholed.
### Firewall rules[](#firewall-rules "Permalink to this heading")
When using the legacy tunnels and `Disable Auto-added VPN rules` is not checked in VPN ‣ IPsec ‣ Advanced Settings some automatic firewall rules are created for remote hosts connecting to this one. The new connections feature does not offer this and (WAN) rules have to be specified manually in order to connect to IPsec on this host.
The relevant protocols and ports for IPsec are the following:
* Protocol: ESP ([https://en.wikipedia.org/wiki/IPsec#Encapsulating\_Security\_Payload](https://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload)
)
* Port: 500/UDP ([https://en.wikipedia.org/wiki/Internet\_Security\_Association\_and\_Key\_Management\_Protocol](https://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol)
)
* Port: 4500/UDP ([https://en.wikipedia.org/wiki/NAT\_traversal#IPsec](https://en.wikipedia.org/wiki/NAT_traversal#IPsec)
)
Note
One of the main reasons we are not offering automatic rules is that their either more open than expected (allow IPsec from anywhere) or too closed as the rule engine will “guess” the remote endpoint (in case of a fqdn).
The default behavior of our firewall is to block inbound traffic, which also means traffic using the tunnel should be allowed explicitly, the Firewall ‣ Rules ‣ IPsec menu items offer access to the IPsec traffic policies.
### Dead Peer Detection (DPD)[](#dead-peer-detection-dpd "Permalink to this heading")
Dead Peer Detection (DPD) is a method of detecting a dead IKE peer as specified by [RFC 3706](https://www.ietf.org/rfc/rfc3706.txt)
.
When a peer is assumed dead, an action may be specified, such as closing the CHILD\_SA or re-negotiate the CHILD\_SA under a fresh IKE\_SA.
Note
DPD is disabled by default, when using connections, make sure to specify a `DPD delay (s)` > 0 to enable the feature. Actions may be specified on its children.
When using IKEv1 a `dpdtimeout` can be specified to control when a peer is considered to be inaccesible. This setting has no effect on how IKEv2 handles retransmissions, in which case the general settings will be used as specified in the following [document](https://docs.strongswan.org/docs/5.9/config/retransmission.html)
.
Warning
By default for IKEv2 the timeout on connections triggering a dpd action takes at least a couple of minutes, when quicker interaction is needed the `charon` retransmit timings should be changed which applies to all tunnels. These settings can be changed via the Advanced settings, or when not yet supported on your version, a custom strongswan configuration.
### Implementation schemes[](#implementation-schemes "Permalink to this heading")
When setting up IPsec VPNs there are two main types of scenario’s with their own advantages and disadvantages.
#### Policy based[](#policy-based "Permalink to this heading")
The first one is the standard policy based tunnel, which guards the security of the tunnel with policies and installs kernel traps to send traffic over the tunnel in case it matches these policies. For example a local network `192.168.1.0/24` sending traffic to a remote location responsible for `192.168.2.0/24`. The advantage of this scenario is the ease of setup, no routes are needed to be configured, when in this example `192.168.1.10` contacts `192.168.2.10` the packets are seamlessly forwarded over the tunnel to the remote location.
When local traffic doesn’t match the policies in question due to the tunnel needing Network Address Translation, that’s also possible as long as policies are manually added to the security policy database, this is also referred to as “NAT before IPsec”.
#### Route based (VTI)[](#route-based-vti "Permalink to this heading")
Route based, also known as VTI, tunnels are using a virtual interface known as `if_ipsec(4)`, which can be found under VPN -> IPsec -> Virtual Tunnel Interfaces. This links two ends of the communication for routing purposes after which normal routing applies. The “(Install) Policies” checkmark needs to be disabled in this case for the child (phase 1 in the legacy tunnel configuration) definition. Usually the communication policy (phase 2 or child) is set to match all traffic (either `0.0.0.0/0` for IPv4 or `::/0` for IPv6).
So the same example as the policy based option would need (static) routes for the destinations in question (`192.168.1.0/24` needs a route to `192.168.2.0/24` and vice versa), peering happens over a small network in another subnet (for example `10.0.0.1` <-> `10.0.0.2`) bound to the tunnel interface.
The advantage of this type of setup is one can use standard or advanced routing technologies to forward traffic around tunnels.
Note
In order to filter traffic on the `if_ipsec(4)` device some tunables need to be set. Both `net.inet.ipsec.filtertunnel` and `net.inet6.ipsec6.filtertunnel` need to be set to `1` and `net.enc.in.ipsec_filter_mask` and `net.enc.out.ipsec_filter_mask` need to be set to `0` in order to allow rules on the device. The downside is that policy based tunnels (`enc0`) can not be filtered anymore as this changes the behaviour from filtering on the `enc0` device to the `if_ipsec(4)` devices.
Warning
Currently it does not seem to be possible to add NAT rules for `if_ipsec(4)` devices.
Warning
The most reliable VTI tunnel setups use static addresses on both ends of the tunnel as the `if_ipsec(4)` device matches both source and destination [\[#\]](https://github.com/freebsd/freebsd-src/blob/c8ee75f2315e8267ad814dc5b4645ef205f0e0e1/sys/net/if_ipsec.c#L479)
. In recent versions of our product it is possible to auto-detect and reconfigure the tunnel on connect by keeping both local and remote addresses of the VTI empty in VPN ‣ IPsec ‣ Virtual Tunnel Interfaces.
Tip
Since VTI tunnels are bound to requestid’s it is important CHILD\_SA’s are instantiated not more than once. To prevent duplicate children, configure Unique as Replace on the instance (advanced mode) and use a “trap” policy for the start action.
### Road Warriors / Mobile users[](#road-warriors-mobile-users "Permalink to this heading")
IPsec may also be used to service remote workers connecting to OPNsense from various clients, such as Windows, MacOS, iOS and Android. The type of client usually determines the authentication scheme(s) being used.
In case clients should be offered default settings, these can be configured from VPN -> IPsec -> Mobile Clients. Pool options (Virtual IPvX Address Pool) on this page will be used by the legacy tunnel configuration only, when using the new connections module one may configure different pools per connection.
Note
If you are configuring Radius authentication using the new Connections module, make sure to select the relevant Radius servers in VPN -> IPsec -> Mobile Clients under Radius (eap-radius). This pool of servers will be shared across all connections. This option will not be visibile if you have legacy Radius authentication methods configured.
The examples section contains various options available in OPNsense. When using the new “connections” option available as of OPNsense 23.1, different [examples from Strongswan](https://docs.strongswan.org/docs/5.9/interop/windowsClients.html)
are usually quite easy to implement as we follow the [swantcl.conf](https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html)
format quite closely in the new module.
### Examples[](#examples "Permalink to this heading")
This paragraph offers examples for some commonly used implementation scenarios.
#### New > 23.1 (VPN -> IPsec -> Connections)[](#new-23-1-vpn-ipsec-connections "Permalink to this heading")
* [IPsec - Policy based public key setup](how-tos/ipsec-s2s-conn.html)
* [IPsec - Route based (VTI) PSK setup](how-tos/ipsec-s2s-conn-route.html)
* [IPsec - NAT before IPsec](how-tos/ipsec-s2s-conn-binat.html)
* [IPsec - Roadwarriors IKEv2](how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html)
Tip
The number of examples for the new module on our end is limited, but for inspiration it’s often a good idea to walkthrough the examples provided by [Strongswan](https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation#Configuration-Examples)
. Quite some swanctl.conf examples are easy to implement in our new module as we do follow the same terminology.
#### Legacy (VPN -> IPsec -> Tunnel Settings)[](#legacy-vpn-ipsec-tunnel-settings "Permalink to this heading")
* [IPsec - Site to Site tunnel](how-tos/ipsec-s2s.html)
* [IPSec - BINAT (NAT before IPSec)](how-tos/ipsec-s2s-binat.html)
* [IPsec VTI - Route based setup](how-tos/ipsec-s2s-route.html)
* [IPsec VTI - connect to Microsoft Azure](how-tos/ipsec-s2s-route-azure.html)
* [Road Warriors - Setup Remote Access](how-tos/ipsec-rw.html)
* [IPsec: Setup OPNsense for IKEv2 EAP-RADIUS](how-tos/ipsec-rw-srv-eapradius.html)
* [IPsec: Setup OPNsense for IKEv2 EAP-TLS](how-tos/ipsec-rw-srv-eaptls.html)
* [IPsec: Setup OPNsense for IKEv1 using XAuth](how-tos/ipsec-rw-srv-ikev1xauth.html)
* [IPsec: Setup OPNsense for IKEv2 EAP-MSCHAPv2](how-tos/ipsec-rw-srv-mschapv2.html)
* [IPsec: Setup OPNsense for IKEv2 Mutual RSA + MSCHAPv2](how-tos/ipsec-rw-srv-rsamschapv2.html)
The following client setup examples are available in our documentation:
* [IPsec: Setup Android Remote Access](how-tos/ipsec-rw-android.html)
* [IPsec: Setup Linux Remote Access](how-tos/ipsec-rw-linux.html)
* [IPsec: Setup Windows Remote Access](how-tos/ipsec-rw-w7.html)
Note
Using Network Address Translation in policy based tunnels is different, due to the fact that the installed IPsec policy should accept the traffic in order to encapsulate it. The IPSec BINAT document will explain how to apply translations.
### CARP considerations[](#carp-considerations "Permalink to this heading")
When using IPsec in a high availability setup, it is important to understand the implications of the setup. Without assuming what the remote gateway looks like (which may be a single device or a high availability setup as well), the following considerations should be taken into account:
* For IKEv2, MOBIKE should be disabled. Due to the nature of CARP, a virtual IP in backup state will “disappear”, which will trigger MOBIKE to try to re-establish the connection from a different available IP, thus overriding your “Local address” configuration. In a lot of cases this will be the primary IP of the WAN interface.
* In all cases (initiator, responder or both) the “Local Address” must be set to a CARP virtual IP.
* DPD must at least be configured on the peer to detect a non-responsive peer and reauthenticate the connection. DPD is usually the limiting factor in failover response time and is therefore the primary functionality to adjust to allow for faster failover. See the DPD section for more information and constraints.
* IPsec connections never failover seamlessly between primary and backup and always need a fresh IKE\_SA. If quicker failover is required, dynamic routing with route-based tunnels is likely a better solution.
### Tuning considerations[](#tuning-considerations "Permalink to this heading")
Depending on the workload (many different IPsec flows or a single flow), it might help to enable multithreaded crypto mode on `ipsec`, in which case cryptographic packets are dispatched to multiple processors (especially when only a single tunnel is being used).
In order to do so, add or change the following tunable in System ‣ Settings ‣ Tunables:
Note
`net.inet.ipsec.async_crypto` = **1**
To distribute load better over available cores in the system, it may help to enable [receive side scaling](../troubleshooting/performance.html)
. In which case the following tunables need to be changed:
Note
* `net.isr.bindthreads` = **1**
* `net.isr.maxthreads` = **\-1** <– equal the number of cores in the machine
* `net.inet.rss.enabled` = **1**
* `net.inet.rss.bits` = **X** <– see [rss](../troubleshooting/performance.html)
document.
### Miscellaneous variables[](#miscellaneous-variables "Permalink to this heading")
#### Path MTU Discovery[](#path-mtu-discovery "Permalink to this heading")
When trying to enforce path mtu discovery ([PMTU](https://en.wikipedia.org/wiki/Path_MTU_Discovery)
), you need to make sure packets leave the network with the `DF` set. The kernel offers a tunable `net.inet.ipsec.dfbit` which offers 3 options, `0`, clear the bit on packets leaving the firewall (default), `1`, set the DF bit or `2` to copy the bit from the inner header.
### Diagnostics[](#diagnostics "Permalink to this heading")
In order to keep track of the connected tunnels, you can use the VPN -> IPsec -> Status Overview to browse through the configured tunnels.
The VPN -> IPsec -> Security Policy Database is also practical to gain insights in the registered policies, when NAT is used, the additional SPD entries should be visible here as well.
When troubleshooting problems with your firewall, it is very likely you have to check the logs available on your system. In the UI of OPNsense, the log files are generally grouped with the settings of the component they belong to. The log files can be found in the “Log file” menu item.
Tip
When trying to debug various issues, the amount of log information gathered can be configured using the settings in VPN -> IPsec -> Advanced Settings.
### Custom configurations[](#custom-configurations "Permalink to this heading")
In some (rare) cases one might want to add custom configuration options not available in the user interface, for this reason we do support standard includes.
While the `swanctl.conf` and the legacy `ipsec.conf` configuration files are well suited to define IPsec-related configuration parameters, it is not useful for other strongSwan applications to read options from these files. To configure these other components, it is possible to manually append options to our default template, in which case files may be placed in the directory `/usr/local/etc/strongswan.opnsense.d/` using the file extention `.conf`
IPsec configurations are managed in [swantcl.conf](https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html)
format (as of 23.1), merging your own additions is possible by placing files with a `.conf` extension in the directory `/usr/local/etc/swanctl/conf.d/`.
Warning
Files added to these directories will not be mainted by the user interface, if you’re unsure if you need this, it’s likely a good idea to skip adding files here as it might lead to errors difficult to debug.
Note
Prior to version 23.1 it was also possible to add secrets and ipsec configurations in `/usr/local/etc/ipsec.secrets.opnsense.d/` and `/usr/local/etc/ipsec.opnsense.d/`, with the switch to 23.1 these files are deprecated and should be manually migrated into swanctl.conf format.
OpenVPN (SSL VPN)[](#openvpn-ssl-vpn "Permalink to this heading")
-------------------------------------------------------------------
One of the main advantages of OpenVPN in comparison to IPsec is the ease of configuration, there are fewer settings involved and it’s quite simple to export settings for clients.
### General context[](#id1 "Permalink to this heading")
The OpenVPN module incorporates different functions to setup secured networks for roadwarriors and side to side connections. Since the start of our project we organized the openvpn menu section into servers and clients, which actually is a role for the same OpenVPN process. As our legacy system has some disadvantages which are difficult to fix in a migration, we have chosen to add a new component named `Instances` in version 23.7 which offers access to OpenVPN’s configuration in a similar way as the upstream [documentation](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/)
describes it. This new component will eventually replace the existing client and server options in a future version of OPNsense, leaving enough time to migrate older setups.
Tip
When upgrading into a new major version of OPNsense, always make sure to read the release notes to check if your setup requires changes.
Note
OpenVPN on OPNsense can also be used to create a tunnel between two locations, similar to what IPsec offers. Generally the performance of IPsec is higher which usually makes this a less common choice. Mobile usage is really where OpenVPN excells, with various (multifactor) authentication options and a high flexibility in available network options.
The following functions are available in the menu (as of OPNsense 23.7):
* Instances
* New instances tool offering access to server and client setups
* Servers
* Legacy server configuration tool
* Clients
* Legacy client configuration tool
* Client Specific Overrides
* Set client specific configurations based on the client’s X509 common name.
* Client Export
* Export tool for client configurations, used for server type instances
* Connection Status
* Show tunnel statusses
* Log File
* Inspect log entries related to OpenVPN
### Public Key Infrastructure (X.509)[](#public-key-infrastructure-x-509 "Permalink to this heading")
OpenVPN is most commonly used in combination with a public key infrastructure, where we use a certificate autority which signs certificates for both server and clients (Also know as TLS Mode). More information about this topic is available in our [Trust section](certificates.html)
.
Tip
As of version 24.1 OPNsense is able to use OCSP to validate client certificates when using the new Instances. Make sure `Use OCSP (when available)` is enabled in the trust section of the server instance and the CA used contains a proper `AuthorityInfoAccess` extension as described in our [Trust section](certificates.html)
.
### Firewall rules[](#id2 "Permalink to this heading")
To allow traffic to the tunnel on any interface, a firewall rule is needed to allow the tunnel being established. The default port for OpenVPN is `1194` using protocol `UDP`.
After communication has been established, it’s time to allow traffic inside the tunnel. All OpenVPN interfaces defined in OPNsense are [grouped](firewall_groups.html)
as OpenVPN.
Tip
In order to use features as policy based routing or manual routes, you can [assign](interfaces.html)
the underlying devices and use them in a similar fashion as physical interfaces.
### High availability \[CARP\][](#high-availability-carp "Permalink to this heading")
When operating an OpenVPN server, there’s not much needed to allow an active/passive setup for your environment other then using a virtual (CARP) address. As the server will stop receiving traffic when the virtual address doesn’t it, the backup will eventually become out of service automatically.
In client mode, the OpenVPN instance needs to stop trying to reconnect when it’s not in `MASTER` mode, the legacy client module shutsdown all instances directly attached to the interface. Our new instances module allows to select the `vhid` to track. In most cases an explicit bind isn’t needed for a client, the default for a client is to use the `nobind` option.
Note
It’s not possible to move between machines fully seamless as the client will have to reconnect in order to reach a valid state again.
### Examples[](#id3 "Permalink to this heading")
This paragraph offers examples for some commonly used implementation scenarios.
Note
When using a site to site example with `SSL/TLS` instead of a shared key, make sure to configure “client specific overrides” as well to correctly bind the remote networks to the correct client.
#### Legacy (VPN -> OpenVPN -> Client|Server)[](#legacy-vpn-openvpn-client-server "Permalink to this heading")
* [Setup SSL VPN site to site tunnel](how-tos/sslvpn_s2s.html)
* [Setup SSL VPN Road Warrior](how-tos/sslvpn_client.html)
#### New (VPN -> OpenVPN -> Instances)[](#new-vpn-openvpn-instances "Permalink to this heading")
* [Setup SSL VPN site to site tunnel](how-tos/sslvpn_instance_s2s.html)
* [Setup SSL VPN Road Warrior](how-tos/sslvpn_instance_roadwarrior.html)
### Client Specific Overrides[](#client-specific-overrides "Permalink to this heading")
The mechanism of client overrides utilises OpenVPN `client-config-dir` option, which offer the ability to use specific client configurations based on the client’s X509 common name.
It is possible to specify the contents of these configurations in the gui under VPN -> OpenVPN -> Client Specific Overrides. Apart from that, an authentication server (System -> Access -> Servers) can also provide client details in special cases when returning `Framed-IP-Address`, `Framed-IP-Netmask` and `Framed-Route` properties.
Note
Client specific overwrites will be written **after** authentication or client connect (depending on the type of setup). This in order for authentication services like RADIUS to be able to provision additional properties, such as tunnel and local networks.
A selection of the most relevant settings can be found in the table below.
| | |
| --- | --- |Client Specific Overrides[](#id6 "Permalink to this table")
| Parameter | Purpose |
| --- | --- |
| Disabled | Set this option to disable this client-specific override without removing it from the list |
| Servers | Select the OpenVPN servers where this override applies to, leave empty for all |
| Common name | The client’s X.509 common name, which is where this override matches on |
| IPv\[4\|6\] Tunnel Network | The tunnel network to use for this client per protocol family, when empty the servers will be used |
| IPv\[4\|6\] Local Network | The networks that will be accessible from this particular client per protocol family. |
| IPv\[4\|6\] Remote Network | These are the networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. |
| Redirect Gateway | Force the clients default gateway to this tunnel |
Note
When configuring tunnel networks, make sure they fit in the network defined on the server tunnel itself to allow the server to send data back to the client. For example in a `10.0.0.0/24` network you are able to define a client specific one like `10.0.0.100/30`.
To reduce the chances of a collision, also make sure to reserve enough space at the server as the address might already be assigned to a dynamic client otherwise.
Tip
When using topology “subnet” the netmask usually equals the one defined in the instance itself as the gateway being pushed to the client is the first adress in the network and otherwise unreachable.
**Troubleshooting common issues**
The most common causes for non functional overwrites are caused by mismatches, in order to debug these, make sure to check the logs for messages like the following:
* `Locate overwrite for 'XXX' using server 'XXX' (vpnid: XXX)` << trying to find an overwrite (user authentication))
* Usually followed by `user 'XXX' authenticated using 'XXX' XXX` showing username, authenticator used and optionally the overwrite type and filename.
* `client config created @ XXX` << file written on client connect (without user authentication)
* `unable to write client config for XXX, missing target filename` << no matching overwrite found (without user authentication)
By default overwrites are matched by certificate common name, when `Force CSO Login Matching` (legacy) or `Username as CN` (instances) are set the username will be used instead.
Wireguard[](#wireguard "Permalink to this heading")
-----------------------------------------------------
### General context[](#id4 "Permalink to this heading")
WireGuard® is a simple yet fast and modern VPN solution, which in some cases is more convenient than IPsec or OpenVPN, certainly in terms of options you need to configure. In our experience IPsec is the fastest solution for site-to-site connections, but Wireguard is the simplest option to setup.
A wireguard setup on our end exists of the following main components:
* Instances: in the wireguard configuration these are called “interfaces” and they describe how the virtual `wgX` device on our end is configured in terms of addressing and cryptography.
* Peers: these are the clients that are allowed to connect to us, described by their optional remote address including the networks that are allowed to pass through the tunnel. Peers belong to one or more instances.
### Instances[](#instances "Permalink to this heading")
In order to configure an instance, we start by adding one in the gui and generate a keypair. The public key is usually required for the other end of the tunnel (peer). An unused port to listen on is required as well. The tunnel addresses are configured on the `wgX` device (which is always visible in Interfaces ‣ Overview).
By default, when “_Disable routes_” is not set, routes are created for each connected peer to the networks selected in “_Allowed IPs_”, optionally only a single gateway route might be configured as well.
Note
When choosing tunnel addresses, make sure the network defined includes the addresses being used by the peers. For example when choosing `10.10.0.1/24` the `wgX` instance has this address configured and is able to accept a peer using `10.10.0.2/32`.
Tip
Remember to create a firewall rule to allow traffic to the configured port and inside the tunnel.
### Peers[](#peers "Permalink to this heading")
Peers define the hosts that we exchange information with, which might be a road-warrior type or a static destination, in which case you either provide or omit an “_Endpoint Address and Port_”. At minimum you need the public key of the other party, optionally you may offer a pre-shared key as additional security measure. The “_Allowed IPs_” define the networks that are allowed to pass the tunnel.
Note
In most cases the “_Allowed IPs_” list contains the networks used on the remote host and the peer ip address (instance/tunnel address) configured on the other end.
Tip
When NAT and firewall traversal persistence is required, the :code:\` Keepalive interval\` can be used to exchange packets every defined interval ensuring states will not expire.
### Peer generator[](#peer-generator "Permalink to this heading")
When creating login credentials for multiple clients, a more practical method is also available to generate these. The peer generator offers you a simple selection for the instance you wish to generate credentials for and stores relevant fields like endpoint location for future use. It also helps to assign IP addresses to clients based on the network defined in the instance.
Warning
Since IP addresses are only stored when the user saves the profile (and calculated upfront), it’s not possible to create users for the same instance concurrently.
Each newly created client will receive a keypair, for which the public key will be stored on the firewall in the peers section.
Note
The private key will not be stored on the firewall as this only belongs to the device your installing the profile on. Regenerating a config file, automatically means you will need to import it again in the client as well to avoid trust being broken.
After providing the relevant information for the client to login, you can copy the qrcode or the text in the `Config` text box to configure the client.
Don’t forget to press the “Store and generate next” button to actually store the public information in the firewall and click “Apply” on the “Peers” page so the client is able to login.
### High availability (using CARP)[](#high-availability-using-carp "Permalink to this heading")
When using wireguard on active/passive high availability clusters, only one instance at a time is allowed to communicate to the other party. In OPNsense this can be reached by selecting a `vhid` to track as instance dependancy {Depend on (CARP)}.
If an instance depends on a CARP vhid, it will query the current status and determine if the interface should be usable (when MASTER), the interface status (up/down) will be toggled accordingly.
Note
As the interface itself will not change, all of its addresses and routes remain when not being active. This ensures a relatively quick switch between roles.
Tip
Because the carp dependancy is managed per instance, you are able to keep tunnels available selectively, for example to manage the machines remotely.
### Diagnostics and debugging[](#diagnostics-and-debugging "Permalink to this heading")
In VPN ‣ WireGuard ‣ Status you can find the configured instances and peers including their last known handshake and the amount of data being exchanged. For Instances you are also able to see if the device underneath (`wgX`) is up or down, depending on the carp status described in the previous chapter.
Tip
Althought wireguard itself offers very limit logging, our setup process will make a note of errors and signal about certain events. When having issues configuring an instance or peer, always make sure to check the logs in VPN ‣ WireGuard ‣ Log File first.
Warning
When having issues exchanging packets between both ends of the tunnel, always make sure to check if the “_Allowed IPs_” in the peer configurations contain the proper networks. In case traffic is not allowed when traveling **in**, its dropped silently (a capture will not show it), roughly the same happens when traveling **out**, a capture will show it, but nothing will be send out.
Note
Runtime debugging from the console is possible using the `ifconfig` command, for more information see the upstream [manual page](https://man.freebsd.org/cgi/man.cgi?wg(4))
### Examples[](#id5 "Permalink to this heading")
This paragraph offers examples for some commonly used implementation scenarios.
* [WireGuard Site-to-Site Setup](how-tos/wireguard-s2s.html)
* [WireGuard Road Warrior Setup](how-tos/wireguard-client.html)
* [WireGuard AzireVPN Road Warrior Setup](how-tos/wireguard-client-azire.html)
* [WireGuard MullvadVPN Road Warrior Setup](how-tos/wireguard-client-mullvad.html)
* [WireGuard ProtonVPN Road Warrior Setup](how-tos/wireguard-client-proton.html)
* [WireGuard Selective Routing to External VPN Endpoint](how-tos/wireguard-selective-routing.html)
Plugin VPN options[](#plugin-vpn-options "Permalink to this heading")
-----------------------------------------------------------------------
Via plugins additional VPN technologies are offered, including:
* **OpenConnect** - SSL VPN client, initially build to connect to commercial vendor appliances like Cisco ASA or Juniper.
* **Stunnel** - Provides an easy to setup universal TLS/SSL tunneling service, often used to secure unencrypted protocols.
* **Tinc** - Automatic Full Mesh Routing
* **WireGuard** - Simple and fast VPN protocol working with public and private keys.
* **Zerotier** - seamlessly connect everything, requires account from zerotier.com, free for up to 100 devices.
* [OpenConnect Setup](how-tos/openconnect.html)
* [Stunnel](how-tos/stunnel.html)
* [Zerotier Configuration](how-tos/zerotier.html)
---
# Development Manual — OPNsense documentation
* [](index.html)
* Development Manual
* * *
Development Manual[](#development-manual "Permalink to this heading")
=======================================================================

The OPNsense® project invites developers to start developing with OPNsense: “For your own purpose or even better to join us in creating the best open source firewall available!” The development workflow & build process have been redesigned to make it more straightforward and easy for developers to build OPNsense.
Being able to get the sources and build it yourself is one of the key factors of open source software. One reason that for starting the OPNsense project is that the team believes sources and build tools should be freely available and as easy to use as possible.
* [Development Workflow](development/workflow.html)
* [Coding Guidelines](development/guidelines.html)
* [Basics and Future](development/guidelines/basics.html)
* [PSR-1 Basic Coding Standard](development/guidelines/psr1.html)
* [PSR-2 Coding Style Guide](development/guidelines/psr2.html)
* [PSR-12 Coding Style Guide](development/guidelines/psr12.html)
* [Python PEPs](development/guidelines/peps.html)
* [Architecture](development/architecture.html)
* [Backend](development/backend.html)
* [Overview](development/backend/overview.html)
* [Bootup / autorun options](development/backend/autorun.html)
* [CARP status](development/backend/carp.html)
* [Using configd](development/backend/configd.html)
* [Using plugins](development/backend/legacy.html)
* [Using Templates](development/backend/templates.html)
* [Frontend](development/frontend.html)
* [Creating Models](development/frontend/models.html)
* [Creating Models / Field types](development/frontend/models_fieldtypes.html)
* [Routing](development/frontend/routing.html)
* [Using controllers and views](development/frontend/controller.html)
* [View construction (and tools)](development/frontend/view_js_helpers.html)
* [Dashboard widgets](development/frontend/dashboard.html)
* [Components](development/components.html)
* [Menu System](development/components/menusystem.html)
* [Access Control List](development/components/acl.html)
* [Authentication](development/components/authentication.html)
* [API Reference](development/api.html)
* [Auth](development/api/core/auth.html)
* [Captiveportal](development/api/core/captiveportal.html)
* [Core](development/api/core/core.html)
* [Cron](development/api/core/cron.html)
* [Dhcp](development/api/core/dhcp.html)
* [Dhcpv4](development/api/core/dhcpv4.html)
* [Dhcpv6](development/api/core/dhcpv6.html)
* [Dhcrelay](development/api/core/dhcrelay.html)
* [Diagnostics](development/api/core/diagnostics.html)
* [Firewall](development/api/core/firewall.html)
* [Firmware](development/api/core/firmware.html)
* [Ids](development/api/core/ids.html)
* [Interfaces](development/api/core/interfaces.html)
* [Ipsec](development/api/core/ipsec.html)
* [Kea](development/api/core/kea.html)
* [Menu](development/api/core/menu.html)
* [Monit](development/api/core/monit.html)
* [Openvpn](development/api/core/openvpn.html)
* [Proxy](development/api/core/proxy.html)
* [Routes](development/api/core/routes.html)
* [Routing](development/api/core/routing.html)
* [Syslog](development/api/core/syslog.html)
* [Trafficshaper](development/api/core/trafficshaper.html)
* [Trust](development/api/core/trust.html)
* [Unbound](development/api/core/unbound.html)
* [Wireguard](development/api/core/wireguard.html)
* [Acmeclient](development/api/plugins/acmeclient.html)
* [Apcupsd](development/api/plugins/apcupsd.html)
* [Backup](development/api/plugins/backup.html)
* [Bind](development/api/plugins/bind.html)
* [Caddy](development/api/plugins/caddy.html)
* [Chrony](development/api/plugins/chrony.html)
* [Cicap](development/api/plugins/cicap.html)
* [Clamav](development/api/plugins/clamav.html)
* [Collectd](development/api/plugins/collectd.html)
* [Crowdsec](development/api/plugins/crowdsec.html)
* [Dechw](development/api/plugins/dechw.html)
* [Diagnostics](development/api/plugins/diagnostics.html)
* [Dnscryptproxy](development/api/plugins/dnscryptproxy.html)
* [Dyndns](development/api/plugins/dyndns.html)
* [Fetchmail](development/api/plugins/fetchmail.html)
* [Forms](development/api/plugins/forms.html)
* [Freeradius](development/api/plugins/freeradius.html)
* [Ftpproxy](development/api/plugins/ftpproxy.html)
* [Gridexample](development/api/plugins/gridexample.html)
* [Haproxy](development/api/plugins/haproxy.html)
* [Helloworld](development/api/plugins/helloworld.html)
* [Hwprobe](development/api/plugins/hwprobe.html)
* [Iperf](development/api/plugins/iperf.html)
* [Lldpd](development/api/plugins/lldpd.html)
* [Maltrail](development/api/plugins/maltrail.html)
* [Mdnsrepeater](development/api/plugins/mdnsrepeater.html)
* [Muninnode](development/api/plugins/muninnode.html)
* [Ndproxy](development/api/plugins/ndproxy.html)
* [Netdata](development/api/plugins/netdata.html)
* [Netsnmp](development/api/plugins/netsnmp.html)
* [Nginx](development/api/plugins/nginx.html)
* [Nodeexporter](development/api/plugins/nodeexporter.html)
* [Nrpe](development/api/plugins/nrpe.html)
* [Ntopng](development/api/plugins/ntopng.html)
* [Nut](development/api/plugins/nut.html)
* [Openconnect](development/api/plugins/openconnect.html)
* [Postfix](development/api/plugins/postfix.html)
* [Proxy](development/api/plugins/proxy.html)
* [Proxysso](development/api/plugins/proxysso.html)
* [Proxyuseracl](development/api/plugins/proxyuseracl.html)
* [Puppetagent](development/api/plugins/puppetagent.html)
* [Qemuguestagent](development/api/plugins/qemuguestagent.html)
* [Quagga](development/api/plugins/quagga.html)
* [Radsecproxy](development/api/plugins/radsecproxy.html)
* [Redis](development/api/plugins/redis.html)
* [Relayd](development/api/plugins/relayd.html)
* [Rspamd](development/api/plugins/rspamd.html)
* [Shadowsocks](development/api/plugins/shadowsocks.html)
* [Siproxd](development/api/plugins/siproxd.html)
* [Smart](development/api/plugins/smart.html)
* [Softether](development/api/plugins/softether.html)
* [Sslh](development/api/plugins/sslh.html)
* [Stunnel](development/api/plugins/stunnel.html)
* [Tailscale](development/api/plugins/tailscale.html)
* [Tayga](development/api/plugins/tayga.html)
* [Telegraf](development/api/plugins/telegraf.html)
* [Tftp](development/api/plugins/tftp.html)
* [Tinc](development/api/plugins/tinc.html)
* [Tor](development/api/plugins/tor.html)
* [Udpbroadcastrelay](development/api/plugins/udpbroadcastrelay.html)
* [Vnstat](development/api/plugins/vnstat.html)
* [Wazuhagent](development/api/plugins/wazuhagent.html)
* [Wireguard](development/api/plugins/wireguard.html)
* [Wol](development/api/plugins/wol.html)
* [Zabbixagent](development/api/plugins/zabbixagent.html)
* [Zabbixproxy](development/api/plugins/zabbixproxy.html)
* [Zerotier](development/api/plugins/zerotier.html)
* [OPNBECore](development/api/be/OPNBEcore.html)
* [Examples](development/examples.html)
* [Hello world module & plugin](development/examples/helloworld.html)
* [Using grids module & plugin](development/examples/using_grids.html)
* [API enable standard services](development/examples/api_enable_services.html)
* [How-tos](development/howtos.html)
* [Use the API](development/how-tos/api.html)
* [Profiling/Debugging the kernel](development/how-tos/dtrace.html)
* [Remote debugging the kernel](development/how-tos/kernel_debugging.html)
Sources[](#sources "Permalink to this heading")
-------------------------------------------------
Just looking for the sources? See: [OPNsense repository](https://github.com/opnsense)
---
# Project Relations — OPNsense documentation
* [](index.html)
* Project Relations
* * *
Project Relations[](#project-relations "Permalink to this heading")
=====================================================================
The OPNsense® development team believes that sharing knowledge makes better products. The team is proud of its relations with other projects & organizations and likes to mention them and their hard work. More details may be found on these pages.
* [Deciso B.V.](relations/deciso.html)
* [FreeBSD®](relations/freebsd.html)
* [M0n0wall](relations/m0n0wall.html)
* [Open Source Initiative](relations/osi.html)
---
# Support Options — OPNsense documentation
* [](index.html)
* Support Options
* * *
Support Options[](#support-options "Permalink to this heading")
=================================================================

Software Support Levels[](#software-support-levels "Permalink to this heading")
---------------------------------------------------------------------------------
OPNsense is used in infrastructures of all sizes, in some cases it is very important to know what to expect when running into issues, certainly if part of the knowledge to maintain the infrastructure needs to be acquired from third parties.
Our platform is easily extendable, which encourages people to work on components not directly supported by us but very valuable to our users.
In order to offer clarity for all involved, we decided to explain how we treat the components available in this chapter.
We currently distinct three different tiers of support, ranging from Critical to Community, where critical is always directly supported by the OPNsense® Core Team and Community you may safely assume the core team has no (or very limited) involvement.
Tip
When designing infrastructures and in need of commercial support from the creators of OPNsense for community plugins, you can always contact us and discuss options.
If community plugins are very popular it is possible to promote in terms of support options, but in order to grow out of the community tier some conditions have to be met.
* The software should be usable and understandable.
* Maintainability of the plugin should be good (code quality, following best practices)
* Documentation should be available and at least explain the purpose of the component including the most common settings.
These are the tiers in question:
### Critical (Tier 1)[](#critical-tier-1 "Permalink to this heading")
* Core team develops and supports
* Compiler errors or functional failures block git merges and releases
* Functionality is part of the standard installation or an officially supported plugin
### Supplemental (Tier 2)[](#supplemental-tier-2 "Permalink to this heading")
* Core team develops and supports or the functionality is deemed to be important enough to invest their time into bringing the plugin to its desired state in the long run.
* Compiler errors or functional failures block git merges
* Functionality problems such as ‘known issues’ might still go into releases
* Features require user to install the plugin / functionality not installed by default
### Community (Tier 3)[](#community-tier-3 "Permalink to this heading")
* Tier 3 is community supported, this means the OPNsense core development team won’t support it to avoid overloading the team
* When accepting a Tier 3 feature into the code base, it will come with a number of limits and conditions:
* Submitter must commit to maintaining it:
> * Make sure code compiles and correctly functions after OPNsense and/or external (e.g. library) changes
>
> * Support users when they encounter problems (forum / git issue tracker – all related issues will be assigned to the maintainer)
>
* The code is offered as plugin and will not be part of the default OPNsense installation. The OPNsense core team will not be responsible for QA
* If the feature get lots of traction, and/or if the team just considers it very useful, it may get ‘promoted’ to being officially supported (Tier 2)
* The feature will be removed if the submitter stops maintaining it and no-one steps up to take over
Community[](#community "Permalink to this heading")
-----------------------------------------------------
If you need help with OPNsense you can always try the community options first. When resorting to community support it is important to understand that anyone helping you is doing so for free and at their own time. Even though your issue or question may not be answered fully, it would be nice to thank the people who help you.
To receive community support, the following options are available:
* Start searching this documentation & wiki
* The [OPNsense forum](https://forum.opnsense.org)
* Ask online users on [IRC Libera Chat](https://libera.chat/)
#opnsense
* Open a GitHub ticket ([core](https://github.com/opnsense/core/issues)
, [plugins](https://github.com/opnsense/plugins/issues)
) using one of our templates
Note
When a Github ticket is opened, it often is being tagged “support”, but its status may change over time when more details are known. Triaging issues takes time, the easier one can replicate an issue on a clean install, the higher the chance tickets are being solved.
Commercial[](#commercial "Permalink to this heading")
-------------------------------------------------------
As we build and maintain the software used by individuals and companies all around the globe, we are able to help you out when it comes to network design choices, solving issues and custom development around OPNsense.
Extended professional support services are available for an annual fee. You can find our options in [the OPNsense webshop](https://shop.opnsense.com/product-categorie/support/)
or you may [contact us](https://shop.opnsense.com/contact-us/)
directly.
List of available community plugins[](#list-of-available-community-plugins "Permalink to this heading")
---------------------------------------------------------------------------------------------------------
Below you will find the plugins available in the standard (community) version of OPNsense categorised by support tier as described at the support levels section.
| | |
| --- | --- |Tier 2[](#id3 "Permalink to this table")
| Name | Description |
| --- | --- |
| devel/debug | Add several debugging tools to enable full stack traces on crash reports and extended syntax checks for development activities. |
| net/frr | FRRouting (FRR) is an IP routing protocol suite for Linux and Unix platforms which includes protocol daemons for BGP, IS-IS, LDP, OSPF, PIM, and RIP. |
| net/relayd | relayd is a daemon to relay and dynamically redirect incoming connections to a target host. Its purposes is to run as a load-balancer. The daemon is able to monitor groups of hosts for availability, which is determined by checking for a specific service common to a host group. When availability is confirmed, Layer 3 and/or layer 7 forwarding services are set up by relayd. |
| security/etpro-telemetry | Todays cybersecurity engineers need timely and accurate data about eminent threats and how they spread around the globe. With this data cybersecurity researchers and analysts can improve the detection of malicious network traffic. The times when we could rely on just firewall rules for our protection are long gone. Additional layers of security are desperately needed to guard against these attacks. |
| security/stunnel | Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs’ code. |
| security/tinc | tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet. |
| sysutils/dec-hw | This package allows fetching the current power status for Deciso appliances with dual power supplies via an API call and includes a simple dashboard widget. |
| sysutils/git-backup | This package adds a backup option using git version control. |
| sysutils/vmware | The Open Virtual Machine Tools (open-vm-tools) are the open source implementation of VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines. As virtualization technology rapidly becomes mainstream, each virtualization solution provider implements their own set of tools and utilities to supplement the guest virtual machine. However, most of the implementations are proprietary and are tied to a specific virtualization platform. |
| www/OPNProxy | OPNsense proxy additions to support more fine grained access management |
| www/squid | Squid is a fully-featured HTTP, HTTPS, FTP, etc. proxy offering rich access control, authorization and logging environment to develop web proxy and content serving applications. |
| | |
| --- | --- |Tier 3[](#id4 "Permalink to this table")
| Name | Description |
| --- | --- |
| benchmarks/iperf | iperf3 is a tool for measuring the achievable TCP, UDP, and SCTP throughput along a path between two hosts. It allows the tuning of various parameters such as socket buffer sizes and maximum attempted throughput. It reports (among other things) bandwidth, delay jitter, and datagram loss. iperf was originally developed by NLANR/DAST. |
| databases/redis | Redis is an open source, advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. |
| devel/grid\_example | The goal of the ‘grid\_example’ plugin is to showcase the capabilities of the OPNsense plugin framework in relation to the grid/table system. |
| devel/helloworld | The goal of the ‘Hello world’ plugin is to showcase the capabilities of the OPNsense plugin framework. It will control a program on the system named ‘testConnection.py’. It will send an email using plain SMTP and will respond with a JSON message about the result of the attempt. |
| dns/bind | BIND implements the DNS protocols. The DNS protocols are part of the core Internet standards. They specify the process by which one computer can find another computer on the basis of its name. The BIND software distribution contains all of the software necessary for asking and answering name service questions. |
| dns/ddclient | ddclient is a Perl client used to update dynamic DNS entries for accounts on many dynamic DNS services. |
| dns/dnscrypt-proxy | A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTPS. |
| dns/rfc2136 | Support for RFC-2136 based dynamic DNS updates using Bind |
| emulators/qemu-guest-agent | QEMU Guest Agent for FreeBSD |
| ftp/tftp | tftp-hpa is portable, BSD derived tftp server. It supports advanced options such as blksize, blksize2, tsize, timeout, and utimeout. It also supported rulebased security options. |
| mail/postfix | Postfix attempts to be fast, easy to administer, and secure. The outside has a definite Sendmail-ish flavor, but the inside is completely different. |
| mail/rspamd | Rspamd is fast, modular and lightweight spam filter. It is designed to work with big amount of mail and can be easily extended with own filters written in lua. |
| misc/theme-cicada | The cicada theme - grey/orange - Designed and created by [remic-webdesign@chello.at](mailto:remic-webdesign%40chello.at) |
| misc/theme-rebellion | A suitably dark theme. |
| misc/theme-tukan | The tukan theme - blue/white - Designed and created by [remic-webdesign@chello.at](mailto:remic-webdesign%40chello.at) |
| misc/theme-vicuna | The vicuna theme - dark anthrazit - Designed and created by [rene@team-rebellion.net](mailto:rene%40team-rebellion.net) |
| net-mgmt/collectd | collectd is a daemon which collects system and application performance metrics periodically and provides mechanisms to store the values in a variety of ways, for example in RRD files. |
| net-mgmt/lldpd | LLDP is an industry standard protocol designed to supplant proprietary Link-Layer protocols such as EDP or CDP. The goal of LLDP is to provide an inter-vendor compatible mechanism to deliver Link-Layer notifications to adjacent network devices. |
| net-mgmt/net-snmp | Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment (eg. routers), computer equipment and even devices like UPSs. Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3 using both IPv4 and IPv6. |
| net-mgmt/netdata | Netdata is distributed, real-time, performance and health monitoring for systems and applications. It is a highly optimized monitoring agent you install on all your systems and containers. |
| net-mgmt/nrpe | nrpe is used to execute Nagios plugins on remote hosts and report the results to the main Nagios server. From the Nagios homepage: |
| net-mgmt/telegraf | Telegraf is the Agent for Collecting & Reporting Metrics & Data. Telegraf has plugins or integrations to source a variety of metrics directly from the system it’s running on, pull metrics from third-party APIs, or even listen for metrics via a StatsD and Kafka consumer services. It also has output plugins to send metrics to a variety of other datastores, services, and message queues, including InfluxDB, Graphite, OpenTSDB, Datadog, Librato, Kafka, MQTT, NSQ, and many others. |
| net-mgmt/zabbix-agent | Zabbix is an enterprise-class open source distributed monitoring solution. |
| net-mgmt/zabbix-proxy | Zabbix is an enterprise-class open source distributed monitoring solution. |
| net/chrony | An alternative to native ntpd daemon. In some edge cases chrony works better in virtual environments. |
| net/freeradius | FreeRADIUS includes a RADIUS server, a BSD licensed client library, a PAM library, and an Apache module. In most cases, the word FreeRADIUS refers to the RADIUS server. |
| net/ftp-proxy | Ftp-proxy is a proxy for the Internet File Transfer Protocol. FTP control connections are being redirected into the proxy, after which the proxy connects to the server on behalf of the client. |
| net/google-cloud-sdk | This plugin installs the Google Cloud SDK. The SDK may be used on the CLI or in conjunction with the Let’s Encrypt plugin. |
| net/haproxy | HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing. |
| net/igmp-proxy | Igmpproxy is a simple multicast routing daemon based on mrouted. It uses IGMP forwarding to dynamically route multicast traffic. |
| net/mdns-repeater | mdns-repeater is a Multicast DNS repeater. Multicast DNS uses the 224.0.0.251 address, which is ‘administratively scoped’ and does not leave the subnet. |
| net/ntopng | ntopng is the next generation version of the original ntop, a network traffic probe that monitors network usage. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Windows as well. |
| net/radsecproxy | A generic RADIUS proxy that in addition to usual RADIUS UDP transport, also supports TLS (RadSec), as well as RADIUS over TCP and DTLS. The aim is for the proxy to have sufficient features to be flexible, while at the same time to be small, efficient and easy to configure. |
| net/realtek-re | This is the official driver from Realtek and can be loaded instead of the FreeBSD driver built into the GENERIC kernel if you experience issues with it (eg. watchdog timeouts), or your card is not supported. |
| net/shadowsocks | A secure socks5 proxy, designed to protect your Internet traffic. |
| net/siproxd | Siproxd is a proxy/masquerading daemon for the SIP protocol. It handles registrations of SIP clients on a private IP network and performs rewriting of the SIP message bodies to make SIP connections work via an masquerading firewall (NAT). It allows SIP software clients (like kphone, linphone) or SIP hardware clients (Voice over IP phones which are SIP-compatible, such as those from Cisco, Grandstream or Snom) to work behind an IP masquerading firewall or NAT router. |
| net/sslh | Manage SSLH, the SSL/SHH multiplexer via the OPNsense web UI. |
| net/tayga | TAYGA is an out-of-kernel stateless NAT64 implementation that uses the TUN driver to exchange IPv4 and IPv6 packets with the kernel. It is intended to provide production-quality NAT64 service for networks where dedicated NAT64 hardware would be overkill. |
| net/udpbroadcastrelay | udpbroadcastrelay is a UDP multicast relayer. Its intended use is to rebroadbcast udp packets on a specific port across interfaces, be those interfaces physical or VLAN. |
| net/upnp | MiniUPnPd is a lightweight implementation of a UPnP IGD & PCP/NAT-PMP daemon. This is supposed to be run on your gateway machine to allow client systems to map ports and punch holes in the firewall. |
| net/vnstat | vnStat is a console-based network traffic monitor for Linux and BSD that keeps a log of network traffic for the selected interface(s). It uses the network interface statistics provided by the kernel as information source. This means that vnStat won’t actually be sniffing any traffic and also ensures light use of system resources. |
| net/wol | wol implements Wake-On-LAN functionality in a small program. It wakes up hardware that is Magic Packet compliant. |
| net/zerotier | ZeroTier can be used for on-premise network virtualization, as a peer to peer VPN for mobile teams, for hybrid or multi-data-center cloud deployments, or just about anywhere else secure software defined virtual networking is useful. |
| security/acme-client | This plugin contains a full ACME protocol implementation based on the acme.sh project. According to the authors, it’s probably ‘the easiest and smallest and smartest shell script’ to automatically issue and renew the free certificates from Let’s Encrypt. |
| security/clamav | ClamAV(r) is an open source (GPL) anti-virus engine used in a variety of situations including email scanning, web scanning, and end point security. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. |
| security/crowdsec | Crowdsec is an open-source, lightweight software, detecting peers with aggressive behaviors to prevent them from accessing your systems. Its user friendly design and assistance offers a low technical barrier of entry and nevertheless a high security gain. |
| security/intrusion-detection-content-et-open | IDS Proofpoint ET open full ruleset to complement ET Pro Telemetry edition. This plugin will trigger duplicate rules warnings in Suricata logs when selecting the same categories for both ET open and ET Telemetry. |
| security/intrusion-detection-content-et-pro | Proofpoint ET Pro is a timely and accurate rule set for detecting and blocking advanced threats using your existing network security appliances, such as next generation firewalls (NGFW) and network intrusion detection / prevention systems (IDS/IPS) |
| security/intrusion-detection-content-snort-vrt | The Snort Subscriber Rule Set refer to rules that have been developed, tested and approved by the Talos Security Intelligence and Research Team (Talos). The Snort Subscriber Ruleset released after March 7th, 2005 are governed by the Snort Subscriber Rule Set License Agreement. |
| security/maltrail | Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name, URL, IP address or HTTP User-Agent header value. Also, it uses advanced heuristic mechanisms that can help in discovery of unknown threats. |
| security/openconnect | OpenConnect is an SSL VPN client initially created to support Cisco’s AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN which is now known as Pulse Connect Secure. |
| security/softether | SoftEther VPN (‘SoftEther’ means ‘Software Ethernet’) is one of the world’s most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris. |
| security/tor | Tor is a connection-based low-latency anonymous communication system which addresses many flaws in the original onion routing design. |
| security/wazuh-agent | Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. |
| sysutils/apcupsd | Apcupsd, short for APC UPS daemon, can be used for controlling all APC UPS models. It can monitor and log the current power and battery status, perform automatic shutdown, and can run in network mode in order to power down other hosts on a LAN. |
| sysutils/apuled | LED control for PC Engines APU platform OPNsense plugin Cloudfence 2019 - JCC |
| sysutils/dmidecode | Dmidecode reports information about your system’s hardware as described in your system BIOS according to the SMBIOS/DMI standard. This information typically includes system manufacturer, model name, serial number, BIOS version, asset tag as well as a lot of other details of varying level of interest and reliability depending on the manufacturer. This will often include usage status for the CPU sockets, expansion slots (e.g. AGP, PCI, ISA) and memory module slots, and the list of I/O ports (e.g. serial, parallel, USB). |
| sysutils/hw-probe | Send anonymized hardware diagnostics to [https://bsd-hardware.info](https://bsd-hardware.info) |
| sysutils/lcdproc-sdeclcd | LCDproc setup for SDEC LCD devices found in Watchguard FireBox firewall appliances. |
| sysutils/mail-backup | Send a config.xml via mail, optionally encrypted via PGP. |
| sysutils/munin-node | Munin network-wide graphing framework (node) |
| sysutils/nextcloud-backup | This package adds a backup option using an existing NextCloud instance. |
| sysutils/node\_exporter | Prometheus exporter for hardware and OS metrics exposed by [\*](#id1)
NIX kernels, written in Go with pluggable metric collectors. |
| sysutils/nut | The primary goal of the Network UPS Tools (NUT) project is to provide support for Power Devices, such as Uninterruptible Power Supplies, Power Distribution Units, Automatic Transfer Switch, Power Supply Units and Solar Controllers. |
| sysutils/puppet-agent | Puppet lets you centrally manage every important aspect of your system using a cross-platform specification language that manages all the separate elements normally aggregated in different files, like users, cron jobs, and hosts, along with obviously discrete elements like packages, services, and files. |
| sysutils/smart | The smartmontools package contains two utility programs (smartctl and smartd) to control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (S.M.A.R.T.) built into most modern ATA and SCSI hard disks. It is derived from the smartsuite package, and includes support for ATA/ATAPI/SATA disks and SCSI disks and tape devices. |
| sysutils/virtualbox | These additions are for installation inside a FreeBSD guest. |
| sysutils/xen | FreeBSD VM tools for Citrix XenServer and XCP |
| vendor/sunnyvalley | This plugin adds a proprietary repository to install Zenarmor (previously Sensei), a plugin for OPNsense, complementing the firewall with state of the art next generation firewall features. |
| www/c-icap | c-icap is an implementation of an ICAP server. It can be used with HTTP proxies that support the ICAP protocol to implement content adaptation and filtering services. |
| www/cache | Add and enable caching for the web GUI to accelerate requests. |
| www/caddy | Caddy - The Ultimate Server - makes your sites more secure, more reliable, and more scalable than any other solution. By default, Caddy automatically obtains and renews TLS certificates for all your sites. It’s the most advanced HTTPS server in the world. |
| www/nginx | NGINX is a high performance edge web server with the lowest memory footprint and the key features to build modern and efficient web infrastructure. |
| www/web-proxy-sso | Allow to use the web proxy with Single Sign-On against an Active Directory instead of using a bundled authentication. |
---
# History — OPNsense documentation
* [](index.html)
* History
* * *
History[](#history "Permalink to this heading")
=================================================
* [About the Fork](history/thefork.html)
---
# Community Edition — OPNsense documentation
* [](index.html)
* [Releases](releases.html)
* Community Edition
* * *
Community Edition[](#community-edition "Permalink to this heading")
=====================================================================
[](_images/ideas_join_the_development.jpg)
As of January 2015 there have been _308_ releases leading to the latest version _25.1.4_ named “Ultimate Unicorn”.
The list below contains all releases, ordered by version number categorized by major version.
* [25.1 “Ultimate Unicorn” Series](releases/CE_25.1.html)
* [24.7 “Thriving Tiger” Series](releases/CE_24.7.html)
* [24.1 “Savvy Shark” Series](releases/CE_24.1.html)
* [23.7 “Restless Roadrunner” Series](releases/CE_23.7.html)
* [23.1 “Quintessential Quail” Series](releases/CE_23.1.html)
* [22.7 “Powerful Panther” Series](releases/CE_22.7.html)
* [22.1 “Observant Owl” Series](releases/CE_22.1.html)
* [21.7 “Noble Nightingale” Series](releases/CE_21.7.html)
* [21.1 “Marvelous Meerkat” Series](releases/CE_21.1.html)
* [20.7 “Legendary Lion” Series](releases/CE_20.7.html)
* [20.1 “Keen Kingfisher” Series](releases/CE_20.1.html)
* [19.7 “Jazzy Jaguar” Series](releases/CE_19.7.html)
* [19.1 “Inspiring Iguana” Series](releases/CE_19.1.html)
* [18.7 “Happy Hippo” Series](releases/CE_18.7.html)
* [18.1 “Groovy Gecko” Series](releases/CE_18.1.html)
* [17.7 “Free Fox” Series](releases/CE_17.7.html)
* [17.1 “Eclectic Eagle” Series](releases/CE_17.1.html)
* [16.7 “Dancing Dolphin” Series](releases/CE_16.7.html)
* [16.1 “Crafty Coyote” Series](releases/CE_16.1.html)
* [15.7 “Brave Badger” Series](releases/CE_15.7.html)
* [15.1 “Ascending Albatross” Series](releases/CE_15.1.html)
---
# Business Edition — OPNsense documentation
* [](index.html)
* [Releases](releases.html)
* Business Edition
* * *
Business Edition[](#business-edition "Permalink to this heading")
===================================================================
[](_images/architecture-blue-sky-business-2599538.jpg)
OPNsense Business Edition is intended for companies, enterprises and professionals looking for a more selective upgrade path (lags behind the community edition), additional commercial features and who want to support the project in a more commercial way compared to donating.
The list below contains all releases, ordered by version number categorized by major version.
* [24.10 Series](releases/BE_24.10.html)
* [24.4 Series](releases/BE_24.4.html)
* [23.10 Series](releases/BE_23.10.html)
* [23.4 Series](releases/BE_23.4.html)
* [22.10 Series](releases/BE_22.10.html)
* [22.4 Series](releases/BE_22.4.html)
* [21.10 Series](releases/BE_21.10.html)
* [21.4 Series](releases/BE_21.4.html)
* [20.7 “Legendary Lion” Series](releases/BE_20.7.html)
* [20.1 “Keen Kingfisher” Series](releases/BE_20.1.html)
* [19.7 “Jazzy Jaguar” Series](releases/BE_19.7.html)
* [19.1 “Inspiring Iguana” Series](releases/BE_19.1.html)
---
# Contribute — OPNsense documentation
* [](index.html)
* Contribute
* * *
Contribute[](#contribute "Permalink to this heading")
=======================================================
OPNsense is an open source community project that depends on your contributions for its continuing development & success.
There are plenty of opportunities to contribute and help OPNsense reach its goal of becoming the most widely used open source security & firewall platform. Financial contributions are always welcome and will allow us to develop parts of the system that may otherwise stay untouched.
The OPNsense core team wants to thank everyone who contributed already.
* * *
Financially[](#financially "Permalink to this heading")
---------------------------------------------------------
“_An open source project can only thrive by the community around it._” We are grateful of all the kind words and support the users of OPNsense are giving us.
Frequently users ask us how they can contribute to the project. To make the software better we need your involvement in testing and providing feedback and if you can spare a few bucks that would be great.
* * *
### Donations[](#donations "Permalink to this heading")
To enable us to continue development and keep on improving the project you can contribute by donating to the project, this a simple non recurring - no strings attached - way of supporting the project. Any amount will be gratefully accepted!
**Why wait? Donate today !**
* * *
### Partner program[](#partner-program "Permalink to this heading")
The OPNsense project offers a partner program where businesses receive project benefits while supporting the project financially.
Main benefits include:
* Listing on our [OPNsense partner page](https://opnsense.org/partners/)
* Access to the core team
To get enlisted as partner of the OPNsense project means a minimum annual investment of € 2500.Partners that made an exceptional contribution to the project are assigned the Platinum Partner status.
* * *
### Support Contract[](#support-contract "Permalink to this heading")
with a support contract we support you and you support us as OPNsense is fully supported by Deciso.
For support options see [OPNsense Commercial Support](https://opnsense.org/support-overview/commercial-support/)
* * *
Development[](#development "Permalink to this heading")
---------------------------------------------------------
Contributing to the ongoing development of OPNsense can be done by:
* Testing a development version and
* Report issues and/or
* Help fixing issues as well as by
* Contributing new functionality
* Share your code with the project by manner of a pull request.
Note
Before you send in your pull request, please read our [Coding Guidelines](development/guidelines.html)
and see the community support levels in the [Support Options](support.html)
. It is important for plugin developers to maintain their plugin and interact with users for QA.
* * *
### Testing[](#testing "Permalink to this heading")
Contribute by testing the latest development version to make the next release even better than the last. If you like to test a development version then the easiest way is to login to the console and type:
pkg install \-y opnsense\-devel
And to revert back to the production version:
pkg install \-y opnsense
That is all there is to it to test the latest development release. Development releases are usually built at the same day the latest production release comes available.
* * *
### Reporting an issue[](#reporting-an-issue "Permalink to this heading")
Issues can be easily reported on github, please consider carefully if the issue could be a configuration or user error before reporting it. If you are unsure, report your issue on the [forum](https://forum.opnsense.org)
or on [IRC](https://web.libera.chat/#opnsense)
.
* * *
### Fixing issues[](#fixing-issues "Permalink to this heading")
If you are a programmer or just know how to fix a certain issue then you can help by either sharing your ideas on or send in a pull request on github.
* * *
### Designing new features[](#designing-new-features "Permalink to this heading")
If you like to help designing new features then start with reading the [Development manual](develop.html)
and checkout our [roadmap](https://opnsense.org/about/road-map/)
as well as our [issue tracker](https://github.com/opnsense/core/issues)
. Before starting it is always a good to share your idea first with a core developer, to do so you can use either:
* [github](https://github.com/opnsense/core/)
and [create a issue](https://github.com/opnsense/core/issues/new)
and mention you volunteer for taking on the development task (we will correctly label it as enhancement or feature)
* find one of us on IRC/Libera Chat (#opnsense) and see if we are available to discuss your idea.
* * *
Translations[](#translations "Permalink to this heading")
-----------------------------------------------------------
OPNsense has an active [translation project](https://translate.opnsense.org/projects/)
, currently supporting:
* Czech
* English
* French
* German
* Japanese
* Portuguese
* Russian
* Simplified Chinese
Working on translations is time consuming, but if you feel up to it and would like to help adding another language, then please contact us via email (contact @ opnsense.org).
* * *
Documentation & wiki articles[](#documentation-wiki-articles "Permalink to this heading")
-------------------------------------------------------------------------------------------
The easiest way to help with documentation is to write how-to type articles. As the wiki & documentation project itself is written in **reStructuredText** you can offer your content in this format (preferably as a [pull request](https://github.com/opnsense/docs)
). Other formats are also possible, such as:
* markup with ./images/directory including the used images (if any)
* word document with embedded images (if any)
To include you documentation send it to contact @ opnsense.org. Make sure that:
* Your content does not include copyrighted material if you do not own the copyright yourself
* State that we may use the content under our Documentation Copyright as listed in the [Legal notices](legal.html)
section.
* * *
Forum & IRC[](#forum-irc "Permalink to this heading")
-------------------------------------------------------
If you are an experienced network engineer, know a lot about firewall technology or if you are excited about OPNsense, then you can contribute to the project by helping others on the [forum](https://forum.opnsense.org)
or on [IRC](https://web.libera.chat/#opnsense)
.
* * *
Social media[](#social-media "Permalink to this heading")
-----------------------------------------------------------
Contribute to the success of the project by letting others know how OPNsense helped solving your network or security challenges. Let others know about OPNsense and/or follow us & retweet our messages on [Twitter](https://twitter.com/opnsense)
.
Anything you can do to spread the word about OPNsense will help to reach our goal to become the most widely used open source security & firewall platform.
* * *
Closing Words[](#closing-words "Permalink to this heading")
-------------------------------------------------------------
If you have suggestions on how others can contribute to OPNsense and it is not yet listed on this page, then let us know. You can reach us at contact @ opnsense.org.
---
# Central Management — OPNsense documentation
* [](../../index.html)
* [Business Edition](../../be.html)
* Central Management
* * *
[Central Management](#id2)
[](#central-management "Permalink to this heading")
================================================================================
As part of the OPNsense Business Edition, Deciso offers a plugin to keep all your firewalls up to date and have an easy entry point to manage them.
Index
* [Central Management](#central-management)
* [Installation](#installation)
* [Register new hosts](#register-new-hosts)
* [Central WebGui certificate management](#central-webgui-certificate-management)
* [Alter generic host settings](#alter-generic-host-settings)
* [Centralized backups](#centralized-backups)
* [Multi tenancy using host groups](#multi-tenancy-using-host-groups)
* [Connect to managed machine](#connect-to-managed-machine)
* [Machine firmware status / upgrade](#machine-firmware-status-upgrade)
* [Machine service status and control](#machine-service-status-and-control)
* [Machine resource status](#machine-resource-status)
* [Provisioning / sharing settings](#provisioning-sharing-settings)
* [Provisioning classes](#provisioning-classes)
* [Users & Groups](#users-groups)
* [Aliases (Firewall)](#aliases-firewall)
* [Firewall rules](#firewall-rules)
* [NAT (Firewall)](#nat-firewall)
* [Firewall categories](#firewall-categories)
* [WebGui (Administration)](#webgui-administration)
* [Configuration Tutorials](#configuration-tutorials)
* [Automatic WebGUI Login](#automatic-webgui-login)
[Installation](#id3)
[](#installation "Permalink to this heading")
--------------------------------------------------------------------
After acquiring a license, you can switch to the commercial software repository containing OPNcentral. In order to install, just go to System->Firmware->Plugins and search for `os-OPNcentral`.
[Register new hosts](#id4)
[](#register-new-hosts "Permalink to this heading")
--------------------------------------------------------------------------------
Before adding a host, you need to generate an API key and secret from the machine you will grant accesss to. API keys are managed in the user manager (system\_usermanager.php), go to the user manager page and select a user. Somewhere down the page you will find the API section for this user.
Click on the + sign to add a new key. When the key is created, you will receive a (single download) with the credentials in one text file (ini formatted). The contents of this file look like this:
key\=w86XNZob/8Oq8aC5r0kbNarNtdpoQU781fyoeaOBQsBwkXUt
secret\=XeD26XVrJ5ilAc/EmglCRC+0j2e57tRsjHwFepOseySWLM53pJASeTA3
Next go to the Hosts section of the management menu in Management ‣ Host ‣ Configuration and add a new host, copy the url from the machine and the API key and secret generated above.
Note
You can disable certificate validation if your using a self-signed certificate, although we advise to generate proper certificates for the machines.
[](../../_images/OPNcentral_hosts.png)
**Icons**
Group membership
Download configuration (or all as a zip file)
Edit host configuration
Clone host configuration
Delete host configuration
### [Central WebGui certificate management](#id5)
[](#central-webgui-certificate-management "Permalink to this heading")
The host configuration offers an option to link a central certificate to the managed host, in which case the certificate will be distributed to the host (if `WebGui` is being provisioned).
Using this feature, you’re able to centrally manage certificates (manually or using ACME) easily.
Tip
Add `OPNcentral - provision / reconfigure remote hosts` in System ‣ Settings ‣ Cron with a daily schedule to automatically provision all attached firewalls on a daily basis.
Attention
Do not synchronize `Certificates` and `WebGUI` at the same time. [Provisioning classes WebGUI](#provisioning-classes-webgui)
### [Alter generic host settings](#id6)
[](#alter-generic-host-settings "Permalink to this heading")
The second tab in the screen contains the setting page which configures defaults for all hosts where applicable.
| Option | Description |
| --- | --- |
| Interfaces | Select the interfaces of the central node that would be used when merging settings on the remote firewall, only applicable on part of the configuration sections (such as the firewall). See the provisioning section for more details. |
| Enable backups | Enable centralized backups. |
| Backups: | |
| * Sequential count | Number of sequential backups to preserve from remote host (per host), copy of local history to a maximum of X per host. |
| * Interval type | When an interval is provided, this option determines the period for the interval. e.g. when weekly is specified, each last record of the week is preserved to a maximum of the number of intervals |
| * Interval count | Non sequential number of backups to keep, last backup of specified interval type is preserved for the number of items specified here. |
[Centralized backups](#id7)
[](#centralized-backups "Permalink to this heading")
----------------------------------------------------------------------------------
When “Enable backups” is checked in the generic host settings tab OPNcentral will perform a nighly backup of all configured hosts. The host overview (Management ‣ Host ‣ Configuration) shows the number of backups with their related size and last modification date for each host.
Note
The modification date defines the last time the remote host was changed, so if a host hasn’t been changed for a longer period of time this value would show an older date.
Tip
It is possible to execute the backup manually from the gui. In order to do that, go to Management ‣ Host ‣ Configuration and press the `Execute backup` button.
Tip
If more frequent backups are desired, just add a cron job in System‣Settings‣Cron for the task `OPNcentral - backup remote hosts`.
[Multi tenancy using host groups](#id8)
[](#multi-tenancy-using-host-groups "Permalink to this heading")
----------------------------------------------------------------------------------------------------------
Hosts can be organised in groups using the Management ‣ Host ‣ Groups menu option. By default hosts are accessible by all users having access to the specified OPNcentral menu options. You can change that behaviour by linking a host into one or more groups, where you can constrain access.
[](../../_images/blockdiag-92b1f550c721b0d0baefd967cdfb81ac849a4b6e.png)
Warning
When attaching a host to multiple host groups and want to constraint access, make sure you limit all host groups to avoid accidental access for all OPNcentral users.
[Connect to managed machine](#id9)
[](#connect-to-managed-machine "Permalink to this heading")
------------------------------------------------------------------------------------------------
On various management pages there are direct links available to login to the firewall in question. Usually connected nodes are shown with a link which opens in a new tab when clicking.
The example below shows a link in the firmware status page which will open `https://node1.opnsense.local`.
[](../../_images/OPNcentral_status_uptodate.png)
When the management server is allowed to access the OPNcentral components on the connected node it will automatically login after the link is clicked with the proper credentials assigned to the api token user.
If the latests Business Edition is installed on the managed machine, but access prohibits automatic logins, you will be redirected to the login page.
When the connected machine is not using the business edition, it’s not possible to use the link, a message such as the following will be presented to the user:
[](../../_images/OPNcentral_auto_login_unavailable.png)
Note
Make sure your browser trusts the remote node otherwise the browser can’t access the machine and will signal an issue with the software version.
[Machine firmware status / upgrade](#id10)
[](#machine-firmware-status-upgrade "Permalink to this heading")
-------------------------------------------------------------------------------------------------------------
All connected and enabled machines can be contacted using the Management ‣ Status ‣ Firmware page, when visiting the page all connected machines will automatically be contacted to report their status and installed version.
[](../../_images/OPNcentral_status_toupdate.png)
When an update is available, it will be shown in the list, including if this upgrade requires a reboot. The upgrade button starts the upgrade procedure, but will only upgrade machines that will require a reboot if **Enable reboot** is checked.
Tip
Use the refresh button to request status again.
The upgrade wheel starts spinning when an upgrade was requested, since the upgrade itself can consume some time, you can revisit the status page later (or press refresh) to show the new status.
[Machine service status and control](#id11)
[](#machine-service-status-and-control "Permalink to this heading")
-----------------------------------------------------------------------------------------------------------------
The service status and control page provides an overview on all managed OPNsense firewalls connected to OPNcentral and offers the ability to restart services when needed.
[](../../_images/OPNcentral_service_status_overview.png)
In the screenshot above there are 7 machines managed by OPNcentral, for every configured service there’s an icon reflecting the status of the service.
Stopped (inactive, but configured)
Running (active)
Host unreachable or misconfigured
When you click one of the service icons, the icon changes into a checkbox which can be used to restart the selected services with the button below the table.
Tip
The link in the host column brings you directly into the service control page of the selected firewall.
[Machine resource status](#id12)
[](#machine-resource-status "Permalink to this heading")
-------------------------------------------------------------------------------------------
In order to gain insights into the managed machines there is a resource page available which queries all connected firewalls and reports aggregated status about them.
While collecting data for a machine there’s a spinner visible, as soon as information is collected you can view relevant information per node.
[](../../_images/OPNcentral_resources_host.png)
From left to right the following information is available:
* Host information
* Host name (description)
* Version installed
* Processor type
* Most recent configuration change (tooltip uncovers who made the change and from which module)
* General statistics
* Current cpu usage (total percentage)
* Total memory usage
* Swap file usage
* Total interfaces configured (up/down)
* Aggregated HA status (when configured), MASTER when all interfaces are, BACKUP when at least one is demoted to BACKUP
* Root file system usage
* Gateway status including maximum delay
* Firewall
* State table usage
* Alias usage (when over 100% the requested entries don’t fir in memory)
* Source tracking table usage
* Current traffic in/out, tooltip the piechart to show protocol name (or number) with current rate
Tip
When headings are underlined, a click brings you to the relevant module of the firewall in question.
[Provisioning / sharing settings](#id13)
[](#provisioning-sharing-settings "Permalink to this heading")
---------------------------------------------------------------------------------------------------------
The provisioning tool offers the ability to configure some settings in a more centralised manner. Inspired by the functionality that is offered for high-availability setups, you can distribute global settings among all connected firewalls for various configuration options. The central host acts as a template in this case.
In order to configure the settings that should be shared, you can configure the “classes” to synchronize in the host settings Management ‣ Host ‣ Configuration.
[](../../_images/OPNcentral_provisioning_host_classes_setup.png)
Here you will find the same options as are available under System->High Availability->Settings. After configuring the desired parameters, you can use the Provisioning page (Management ‣ Provisioning) to inspect status and push options to the attached firewalls.
Warning
Be **very** careful pushing settings to your connected firewall which may disconnect your session, such as firewall and routing related options. The central management host can’t predict if settings you plan to make lead to an inaccesible firewall.
Tip
Add `OPNcentral - provision / reconfigure remote hosts` in System ‣ Settings ‣ Cron with a daily schedule to automatically provision all attached firewalls on a daily basis.
All provisioning classes known by the management machine will be shown in the table, combined with the status of each section. OPNcentral calculates if settings are equal, keeps track of changes and restarts related services when needed.
[](../../_images/OPNcentral_provisioning_status.png)
You can either selectlively reconfigure specific hosts with the checkbox or reconfigure all at once on command.
Collecting status
Class equals this machine (nothing todo)
Changes ready to commit
Unknown yet configured class
Unable to connect
[Provisioning classes](#id14)
[](#provisioning-classes "Permalink to this heading")
-------------------------------------------------------------------------------------
By default merging configuration items from the central firewall overwrites the settings on the target machine, but in some cases we need a more practical approach to deal with local modifications.
In this chapter we are going to describe how classes with special implemenations are being treated on synchronisation and how to utilise this behaviour to ease management.
### [Users & Groups](#id15)
[](#users-groups "Permalink to this heading")
When users and groups are synchronized, the existing api key+secret is merged into the user with the same name to prevent access issues after reconfigure. To avoid issues, make sure there’s a unique username with proper credentials before using the synchronization.
Note
Although quite some setups will likely use external authentication options available in OPNsense, sometimes it’s practical to share the same user database among different firewalls. This option allows for sharing, without the need to sue the same key+secret on all connected firewalls.
### [Aliases (Firewall)](#id16)
[](#aliases-firewall "Permalink to this heading")
Since various firewall sections depend on aliases, OPNcentral checks if aliases are used before removing local aliases from the remote firewall.
Due to this powerful feature, after synchronisation of the central aliases you can also use nesting to combine remote aliases into new local ones.
For example, when the local machine has `local_alias_1` and the central location offers `central_alias_1` when both are combined into `local_alias_2` and `local_alias_2` is used in firewall/nat rules it will automatically merge central changes after a reconfigure action from the dashboard.

Note
As long as `local_alias_2` is used, both `local_alias_1` and `local_alias_2` will be preserved after provisioning.
### [Firewall rules](#id17)
[](#firewall-rules "Permalink to this heading")
Merging the firewall rules will keep the interfaces unaltered which don’t exists on the central node as these are being provided to the target firewall. In case you want to exclude some interfaces (for all remote firewalls), you can easily override the known interfaces in Management -> Host configuration on the General settings tab.
Since there’s an explicit order in which different types of rules are being handled, you can choose if you want to prefer central rules being matched first or last depending on the type of “interface” to use.

Tip
When forcing interface groups to the backup node, these will precede interface rules such as LAN and WAN, when only sending over interface groups the remote firewall is able to allow traffic which would otherwise be rejected.
Note
When multiple interfaces are attached to a (floating) rule, these will be removed by the provisioning algorithm as the intend isn’t fully clear in these matters.
Note
Rules on the central node which do apply to all interfaces or a selection of interfaces are always being send to the remote firewall. When this isn’t intentional, best not use these options in the “floating” rules.
### [NAT (Firewall)](#id18)
[](#nat-firewall "Permalink to this heading")
Merging the nat rules will keep the interfaces unaltered which don’t exists on the central node as these are being provided to the target firewall. In case you want to exclude some interfaces (for all remote firewalls), you can easily override the known interfaces in Management -> Host configuration on the General settings tab.
Note
All NAT type rules (`Port Forward`, `One-to-One`, `Outbound`, `NPTv6`) are treated similar.
Note
When multiple interfaces are attached to a rule, which is possible for port forwards. These will be removed by the provisioning algorithm.
Note
Port forwarding rules on the central node which do apply on a selection of interfaces are always being send to the remote firewall. When this isn’t intentional, best prevent the usage of these forwards.
### [Firewall categories](#id19)
[](#firewall-categories "Permalink to this heading")
Merging categories will preserve the ones that are currently used on the remote firewall.
### [WebGui (Administration)](#id20)
[](#webgui-administration "Permalink to this heading")
To prevent breakage after synchronisation, the certificate used by the webgui will be preserved after synchronisation (or the one provided in the host configuration will be shipped).
Attention
Currently it’s not possible to merge certificates and webgui admin settings, as the certificate store will potentially be overwritten in that case.
[Configuration Tutorials](#id21)
[](#configuration-tutorials "Permalink to this heading")
-------------------------------------------------------------------------------------------
In this section we will show example configurations of some of the features that OPNcentral Central Management offers.
### [Automatic WebGUI Login](#id22)
[](#automatic-webgui-login "Permalink to this heading")
For the automatic login feature to work, the following infrastructure is required:
* One OPNsense with Business Edition and OPNcentral installed, which will be used as the Central Host for configuration. Using this OPNsense for no other tasks than configuration and administration is recommended.
* One or several other OPNsense with Business Edition and OPNcentral installed, which will be managed by the Central Host.
* Either your own PKI (Public Key Infrastructure) or using the OPNsense provided one in System ‣ Trust
* A DNS infrastructure or public DNS provider, that manages the FQDNs (Full Qualified Domain Names) of each OPNsense
We assume that we have this example infrastructure:
| FQDN | IP Address | Task |
| --- | --- | --- |
| `central-host.opnsense.local` | 203.0.113.1 | Central Host for administration |
| `node-a1.opnsense.local` | 198.51.100.1 | Firewall Node site A |
| `node-b1.opnsense.local` | 192.0.2.1 | Firewall Node site B |
#### 1\. Add Firewall Nodes to the Central Host[](#add-firewall-nodes-to-the-central-host "Permalink to this heading")
* Go to Management ‣ Host ‣ Configuration.
* Follow the steps described here [Register new hosts](#register-new-hosts)
.
* If there are connection problems, check if the Central Host can resolve the FQDNs of the Firewall Nodes. They have to be added via their FQDN and _not_ via IP address. Otherwise the SAN of the certificates will not match the FQDN.
Tip
When using a custom WebGUI port, specify the socket like this: `https://node-a1.opnsense.local:8443`
Note
Only add the Firewall Nodes to the Central Host. Do not add the Central Host to itself to prevent configuration loops.
#### 2\. Create a PKI on the Central Host[](#create-a-pki-on-the-central-host "Permalink to this heading")
For more information read [Setup Self-Signed Certificate Chains](/manual/how-tos/self-signed-chain.html)
* Go to System ‣ Trust ‣ Authorities and press _+_ to Create an internal Certificate Authority.
* Leave all the populated fields on their default values.
* As State, City, Organization and Email Address, add your own.
* As Descriptive name and Common Name, use `opncentral-ca`.
* Press _Save_.
Note
Export the CA certificate, and import it into the Trusted Root Certificate Store of each client that should use the automatic WebGUI login. It will only work if the Browser trusts the connection.
#### 3\. Create Server Certificates for all Hosts[](#create-server-certificates-for-all-hosts "Permalink to this heading")
* Go to System ‣ Trust ‣ Certificates and press _+_ to Create an internal Certificate.
* Leave all the populated fields on their default values.
* As Type choose Server Certificate.
* As Common Name and Alternative Names Type DNS (SAN) choose the FQDNs of the Firewall; e.g., `central-host.opnsense.local`
* Press _Save_ and repeat this until there are certificates for the Central Host and the Firewall Nodes.
#### 4\. Change WebGUI certificate of Central Host[](#change-webgui-certificate-of-central-host "Permalink to this heading")
* Go to System ‣ Settings ‣ Administration.
* Make sure the Protocol is HTTPS and choose the certificate with the FQDN of the Central Host; e.g., `central-host.opnsense.local`
* Press _Save_ and press the link that appears, which will redirect the session to a new browser tab.
Note
The browser should automatically trust the connection to the Central Host now. If not, make sure the `opncentral-ca` certificate has been imported as described in Step 2. It is mandatory that the browser trust is established before continuing.
#### 5\. Provision Certificates and WebGUI to Firewall Nodes[](#provision-certificates-and-webgui-to-firewall-nodes "Permalink to this heading")
* Go to Management ‣ Host ‣ Configuration.
* Select a Firewall Node, e.g., `node-a1.opnsense.local` and edit it.
* Make sure that Validate SSL is not selected right now.
* Select the correct certificate in Push WebUI certificate, in this case `node-a1.opnsense.local`
* In Provision classes, select `Web GUI`. Please be careful _not_ to select `Certificates`, only `Web GUI` is needed as Provision classes.
* Press _Save_ and repeat the same for all other Firewall Nodes.
* Go to Management ‣ Provisioning and select all Hosts, then press Reconfigure.
* After the provisioning has succeeded, go back to Management ‣ Host ‣ Configuration and enable Validate SSL for all Firewall Nodes.
#### 6\. Test the Automatic Login[](#test-the-automatic-login "Permalink to this heading")
* Go to Management ‣ Provisioning and click on any of the Host links. An additional browser tab will open with the selected Firewall Node and the session is automatically logged in.
Tip
This feature is especially useful for Network Administrators that centrally manage a large amount of OPNsense Firewalls.
---
# Web Application Firewall — OPNsense documentation
* [](../../index.html)
* [Business Edition](../../be.html)
* Web Application Firewall
* * *
[Web Application Firewall](#id3)
[](#web-application-firewall "Permalink to this heading")
============================================================================================
Index
* [Web Application Firewall](#web-application-firewall)
* [Prerequisites](#prerequisites)
* [Installation](#installation)
* [General](#general)
* [Virtual servers](#virtual-servers)
* [Locations](#locations)
* [Web protection](#web-protection)
* [Setup](#setup)
* [Configure virtual servers](#configure-virtual-servers)
* [Configure locations](#configure-locations)
* [ProxyPass](#proxypass)
* [Redirect](#redirect)
* [Exchange Server](#exchange-server)
* [Prerequisites](#id1)
* [Setup](#id2)
* [Test web protection](#test-web-protection)
* [Secure WebDav and HTTP File Servers](#secure-webdav-and-http-file-servers)
* [Protect a local server with certificates](#protect-a-local-server-with-certificates)
As part of the OPNsense Business Edition, Deciso offers a plugin to easily protect webservices against all sort of injection attacks and provides encryption for traffic to and from the outside world.
Our Web Application Firewall plugin offers some functionality which can also be found in community plugins available, but in a more user friendly manner. It combines the features most commonly used in [reverse proxies](https://en.wikipedia.org/wiki/Reverse_proxy)
, such as TLS offloading and load balancing.
To ease maintenance the `OPNWAF` plugin offers usage of both internal certificates or newly generated using the ACME protocol via [Let’s Encrypt](https://letsencrypt.org/)
with a single click.
[Prerequisites](#id4)
[](#prerequisites "Permalink to this heading")
----------------------------------------------------------------------
Before using this plugin in combination with Let’s Encrypt, make sure port 443 isn’t being used for the web gui of this firewall (System->Settings->Administration).
Note
When using Let’s Encrypt, The Web Application Firewall uses the tls-alpn-01 challenge type for easy domain verification, this requires the virtual server to listen on port 443. Make sure the firewall allows incoming HTTPS connections on port 443. If the client connects via a custom port, you can forward these requests to port 443, and configure the virtual server to forward these requests to the correct internal port.
[Installation](#id5)
[](#installation "Permalink to this heading")
--------------------------------------------------------------------
To install this plugin, go to System ‣ Firmware ‣ Plugins and search for **os-OPNWAF**, the \[+\] button downloads and installs the software.
Next go to Firewall ‣ Web Application ‣ Settings to enable it.
[General](#id6)
[](#general "Permalink to this heading")
----------------------------------------------------------
Before deep diving into the settings pages, we will explain the most important terminology used in this module.
### [Virtual servers](#id7)
[](#virtual-servers "Permalink to this heading")
A virtual server (also known as a virtual host) is a a concept which allows the use of multiple domains on a single webserver using the same port. In our case it offers the possibility to host various webservers inside your network and forward traffic to them in a secure fashion.
### [Locations](#id8)
[](#locations "Permalink to this heading")
Locations reside in virtual servers and describe on a path level how requests are being handled, if for example one would like to forward only a subdirectory (like `/api`) to a server in the network, the location is where to configure this.
### [Web protection](#id9)
[](#web-protection "Permalink to this heading")
The web protection options offer easy access to the [OWASP ModSecurity ruleset](https://owasp.org/www-project-modsecurity-core-rule-set/)
, which offers a set of generic attack detection rules against a wide range attacks including the [OWASP Top Ten](https://owasp.org/www-project-top-ten/)
.
[Setup](#id10)
[](#setup "Permalink to this heading")
-------------------------------------------------------
Before configuring virtual servers, let’s take a look at the general settings pages (Firewall ‣ Web Application ‣ Settings). After installation, the module itself should be enabled by default.
In order to use the integrated ACME client (for Let’s Encrypt), the ACME enable checkbox needs to be set, the certificate agreement needs to be accepted (next checkbox) and contact email needs to be specified.
Optionally a permanent redirect from HTTP to HTTPS can be enabled for all virtual servers. The HTTP port can be customized if necessary by enabling the advanced mode. Do not forget to create an additional firewall rule to allow access to the HTTP Port. When it is non standard, a port forward is necessary (e.g., listen on 8080, forward 80 to 8080).
[](../../_images/OPNWAF_settings.png)
Web protection is not enabled by default, but you can enable it in the Web protection tab. This is also the place to configure the module and settings which apply for all virtual hosts.
### [Configure virtual servers](#id11)
[](#configure-virtual-servers "Permalink to this heading")
With the general settings in place, we can start adding virtual servers to offload traffic to machines in our network. First go to Firewall ‣ Web Application ‣ Gateways and click on the \[+\] in the top section of the screen, which defines the virtual servers.
| Option | Description |
| --- | --- |
| Enabled | Enable this virtual server. |
| LogLevel | (advanced mode) Log verbosity level |
| ServerName | Fully qualified hostname for this server. |
| Port | Port number this vhost will listen on, can easily be combined with firewall nat rules to map traffic to non standard ports when origination from remote destinations. (e.g., listen on 8443, forward 443 to 8443). |
| Description | User friendly description for this vhost (optional). |
| **Trust** | |
| Enable ACME | Enable the ACME protocol to automatically provision certificates using Let’s Encrypt, when set will ignore the selected certificate (and enable SSL on this virtual server). |
| Certificate | When using a certificate available in the system trust store, select it here. |
| SSL Proxy check peer | This directive configures host name checking for server certificates when mod\_ssl is acting as an SSL client. The check will succeed if the host name from the request URI matches one of the CN attribute(s) of the certificate’s subject, or matches the subjectAltName extension. If the check fails, the SSL request is aborted and a 502 status code (Bad Gateway) is returned. |
| **Access** | |
| CA for client auth | Require a client certificate signed by the provided authority before allowing a connection. |
| CRL for client auth | Attach the (first) found certificate revocation list for the selected CA to this virtual host. Please note when no CRL is offered all clients are rejected. |
| Verify depth for client auth | The depth actually is the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are max allowed to be followed while verifying the client certificate. |
| **Security** | |
| Header Security | Header security, by default several privacy and security related headers are set, in some cases (old applications for example) you might want to disable sending default headers to clients. HSTS can be disabled here if necessary. |
| TLS Security profile | TLS security profile as documented by [Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS) |
| Disable Security Rules by ID | Select one or multiple Web Protection rules to disable via their IDs. This can help to selectively disable rules that cause false positives, without disabling the Web Protection completely. |
| Web Protection | When Web Protection is enabled for the host you may disable it for specific destinations here, or set it to detection only for logging purposes. |
The section above defines the port the virtual server will listen on. Remember, in order to use ACME (Let’s encrypt) this should either be 443 or the traffic should be forwarded from port 443 to the port defined here.
Note
Port numbers can be reused. Multiple virtual servers can share the same port. Hostnames must be unique. They are used to identify the virtual server via SNI (Server Name Indication).
Warning
The ALPN protocol (the challenge type used by Let’s Encrypt) will resolve the FQDNs specified in the virtual host entry to the IP address of the firewall. If your DNS records point to both IPv4 and IPv6 addresses, IPv6 will be preferred by the challenge, so make sure your firewall is reachable via IPv6 as well if this is the case.
When supplying a certificate manually via the system trust store you can assign it in this dialog as well.
### [Configure locations](#id12)
[](#configure-locations "Permalink to this heading")
The virtual server itself doesn’t provide much content to the user other than offering a page telling access is prohibited, so the next step is to map directories to external locations. These can be defined in the Locations grid underneath the Virtual servers.
There are different types of locations:
1. ProxyPass, which Reverse Proxies the HTTP traffic
2. Redirect, which creates a HTTP redirect
3. Exchange Server, a template for Microsoft Exchange Server® with Outlook Anywhere® passthrough
#### [ProxyPass](#id13)
[](#proxypass "Permalink to this heading")
| Option | Description |
| --- | --- |
| Enabled | Enable this location |
| VirtualServer | The server this location belongs to |
| Path | Path of the HTTP request to match (e.g. `/` for all paths). You can also create multiple location entries, each with their own specific path (e.g. `/docs`). They will be processed in the order of their creation. |
| Type | ProxyPass |
| Remote destinations | Locations to forward requests to, when more than one is provided, requests will be loadbalanced in a round robin fashion. Supports `http`, `https`, `ws` and `wss` destinations. When your webapp uses websockets and https requests, use `wss://` |
| Access control | List of networks allowed to access this path (empty means any) |
| Description | User friendly description for this location |
| **Proxy Options** | |
| TLS header passthrough | Select which headers to passthrough to the client, all headers will be prefixed with X- to distinct them more easily from the applications perspective. The original headers use underscores (\_) these will be replaced for minus (-) signs to prevent applications dropping them. |
| Unset Request Headers | Select which request headers to unset before they get passed from the client to the server. Unsetting some of these headers can increase security, e.g., unsetting Accept-Encoding can help preventing BREACH attacks. |
| Preserve Host | When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the hostname specified in the location. This option should normally be turned Off. It is mostly useful in special configurations like proxied mass name-based virtual hosting, where the original Host header needs to be evaluated by the backend server. |
| Connection timeout | Connect timeout in seconds. The number of seconds the server waits for the creation of a connection to the backend to complete. |
The options here are quite simple, first you define a path on your end (`/` in our example), next you define one or more destinations this path should map to (for example you could point to a public server here, like [https://opnsense.org](https://opnsense.org)
).
Note
When more than one destination is provided, the load will be balanced automatically.
Tip
Constraining access to allow only specific networks or hosts can be arranged using the `Access control` input.
#### [Redirect](#id14)
[](#redirect "Permalink to this heading")
| Option | Description |
| --- | --- |
| Enabled | Enable this location |
| VirtualServer | The server this location belongs to |
| Path | Path of the HTTP request to match (e.g. `/` for all paths). You can also create multiple location entries, each with their own specific path (e.g. `/docs`). They will be processed in the order of their creation. |
| Type | Redirect |
| HTTP redirection message | Choose the HTTP redirection message. The default is 307, but others like 301 and 308 are also available. |
| Remote destinations | Locations to redirect requests to, only one is allowed per location per redirect |
| Access control | List of networks allowed to access this path (empty means any) |
| Description | User friendly description for this location |
When setting up a redirect, it will also match HTTP if Redirect HTTP to HTTPS in General Settings has been enabled. If not, only HTTPS is matched.
Note
When a `/` location with a Redirect has been created, there can’t be any additional ProxyPass locations that match the same `/` location, nor a more specific `/docs` location. The redirect will match first, since it will catch and redirect all traffic of the virtual server location. What is possible though, is that there is a `/docs` location that redirects, and an additional `/html` location that proxies traffic, in the scope of the same virtual server.
#### [Exchange Server](#id15)
[](#exchange-server "Permalink to this heading")
| Option | Description |
| --- | --- |
| Enabled | Enable this location |
| VirtualServer | The server this location belongs to |
| Type | Exchange Server |
| Remote destinations | Locations to redirect requests to, only one is allowed per location per redirect |
| Restrict Exchange Paths | Restrict Exchange Server specific paths to networks provided in the Access control field. If paths are selected, exactly these paths will have the Access control attached. Access to path / is filtered per default with a redirect to /owa. All non-selected paths will be allowed from all networks. |
| Access control | Constrain access to networks provided in this list, when not provided no constraints apply. When type is Exchange Server, it will restrict access to paths selected in Restrict Exchange Paths. |
| Description | User friendly description for this location |
##### [Prerequisites](#id16)
[](#id1 "Permalink to this heading")
To successfully reverse proxy an Exchange Server, a few conditions must be met:
* The Exchange Server should be 2013, 2016 or 2019 and fully patched.
* The communication between Apache and the Exchange Server must happen via HTTPS.
* The Exchange Server must have its internal and external URLs set correctly, preferably to the same hostnames that will be set as virtual servers.
Common hostname/path combinations are:
| VirtualDirectory | Internal and external URL of Exchange Server |
| --- | --- |
| OwaVirtualDirectory | `mail.example.com/owa` |
| EcpVirtualDirectory | `mail.example.com/ecp` |
| WebServicesVirtualDirectory | `mail.example.com/EWS/Exchange.asmx` |
| ActiveSyncVirtualDirectory | `mail.example.com/Microsoft-Server-ActiveSync` |
| OabVirtualDirectory | `mail.example.com/OAB` |
| MapiVirtualDirectory | `mail.example.com/mapi` |
| OutlookAnywhere | `mail.example.com/rpc` - ExternalClientAuthenticationMethod set to Negotiate |
| ClientAccessService | `autodiscover.example.com/Autodiscover/Autodiscover.xml` |
When using a self-signed certificate, the authority for the certificate must be imported into System->Trust->Authorities. The certificate must include `mail.example.com` and `autodiscover.example.com` in its SAN. Without trust established between the OPNsense and the Exchange Server, the connection will fail since only encrypted connections are allowed to an Exchange Server.
##### [Setup](#id17)
[](#id2 "Permalink to this heading")
Create two virtual servers with the hostnames of the Exchange Server, e.g., `autodiscover.example.com` and `mail.example.com`. Select Enable ACME or use your own certificate, set Header Security to `Off / compatibility mode`, set Web Protection to `Detection Only`. Adjust these later once the Exchange Server works correctly through the reverse proxy.
Create a Location with the Type `Exchange Server` for each of these virtual servers. As Remote destinations use the internal IP address of the Exchange Server, e.g., `https://192.168.10.10`. If the virtual servers use the same hostnames as the Exchange Server, trust is automatically established with host header passthrough.
These new Locations will create all virtual directories the Exchange Server requires automatically, and activate Outlook Anywhere® passthrough. With the options Restrict Exchange Paths and Access control, access to specific paths can be restricted. This is recommended for the `/ecp` path.
The finished configuration should look like this:
**Virtual Server**
| Option | Description |
| --- | --- |
| Enabled | `X` |
| ServerName | `mail.example.com` (create another virtual server for `autodiscover.example.com`) |
| **Trust** | |
| Enable ACME | `X` |
| SSL Proxy check peer | `X` |
| **Security** | |
| Header Security | Off / compatibility mode |
| TLS Security profile | Intermediate |
| Web Protection | Detection Only |
**Location**
| Option | Description |
| --- | --- |
| Enabled | `X` |
| VirtualServer | `mail.example.com` (create another location for `autodiscover.example.com`) |
| Type | Exchange Server |
| Remote destinations | `https://192.168.10.10` |
| Restrict Exchange Paths | `/ecp` |
| Access control | `192.168.0.0/16 172.16.0.0/12 10.0.0.0/8` |
Note
In case an internal hostname is used in Remote destinations, ensure this name is in the SAN and common name of the self-signed certificate of the Exchange Server. This hostname must be resolvable from the OPNsense. Do not use the same hostname for Virtual servers and Remote destinations to avoid creating a reverse proxy loop.
### [Test web protection](#id18)
[](#test-web-protection "Permalink to this heading")
When web protection was enabled, we always advise to test if it’s actually functional. Luckily this is quite easy to test using a webbrowser. For this example we will try to inject some sql code in the url, which should be blocked when properly configured:
`https://your.example.domain/?id=100 or 'x'='y'`
This should show a page similar to the one below:
[](../../_images/OPNWAF_forbidden.png)
When deploying web protection for virtual servers, start with the Detection Only setting that can be set per virtual server. This way, you can evaluate the Web Security log file, and look for rules that match.
This will reveal if the web application might be outdated and needs patching, because several web protection rules match and would block connections.
If they are false positives, the rule IDs can be set as excemptions with the option Disable Security Rules by ID. Search the rules in the dropdown, and select multiple ones you want to exclude.
After this configuration, set the Web Protection to On (default) to enable it. The web application should now be configured for production. If there are still errors, repeat the above steps.
Attention
Do not exclude too many rules. These matches could be a potential misconfiguration of the web application behind the WAF. Only exclude rules that totally break the functionality of the web application.
### [Secure WebDav and HTTP File Servers](#id19)
[](#secure-webdav-and-http-file-servers "Permalink to this heading")
These servers have specific requirements to work through a WAF. They need an extended set of HTTP Verbs, and higher thresholds for the Request and Response Body.
A popular example for a WebDAV Server is Nextcloud or Owncloud.
Go to the Web Protection Settings, and set the Allowed HTTP Verbs to:
COPY, DELETE, GET, HEAD, LOCK, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, TRACE, UNLOCK.
To allow large file uploads, set Request Body Limit Action to Process Partial. If you want to process as much content of the file as possible, enable the advanced mode and set custom values for the Request Body and Response Body limits.
If the file is larger than the configured limits, it will only be processed partially. This means, the whole file will be uploaded, but only a portion of the file is analyzed by the web application parser. Rejecting can improve security, yet will make large files fail completely if they exceed the configured hard limits.
Note
Increasing the Body limits will increase the log file sizes, and will eventually use the disk of the OPNsense to write files upon inspection. For this, the Request Body in Memory Limit can be increased to 1GB to focus on RAM usage. If you want to use the least ressources, logging and disk I/O, leave all settings on default, and set Request Body Limit Action to Process Partial.
Tip
If many different file extensions are hosted on the WebDAV server, some of these will be blocked by default rules. In that case, disable the rule: `920440 (URL file extension is restricted by policy)`
### [Protect a local server with certificates](#id20)
[](#protect-a-local-server-with-certificates "Permalink to this heading")
In the above virtual host configuration there are a couple of parameters related to client authentication. The advantage of using these is that you can prevent unauthorized access to services using certificates signed by a (local) certificate authority.
To use this functionality, first make sure you have a certificate authority defined in System ‣ Trust ‣ Authorities which you are going to use to create certificates for your clients.
Next step is to add a VirtualServer which contains at least the following information:
| Option | Description |
| --- | --- |
| ServerName | The fully qualified domain name this host listens to |
| Port | Port number to bind to, you can use [Port forwarding](../../manual/nat.html)
to redirect traffic from standard ports to non standard ones when needed |
| Certificate / Enable ACME | Either use an ACME certificate or define one yourself, this one should be trusted by the browser connecting to this host |
| CA for client auth | select the Authority created earlier |
Followed by a location, which maybe as simple as binding path `/` to a local machine without certificate at `http://10.0.0.1`.
Tip
You can use revocation lists to pull back access rights for selected clients, just make sure to restart the service in order to make the changes effective.
After this step, clients should not be able to access the virtual host, next you can create a certificate for the client and import it in the trust store. Usually browsers automatically pick these up when allowed by the client.
---
# Updates — OPNsense documentation
* [](../index.html)
* [Installation and setup](../setup.html)
* Updates
* * *
Updates[](#updates "Permalink to this heading")
=================================================
The OPNsense update schedule consists of two major releases each year, which receive minor updates about every two weeks. The major release version number consists of the year and months of release (e.g. 25.1 for the January 2025 release), with the fortnightly minor updates adding a third number (e.g. 25.1.3 for the third update to 25.1).
Update settings[](#update-settings "Permalink to this heading")
-----------------------------------------------------------------
By navigating to System ‣ Firmware ‣ Settings, you can influence the firmware update settings:
* **Fimware Mirror:** this influences where OPNsense tries to get its updates from. If you have troubles updating or searching for updates, or if your current mirror is running slowly, you can change it here.
* **Release Type:** With this setting, you can switch between the regular fortnightly schedule of tested releases (Production) or the newest, not fully tested code (Development). **Please leave this setting on “Production”, unless you fully understand the implications of switching.**
Tip
The settings page is also the place where you can run audits which help debugging common connectivitty issues, just press the “Run an audit” and choose “Connectivity” from the list.
Minor updates[](#minor-updates "Permalink to this heading")
-------------------------------------------------------------
Updates can be installed from the web interface, by going to System ‣ Firmware ‣ Status. On this page, you can click **Check for updates** to search for updates. If they are available, a button will appear to install them.
Major Upgrades[](#major-upgrades "Permalink to this heading")
---------------------------------------------------------------
Major upgrades are recommended to do via VGA display or serial console because you can see what is going on.
Note
You can find some documentation about serial access under [Serial Access](how-tos/serial_access.html)
Warning
Major updates are installed offline. So no web interface or SSH is running to monitor the upgrade. If something fails, you need a second connection or direct access to revert the VM or repair the installation.
If you choose option 12 on the console menu on latest release, you are asked if you want to upgrade to the newest version or to the next major release. Type in the major release number (for example “19.1”) and press enter. OPNsense will download all release files for an offline upgrade (kernel, packages etc.) and will reboot afterwards.
After a reboot, it will install all updates and when it is done, it will reboot again, then you should be on the desired release.
Troubleshooting updates[](#troubleshooting-updates "Permalink to this heading")
---------------------------------------------------------------------------------
The connectivity audit offers a direction where to look for issues during updates and the following causes are in our experience most common:
* Misconfigured DNS settings, check System ‣ Settings ‣ General for configured servers the firewall is allowed to use
* Misconfigured IPv6, in which case “Prefer IPv4 over IPv6” in System ‣ Settings ‣ General might help to prevent the system from using IPv6 in these cases
* In HA (carp) setups, using the wrong extrenal IPaddress, usually caused by a misconfigued outbound nat rule, easy to check by disabling manual outbound nat rules in Firewall ‣ NAT ‣ Outbound.
The heath audit can also help with uncovering installation and disk / file system issues. Additionally, major ugpgrades may not pass certain sanity checks that need to be corrected first which may include the command line:
* “Could not determine core package name.” can indicate that the local package manager database was lost. See opnsense-bootstrap command to fix.
* “No package manager is installed to perform upgrades.” can indicate a broken installation. Try to reinstall the “pkg” package via System –> Firmware –> Packages.
* “The Package manager is incompatible and needs a reinstall.” can indicate misuse of the FreeBSD repository. Try to reinstall the “pkg” package via System –> Firmware –> Packages.
* “Core package not known to package database.” can mean that the mirror settings are wrong, the main mirror no longer holds any packages or that the mirror is unreachable for other reasons.
The forum is a good place to post your update and upgrade issues if you get stuck despite the best effort.
---
# Extended Blocklists — OPNsense documentation
* [](../../index.html)
* [Business Edition](../../be.html)
* Extended Blocklists
* * *
Extended Blocklists[](#extended-blocklists "Permalink to this heading")
=========================================================================
As part of the OPNsense Business Edition, Deciso offers the extended blocklists module as part of the standard Business Edition installation. With this module you are able to configure DNS blocking policies in a more fine-grained manner by specifying networks on which the blocklists should apply.
The extended blocklists can be found under Services->Unbound DNS->Extended Blocklists.
Blocklists[](#blocklists "Permalink to this heading")
-------------------------------------------------------
Blocklists are configured in the same manner as with regular blocklists, except they are listed in a grid, where multiple blocklists and multiple networks may be defined per grid entry to ease administration for a large amount of networks. An optional description may be provided for your own reference.
Source networks are provided as IP addresses in CIDR notation, or singular IP addresses. The validation for this field is strict, meaning that setting host bits in a CIDR notation is not allowed.
Note
If you’d like to use the extended blocklists module, keep in mind that the regular blocklists, if configured, are still active. They define a policy for all networks, and are given preference above the extended blocklists. Therefore it’s possible that a conflict arises between blocklists for a specific network and regular blocklists. Please verify that the relevant blocklists are not configured in Services->Unbound DNS->Blocklist.
If you’re not sure if a policy would overlap in this manner, please use the tester as described below.
Custom[](#custom "Permalink to this heading")
-----------------------------------------------
In the Custom tab you are able to configure custom domains to block, also per source network. The domains can either be exact matches, or entered as a wildcard in a separate field. Wildcard entries will block every subdomain of the configured domain name. It’s not possible to block a first-level domain such as ‘com’.
To prevent cluttering in the grid, the relevant domains and wildcards are not shown in the grid. Therefore it’s mandatory to add a description for your own reference so you can easily locate a custom policy. You can view the blocked domains/wildcards by clicking “edit” on the grid entry.
Tester[](#tester "Permalink to this heading")
-----------------------------------------------
If you’d like to verify whether a specified domain is correctly being blocked, or if you want to know if a domain is part of a specific list, you can use the tester to see the policy that’s applied to a DNS request. Here you’re able to enter a domain, as well as a source IP address to simulate a request from a specific address. Note that no actual DNS request is sent if a domain were to pass, it’s kept isolated as part of the blocklisting mechanism.
It’s also possible to verify whether a domain overlaps with another policy. For example, if you configured the facebook blocklist, the output would look something like this:
{
"status": "OK",
"action": "Block",
"policy": {
"bl": "ext\_blf0",
"wildcard": false,
"source\_net": \[\
"192.168.2.0/24",\
"192.168.1.0/24",\
"10.0.0.0/8"\
\]
}
}
However, if you also enabled the facebook blocklist in the regular blocklist section, you would get:
{
"status": "OK",
"action": "Block",
"policy": {
"bl": "blf0",
"wildcard": false,
"collisions": \[\
{\
"bl": "ext\_blf0",\
"wildcard": false,\
"source\_net": \[\
"192.168.2.0/24",\
"192.168.1.0/24",\
"10.0.0.0/8"\
\]\
}\
\],
"source\_net": \[\]
}
}
which would tell you that a regular list is conflicting with an extended blocklist policy.
---
# Included software — OPNsense documentation
* [](../index.html)
* [Installation and setup](../setup.html)
* Included software
* * *
Included software[](#included-software "Permalink to this heading")
=====================================================================
OPNsense® comes with a lot of features included in the base system, for some situations you may need additional software, which is either provided via a plugin or only as a binary package (without user interface).
This chapter aims to provide some details on the components included in the system, where to find them and how to install them when not installed by default.
The operating system[](#the-operating-system "Permalink to this heading")
---------------------------------------------------------------------------
The basic ( [FreeBSD](https://www.freebsd.org/)
) system contains a kernel and a base package, which provide the bare essentials for the system to be able to boot and do its work.
Both components are updated using `opnsense-update`, which is explained in more detail [here](https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-update)
.
Plugins[](#plugins "Permalink to this heading")
-------------------------------------------------
Plugins are packages offered by OPNsense®, which can be installed directly via the user interface and often come with setup options accessible for the end-user.
Since OPNsense® is a community driven project, the amount of (community/commercial) support available on these plugins can be different.
Note
The plugin repository is maintained by the project, when plugins are not kept up to date by its maintainer, they will be removed at some point in time. (a good example for such a plugin would be if one requires python 2 and we stop shipping it due to upstream deprecation)
Packages (pkg)[](#packages-pkg "Permalink to this heading")
-------------------------------------------------------------
Binary software is installed using pkg, which uses our software repository (available via multiple mirrors). All installed software can be found via the user interface System -> Firmware ->Packages, but in some situations people want to install additional software via the command line of the machine itself.
To find a full list of all software available, you can use the following command:
pkg rquery '%n (%v)'
If, for example you would like to install the gnu [nano](https://www.nano-editor.org/)
editor, you can do so using the following command:
pkg install nano
Note
OPNsense® is a firewall distribution, we aim to keep our footprint as small as possible. This means that we don’t build all the software available in the world. If you need a specific package for your use-case, you could always ask via a support ticket on [GitHub](https://github.com/opnsense/tools/issues)
, but note that packages not used by our core system or a supported plugin would not be guaranteed in the future (build contents may change over time).
Warning
Adding (FreeBSD, ..) repositories in `/usr/local/etc/pkg/repos/` manually is not supported and usually lead to unexpected issues. Before reporting any type of issue with such setups, we kindly ask you to revert to a standard setup first.
The ports tree[](#the-ports-tree "Permalink to this heading")
---------------------------------------------------------------
In case you are using software, which is not supplied by us, you can always build these packages yourself. It’s best to use our build system to facilitate this, you can do so using the following commands
opnsense-code ports
cd /usr/ports/your/port
make install
To update a package, the following command can be used instead:
opnsense-code ports
cd /usr/ports/your/port
make reinstall
It might be necessary for some ports to also install the source tree:
opnsense-code src
Note
There are a lot of resources available about building ports packages, such as [https://www.freebsd.org/ports/](https://www.freebsd.org/ports/)
and the pointers in our documentation and tools. We consider building custom software a feature not usable for beginners, before creating support tickets, make sure you have the necessary skillsets needed to perform such tasks.
---
# Hardware sizing & setup — OPNsense documentation
* [](../index.html)
* [Installation and setup](../setup.html)
* Hardware sizing & setup
* * *
Hardware sizing & setup[](#hardware-sizing-setup "Permalink to this heading")
===============================================================================
The **hardware setup** requires a careful preparation and selection of the standard PC hardware components for the intended installation of OPNsense.
⚠ Computer hardware with the open source security software OPNsense® pre-installed can be purchased directly from various (online) stores.
Tip
The OPNsense development team encourage everyone looking for a turn-key solution to buy from [Deciso](https://www.deciso.com)
or one of the other partners listed at our partner page. **Listed partners make significant contributions back to the project.**
Supported hardware architectures[](#supported-hardware-architectures "Permalink to this heading")
---------------------------------------------------------------------------------------------------
OPNsense® is available for [x86-64](https://en.wikipedia.org/wiki/X86-64)
(amd64) bit microprocessor architectures. Full installs on [SD memory cards](https://en.wikipedia.org/wiki/Secure_Digital)
, [solid-state disks (SSD)](https://en.wikipedia.org/wiki/Solid-state_drive)
or [hard disk drives (HDD)](https://en.wikipedia.org/wiki/Hard_disk_drive)
are intended for OPNsense.
While the range of supported devices are from embedded systems to rack mounted servers, the hardware must be capable of running 64-bit [operating systems](https://en.wikipedia.org/wiki/operating_system)
.
Hardware requirements[](#hardware-requirements "Permalink to this heading")
-----------------------------------------------------------------------------
For substantially narrowed OPNsense® functionality there is the basic specification. For full functionality there are minimum, reasonable and recommended specifications.
Minimum
The minimum specification to run all OPNsense standard features that do not need disk writes, means you can run all standard features, except for the ones that require disk writes, e.g. a caching proxy (cache) or intrusion detection and prevention (alert database).
| | |
| --- | --- |
| Processor | 1 GHz dual core cpu |
| RAM | 2 GB |
| Install method | Serial console or video (vga) |
| Install target | SD or CF card with a minimum of 4 GB, use nano images for installation. |
Table: _Minimum hardware requirements_
Reasonable
The reasonable specification to run all OPNsense standard features, means every feature is functional, but perhaps not with a lot of users or high loads.
| | |
| --- | --- |
| Processor | 1 GHz dual core cpu |
| RAM | 4 GB |
| Install method | Serial console or video (vga) |
| Install target | 40 GB SSD, a minimum of 2 GB memory is needed for the installer to run. |
Table: _Reasonable hardware requirements_
Recommended
The recommended specification to run all OPNsense standard features, means every feature is functional and fits most use cases.
| | |
| --- | --- |
| Processor | 1.5 GHz multi core cpu |
| RAM | 8 GB |
| Install method | Serial console or video (vga) |
| Install target | 120 GB SSD |
Table: _Recommended hardware requirements_
Hardware guide
The hardware required for your local OPNsense, will be determined by the intended minimum [throughput](#throughput)
and the feature set.
Impact of Feature set[](#impact-of-feature-set "Permalink to this heading")
-----------------------------------------------------------------------------
While most features do not affect hardware dimensioning, a few features have massive impact on it. The candidates are:
[Squid](https://en.wikipedia.org/wiki/Squid_(software))
a caching web proxy which can be used for web-content control, respectively. These packages rely strongly on CPU load and disk-cache writes.
[Captive portal](https://en.wikipedia.org/wiki/Captive_portal)
settings with hundreds of simultaneously served captive portal users will require more CPU power in all the hardware specifications displayed below.
[State transition tables](https://en.wikipedia.org/wiki/State_transition_table)
it is a known fact, that each state table entry requires about 1 kB (kilobytes) of RAM. The average state table, filled with 1000 entries will occupy about ~1 MB (megabytes) of [RAM](https://en.wikipedia.org/wiki/Random-access_memory)
. OPNsense usage settings with hundred of thousands of connections will require memory accordingly.
Throughput[](#throughput "Permalink to this heading")
-------------------------------------------------------
The main hardware-factors of the OPNsense setup involved are CPU, RAM, mass storage (disc), the number and quality of network interfaces.
| Throughput (Mbps) | Hardware requirements | Feature set | Users / Networks |
| --- | --- | --- | --- |
| 11-150 | Basic spec. | narrowed | adjusted (10-30) |
| 11-150 | Minimum spec. | reduced | adjusted (10-30) |
| 151-350 | Reasonable spec. | all | substantial (30-50) |
| 350-750+ | Recommended spec. | all | substantial+ (50-150+) |
| Mbps (Mbit/s or Mb/s) - Megabit per second - 1,000,000 bits per second | | | |
Network interface cards
As the FreeBSD hardware-lists and -recommendations say, Intel® network interface cards (NIC) for [LAN](https://en.wikipedia.org/wiki/Local_area_network)
connections are reliable, fast and not error-prone. Intel chipset NICs deliver higher throughput at a reduced [CPU load](https://en.wikipedia.org/wiki/Load_(computing))
.
Supported hardware
FreeBSD is the base of OPNsense. All FreeBSD drivers are included in the OPNsense kernel, and the hardware compatibility is the same.
Tip
If you are looking to buy new hardware then take a look at our [partner page](https://opnsense.org/partners)
as these partners contribute back to OPNsense and sell hardware that is know to work well.
For further help and support, see
* [FreeBSD 14.1 Hardware Compatibility List](https://www.freebsd.org/releases/14.1R/hardware/)
* [OPNsense Forum](https://forum.opnsense.org/)
List of references
* Schellevis, Jos; _Hardware requirements_; [OPNsense > Get started](https://opnsense.org/users/get-started/)
(2015)
* McKusick, Marshall; Neville-Neil, George V; Warson, Robert NM; _The Design and Implementation of the FreeBSD Operating System_ (2015); Addison-Wesley, New Jersey; ISBN 978-0321968975
---
# Virtual & Cloud based Installation — OPNsense documentation
* [](../index.html)
* [Installation and setup](../setup.html)
* Virtual & Cloud based Installation
* * *
Virtual & Cloud based Installation[](#virtual-cloud-based-installation "Permalink to this heading")
=====================================================================================================
Local/Server[](#local-server "Permalink to this heading")
-----------------------------------------------------------
Installing OPNsense on a virtual machine can be done by using the DVD ISO image. Full instructions are available in chapter [Initial Installation & Configuration](install.html)
.
### General tips[](#general-tips "Permalink to this heading")
For optimum performance and compatibility, these guides are given:
* Minimum required RAM is 1 GB
* Minimum recommended virtual disk size of 8 GB
* Disable all off-loading settings in Interfaces ‣ Settings

### VMware ESXi[](#vmware-esxi "Permalink to this heading")
VMware offers full instructions for installing FreeBSD, these can be found [here](https://partnerweb.vmware.com/GOSIG/FreeBSD_14x.html)
.
To install the VMware tools just goto System ‣ Firmware ‣ Plugins and install **os-vmware** by clicking on the **+** sign next to it.

Note
While other network setups may work fine, the VMXNET 3 is the recommended one according to VMware’s Compatibility Guide.
### Xen[](#xen "Permalink to this heading")
To install the Xen tools just goto System ‣ Firmware ‣ Plugins and install **os-xen** by clicking on the **+** sign next to it.

### HyperV[](#hyperv "Permalink to this heading")
HyperV Generation 1 and 2 are supported out of the box, no additional drivers or tools are needed.
* Secure Boot setting must be un-ticked in the Hardware > Security section for the VM.
### KVM[](#kvm "Permalink to this heading")
**i440FX chipset** OPNsense on KVM works with virtio disks and network devices (confirmed on QEMU 5.0).
**Q35 chipset** As of 22.1.x, OPNsense is based on FreeBSD 13.0, which includes support for the virtualized Q35 chipset and newer generation of KVM virtio devices. Note that this was a relatively recent addition to FreeBSD, so it may not be as well tested as the i440 support.
### Others[](#others "Permalink to this heading")
OPNsense can be installed on all virtual machines that support FreeBSD (such as Bhyve, VirtualBox).
### Hosted[](#hosted "Permalink to this heading")
For hosted installations where you can’t install using the DVD ISO an alternative approach is available in the form of **opnsense-bootstrap**.
### opnsense-bootstrap[](#opnsense-bootstrap "Permalink to this heading")
opnsense-bootstrap(8) is a tool that can completely reinstall a running system in place for a thorough factory reset or to restore consistency of all the OPNsense files. It can also wipe the configuration directory, but won’t do that by default.
It will automatically pick up the latest available version and build a chain of trust by using current package fingerprints -> CA root certificates -> HTTPS -> OPNsense package fingerprints.
What it will also do is turn a supported stock FreeBSD release into an OPNsense installation. Both UFS and ZFS installations are supported.
opnsense bootstrap is available for our [github source repository](https://github.com/opnsense/update/tree/master/bootstrap)
Amazon AWS EC2 Cloud[](#amazon-aws-ec2-cloud "Permalink to this heading")
---------------------------------------------------------------------------
[](../_images/amazon-web-services.png)
Installing OPNsense into the Amazon cloud can be a daunting task as no console is offered. Luckily an easy to install AMI is also available in the aws marketplace.
See also our how-to for [Installing OPNsense AWS image](how-tos/installaws.html)
.
Microsoft Azure[](#microsoft-azure "Permalink to this heading")
-----------------------------------------------------------------
[](../_images/Azure.png)
OPNsense is also available in the Microsoft Azure Marketplace as an easy installable virtual appliance.
See also our how-to for [OPNsense Azure Virtual Appliance](how-tos/installazure.html)
.
Common Issues[](#common-issues "Permalink to this heading")
-------------------------------------------------------------
Some common issues have been reported for different virtual environments. You can find known solutions to these problems below.
If your problem is not listed always try the General tips mentioned in the article first.
### File copy failed during installation[](#file-copy-failed-during-installation "Permalink to this heading")
This issue is most likely caused by low memory setting. Make sure your virtual OPNsense installation has a minimum of 1 GB of RAM.
### Disk Errors on VMware[](#disk-errors-on-vmware "Permalink to this heading")
This issue can be caused by a defective drive. Changing the drive mode to IDE has been reported to help for certain ESXi versions.
### NAT issues on XenServer[](#nat-issues-on-xenserver "Permalink to this heading")
This issue has been reported to be solved by disabling checksum offloading on both OPNsense domU and Vifs.
### Traffic Shaper does not work on VMware[](#traffic-shaper-does-not-work-on-vmware "Permalink to this heading")
If you are using vmxnet3 drivers try to switch to E1000.
---
# Initial Installation & Configuration — OPNsense documentation
* [](../index.html)
* [Installation and setup](../setup.html)
* Initial Installation & Configuration
* * *
[Initial Installation & Configuration](#id1)
[](#initial-installation-configuration "Permalink to this heading")
==================================================================================================================
Note
Just looking on how to invoke the installer? When the live environment has been started just login with user **installer** and password **opnsense**.
Index
* [Initial Installation & Configuration](#initial-installation-configuration)
* [Architecture](#architecture)
* [Embedded vs Full](#embedded-vs-full)
* [Installation Images](#installation-images)
* [Image Filename Composition](#image-filename-composition)
* [Download and Verification](#download-and-verification)
* [Installation Media](#installation-media)
* [System Boot Preparation](#system-boot-preparation)
* [Installation Instructions](#installation-instructions)
* [OPNsense Importer](#opnsense-importer)
* [Live Environment](#live-environment)
* [OPNsense Installer](#opnsense-installer)
* [Nano Image](#nano-image)
* [Initial Configuration](#initial-configuration)
[Architecture](#id2)
[](#architecture "Permalink to this heading")
--------------------------------------------------------------------
The **software setup** and installation of OPNsense® is available for the [x86-64](https://en.wikipedia.org/wiki/X86-64)
microprocessor architecture only.
[Embedded vs Full](#id3)
[](#embedded-vs-full "Permalink to this heading")
----------------------------------------------------------------------------
OPNsense offers two Image types with all major releases: embedded and full images. The Embedded Image is intended for environments where preinstalling the storage media is required due to a lack of local resources on the firewall like storage, and/or console access (VGA/Serial). The image is tailored to reduce write cycles as well, but the image can be used anywhere. Another reason for the Embedded Image is to eliminate the need for local console access for installing OPNsense. Installation is managed by prewriting the image to a storage device, installing the storage device, and booting the system.
Full Images provide installation tools like OPNsense Importer, Live Environment, and Installer. Full Images are released to support different console/hardware installation requirements.
Both image types can be installed and run from virtual disks (VM), [SD memory cards](https://en.wikipedia.org/wiki/Secure_Digital)
, USB disks, [solid-state disks (SSD)](https://en.wikipedia.org/wiki/Solid-state_drive)
, or [hard disk drives (HDD)](https://en.wikipedia.org/wiki/Hard_disk_drive)
.
The main differences between embedded and full images are:
| Embedded | Full |
| --- | --- |
| Writes to RAM disk | Writes to local disk |
| No log data retention after reboot | Log data retention after reboot |
| Not intended for local disk writes | Suitable for disk writes. |
| Embedded only use, SWAP file is optional | Can enable RAM disk for embedded mode. |
Embedded image store logging and cache data in memory only, while full versions will keep the data stored on the local drive. A full version can mimic the behavior of an embedded version by enabling RAM disks, this is especially useful for SD memory card installations.
Warning
See the chapter [Hardware Sizing & Setup](hardware.html)
for further information on hardware requirements prior to an install.
[Installation Images](#id4)
[](#installation-images "Permalink to this heading")
----------------------------------------------------------------------------------
Depending on your hardware and use case, different installation options are available:
| Type | Description | Image Type |
| --- | --- | --- |
| dvd | ISO image boots into a live environment in VGA-only mode with UEFI support | Full |
| vga | USB image boots into a live environment in VGA-only mode with UEFI support | Full |
| serial | USB image boots into live environment running in serial console (115200) mode only with UEFI support | Full |
| nano | Image for preinstalling onto >=4 GB USB drives, SD, or CF cards for use with embedded devices running in serial console (115200) mode with secondary VGA support (no kernel messages though) | Embedded |
Note
All Full Image types can run both [OPNsense Importer](https://docs.opnsense.org/manual/install.html#opnsense-importer)
before booting into the Live environment and also run [Installer](https://docs.opnsense.org/manual/install.html#install-to-target-system)
once booted into the Live environment.
Warning
Flash memory cards will only tolerate a limited number of writes and re-writes. For Nano image memory disks for **/var/log** and **/tmp** are applied by default to prolong CF (flash) card lifetimes.
To enable non-embedded versions: Go to System ‣ Settings ‣ Miscellaneous ‣ Disk / Memory Settings, change the setting, then reboot. Consider enabling an external syslog server as well.
[Image Filename Composition](#id5)
[](#image-filename-composition "Permalink to this heading")
------------------------------------------------------------------------------------------------

Note
**Please** be aware that the latest installation media does not always correspond with the latest released version available. OPNsense installation images are provided on a scheduled basis with major release versions in January and July. More information on our release schedule is available from our package repository, see [README](https://pkg.opnsense.org/releases/mirror/README)
. We are encouraged to update OPNsense after installation to be on the latest release available, see [Update Page](https://docs.opnsense.org/manual/updates.html)
.
[Download and Verification](#id6)
[](#download-and-verification "Permalink to this heading")
----------------------------------------------------------------------------------------------
The OPNsense distribution can be [downloaded](https://opnsense.org/download)
from one of our [mirrors](https://opnsense.org/download)
.
OpenSSL is used for image file verification. 4 files are needed for verification process:
* The SHA-256 checksum file (.sha256)
* The bzip compressed image file (..bz2)
* The signature file for the uncompressed image file (..sig)
* The openssl public key (.pub)
Use one of the OPNsense mirrors to download these files:
1. Go to the bottom of OPNSense [download](https://opnsense.org/download)
page.
2. Click one of the available mirrors closest to your location.
3. Download one of each file mentioned above for your Image type.
The OpenSSL public key (.pub) is required to verify against. Although the file is available on the mirror’s repository, you should not trust the copy there. Download it, open it up, and verify the public key matches the one from other sources. If it does not, the mirror may have been hacked, or you may be the victim of a man-in-the-middle attack. Some other sources to get the public key from include:
* [https://pkg.opnsense.org/releases/mirror/README](https://pkg.opnsense.org/releases/mirror/README)
* [https://forum.opnsense.org/index.php?board=11.0](https://forum.opnsense.org/index.php?board=11.0)
* [https://opnsense.org/blog/](https://opnsense.org/blog/)
* [https://github.com/opnsense/changelog/tree/master/community](https://github.com/opnsense/changelog/tree/master/community)
* [https://pkg.opnsense.org](https://pkg.opnsense.org)
(/://sets/changelog.txz)
Note
Only major release announcements for images contain the public key, and update release announcements will not. i.e. 22.1 will have a copy of the public key in the release announcement, but 22.1.9 will not.
Once you download all the required files and verify that the public key matches the public key found in one of the alternate sources listed above, you can be relatively confident that the key has not been tampered with. To verify the downloaded image, run the following commands (substituting the filenames in brackets for the files you downloaded):
openssl sha256 OPNsense\-.bz2
Match the checksum command output with the checksum values in the file `OPNsense--OpenSSL-checksums-amd64.sha256`. If the checksums don’t match, redownload your image file.
If checksums match continue with the verification commands.
openssl base64 \-d \-in OPNsense\-..sig \-out /tmp/image.sig
openssl dgst \-sha256 \-verify OPNsense\-.pub \-signature /tmp/image.sig OPNsense\-.
Warning
Make sure to unpack the image using `bunzip2` before verifying. Our signatures are generated before compressing them (as of OPNsense version 24.1)
If the output of the second command is “**Verified OK**”, your image file was verified successfully, and its safe to install from it. Any other outputs, and you may need to check your commands for errors, or the image file may have been compromised.
[Installation Media](#id7)
[](#installation-media "Permalink to this heading")
--------------------------------------------------------------------------------
Now that you have downloaded and verified the installation image from above. You must unpack the image file before you can write the image to disk. For Unix-like OSes use the following command:
bzip2 \-d OPNsense\-.bz2
For Windows use an application like [7zip](https://www.7-zip.org/download.html)
. The `.bz2` will be removed from the end of the filename after command/application completes.
After unpacking the image you can create the installation media. The easiest method to install OPNsense is to use the USB “[vga](https://docs.opnsense.org/manual/install.html#installation-media)
” Image. If your target platform has a serial console interface choose the “[serial](https://docs.opnsense.org/manual/install.html#installation-media)
” image. If you need to know more about using the serial console interface, consult the [serial access how-to](how-tos/serial_access.html)
.
Write the image to a USB flash drive (>=1 GB) or hard disk, using either dd for Unix-like OSes and for Windows use physdiskwrite, [Etcher](https://www.balena.io/etcher#download-etcher)
, or [Rufus](https://rufus.ie/)
.
**FreeBSD**
dd if\=OPNsense\-##.#.##-\[Type\]-\[Architecture\].img of=/dev/daX bs=16k
Where X = the device number of your USB flash drive (check `dmesg`)
**OpenBSD**
dd if\=OPNsense\-##.#.##-\[Type\]-\[Architecture\].img of=/dev/rsd6c bs=16k
The device must be the ENTIRE device (in Windows/DOS language: the ‘C’ partition), and a raw I/O device (the ‘r’ in front of the device “sd6”), not a block mode device.
**Linux**
sudo dd if\=OPNsense\-##.#.##-\[Type\]-\[Architecture\].img of=/dev/sdX bs=16k
where X = the IDE device name of your USB flash drive (check with hdparm -i /dev/sdX) (ignore the warning about trailing garbage - it’s because of the digital signature)
**macOS**
sudo dd if\=OPNsense\-##.#.##-\[Type\]-\[Architecture\].img of=/dev/rdiskX bs=64k
where r = raw device, and where X = the disk device number of your CF card (check Disk Utility) (ignore the warning about trailing garbage - it’s because of the digital signature)
**Windows**
physdiskwrite \-u OPNsense\-##.#.##-\[Type\]-\[Architecture\].img
(use v0.3 or later!)
[System Boot Preparation](#id8)
[](#system-boot-preparation "Permalink to this heading")
------------------------------------------------------------------------------------------
After preparing the installation media, we need to make sure we can access the console (either via keyboard and \[virtual\]monitor or [serial connectivity](how-tos/serial_access.html)
). Next we need to know how to access the boot menu or the system bios (UEFI) to boot from the installation media. Most times will be a function (F#), Del, or ESC key that needs to pressed immediately after powering on (or rebooting) the system. Usually within the first 2 to 3 seconds from powering up.
Tip
OPNsense devices from the [OPNsense shop](https://shop.opnsense.com/)
use `` to enter the bios and boot selection options.
Note
Serial connectivity settings for DECXXXX devices can be found [here](../hardware/serial_connectivity.html)
[Installation Instructions](#id9)
[](#installation-instructions "Permalink to this heading")
----------------------------------------------------------------------------------------------
Install Instructions
OPNsense installation boot process allows us to run several optional configuration steps. The boot process was designed to always boot into the live environment, allowing us to access the GUI or even SSH directly. If a timeout was missed, restart the boot procedure.
### [OPNsense Importer](#id10)
[](#opnsense-importer "Permalink to this heading")
All Full Images have the OPNsense Importer feature that offers flexibility in recovering failed firewalls, testing new releases without overwriting the current installation by running the new version in memory with the existing configuration or migrating configurations to new hardware installations. Using Importer is slightly different between previous installs with existing configurations on disk vs new installations/migrations.
For systems that have OPNsense installed, and the configuration intact. Here is the process:
1. Boot the system with installation media
2. Press any key when you see **“Press any key to start the configuration importer”**.
1. If you see OPNsense logo you have past the Importer and will need to reboot.
3. Type the device name of the existing drive that contains the configuration and press enter.
4. If Importer is successful, the boot process will continue into the Live environment using the stored configuration on disk.
5. If Importer was unsuccessful, we will returned to the device selection prompt. Confirm the device name is correct and try again. Otherwise, there maybe possible disk corruption and restoring from backup.
At this point the system will boot up with a fully functional firewall in Live enironment using existing configuration but will not overwrite the previous installation. Use this feature for safely previewing or testing upgrades.
For New installations/migrations follow this process:
1. We must have a 2nd USB drive formatted with FAT or FAT32 File system.
1. Preferable non-bootable USB drive.
2. Create a **conf** directory on the root of the USB drive
3. Place an _unencrypted_ .xml into /conf and rename the file to **config.xml** (`/conf/config.xml`)
4. Put both the Installation media and the 2nd USB drive into the system and power up / reboot.
5. Boot the system from the OPNsense Installation media via Boot Menu or BIOS (UEFI).
6. Press aany key when you see: **“Press any key to start the configuration importer”**
7. Type the device name of the 2nd USB Drive, e.g. da0 or nvd0 , and press Enter.
1. If Importer is successful, the boot process will continue into the Live environment using the configuration stored on the USB drive.
2. If unsuccessful, importer will error and return us to the device selection prompt. Suggest repeating steps 1-3 again.
### [Live Environment](#id11)
[](#live-environment "Permalink to this heading")

After booting with an OPNsense Full Image (DVD, VGA, Serial), the firewall will be in the Live environment with and without the use of OPNsense Importer. We can interact with the Live environment via Local Console, GUI (HTTPS), or SSH.
By default, we can log into the shell using the user `root` with the password `opnsense` to operate the live environment via the local console.
The GUI is accessible at [https://192.168.1.1/](https://192.168.1.1/)
using Username: `root` Password: `opnsense` by default (unless a previous configuration was imported).
Using SSH we can access the firewall at IP **192.168.1.1** . Both the **root** and **installer** users are available with the password specified above.
Note
That the installation media is read-only, which means your current live configuration will be lost after reboot.
Continue to [OPNsense Installer](#opnsense-installer)
to install OPNsense to the local storage device.
### [OPNsense Installer](#id12)
[](#opnsense-installer "Permalink to this heading")
Note
To invoke the installer login with user **installer** and password **opnsense**
After successfully booting up with the OPNsense Full Image (DVD, VGA, Serial), the firewall will be at the Live Environment’s login: prompt. To start the installation process, login with the user `installer` and password `opnsense`. If Importer was used to import an existing configuration, the installer and root user password would be the root password from the imported configuration.
If the installer user does not work, log in as user root and select: `8) Shell` from the menu and type `opnsense-installer`. The `opnsense-importer` can also be run this way should you require to rerun the import.
The installer can always be run to clone an existing system, even for Nano images. This can be useful for creating live backups for later recovery.
Tip
The installer can also be started from an inside host using ssh. Default ip address is `192.168.1.1`
The installation process involves the following steps:
1. Keymap selection - The default configuration should be fine for most Occasions.
2. Install (UFS|ZFS) - Choose UFS or ZFS filesystem. ZFS is in most cases the best option as it is the most reliable option, but it does require enough capacity (a couple of gigabytes at least).
3. Partitioning (ZFS) - Choose a device type. The default option (stripe) is usually acceptable when using a single disk.
4. Disk Selection (ZFS) - Select the Storage device e.g. `da0` or `nvd0`
5. Last Chance! - Select Yes to continue with partitioning and to format the disk. However, doing so will **destroy** the contents of the disk.
6. Continue with recommended swap (UFS) - Yes is usually fine here unless the install target is very small (< 16GB)
7. Select Root Password - Change and confirm the new root password
8. Select Complete Install - Exits the installer and reboots the machine. The system is now installed and ready for initial configuration.
Warning
You will lose all files on the installation disk. If another disk is to be used then choose a Custom installation instead of the Quick/Easy Install.
### [Nano Image](#id13)
[](#nano-image "Permalink to this heading")
To use the nano image follow this process:
1. Create the system disk with using the nano image. See [Installation Media](#installation-media)
how to write the nano image to disk.
2. Install the system disk drive into the system.
3. Configure the system (BIOS) to boot from this disk.
4. After the system boots, the firewall is ready to be configured.
Using the nano image for embedded systems, your firewall is already up and running. The configuration settings to enable Memory Disks (RAM disks) that minimize write cycles to relevant partitions by mounting these partitions in system memory and reporting features are disabled by default.
[Initial Configuration](#id14)
[](#initial-configuration "Permalink to this heading")
---------------------------------------------------------------------------------------
After installation the system will prompt you for the interface assignment, if you ignore this then default settings are applied. Installation ends with the login prompt.
By default you have to log in to enter the console.
**Welcome message**
\* \* \* Welcome to OPNsense \[OPNsense 15.7.25 (amd64/OpenSSL) on OPNsense \* \* \*\
\
WAN (em1) \-> v4/DHCP4: 192.168.2.100/24\
LAN (em0) \-> v4: 192.168.1.1/24\
\
FreeBSD/10.1 (OPNsense.localdomain) (ttyv0)\
\
login:\
\
Tip\
\
A user can login to the console menu with his credentials. The default credentials after a fresh install are username “root” and password “opnsense”.\
\
VLANs and assigning interfaces\
\
If choose to do manual interface assignment or when no config file can be found then you are asked to assign Interfaces and VLANs. VLANs are optional. If you do not need VLANs then choose **no**. You can always configure VLANs at a later time.\
\
LAN, WAN and optional interfaces\
\
The first interface is the LAN interface. Type the appropriate interface name, for example “em0”. The second interface is the WAN interface. Type the appropriate interface name, eg. “em1” . Possible additional interfaces can be assigned as OPT interfaces. If you assigned all your interfaces you can press \[ENTER\] and confirm the settings. OPNsense will configure your system and present the login prompt when finished.\
\
Minimum installation actions\
\
In case of a minimum install setup (i.e. on CF cards), OPNsense can be run with all standard features, except for the ones that require disk writes, e.g. a caching proxy like Squid. Do not create a swap slice, but a RAM Disk instead. In the GUI enable System ‣ Settings ‣ Miscellaneous ‣ RAM Disk Settings and set the size to 100-128 MB or more, depending on your available RAM. Afterwards reboot.\
\
**Enable RAM disk manually**\
\
[](../_images/Screenshot_Use_RAMdisks.png)\
\
Then via console, check your /etc/fstab and make sure your primary partition has **rw,noatime** instead of just **rw**.\
\
Console\
\
The console menu shows 13 options.\
\
0) Logout 7) Ping host\
1) Assign interfaces 8) Shell\
2) Set interface(s) IP address 9) pfTop\
3) Reset the root password 10) Filter logs\
4) Reset to factory defaults 11) Restart web interface\
5) Reboot system 12) Upgrade from console\
6) Halt system 13) Restore a configuration\
\
Table: _The console menu_\
\
opnsense-update\
\
OPNsense features a command line interface (CLI) tool “opnsense-update”. Via menu option **8) Shell**, the user can get to the shell and use opnsense-update.\
\
For help, type _man opnsense-update_ and press \[Enter\].\
\
Upgrade from console\
\
The other method to upgrade the system is via console option **12) Upgrade from console**\
\
GUI\
\
An update can be done through the GUI via System ‣ Firmware ‣ Updates.\
\
[](../_images/firmware-update.png)
---
# Welcome to OPNsense’s documentation! — OPNsense documentation
* [](#)
* Welcome to OPNsense’s documentation!
* * *

* * *
Welcome to OPNsense’s documentation
==========================================================================================================
[OPNsense®](https://opnsense.org)
is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform.
**OPNsense** includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
Table of Contents[](#table-of-contents "Permalink to this heading")
---------------------------------------------------------------------
> * [Introduction](intro.html)
> * [Welcome to OPNsense’s documentation!](intro.html#welcome-to-opnsense-s-documentation)
>
> * [Mission Statement](intro.html#mission-statement)
>
> * [Reading guide](intro.html#reading-guide)
>
> * [Feature set](intro.html#feature-set)
>
> * [OPNsense Core Features](intro.html#opnsense-core-features)
>
> * [Security](security.html)
> * [Intro](security.html#intro)
>
> * [Staying ahead](security.html#staying-ahead)
>
> * [Upstream vulnerabilities](security.html#upstream-vulnerabilities)
>
> * [Reporting an incident](security.html#reporting-an-incident)
>
> * [Information handling policies](security.html#information-handling-policies)
>
> * [Third party security verification](security.html#third-party-security-verification)
>
> * [Releases](releases.html)
> * [Community Edition](CE_releases.html)
>
> * [Business Edition](BE_releases.html)
>
> * [Business Edition](be.html)
> * [Central Management](vendor/deciso/opncentral.html)
>
> * [Web Application Firewall](vendor/deciso/opnwaf.html)
>
> * [Extended Blocklists](vendor/deciso/extended_dnsbl.html)
>
> * [Installation and setup](setup.html)
> * [Hardware sizing & setup](manual/hardware.html)
>
> * [Initial Installation & Configuration](manual/install.html)
>
> * [Virtual & Cloud based Installation](manual/virtuals.html)
>
> * [Updates](manual/updates.html)
>
> * [Included software](manual/software_included.html)
>
> * [Setup guides](setup.html#setup-guides)
>
> * [Official hardware](vendor.html)
> * [Quickstart / getting started](hardware/quickstart.html)
>
> * [Default Configurations](hardware/defaults.html)
>
> * [Serial Console connectivity](hardware/serial_connectivity.html)
>
> * [BIOS updates / settings](hardware/bios.html)
>
> * [SFP(+) Compatibility](hardware/sfp_compatibility.html)
>
> * [Lobby](lobby.html)
> * [General User Interface](manual/gui.html)
>
> * [Dashboard](manual/dashboard.html)
>
> * [Password](manual/lobby_password.html)
>
> * [OPNsense Tools](manual/opnsense_tools.html)
>
> * [Reporting](reporting.html)
> * [System Health & Round Robin Data](manual/systemhealth.html)
>
> * [Using Insight - Netflow Analyzer](manual/how-tos/insight.html)
>
> * [Netflow Export & Analyses](manual/netflow.html)
>
> * [Reporting Settings](manual/reporting_settings.html)
>
> * [Reporting: Traffic](manual/reporting_traffic.html)
>
> * [Reporting: Unbound DNS](manual/reporting_unbound_dns.html)
>
> * [Setup guides](reporting.html#setup-guides)
>
> * [System](system.html)
> * [Access / User Management](manual/users.html)
>
> * [Configuration](manual/backups.html)
>
> * [Firmware](manual/firmware.html)
>
> * [Gateways](manual/gateways.html)
>
> * [Gateway groups / Multi WAN](manual/multiwan.html)
>
> * [High Availability](manual/hacarp.html)
>
> * [Routes](manual/routes.html)
>
> * [Settings](manual/settingsmenu.html)
>
> * [Snapshots](manual/snapshots.html)
>
> * [Trust](manual/certificates.html)
>
> * [Log Files](manual/logging_system.html)
>
> * [Diagnostics](manual/diagnostics_system.html)
>
> * [Setup guides](system.html#setup-guides)
>
> * [Interfaces](interfaces.html)
> * [Interface configuration](manual/interfaces.html)
>
> * [Devices](manual/other-interfaces.html)
>
> * [Overview](manual/interfaces_overview.html)
>
> * [Settings](manual/interfaces_settings.html)
>
> * [Neighbors](manual/neighbors.html)
>
> * [Virtual IPs](manual/firewall_vip.html)
>
> * [Wireless](manual/wireless.html)
>
> * [IPv6 setup](manual/ipv6.html)
>
> * [Diagnostics](manual/diagnostics_interfaces.html)
>
> * [Setup Guides](interfaces.html#setup-guides)
>
> * [Firewall](firewall.html)
> * [Generic info](manual/firewall_generic.html)
>
> * [Aliases](manual/aliases.html)
>
> * [Categories](manual/firewall_categories.html)
>
> * [\[Interface\] Groups](manual/firewall_groups.html)
>
> * [Network Address Translation](manual/nat.html)
>
> * [NPTv6](manual/nptv6.html)
>
> * [Rules](manual/firewall.html)
>
> * [Traffic Shaping](manual/shaping.html)
>
> * [(Advanced) Settings](manual/firewall_settings.html)
>
> * [Normalization](manual/firewall_scrub.html)
>
> * [Configure CARP](manual/how-tos/carp.html)
>
> * [Log Files](manual/logging_firewall.html)
>
> * [Diagnostics](manual/diagnostics_firewall.html)
>
> * [Setup guides](firewall.html#setup-guides)
>
> * [Virtual Private Networking](manual/vpnet.html)
> * [IPsec](manual/vpnet.html#ipsec)
>
> * [OpenVPN (SSL VPN)](manual/vpnet.html#openvpn-ssl-vpn)
>
> * [Wireguard](manual/vpnet.html#wireguard)
>
> * [Plugin VPN options](manual/vpnet.html#plugin-vpn-options)
>
> * [Services](services.html)
> * [Captive portal & GuestNET](manual/captiveportal.html)
>
> * [DHCP](manual/dhcp.html)
>
> * [Dnsmasq DNS](manual/dnsmasq.html)
>
> * [Intrusion Prevention System](manual/ips.html)
>
> * [Monit](manual/monit.html)
>
> * [Network Time](manual/ntpd.html)
>
> * [OpenDNS](manual/opendns.html)
>
> * [Unbound DNS](manual/unbound.html)
>
> * [Router Advertisements](manual/radvd.html)
>
> * [Log Files](manual/logging_services.html)
>
> * [Setup guides](services.html#setup-guides)
>
> * [Community Plugins](plugins.html)
> * [Routing](plugins.html#routing)
>
> * [DNS](plugins.html#dns)
>
> * [VPN](plugins.html#vpn)
>
> * [Web](plugins.html#web)
>
> * [Other](plugins.html#other)
>
> * [Reporting](plugins.html#reporting)
>
> * [Third-party Plugins](third_party_plugins.html)
> * [Sunnyvalley](third_party_plugins.html#sunnyvalley)
>
> * [Troubleshooting](troubleshooting.html)
> * [General issue workflow](troubleshooting.html#general-issue-workflow)
>
> * [Topics](troubleshooting.html#topics)
>
> * [Development Manual](develop.html)
> * [Development Workflow](development/workflow.html)
>
> * [Coding Guidelines](development/guidelines.html)
>
> * [Architecture](development/architecture.html)
>
> * [Backend](development/backend.html)
>
> * [Frontend](development/frontend.html)
>
> * [Components](development/components.html)
>
> * [API Reference](development/api.html)
>
> * [Examples](development/examples.html)
>
> * [How-tos](development/howtos.html)
>
> * [Sources](develop.html#sources)
>
> * [Project Relations](relations.html)
> * [Deciso B.V.](relations/deciso.html)
>
> * [FreeBSD®](relations/freebsd.html)
>
> * [M0n0wall](relations/m0n0wall.html)
>
> * [Open Source Initiative](relations/osi.html)
>
> * [Legal notices](legal.html)
> * [OPNsense License & Copyright](legal.html#opnsense-license-copyright)
>
> * [Packages and ports](legal.html#packages-and-ports)
>
> * [Documentation Copyright](legal.html#documentation-copyright)
>
> * [Pictures Copyright](legal.html#pictures-copyright)
>
> * [Logos Copyright](legal.html#logos-copyright)
>
> * [Trademark policy](legal.html#trademark-policy)
>
> * [Support Options](support.html)
> * [Software Support Levels](support.html#software-support-levels)
>
> * [Community](support.html#community)
>
> * [Commercial](support.html#commercial)
>
> * [List of available community plugins](support.html#list-of-available-community-plugins)
>
> * [Contribute](contribute.html)
> * [Financially](contribute.html#financially)
>
> * [Development](contribute.html#development)
>
> * [Translations](contribute.html#translations)
>
> * [Documentation & wiki articles](contribute.html#documentation-wiki-articles)
>
> * [Forum & IRC](contribute.html#forum-irc)
>
> * [Social media](contribute.html#social-media)
>
> * [Closing Words](contribute.html#closing-words)
>
> * [History](history.html)
> * [About the Fork](history/thefork.html)
>
---
# Quickstart / getting started — OPNsense documentation
* [](../index.html)
* [Official hardware](../vendor.html)
* Quickstart / getting started
* * *
Quickstart / getting started[](#quickstart-getting-started "Permalink to this heading")
=========================================================================================
Intro[](#intro "Permalink to this heading")
---------------------------------------------
After opening the box of your just delivered appliance, there should be a quickstart included. Your OPNsense® appliance has been pre-installed with the OPNsense® Business Edition software
This quickstart applies to all of the devices acquired from the OPNsense® Shop ([https://shop.opnsense.com/](https://shop.opnsense.com/)
), which includes the following series:
| Serie | Formfactor | Range | Network driver(s) |
| --- | --- | --- | --- |
| DEC6XX | Desktop | Entry level | igb |
| DEC7XX | Desktop | Midrange | igb, ax |
| DEC8XX | Desktop | Enterprise | igb, ax |
| DEC26XX | Rack | Entry level | igb |
| DEC27XX | Rack | Midrange | igb, ax |
| DEC38XX | Rack | Enterprise | igb, ax |
| DEC40XX | Rack | Enterprise / Datacenter | igb, ax, \[ice\] |
Port assignments[](#port-assignments "Permalink to this heading")
-------------------------------------------------------------------
The Ethernet ports of the appliance are assigned as follows:
Port **0** is assigned to LAN with IP address `192.168.1.1` and has a DHCP Server running with IP range from `192.168.1.100` to `192.168.1.199`.
Port **1** is assigned to WAN and uses DHCP Client to obtain an IP-address.
Additional ports available on the device are left unconfigured, you can assign them later using Interfaces->Assignments.
Note
Ports on the devices are all numbered, 0-**X** (e.g. 0,1,2) for all 1 gbps standard ethernet ports, X0-X**X** for SFP+ ports (e.g. X0, X1), XXV0-XXV**X** for SFP28 ports (e.g. XXV0, XXV1). The numbering corresponds with the driver numbering, e.g. port **0** is usually `igb0`, see the product range for drivers used in the different models
Console connectivity[](#console-connectivity "Permalink to this heading")
---------------------------------------------------------------------------
The supplied USB-cable can be used to gain console access (settings are: 115200 8N1). Console access is restricted with a login. Use the following credentials:
* user : **root**
* password : **opnsense**
Web interface[](#web-interface "Permalink to this heading")
-------------------------------------------------------------
To gain access to the web interface (default IP: `192.168.1.1`) use the following credentials:
* user : **root**
* password : **opnsense**
Next steps[](#next-steps "Permalink to this heading")
-------------------------------------------------------
After performing basic setup, apply your OPNsense Business Edition license token and then update your system or change to community when not planning to use the supplied license. (The firmware update module is located at System>Firmware>Settings)
**Option 1**: use Business Edition license
[](../_images/quickstart_be.png)
**Option 2**: use Community Edition
[](../_images/quickstart_community.png)
Note
The OPNsense Business Edition license token is sent by email including instructions on how to apply.
Tip
Always update your device after gaining access to the internet, updates are usually available once the device reaches your destination. Just go to the status tab in the firmware section, press “check for updates” and install the pending updates.
---
# SFP(+) Compatibility — OPNsense documentation
* [](../index.html)
* [Official hardware](../vendor.html)
* SFP(+) Compatibility
* * *
SFP(+) Compatibility[](#sfp-compatibility "Permalink to this heading")
========================================================================
Most OPNsense® appliances feature 10 Gigabit SFP+ cages powered by AMD® axgbe to allow for flexible connectivity. Different SFP(+) transceiver modules can be used to connect to different types of media (e.g. copper or fiber) depending on your needs.
Our enterprise & datacenter OPNsense® appliances may also feature 25 Gigabit capable SFP28 cages powered by Intel® ice.
Below you can find some general information as well as a list of tested SFP(+)/SFP28 transceiver modules that are verified to work with OPNsense® appliances.
Tip
If you are using an SFP(+)/SFP28 module on one of the OPNsense® appliances that is not listed below but is working properly, consider submitting a Pull Request to [our documentation](https://github.com/opnsense/docs)
to extend the list. Any contribution is welcome!
* * *
Table of Contents
* [**General Information**](#general-information)
* [**Axgbe**](#axgbe)
* [1G Single-mode optical fiber](#g-single-mode-optical-fiber)
* [1G Multi-mode optical fiber](#g-multi-mode-optical-fiber)
* [10G Single-mode optical fiber](#id1)
* [10G Multi-mode optical fiber](#id2)
* [1G Copper RJ45](#g-copper-rj45)
* [10G Copper RJ45](#id3)
* [10G Direct-Attach](#g-direct-attach)
* [10G Active Optical Cable](#g-active-optical-cable)
* [**ICE**](#ice)
* [25G Single-mode optical fiber](#id4)
* [25G Multi-mode optical fiber](#id5)
* [25G Direct-Attach](#id6)
[**General Information**](#id7)
[](#general-information "Permalink to this heading")
--------------------------------------------------------------------------------------
There are a lot of transceiver modules available on the market and they are usually one of the following types:
* Copper RJ45
Often used for connectivity up to a distance of 100 meters maximum and are relatively inexpensive.
Warning
RJ45 SFP+ modules (10GBASE-T) can run at high operating temperatures in comparison to Fiber or DAC modules. Only the datacenter level OPNsense® appliances are equipped with passive cooling for the SFP+ cages. If the ambient temperature does not exceed 50°C, RJ45 SFP+ modules can be used in all OPNsense® appliances without issue.
* Single-mode optical fiber (SMF)
Often used for communication across large distances (100+km) and usually connected with either Simplex-LC or Duplex-LC OS2 patch cords. It can potentially carry more bandwidth than Multi-mode fiber, but the equipment needed to use SMF is often more expensive in comparison to MMF.
* Multi-mode optical fiber (MMF)
Multi-mode fiber is the alternative for SMF (up to 550M for 10Gb/s), often used for backbone applications in buildings and usually connected with OM3 Duplex-LC patch cords.
* Direct-Attach Copper (DAC)
For short ranges (up to 10M), often a popular choice due to low cost and low latency.
* Active Optical Cable (AOC)
An alternative to DAC with lower latency, longer reach, electromagnetic interference (EMI) immunity and smaller, more manageable cable. An economical option compared to using MMF patch cable and network interface modules.
Attention
Most transceiver modules are available for purchase with a variety of different programming options for compatibility with different vendors. Unless specified otherwise, all modules are assumed to have the generic / MSA standard default programming.
[**Axgbe**](#id8)
[](#axgbe "Permalink to this heading")
----------------------------------------------------------
Note
10 Mbit/s is currently not supported by Axgbe.
Note
When using SFP+Modules, do not mix 2.5/5Gbps and 10Gbps link-speed as the hardware does not support mixing these due to different frequencies.
### [1G Single-mode optical fiber](#id9)
[](#g-single-mode-optical-fiber "Permalink to this heading")
| Vendor | Type | Speed | Notes |
| --- | --- | --- | --- |
| BeanField | 100BASE-BX0-D53 | 100Mb | |
| FlexOptix | S.B1312.20.DL BiDi LX | 1G | Tested module rated for 20km, other distances are assumed to function properly |
| FlexOptix | S.B1312.10.D | 1G | Tested module rated for 10km, other distances are assumed to function properly |
| FS | SFP-FE-BX | 100Mb | |
| FS | SFP-GE-BX | 1G | |
| MikroTik | S-53LC20D | 1G | |
| TP-Link | 1000Base-BX WDM Bi-Directional | 1G | |
| Ubiquiti | UACC-OM-SM-1G-S | 1G | |
### [1G Multi-mode optical fiber](#id10)
[](#g-multi-mode-optical-fiber "Permalink to this heading")
| Vendor | Type | Speed | Notes |
| --- | --- | --- | --- |
| FlexOptix | S.8512.02.D | 1G | |
### [10G Single-mode optical fiber](#id11)
[](#id1 "Permalink to this heading")
| Vendor | Type | Speed | Notes |
| --- | --- | --- | --- |
| FlexOptix | P.1396.10 SMF 1310nm Duplex-LC | 10G | Tested module rated for 10km, other distances are assumed to function properly |
| FlexOptix | P.B1696.10.DA + P.B1696.10.AD | 10G | Simplex-LC. Two complementary modules are needed. |
| FS | XGS-ONU-25-20NI | 10G | XGSPON |
| Zaram | ZXOS11NPI | 10G | XGSPON |
### [10G Multi-mode optical fiber](#id12)
[](#id2 "Permalink to this heading")
| Vendor | Type | Speed | Notes |
| --- | --- | --- | --- |
| Cisco-Finisar | SFP-10G-SR | 10G | |
| FS | SFP-10GSR-85 | 10G | |
| FS | SFP-10/25GR-85 | 10G | |
| IBM-Finisar | FTLX8571D3BCL-IC | 10G | |
| Intel | AFBR-709DMZ-IN2 | 10G | |
| Mellanox | MFM1T01A-SR | 10G | |
| Ubiquiti | UF-MM-10G | 10G | |
| Uptimed | UP-TR-SR-CI 10G | 10G | |
### [1G Copper RJ45](#id13)
[](#g-copper-rj45 "Permalink to this heading")
| Vendor | Type | Speed | Notes |
| --- | --- | --- | --- |
| FS | SFP-GB-GE-T | 10/100/1000Mb | |
| HP (Aruba) | Instant On | 1G | |
| MikroTik | S-RJ01 | 10/100/1000Mb | |
| StarTech | GLCTST | 1G | |
| Ubiquiti | UF-RJ45-1G | 10/100/1000Mb | |
### [10G Copper RJ45](#id14)
[](#id3 "Permalink to this heading")
| Vendor | Type | Speed | Notes |
| --- | --- | --- | --- |
| FS | SFP-10G-T | 10G | |
| Uptimed | UP-TR-10G-RJ45-CI | 1/2.5/5/10G | Will always link at 10G on axgbe, maximum speed is determined by link partner |
| FlexOptix | T.C96.02.KMF | 1/2.5/5/10G | Will always link at 10G on axgbe, maximum speed is determined by link partner |
### [10G Direct-Attach](#id15)
[](#g-direct-attach "Permalink to this heading")
| Vendor | Type | Speed | Notes |
| --- | --- | --- | --- |
| Aruba | SFP+ DAC | 10G | |
| Cisco | SFP-H10GB-CU1M | 10G | |
| FS | SFPP-PC02 | 10G | |
| MikroTik | XS+DA0001 | 10G | Rated for 1/10/25G, only links on 10G |
| Netgear | AXC761 | 10G | |
| Startech | DACSFP10G1M | 10G | |
| Ubiquiti | UniFi 1m DAC | 10G | |
### [10G Active Optical Cable](#id16)
[](#g-active-optical-cable "Permalink to this heading")
| Vendor | Type | Speed | Notes |
| --- | --- | --- | --- |
| Cisco-Finisar | SFP-10G-AOC3M | 10G | |
[**ICE**](#id17)
[](#ice "Permalink to this heading")
-------------------------------------------------------
### [25G Single-mode optical fiber](#id18)
[](#id4 "Permalink to this heading")
| Vendor | Type | Speed | Notes |
| --- | --- | --- | --- |
| FlexOptix | P.B1625G.10.ADI | 25G | Tested module rated for 10km, other distances are assumed to function properly |
### [25G Multi-mode optical fiber](#id19)
[](#id5 "Permalink to this heading")
| Vendor | Type | Speed | Notes |
| --- | --- | --- | --- |
| FlexOptix | P.8525G.01 | 25G | |
| FS | SFP28-25GSR-85 | 25G | |
| Uptimed | UP-SFP28-SR-CI | 25G | |
### [25G Direct-Attach](#id20)
[](#id6 "Permalink to this heading")
| Vendor | Type | Speed | Notes |
| --- | --- | --- | --- |
| FlexOptix | P.C3025G.H Passive | 25G | |
| FS | SFP-H25G-CU1M | 25G | With Intel compatibility |
---
# Serial Console connectivity — OPNsense documentation
* [](../index.html)
* [Official hardware](../vendor.html)
* Serial Console connectivity
* * *
Serial Console connectivity[](#serial-console-connectivity "Permalink to this heading")
=========================================================================================
The following device families offer a mini-usb connection which can be used for serial communication:
| Serie | Formfactor | Range |
| --- | --- | --- |
| DEC6XX | Desktop | Entry level |
| DEC7XX | Desktop | Midrange |
| DEC8XX | Desktop | Enterprise |
| DEC26XX | Rack | Entry level |
| DEC27XX | Rack | Midrange |
| DEC38XX | Rack | Enterprise |
| DEC40XX | Rack | Enterprise / Datacenter |
Supplied with the firewall is a mini-usb to usb cable, use this to connect the to your PC (Windows, Linux, Mac) next start your terminal program (Putty, screen, etc).
The baudrate should be set to `115200,8N1`, more information about how to use the serial console is available in our [serial access guide](../manual/how-tos/serial_access.html)
Note
The default configured settings in OPNsense for proper serial connectivity in System->Settings->Administration are as followed:
| setting | value |
| --- | --- |
| Primary Console | Serial Console |
| Secondary Console | None |
| Serial Speed | 115200 |
| USB-based serial | (unchecked) |
| Console menu | (checked) |
Windows Tip
On windows a COM port would be assigned after connecting the unit to usb, to find which one (COM1, COM2, .,) to use, keep the windows key pressed and hit `R` (Windows+R) and execute the following command `devmgmt.msc` to open the device manager.
In the device manager all available ports are visible under the “Ports (COM & LPT)” section.
**Legacy UART vs. UEFI serial**[](#legacy-uart-vs-uefi-serial "Permalink to this heading")
--------------------------------------------------------------------------------------------
Starting from OPNsense 22.1 (22.4 for the business edition) and the change to FreeBSD 13-STABLE, support for EFI serial has changed, which requires EFI based systems to disable legacy support to prevent confusing the operating system. Should you connect your Deciso appliance with a serial line and get limited output / no output from the point of handover to the OS, it is important your BIOS settings are updated to disable legacy UART.
While in the BIOS, go to Setup Utility –> AMD CBS –> FCH Common Options –> UART Configuration Options –> UART 0 Legacy Options. and make sure this setting is set to **Disabled**.
---
# Default Configurations — OPNsense documentation
* [](../index.html)
* [Official hardware](../vendor.html)
* Default Configurations
* * *
Default Configurations[](#default-configurations "Permalink to this heading")
===============================================================================
Since our firewall configuration is fully enclosed in a single xml file, we can offer the factory configurations in case a machine needs to be reinstalled at some point in time.
Below you will find the list of our currently available models:
| Model | Formfactor | config |
| --- | --- | --- |
| DEC675 | Desktop | [`22.1/22.4`](../_downloads/33f4de998449bb841cfb7efcd15ab55a/A10V2-SD-config.xml)
[`22.7/22.10`](../_downloads/574ddfd96b770c01012246e299984e60/A10V2-SD-config.xml)
[`23.1 ... 24.4`](../_downloads/ddad9cb7a79cf7ea212bd61469b6fd07/A10V2-SD-config.xml)
[`24.7/24.10`](../_downloads/aa0fc2f7d83f0091bd9cb876a540fedf/A10V2-SD-config.xml) |
| DEC677 | Desktop | [`24.7/24.10`](../_downloads/aa0fc2f7d83f0091bd9cb876a540fedf/A10V2-SD-config.xml) |
| DEC695 | Desktop | [`22.1/22.4`](../_downloads/8e87ac4203fd0674780b5209fa6440eb/A10V2-config.xml)
[`22.7/22.10`](../_downloads/cc49b60fa2a45d2fe962f9f59006ad21/A10V2-config.xml)
[`23.1 ... 24.4`](../_downloads/57e99c09954553112af35b8d4c10e944/A10V2-config.xml)
[`24.7/24.10`](../_downloads/aa0fc2f7d83f0091bd9cb876a540fedf/A10V2-SD-config.xml) |
| DEC697 | Desktop | [`24.7/24.10`](../_downloads/326a49a888caf50a9ed054c670f898e9/A10V2-config.xml) |
| DEC740 | Desktop | [`22.1/22.4`](../_downloads/2a9b243ef024a25648228cd2d20dd28e/A10-gen3-config.xml)
[`22.7/22.10`](../_downloads/9322cb3eaeb49c6bbc1065b969eb13c5/A10-gen3-config.xml)
[`23.1 ... 24.4`](../_downloads/e1a20e3d7051a34ba996d6225e7c0421/A10-gen3-config.xml)
[`24.7/24.10`](../_downloads/9715721789abedc86357ef5807953848/A10-gen3-config.xml) |
| DEC750 | Desktop | [`22.1/22.4`](../_downloads/2a9b243ef024a25648228cd2d20dd28e/A10-gen3-config.xml)
[`22.7/22.10`](../_downloads/9322cb3eaeb49c6bbc1065b969eb13c5/A10-gen3-config.xml)
[`23.1 ... 24.4`](../_downloads/e1a20e3d7051a34ba996d6225e7c0421/A10-gen3-config.xml)
[`24.7/24.10`](../_downloads/9715721789abedc86357ef5807953848/A10-gen3-config.xml) |
| DEC840 | Desktop | [`22.1/22.4`](../_downloads/ebc036f802fc2ba3efc8f536c4dae48d/A20-config.xml)
[`22.7/22.10`](../_downloads/f74ae078862360e9121ef296441221e4/A20-config.xml)
[`23.1 ... 24.4`](../_downloads/0d33cfc546f0558154b6c0afd05e5783/A20-config.xml)
[`24.7/24.10`](../_downloads/f0197442e1cfe5ace981bfa43361c7b2/A20-config.xml) |
| DEC850 | Desktop | [`22.1/22.4`](../_downloads/ebc036f802fc2ba3efc8f536c4dae48d/A20-config.xml)
[`22.7/22.10`](../_downloads/f74ae078862360e9121ef296441221e4/A20-config.xml)
[`23.1 ... 24.4`](../_downloads/0d33cfc546f0558154b6c0afd05e5783/A20-config.xml)
[`24.7/24.10`](../_downloads/f0197442e1cfe5ace981bfa43361c7b2/A20-config.xml) |
| DEC2685 | Rack | [`22.1/22.4`](../_downloads/8e87ac4203fd0674780b5209fa6440eb/A10V2-config.xml)
[`22.7/22.10`](../_downloads/cc49b60fa2a45d2fe962f9f59006ad21/A10V2-config.xml)
[`23.1 ... 24.4`](../_downloads/57e99c09954553112af35b8d4c10e944/A10V2-config.xml)
[`24.7/24.10`](../_downloads/326a49a888caf50a9ed054c670f898e9/A10V2-config.xml) |
| DEC2687 | Rack | [`24.7/24.10`](../_downloads/326a49a888caf50a9ed054c670f898e9/A10V2-config.xml) |
| DEC2750 | Rack | [`22.1/22.4`](../_downloads/2a9b243ef024a25648228cd2d20dd28e/A10-gen3-config.xml)
[`22.7/22.10`](../_downloads/9322cb3eaeb49c6bbc1065b969eb13c5/A10-gen3-config.xml)
[`23.1 ... 24.4`](../_downloads/e1a20e3d7051a34ba996d6225e7c0421/A10-gen3-config.xml)
[`24.7/24.10`](../_downloads/9715721789abedc86357ef5807953848/A10-gen3-config.xml) |
| DEC2752 | Rack | [`22.1/22.4`](../_downloads/2a9b243ef024a25648228cd2d20dd28e/A10-gen3-config.xml)
[`22.7/22.10`](../_downloads/9322cb3eaeb49c6bbc1065b969eb13c5/A10-gen3-config.xml)
[`23.1 ... 24.4`](../_downloads/e1a20e3d7051a34ba996d6225e7c0421/A10-gen3-config.xml)
[`24.7/24.10`](../_downloads/9715721789abedc86357ef5807953848/A10-gen3-config.xml) |
| DEC2770 | Rack | [`22.1/22.4`](../_downloads/2a9b243ef024a25648228cd2d20dd28e/A10-gen3-config.xml)
[`22.7/22.10`](../_downloads/9322cb3eaeb49c6bbc1065b969eb13c5/A10-gen3-config.xml)
[`23.1 ... 24.4`](../_downloads/e1a20e3d7051a34ba996d6225e7c0421/A10-gen3-config.xml)
[`24.7/24.10`](../_downloads/9715721789abedc86357ef5807953848/A10-gen3-config.xml) |
| DEC3840 | Rack | [`22.1/22.4`](../_downloads/ebc036f802fc2ba3efc8f536c4dae48d/A20-config.xml)
[`22.7/22.10`](../_downloads/f74ae078862360e9121ef296441221e4/A20-config.xml)
[`23.1 ... 24.4`](../_downloads/0d33cfc546f0558154b6c0afd05e5783/A20-config.xml)
[`24.7/24.10`](../_downloads/f0197442e1cfe5ace981bfa43361c7b2/A20-config.xml) |
| DEC3842 | Rack | [`22.1/22.4`](../_downloads/ebc036f802fc2ba3efc8f536c4dae48d/A20-config.xml)
[`22.7/22.10`](../_downloads/f74ae078862360e9121ef296441221e4/A20-config.xml)
[`23.1 ... 24.4`](../_downloads/0d33cfc546f0558154b6c0afd05e5783/A20-config.xml)
[`24.7/24.10`](../_downloads/9715721789abedc86357ef5807953848/A10-gen3-config.xml) |
| DEC3852 | Rack | [`22.1/22.4`](../_downloads/ebc036f802fc2ba3efc8f536c4dae48d/A20-config.xml)
[`22.7/22.10`](../_downloads/f74ae078862360e9121ef296441221e4/A20-config.xml)
[`23.1 ... 24.4`](../_downloads/0d33cfc546f0558154b6c0afd05e5783/A20-config.xml)
[`24.7/24.10`](../_downloads/f0197442e1cfe5ace981bfa43361c7b2/A20-config.xml) |
| DEC3850 | Rack | [`22.1/22.4`](../_downloads/ebc036f802fc2ba3efc8f536c4dae48d/A20-config.xml)
[`22.7/22.10`](../_downloads/f74ae078862360e9121ef296441221e4/A20-config.xml)
[`23.1 ... 24.4`](../_downloads/0d33cfc546f0558154b6c0afd05e5783/A20-config.xml)
[`24.7/24.10`](../_downloads/f0197442e1cfe5ace981bfa43361c7b2/A20-config.xml) |
| DEC3862 | Rack | [`22.1/22.4`](../_downloads/ebc036f802fc2ba3efc8f536c4dae48d/A20-config.xml)
[`22.7/22.10`](../_downloads/f74ae078862360e9121ef296441221e4/A20-config.xml)
[`23.1 ... 24.4`](../_downloads/0d33cfc546f0558154b6c0afd05e5783/A20-config.xml)
[`24.7/24.10`](../_downloads/f0197442e1cfe5ace981bfa43361c7b2/A20-config.xml) |
| DEC3860 | Rack | [`22.1/22.4`](../_downloads/ebc036f802fc2ba3efc8f536c4dae48d/A20-config.xml)
[`22.7/22.10`](../_downloads/f74ae078862360e9121ef296441221e4/A20-config.xml)
[`23.1 ... 24.4`](../_downloads/0d33cfc546f0558154b6c0afd05e5783/A20-config.xml)
[`24.7/24.10`](../_downloads/f0197442e1cfe5ace981bfa43361c7b2/A20-config.xml) |
| DEC4020 | Rack | [`22.1/22.4`](../_downloads/ebc036f802fc2ba3efc8f536c4dae48d/A20-config.xml)
[`22.7/22.10`](../_downloads/f74ae078862360e9121ef296441221e4/A20-config.xml)
[`23.1 ... 24.4`](../_downloads/0d33cfc546f0558154b6c0afd05e5783/A20-config.xml)
[`24.7/24.10`](../_downloads/f0197442e1cfe5ace981bfa43361c7b2/A20-config.xml) |
| DEC4040 | Rack | [`22.1/22.4`](../_downloads/ebc036f802fc2ba3efc8f536c4dae48d/A20-config.xml)
[`22.7/22.10`](../_downloads/f74ae078862360e9121ef296441221e4/A20-config.xml)
[`23.1 ... 24.4`](../_downloads/0d33cfc546f0558154b6c0afd05e5783/A20-config.xml)
[`24.7/24.10`](../_downloads/f0197442e1cfe5ace981bfa43361c7b2/A20-config.xml) |
| DEC4240 | Rack | [`22.1/22.4`](../_downloads/ebc036f802fc2ba3efc8f536c4dae48d/A20-config.xml)
[`22.7/22.10`](../_downloads/f74ae078862360e9121ef296441221e4/A20-config.xml)
[`23.1 ... 24.4`](../_downloads/0d33cfc546f0558154b6c0afd05e5783/A20-config.xml)
[`24.7/24.10`](../_downloads/f0197442e1cfe5ace981bfa43361c7b2/A20-config.xml) |
| DEC4280 | Rack | [`22.1/22.4`](../_downloads/ebc036f802fc2ba3efc8f536c4dae48d/A20-config.xml)
[`22.7/22.10`](../_downloads/f74ae078862360e9121ef296441221e4/A20-config.xml)
[`23.1 ... 24.4`](../_downloads/0d33cfc546f0558154b6c0afd05e5783/A20-config.xml)
[`24.7/24.10`](../_downloads/f0197442e1cfe5ace981bfa43361c7b2/A20-config.xml) |
---
# Serial Access — OPNsense documentation
* [](../../index.html)
* [Installation and setup](../../setup.html)
* Serial Access
* * *
Serial Access[](#serial-access "Permalink to this heading")
=============================================================

Besides the web frontend, SSH and a locally connected monitor (if your device supports it), OPNsense can also be controlled via serial. Accessing OPNsense via serial is similar to accessing via SSH, but unlike SSH, the system can be accessed at any time, even when OPNsense is not accessible over the network. This makes it especially useful for installing OPNsense, for emergency troubleshooting when you accidentally cut off internet access as well as for major system upgrades.
Requirements[](#requirements "Permalink to this heading")
-----------------------------------------------------------
* OPNsense installation must provide a serial interface (virtual or hardware)
* Software which can be used to access the serial interface (screen, minicom, PuTTY etc.)
For a bare metal installation, you also need the following (unless provided though a management interface differently, please refer your server manual):
* a null modem cable
* if you don’t have an RS232 port on your computer, you need an USB to RS232 converter
Connecting to the serial console[](#connecting-to-the-serial-console "Permalink to this heading")
---------------------------------------------------------------------------------------------------
If you already installed OPNsense via a non-serial installer, serial access needs to be turned on. To do this, open the web interface, navigate to System ‣ Settings ‣ Administration, scroll down to ‘Console’ and set the primary or secondary console to ‘Serial console’. Note: this is **only** necessary if you already installed OPNsense, and did not use the serial installer to do so. In all other cases (accessing BIOS, running the serial installer, connecting to an installation that was done via serial), serial access is already available.
On Unix-like systems, you can connect to the serial console using the `screen` program, with a baud rate of 115200. The device name can differ per system and per serial device. Examples of names are:
* /dev/ttyS0 (serial port, Linux)
* /dev/ttyUSB0 (usb-to-serial, Linux)
* /dev/cuau0 (serial port, FreeBSD)
* /dev/cuaU0 (usb-to-serial, FreeBSD)
* /dev/tty.usbmodem1112421 (usb-to-serial, macOS)
* COM1, COM2, … (Windows)
Note
If you have multiple devices of the same type like shown here:
> `# ls /dev/ttyUSB*`
>
> `/dev/ttyUSB0 /dev/ttyUSB1`
You can disconnect one of them to see which one is left or you can read the `dmesg` log to get the vendor information for the device node. You can search for a message containing “now attached to ttyUSB1” to find out which device it is. Afterwards you can compare the previous output to the output of a tool like `lsusb`.
For example, on the Deciso DEC630, accessed from macOS, the device is named `/dev/tty.usbmodem1112421`. Entering the serial console thus involves opening a terminal and executing the following instruction:
screen /dev/tty.usbmodem1112421 115200
\# or
minicom \-b 115200 \-D /dev/tty.usbmodem1112421
Note
Access to the device is likely to be access restricted. You should run the command as root because running it as a user may lead to an access denied error on Linux / BSD.
If OPNsense is running, you will now be asked for your username and password if authentication is enabled. Otherwise the menu is displayed (at least after pressing enter). The credentials are the same as those used for SSH.
A thing to note is that the screen won’t always auto-update. If you connect and see no output, try pressing Enter first before checking the other (more complex) possibilities. Another thing is that, when connecting via `screen`, you might not be able to scroll (but you can still pipe the output through a pager like `more` or `less`).
---
# Changelogs — OPNsense documentation
* [](../../index.html)
* [Installation and setup](../../setup.html)
* Changelogs
* * *
Changelogs[](#changelogs "Permalink to this heading")
=======================================================
OPNsense core offers a changelog of the core and the plugins may offer their own changelog, if they are growing rapidly so the changelog does not fit into core anymore.
Core[](#core "Permalink to this heading")
-------------------------------------------
Core offers a changelog section in the area System ‣ Firmware as an own menu or the dialog will automatically open in case of an available update.
To open a changelog manually, you can open the Changelog tab, and click the book:

After opening the changelog, you will get an entry like this one:

The changelog entries can be found at different places:
* Forum: [https://forum.opnsense.org/index.php?board=11.0](https://forum.opnsense.org/index.php?board=11.0)
* GitHub: [https://github.com/opnsense/changelog/tree/master/community](https://github.com/opnsense/changelog/tree/master/community)
* Blog: [https://opnsense.org/blog/](https://opnsense.org/blog/)
Plugins[](#plugins "Permalink to this heading")
-------------------------------------------------
The plugins changelogs can be found in the plugins section after clicking the info button of the plugin (Plugins tab in Firmware).

After the description of the software behind the plugin or the plugin itsef, the changelog follows.
---
# Dashboard — OPNsense documentation
* [](../index.html)
* [Lobby](../lobby.html)
* Dashboard
* * *
Dashboard[](#dashboard "Permalink to this heading")
=====================================================
The Dashboard is the first page you will see after you log into OPNsense. Additionally, it can be accessed via Lobby ‣ Dashboard. The Dashboard provides an overview of your system status.
Configuration[](#configuration "Permalink to this heading")
-------------------------------------------------------------
What is shown on the Dashboard can be configured by adding and removing widgets. Some widgets also allow further configuration.
By default, the following widgets are present:
* **System Information** Shows information about the installed OPNsense version, updates etc.
* **Memory** Shows memory usage.
* **Disk** Shows disk usage.
* **CPU** Shows CPU usage.
* **Announcements** Shows the latest announcements from the OPNsense project.
* **Gateways** Shows used gateways.
* **Interface Statistics** Shows the number of packets, bytes and errors handled by each interface.
* **Firewall** Collects logged events from the moment the dashboard has loaded to represent a snapshot of what the firewall is currently seeing. Can be expanded to show a live log.
* **Traffic Graph** Shows traffic passing through the system.
* **Services** Shows the configured services as well as the options to start/restart/stop them.
In the upper right corner of the page, you can find the following buttons:
* **Edit dashboard (pencil icon)** Enter edit mode. Unlocks the dashboard temporarily so you can move, resize, remove, or configure widgets.
* **Add widget (plus icon)** Opens a dialog window with a list of widgets that can be added to the Dashboard. Simply click on an entry in the list to add it to the Dashboard.
* **Restore default layout (widgets icon)** Restores the dashboard to its default configuration discarding all your modifications.
* **Save** After editing the dashboard, you can make all changes persistent by clicking this button. Otherwise the changes will be discarded as soon as you reload the page.
If the dashboard is in edit mode, the following buttons are available in the upper right corner of every widget:
* **Edit (pencil icon)** Click this to modify the widget settings. This button is only present if the widget is configurable.
* **Remove (cross icon)** Removes the widget from the Dashboard.
If the widget is not in edit mode, you can find a link in the upper right corner of each widget if applicable, which will take you to the relevant configuration page.
All widgets can be resized by dragging on one of the corners of the widget.
Note
The dashboard configuration is saved per user. This means that each user can have their own dashboard layout. Therefore, use the “Users and Groups” high availability option to synchronize the dashboard configuration.
---
# General User Interface — OPNsense documentation
* [](../index.html)
* [Lobby](../lobby.html)
* General User Interface
* * *
General User Interface[](#general-user-interface "Permalink to this heading")
===============================================================================
This article explains the basics of the OPNsense Graphical User Interface or GUI for short.
User Login[](#user-login "Permalink to this heading")
-------------------------------------------------------
Before we can take a look at the GUI options we need to login. The default user is root and the password is opnsense.
[](../_images/login.png)
GUI Layout & Main Components[](#gui-layout-main-components "Permalink to this heading")
-----------------------------------------------------------------------------------------
The GUI consists out of the following main components:
[](../_images/gui_layout.png)
### Logo & Link to Lobby[](#logo-link-to-lobby "Permalink to this heading")
Click on the OPNsense logo wherever you are in the interface and you will be directed to the lobby and dashboard.
In the Lobby you can:
* Look at the dashboard with widgets
* View the 2-clause BSD license
* Change your password
* Logout
### Menu Area[](#menu-area "Permalink to this heading")
The Menu area holds all the primary menus and submenus. Here you can select what part of the system you want to watch or change.
You can see the layering on the menu. There are three levels:
1. Category level
2. Function level
3. Configuration level _(may not exist if the function is simple)_
In the following sample you see a screenshot of the Category **System**, with:
* Function: **Settings**
* Selected Configuration item: **General**

### Quick Navigation[](#quick-navigation "Permalink to this heading")
A faster way to navigate trough the GUI is by using the quick navigation/search box on the upper right corner of the screen. Either click on it or hit tab to select it.
The search field is a type-ahead field, meaning that it will guess what you are looking for and fill up while typing. Hit Enter or click on an option to select and navigate directly to the right page.

### System Status[](#system-status "Permalink to this heading")
In the upper right corner of the screen is also a small indication of the system status. In a normal situation this will be greyed out, but it will display a color if something is wrong. You can click on it to review any of the pending messages, if any:

The colors indicate the severity of the issue. They are:
* Red. Indicates that an error has occured during system operation. Click it to go to the relevant page. In most cases this will be the crash reporter, which you can use to send us information about the crash.

* Yellow. Indicates a warning.
* Blue. Indicates an informational message.
* Grey. Everything is working as normal.
### User & Local domain[](#user-local-domain "Permalink to this heading")
In the right corner just to the left of the system status you will see your username and the full domain name the firewall is configured with (to change firewall name, go to System ‣ Setting ‣ General).
### Content Area[](#content-area "Permalink to this heading")
The content area is used to display:
* Input forms
* Popup Forms
* Buttons
* General forms of data output graphical and text based
Form View[](#form-view "Permalink to this heading")
-----------------------------------------------------
Let’s take a look at how an advanced form may look like:

### Full Help[](#full-help "Permalink to this heading")
Many forms are equipped with built-in help. In the upper right corner of the form you can select to view all help messages at once. The toggle will color green when enabled and show the help messages beneath the input items.

### Advanced Mode[](#advanced-mode "Permalink to this heading")
Some forms have hidden advanced features, to view them toggle the **advanced mode** in the left corner of the form. Doing so will reveal all advanced options.

### Single Item Help[](#single-item-help "Permalink to this heading")
Show a single line help by pressing the **(i)** left of a form item. Like this:

### Standard Tabs[](#standard-tabs "Permalink to this heading")
A standard tab can be clicked upon to open the corresponding form.
A sample can be seen here:

### Dropdown Tabs[](#dropdown-tabs "Permalink to this heading")
A dropdown tab can be clicked upon to open the first menu item or you can click on the arrow next to it to show all options, like so:

Data grids[](#data-grids "Permalink to this heading")
-------------------------------------------------------
Many components within OPNsense use grid views to navigate through content, below is an example of a simple table view supporting the most relevant actions.

### Fields[](#fields "Permalink to this heading")
The available fields vary between components, the icon can be used to select which fields should be visible or hidden.
### Filter and limit[](#filter-and-limit "Permalink to this heading")
The top area of the grid contains a search input combined with a reload button and a selection for the number of rows to show at once on a page. Often the search input will be instantly applied, but in some cases a reload is needed if the action can't be processed fast enough.
When using the filter in log files, you will find a **Go to page** action behind every record. This will jump to the corresponding page and show you all surrounding records so you can see the context of a log message.
The search input tokenizes space-delimited words, causing the filter to return records matching all of the clauses included in the search phrase.
### Actions[](#actions "Permalink to this heading")
Different actions could be supported on a (set of) records:
* / Enable / disable a record
* Edit a record
* Copy a record and edit
* Delete a record, usually this will ask for a confirmation
* Add a new record and open edit dialog
### Page Navigation[](#page-navigation "Permalink to this heading")
The navigation buttons `« ‹ [1,2,..] › »` help scroll through the different pages that are available for the selected data.
Note
Although the page numbers and last page button (`»`) are always visible, they can only be used when the size of the dataset is known upfront. In case of large datasets, such as intrusion alerts and log views the number of records is not known upfront, since there’s no relation between the size of the underlaying data and the number of records.
The record count in these cases is more or less a guestimate based on the number of records already shown.
---
# Installing OPNsense AWS image — OPNsense documentation
* [](../../index.html)
* [Installation and setup](../../setup.html)
* Installing OPNsense AWS image
* * *
Installing OPNsense AWS image[](#installing-opnsense-aws-image "Permalink to this heading")
=============================================================================================
[](../../_images/amazon-web-services.png)
Our EC2 image is available in the [aws marketplace](https://aws.amazon.com/marketplace/pp/prodview-lu5v2tokic3py)
.
Step 1 - New Instance[](#step-1-new-instance "Permalink to this heading")
---------------------------------------------------------------------------
To start a new instance go to “instances”, followed by “launch instance” in your EC2 view.
Next go to “AWS Marketplace” and search “OPNsense”. Our official image is sold via Deciso Sales B.V..
[](../../_images/aws_step1_choose_ami.png)
Step 2 - Select Type[](#step-2-select-type "Permalink to this heading")
-------------------------------------------------------------------------
Choose an instance type
[](../../_images/aws_launch_new_image.png)
Step 3 - Configure Instance Details[](#step-3-configure-instance-details "Permalink to this heading")
-------------------------------------------------------------------------------------------------------
Here you can configure your network details, by default a network is assigned which is accesible from an external IPv4 address.
At the bottom of the page you can also supply “User data” in the “Advanced Details” section, you can use this to set an initial password for the ec2-user.
Note
When a password is omited, one will be automatically generated for you and displayed on the console (get system log).
Step 4 - Add Storage[](#step-4-add-storage "Permalink to this heading")
-------------------------------------------------------------------------
Here you can change the initial storage size and type of volume to use.
Step 5 - Add Tags[](#step-5-add-tags "Permalink to this heading")
-------------------------------------------------------------------
Optionally you may add tags to the instance, it’s safe to leave this empty.
Step 6 - Configure security group[](#step-6-configure-security-group "Permalink to this heading")
---------------------------------------------------------------------------------------------------
To configure security group, make sure you allow HTTPS access from your own network. Since SSH is also enabled by default on these images, you may enable port 22 (SSH) too from your network.
[](../../_images/aws_configure_security_group.png)
Step 7 - Review your settings[](#step-7-review-your-settings "Permalink to this heading")
-------------------------------------------------------------------------------------------
[](../../_images/aws_review_settings.png)
Step 8 - SSH keypair[](#step-8-ssh-keypair "Permalink to this heading")
-------------------------------------------------------------------------
Select ssh keypair or skip, the selected ssh key is attached to the ec2-user, you can change this afterwards from the usermanager. (System -> Access -> Users).
[](../../_images/aws_ssh_keypair.png)
Step 9 - Review status page[](#step-9-review-status-page "Permalink to this heading")
---------------------------------------------------------------------------------------
[](../../_images/aws_status.png)
Step 10 - AWS instances[](#step-10-aws-instances "Permalink to this heading")
-------------------------------------------------------------------------------
Go to your AWS instances
[](../../_images/aws_instances.png)
Select the image, go to “image settings” then “get system log” to obtain the initial password for the ec2-user (if not specified in the user data) and the initial root password.
Note
Sometimes it can take a bit of time before the console settings appear in the “system log”, in our experience the output is available when the Status check reports it’s finished.
Step 11 - Initial root password[](#step-11-initial-root-password "Permalink to this heading")
-----------------------------------------------------------------------------------------------
Copy your initial root password (line \*\* set initial….)
.....
Configuring system logging...done.
>>> Invoking start script 'aws'
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
\*\*\* set initial ec2-user password to : J4heQUAaRWJFGkXrfUKssjQ9jyFiBmaRgqaBiYRK7iiL2lUtvG
\*\*\* !!! remember to change this immediately
\*\*\* openssh-key provided, set to ec2-user
\*\*\* set initial root password to : SNFpd2lcefYXXjyRezPrloTWTF3LjhgZPV3zLuDxEdVkiBGWxn
\*\*\* remember to change this immediately
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
>>> Invoking start script 'newwanip'
Reconfiguring IPv4 on xn0: OK
Reconfiguring routes: OK
>>> Invoking start script 'freebsd'
>>> Invoking start script 'syslog-ng'
Stopping syslog\_ng.
Waiting for PIDS: 57924.
Starting syslog\_ng.
>>> Invoking start script 'carp'
>>> Invoking start script 'cron'
Starting Cron: OK
>>> Invoking start script 'beep'
Root file system: /dev/gpt/rootfs
Sat Feb 5 17:58:45 UTC 2022
\*\*\* OPNsense.localdomain: OPNsense 21.7.7 (amd64/OpenSSL) \*\*\*
WAN (xn0) -> v4/DHCP4: 172.31.27.130/20
HTTPS: SHA256 52 87 3F 28 48 59 A3 7D 59 66 26 36 01 2C 77 61
FB 8E 78 C8 C4 C4 80 2C 97 C6 67 AA CB 28 48 60
SSH: SHA256 pwupAQ6U+TOKoI1NAvcFpKF90Is02W0YMem7CNPG9j8 (ECDSA)
SSH: SHA256 +JOMcgZ14lUnUxp4jEbEWf7Q+OvHJufvjhFzybJG1/M (ED25519)
SSH: SHA256 2mR9csHFwDgBl7SGfOPeW2r9E15zMP9OuMpHnBrGwUI (RSA)
FreeBSD/amd64 (OPNsense.localdomain) (ttyu0)
login:
Tip
When the ec2 console doesn’t show the initial password you can also use the configured ssh shell to reset the root password using `sudo /usr/local/sbin/opnsense-shell` and option `3` in the menu.
Step 11 - Search current address and login[](#step-11-search-current-address-and-login "Permalink to this heading")
---------------------------------------------------------------------------------------------------------------------
[](../../_images/aws_search_current_ip.png)
Login to OPNsense using the address provided.
---
# BIOS updates / settings — OPNsense documentation
* [](../index.html)
* [Official hardware](../vendor.html)
* BIOS updates / settings
* * *
BIOS updates / settings[](#bios-updates-settings "Permalink to this heading")
===============================================================================
This page is dedicated to the latest BIOS update downloads for Deciso appliances as well as a generic instruction on how to install them.
* * *
Table of Contents
* [**Product families**](#product-families)
* [DEC800, DEC3800 & DEC4000 series](#dec800-dec3800-dec4000-series)
* [DEC700 and DEC2700 series](#dec700-and-dec2700-series)
* [DEC600 and DEC2600 2.5GbE series](#dec600-and-dec2600-2-5gbe-series)
* [**Installation instructions**](#installation-instructions)
* [**Hyper threading**](#hyper-threading)
* [**Microcode updates**](#microcode-updates)
[**Product families**](#id1)
[](#product-families "Permalink to this heading")
--------------------------------------------------------------------------------
### [DEC800, DEC3800 & DEC4000 series](#id2)
[](#dec800-dec3800-dec4000-series "Permalink to this heading")
| **06-2024** Version 15 | |
| --- | --- |
| Download | SHA256 Checksum |
| --- | --- |
| [`Archive`](../_downloads/9bce5ef951143ca4499dd8caeff0b573/A20_v15_bios.tar.gz) | 9089a1875617fedf0ae634515d31e683e67f494ae55df8cfcac2db6edfb00888 |
| CVE Update. | |
### [DEC700 and DEC2700 series](#id3)
[](#dec700-and-dec2700-series "Permalink to this heading")
| **02-2025** Version 32 | |
| --- | --- |
| Download | SHA256 Checksum |
| --- | --- |
| [`Archive`](../_downloads/6e07ff865f73118592e1718955344e47/A10_v32_bios.tar.gz) | 1fc2efa0f16e3630bbdedcce5e6626c45378cce2e8c6739b19b436d957066903 |
| CVE Update. | |
### [DEC600 and DEC2600 2.5GbE series](#id4)
[](#dec600-and-dec2600-2-5gbe-series "Permalink to this heading")
Warning
This firmware is exclusive to the DEC600 and DEC2600 2.5 Gigabit series of the A8 version 2 boards. Do not install this firmware on older DEC600/DEC2600 devices that only support 1 Gigabit Ethernet.
Attention
The DEC600 and DEC2600 series (2.5GbE) use an image file that must be written to a USB drive as described in the [OPNsense installation instructions](../manual/install.html#installation-media)
. Replace the OPNsense image in the instructions with the BIOS image and write it to the USB drive. After preparing the USB drive, you can ignore steps 1 to 3 and start from step 4 of the installation instructions below.
| **03-2024** Version 2 | |
| --- | --- |
| Download | SHA256 Checksum |
| --- | --- |
| [`Image`](../_downloads/4ed93e5d1e28d71a2f76120eeb619ab8/Coreboot_Deciso_A8V2.img.bz2) | 1f05ed6423dc45bf5c479a86e813ec2a87d73e77544eedd49f2343c5942d2218 |
| CPU Frequency corrections and minor bugfixes | |
[**Installation instructions**](#id5)
[](#installation-instructions "Permalink to this heading")
--------------------------------------------------------------------------------------------------
Updating the UEFI firmware requires writing a bootable image to a USB drive on a separate machine. Make sure you have an empty or unused USB drive before starting this procedure. Also make sure the USB drive is FAT32 formatted.
Warning
As a general warning, following this procedure is at your own risk.
**Step 1**
Download the latest BIOS archive file for your platform from the downloads section above.
**Step 2**
Verify the SHA256 checksum.
**Step 3**
Insert the USB drive into your computer and extract the archive to the USB drive. Make sure the file structure is as follows:
USB drive:/
├── LATEST.FD
├── startup.nsh
├── H2OFFT-Sx64.efi
├── efi/
│ ├── boot/
│ │ ├── Bootx64.efi
**Step 4**
Safely remove the USB drive from the computer and plug it into the appliance.
**Step 5**
Connect to the appliance using a [Serial Console connectivity](serial_connectivity.html#serial)
connection. Open a terminal to the relevant COM port.
**Step 6**
Boot the appliance and enter the BIOS by pressing Escape. The current BIOS version (suffix) should show up. Make note of it so you can compare it to the new version to verify everything went well.
**Step 7**
Go to Setup Utility –> AMD CBS –> FCH Common Options –> UART Configuration Options –> UART 0 Legacy Options. Make sure this setting is set to **Disabled**. This is explained in [Legacy UART vs. UEFI serial](serial_connectivity.html#legacy-uart)
.
Note
Should your serial terminal highlight a BIOS option selection in such a way that it is unreadable, for the A20 appliance it’s the very first option in the UART Configuration Options menu screen.
**Step 8**
Select **Boot manager** and boot the USB drive. The UEFI shell will take over and execute the necessary BIOS update. If the update is complete, the machine will power off. **Do NOT do anything until the machine has shutdown.**
Note
Should the USB drive not show up, something went wrong during writing. The newly created FAT32 partition should be the very first block on the drive. Inspect the drive on a different machine to check the layout.
**Step 9**
Reboot the machine and check the new BIOS version in either the boot log or the BIOS itself.
[**Hyper threading**](#id6)
[](#hyper-threading "Permalink to this heading")
------------------------------------------------------------------------------
Selected models do support hyper threading, but as effectiveness depends on workload, we tend to disable it by default. If you do want to enable it when supported, enter the setup utility and search for the following menu item:
> AMD CBS -> Zen Common Options -> Core/Thread Enablement -> SMTEN
Select `Auto` here to enable the feature.
[**Microcode updates**](#id7)
[](#microcode-updates "Permalink to this heading")
----------------------------------------------------------------------------------
Microcode patches are distributed in our EFI firmware updates. If a Microcode update is required to address specific issues which are deemed important enough by AMD/Intel, you can install the microcode update yourself in a timely manner by using the [CPU Microcode updates \[AMD/Intel\]](../manual/cpu-microcode.html)
plugin.
---
# Password — OPNsense documentation
* [](../index.html)
* [Lobby](../lobby.html)
* Password
* * *
Password[](#password "Permalink to this heading")
===================================================
The password page in the lobby offers the user the ability to change his or hers password and default settings.
When The option `User OTP seed` is enabled in the System->Settings->Administration page, one could also acquire a new OTP seed here.
Warning
Changing an OTP seed automatically invalidates the previous one, so only request a new one when you are able to scan the new one using your mobile phone.
---
# Installing OPNsense OVA image — OPNsense documentation
* [](../../index.html)
* [Installation and setup](../../setup.html)
* Installing OPNsense OVA image
* * *
Installing OPNsense OVA image[](#installing-opnsense-ova-image "Permalink to this heading")
=============================================================================================
OPNsense is available as an Open Virtual Appliance (OVA) package, which can be deployed in various virtualization products (e.g. VMWare, Virtualbox).
The image is not provided as a community free download, but can be acquired from Deciso.
In this document we describe the simple steps when deploying in VirtualBox, other supported platforms function quite similar.
Step 1 - Import appliance[](#step-1-import-appliance "Permalink to this heading")
-----------------------------------------------------------------------------------
In the top menu, choose File ‣ Import appliance and select the image you downloaded, it should show a dialog like the following.
[](../../_images/ova_import_dialog_1.png)
Just click import, accept the license and the image should be transferred to your machine.
Step 2 - Network setup[](#step-2-network-setup "Permalink to this heading")
-----------------------------------------------------------------------------
The OVA template comes with two interfaces configured by default (you can add more later if needed). Always choose the right type of network before using OPNsense, the imported adapters might not be assigned to a type after import.
Note
Please be aware that the order of the network cards in the virtualization product may differ from how they are presented to the operating system. In VirtualBox “Adapter 1” seems to connect to WAN (em1)
Step 3 - Initial configuration[](#step-3-initial-configuration "Permalink to this heading")
---------------------------------------------------------------------------------------------
The virtual machine is operational now, initial configuration is performed similar to other setups, as described in [Initial Installation & Configuration](../install.html)
.
---
# OPNsense Azure Virtual Appliance — OPNsense documentation
* [](../../index.html)
* [Installation and setup](../../setup.html)
* OPNsense Azure Virtual Appliance
* * *
OPNsense Azure Virtual Appliance[](#opnsense-azure-virtual-appliance "Permalink to this heading")
===================================================================================================
OPNsense is a fully featured security platform that secures your network with high-end features such as inline intrusion prevention, virtual private networking, two factor authentication, captive portal and filtering web proxy. The optional high availability setup ensures stable network performance with automatic failover and synchronised states, minimising disruption. Keep your network secure and the good packets flowing.
The Virtual Appliance is available on the Microsoft Azure Marketplace ([here](https://azuremarketplace.microsoft.com/en-en/marketplace/apps/decisosalesbv.opnsense?tab=Overview)
).
[](../../_images/azure_offer.png)
Our installation manual will guide you through a simple installation scenario using 1 network interface, for more advanced network setups you best checkout the Azure [documentation](https://docs.microsoft.com/en-en/azure/virtual-machines/linux/multiple-nics)
.
Setup : Basic settings[](#setup-basic-settings "Permalink to this heading")
-----------------------------------------------------------------------------
The Marketplace create button guides you to the initial virtual machine setup, choose your subscription and system preferences here and name your virtual machine.
[](../../_images/azure_deploy_basics.png)
Next make sure you create an initial administrative user, since some names are reserved (like admin and root), you need to choose another one here. In our example we choose `adm001` here.
Note
You can enable the root user after installation, the setup user can access the system using ssh or https after installation todo so.
[](../../_images/azure_deploy_basics_user.png)
Setup : Disks[](#setup-disks "Permalink to this heading")
-----------------------------------------------------------
Next you can choose a disk type to use, **standard SSD** is fast enough for most workloads.
[](../../_images/azure_deploy_disks.png)
Setup : Network[](#setup-network "Permalink to this heading")
---------------------------------------------------------------
For our example, we kept our settings simple using a **private IP** which is accessible over port **443 (https)** after bootup. Most settings can be changed after deployment.
[](../../_images/azure_deploy_network.png)
Note
Microsoft has quite some information available about different networking settings and options [here](https://docs.microsoft.com/en-en/azure/virtual-machines/windows/network-overview)
Create[](#create "Permalink to this heading")
-----------------------------------------------
Proceed to **Review + create** to finalize the deployment.
Login to your instance[](#login-to-your-instance "Permalink to this heading")
-------------------------------------------------------------------------------
When the virtual machine is created and booted for the first time, you can login using the assigned user (`adm001`), now you can enable the root user if you like in System -> Access -> Users
[](../../_images/azure_startup_users.png)
Note
Our Azure virtual appliance has ssh enabled by default, you can change these settings in System -> Settings -> Administration
---
# OPNsense Tools — OPNsense documentation
* [](../index.html)
* [Lobby](../lobby.html)
* OPNsense Tools
* * *
OPNsense Tools[](#opnsense-tools "Permalink to this heading")
===============================================================
The OPNsense project offers a number of tools to instantly patch the system, revert a package to a previous (older version) state or revert the whole kernel.
opnsense-update[](#opnsense-update "Permalink to this heading")
-----------------------------------------------------------------
The opnsense-update utility offers combined kernel and base system upgrades using remotely fetched binary sets, as well as package upgrades via pkg. For a complete list of options look at the manpage on the system.
### Example:[](#example "Permalink to this heading")
A minor update also updated the kernel and you experience some driver issues with your NIC. Open your browser and go to
[https://pkg.opnsense.org/FreeBSD:11:amd64/18.1/sets/](https://pkg.opnsense.org/FreeBSD:11:amd64/18.1/sets/)
Here you can see all the kernels for version 18.1. Be aware to change the version if you are on a newer version. As an example you updated from 18.1.4 to 18.1.5 you have now installed kernel-18.1.5. To revert back to the last stable you can see kernel-18.1 so the syntax would be:
\# opnsense-update -kr 18.1
\# opnsense-shell reboot
Where -k only touches the kernel and -r takes the version number.
To switch back to the current kernel just use
\# opnsense-update -k
\# opnsense-shell reboot
Warning
Before reverting a kernel please consult the forums or open an issue via Github. You should only revert kernels on test machines or when qualified team members advise you to do so!
opnsense-revert[](#opnsense-revert "Permalink to this heading")
-----------------------------------------------------------------
The opnsense-revert utility offers to securely install previous versions of packages found in an OPNsense release as long as the selected mirror caches said release. For a complete list of options look at the manpage on the system.
### Example 1:[](#example-1 "Permalink to this heading")
The latest update of OPNsense to version 18.1.5 did a minor jump for the IPSec package “strongswan”. From this moment your VPNs are unstable and only a restart helps.
To check if the update of the package is the reason you can easily revert the package to its previous state while running the latest OPNsense version itself.
\# opnsense-revert -r 18.1.4 strongswan
With this command you can, for example, run OPNsense 18.1.5 while using the 18.1.4 version of strongswan. If you want to go back to the current release version just do
\# opnsense-revert strongswan
### Example 2:[](#example-2 "Permalink to this heading")
The previous revert of strongswan was not the solution you expected so you try to completely revert to the previous OPNsense version:
\# opnsense-revert -r 18.1.4 opnsense
Be aware to also check if there were kernel updates like above to also downgrade the kernel if needed!
opnsense-patch[](#opnsense-patch "Permalink to this heading")
---------------------------------------------------------------
The opnsense-patch utility treats all arguments as upstream git repository commit hashes, downloads them and finally applies them in order. Patches can also be reversed by reapplying them, but multiple patches must be given in reverse order to succeed. For a complete list of options look at the manpage on the system.
### Example 1:[](#id1 "Permalink to this heading")
In the Traffic Shaper a newly introduced typo prevents the system from setting the correct ipfw ruleset. You were asked by the developer to test a fresh patch 63cfe0a at URL [https://github.com/opnsense/core/commit/63cfe0a96c83eee0e8aea0caa841f4fc7b92a8d0](https://github.com/opnsense/core/commit/63cfe0a96c83eee0e8aea0caa841f4fc7b92a8d0)
At the end of the page there’s the short version 63cfe0a so the command would be:
\# opnsense-patch 63cfe0a
If it doesn’t fix your issue or makes it even worse, you can just reapply the command to revert it.
### Example 2:[](#id2 "Permalink to this heading")
You need a special feature for a plugin and ask in Github for it. A developer adds it and ask you to install the patch 699f1f2 for testing. The full link to it would be [https://github.com/opnsense/plugins/commit/699f1f28a33ce0122fa0e2f5e6e1f48eb3c4f074](https://github.com/opnsense/plugins/commit/699f1f28a33ce0122fa0e2f5e6e1f48eb3c4f074)
\# opnsense-patch -c plugins 699f1f2
The -c changes the default core to plugin repo and adds the patch to the system.
It is also possible to add patches from different users, just add -a githubusername before -c
---
# System Health & Round Robin Data — OPNsense documentation
* [](../index.html)
* [Reporting](../reporting.html)
* System Health & Round Robin Data
* * *
System Health & Round Robin Data[](#system-health-round-robin-data "Permalink to this heading")
=================================================================================================
[](../_images/systemhealth_sample.png)
System Health is a dynamic view on RRD data gathered by the system. It can be accessed via Reporting ‣ Health. It allows you to dive into different statistics that show the overall health and performance of the system over time.
The system health module will enable you to track down issues faster and easier than traditional static RRD graphs and it allows you to zoom in.
Data collectors[](#data-collectors "Permalink to this heading")
-----------------------------------------------------------------
System Health has the following primary data collectors:
Packets
Packets show the number of packets per second traveling to and from a certain interface.
Quality
Quality show latency and packet loss of the monitored gateways (ip).
System
The system section is used for sensor data regarding the system utilization, such as memory usage, mbufs, states, processes and (when available) cpu temperature.
Traffic
Shows traffic graphs for each interface including vpn (ipsec).
Depending on the features in use there may be more or less graphs available.
GUI Features Overview[](#gui-features-overview "Permalink to this heading")
-----------------------------------------------------------------------------
Please see the screenshot below for all element of the system health module. Each element will be explained in the next chapters.
[](../_images/systemhealth_gui.png)
### Toggle menu collapse[](#toggle-menu-collapse "Permalink to this heading")
This feature will show or hide the top menu.
### Category Selection[](#category-selection "Permalink to this heading")
The category items are tabs with drop down menu’s. Click on one of the categories and select the graph you like to dive into.
### Graph Selection[](#graph-selection "Permalink to this heading")
Part of the drop down menu, where you can select the graph to view.
### Select primary dataset[](#select-primary-dataset "Permalink to this heading")
Select the RRD dataset you want to use. The more to the left the lower the maximum resolution. By default the graphs are opened with the highest available RRD resolution.
### Inverse[](#inverse "Permalink to this heading")
By selecting **Inverse** each odd dataset is reversed in direction (times minus one), this is especially useful for traffic flows where you can plot ingoing and outgoing flows in different directions.
[](../_images/systemhealth_inverse.png)
### Resolution[](#resolution "Permalink to this heading")
The resolution determines the maximum number of datapoints that will be shown in the graph and therefore indirectly influences the scale of the calculated averages.
### Hide/show table data[](#hide-show-table-data "Permalink to this heading")
By default the table data is hidden, you can show it by toggling the **Show Tables** to **On**.
The table data area consists of the min/max/average and detailed table data area.
### Name of the graph[](#name-of-the-graph "Permalink to this heading")
Shows the name of the selected graph.
### Current Detail Level[](#current-detail-level "Permalink to this heading")
Since the data is dynamically rendered it will automatically calculate the averages and show you the current detail level in this area.
### Label filter[](#label-filter "Permalink to this heading")
[](../_images/systemhealth_labelfilter.png)
The label filter can be used to filer out data you do not want to see. Click once to disable or double click to select only this set.
A nice sample can be seen here, where the _processes_ obscure all other data.
[](../_images/systemhealth_obscureddata.png)
Just click once on _processes_ to hide this data set, notice that the scales will adapt as well.
[](../_images/systemhealth_filtered.png)
### Main graph area[](#main-graph-area "Permalink to this heading")
The main graph area show the full graph or just the part you selected in the zoom area with more detail.
### Zoom Area[](#zoom-area "Permalink to this heading")
The zoom area can be used to select and zoom in on one part of the graph, the scales are adapted automatically and any tables will be updated as well.
This feature is very useful to zoom in on issues or for showing just part of the graph.
To use, click on it and hold while moving your pointer to another part of the zoom area, on mouse up (release mouse click) the main graph area will be updated accordingly. The zoom area will also be updated with more detailed data - when available - for the selected area.
A sample selection:
[](../_images/systemhealt_selection.png)
And the result:
[](../_images/systemhealth_zoomed.png)
### Min/max/average table[](#min-max-average-table "Permalink to this heading")
If **Show Tables** is on then this area will show: \* Minimum value of each dataset \* Maximum value of each dataset \* Average value of each dataset
### Detailed table[](#detailed-table "Permalink to this heading")
If **Show Tables** is on then this area will show each value that is plotted in the graph. You can toggle the time and date view from timestamp to human readable values and export the data to as comma separated file (.CSV).
The exported dataset can be used for your own reporting.
[](../_images/systemhealth_excel.png)
---
# Netflow Export & Analyses — OPNsense documentation
* [](../index.html)
* [Reporting](../reporting.html)
* Netflow Export & Analyses
* * *
Netflow Export & Analyses[](#netflow-export-analyses "Permalink to this heading")
===================================================================================
[](../_images/netflow_analyzer_insight.png)
Netflow is a monitoring feature, invented by Cisco, it is implemented in the FreeBSD kernel with ng\_netflow (Netgraph). Since Netgraph is a kernel implementation it is very fast with little overhead compared to softflowd or pfflowd.
While many monitoring solutions such as Nagios, Cacti and vnstat only capture traffic statistics, Netflow captures complete packet flows including source, destination IP and port number.
OPNsense offers full support for exporting Netflow data to external collectors as well as a comprehensive Analyzer for on-the-box analysis and live monitoring.
OPNsense is the only open source solution with a built-in Netflow analyzer integrated into its Graphical User Interface. It can be accessed via Reporting ‣ Netflow.
Supported Versions[](#supported-versions "Permalink to this heading")
-----------------------------------------------------------------------
OPNsense support both Netflow version 5 (IPv4) and version 9 (IPv4 & IPv6).
Netflow Basics[](#netflow-basics "Permalink to this heading")
---------------------------------------------------------------
For analyzing the flow data it is important to understand the difference between ingress and egress traffic.
### Ingress[](#ingress "Permalink to this heading")
Traffic to or coming from the firewall.
### Egress[](#egress "Permalink to this heading")
Traffic passing trough the firewall.
### Ingress + Egress = Double flow count[](#ingress-egress-double-flow-count "Permalink to this heading")
When enabling both ingress and egress, traffic gets counted double due to Network Address Translation as all packets going to the WAN coming from the LAN pass the Network translation of the firewall therefor also creating an ingress flow.
If you are not interested in ingress traffic then OPNsense offers the option to filter this traffic. When utilizing a proxy on the same device its important to capture the ingress flows as well, otherwise all proxy traffic won’t be visible. Downside is of course that all traffic not passing the proxy will be counted twice due to the mentioned NAT effect.
Netflow Exporter[](#netflow-exporter "Permalink to this heading")
-------------------------------------------------------------------
OPNsense Netflow Exporter supports multiple interfaces, filtering of ingress flows and multiple destinations including local capture for analysis by Insight (OPNsense Netflow Analyzer).
[](../_images/netflow_exporter1.png)
Netflow Analyzer - Insight[](#netflow-analyzer-insight "Permalink to this heading")
-------------------------------------------------------------------------------------
OPNsense offers a full Netflow Analyzer with the following features:
* Captures 5 detail levels
> * Last 2 hours, 30 second average
>
> * Last 8 hours, 5 minute average
>
> * Last week, 1 hour average
>
> * Last month, 24 hour average
>
> * Last year, 24 hour average
>
* Graphical representation of flows (stacked, stream and expanded)
* Top usage per interface, both ips and ports.
* Full in/out traffic in packets and bytes
* Detailed view with date selection and port/ip filter (up to 2 months)
* Data export to csv for offline analysis
> * Selectable Detail Level
>
> * Selectable Resolution
>
> * Selectable Dat range
>

Configuration[](#configuration "Permalink to this heading")
-------------------------------------------------------------
### Setup Netflow Exporter[](#setup-netflow-exporter "Permalink to this heading")
See [Configure Netflow Exporter](how-tos/netflow_exporter.html)
### Setup Insight[](#setup-insight "Permalink to this heading")
See [Using Insight - Netflow Analyzer](how-tos/insight.html)
---
# 25.1 “Ultimate Unicorn” Series — OPNsense documentation
* [](../index.html)
* [Releases](../releases.html)
* [Community Edition](../CE_releases.html)
* 25.1 “Ultimate Unicorn” Series
* * *
25.1 “Ultimate Unicorn” Series[](#ultimate-unicorn-series "Permalink to this heading")
========================================================================================
For an entire decade now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
25.1, nicknamed “Ultimate Unicorn”, features numerous MVC/API conversions, improved security zones support and documentation, ZFS snapshot support, a new UI look with a light and dark theme, PHP 8.3, FreeBSD 14.2 plus much more.
Download links, an installation guide [\[1\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/25.1/](https://opnsense.c0urier.net/releases/25.1/)
* US East Coast: [https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.1/](https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.1/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.1/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.1/)
* South America: [http://mirror.ueb.edu.ec/opnsense/releases/25.1/](http://mirror.ueb.edu.ec/opnsense/releases/25.1/)
* East Asia: [https://mirror.ntct.edu.tw/opnsense/releases/25.1/](https://mirror.ntct.edu.tw/opnsense/releases/25.1/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
25.1.4 (March 26, 2025)[](#march-26-2025 "Permalink to this heading")
-----------------------------------------------------------------------
This update offers support for “jq” syntax in JSON-based URL table aliases, new OpenVPN instance features and the mandatory batch of stability improvements in numerous parts of the GUI and backend.
Upcoming in 25.1.5 are better RADIUS integration and enabling message authentication. We are also replacing the captive portal implementation by moving from ipfw(4) to pf(4). Last but not least the firewall automation filter rules GUI received a generous revamp for a far better UX than before. You can preview these changes by switching to the development release type and let us know about any remaining bug that you may encounter.
Here are the full patch notes:
* system: add “Kill states when down” option to gatways
* system: stop pushing “nextuid” and “nextgid” during XMLRPC
* system: migrate tunables to implicit defaults
* system: secure access to sysctl configuration node
* system: fix RADIUS error check
* system: add “pwd\_changed\_at” field previously missing in user model
* system: rewire system\_usermanager\_passwordmg.php to /ui/user\_portal for cooperation with the next business edition
* system: default “net.inet.carp.senderr\_demotion\_factor” tunable to “0”
* system: opnsense-beep: serialize access to /dev/speaker (contributed by Leonid Evdokimov)
* reporting: minor code cleanups in insight backend
* interfaces: move “(de)select all” button to the same row on packet capture page
* interfaces: add ARP address family option to packet capture
* interfaces: fix advanced mode visibility in VIPs
* firewall: performance improvement by using pf overall table stats instead of dumping each table
* firewall: offer better plug-ability for dynamic alias type
* firewall: alias rename action ignored due to missing lock
* firewall: support “jq” processing syntax for JSON-based URL table aliases
* openvpn: use shared base\_bootgrid\_table and base\_apply\_button
* openvpn: add support for assorted options [\[1\]](https://github.com/opnsense/core/pull/8396)
(contributed by Marius Halden)
* openvpn: add basic HTTP client option
* router advertisements: move plugin code to its own space
* unbound: move whitelist (passlist) handling to Unbound plugin
* mvc: merge NetworkValidator into NetworkField to ease extensibility and add unit test
* mvc: send audit messages emitted in the authentication sequence to proper channel
* mvc: BooleanField now defaults to “0” on creation
* plugins: os-caddy 1.8.4 [\[2\]](https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr)
* plugins: os-frr 1.44 [\[3\]](https://github.com/opnsense/plugins/blob/stable/25.1/net/frr/pkg-descr)
* plugins: os-theme-cicada 1.39 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.29 (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.49 (contributed by Team Rebellion)
* ports: dnsmasq 2.91 [\[4\]](https://www.thekelleys.org.uk/dnsmasq/CHANGELOG)
* ports: expat 2.7.0 [\[5\]](https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes)
* ports: lighttpd 1.4.78 [\[6\]](https://www.lighttpd.net/2025/3/22/1.4.78/)
* ports: pecl-radius now offers message authenticator support (scheduled to be enabled with 25.1.5)
* ports: phalcon 5.9.0 [\[7\]](https://github.com/phalcon/cphalcon/releases/tag/v5.9.0)
* ports: php 8.3.19 [\[8\]](https://www.php.net/ChangeLog-8.php#8.3.19)
* ports: py-duckdb 1.2.1 [\[9\]](https://github.com/duckdb/duckdb/releases/tag/v1.2.1)
* ports: py-jq 1.8.0 [\[10\]](https://github.com/mwilliamson/jq.py/blob/master/CHANGELOG.rst)
* ports: suricata 7.0.10 [\[11\]](https://suricata.io/2025/03/25/suricata-7-0-10-released/)
A hotfix release was issued as 25.1.4\_1:
* backend: restore missing Python module
25.1.3 (March 11, 2025)[](#march-11-2025 "Permalink to this heading")
-----------------------------------------------------------------------
This time around a patch from OpenBSD has been added that fixes the state tracking for ICMPv6 neighbour discovery packets through pf. The user management gained a CSV import/export. Also, the bug of the missing PPP logs has been fixed in the upstream MPD package.
Please note that the FRR plugin now uses the new configuration file layout mandated by upstream and also gained reload support.
Since Google Drive is being phased out by Google, a new plugin now covers backups via SFTP. The old Google Drive backup functionality will move to plugins in 25.7 since it will only be useful for existing installs.
Here are the full patch notes:
* system: implement user CSV import/export functionality (sponsored by: m.a.x. it)
* system: switch boot logo and MOTD to the new-style logo (contributed by Gavin Chappell)
* system: migrate ‘default’ tunable value to empty one and improve UX
* system: bring back user/group audit messages lost in MVC conversion
* system: replace legacy service widget hook with a proper configd call
* interface: use shared base\_bootgrid\_table and base\_apply\_button where possible
* interfaces: remove obsolete code in get\_real\_interfaces() to match getRealInterface()
* interfaces: improve validation for CARP/proxy ARP VIP
* interfaces: remove defunct “other” VIP type
* interfaces: skip “nosync” processing on VIPs
* firewall: support partial alias exports
* kea-dhcp: use shared base\_bootgrid\_table and base\_apply\_button
* network time: move XMLRPC definition to correct file
* openvpn: add DCO validation for fragment size
* unbound: use shared base\_bootgrid\_table and base\_apply\_button
* unbound: fix model migration pertaining to “dots” model changes
* wireguard: use shared base\_bootgrid\_table and base\_apply\_button
* backend: allow pluginctl to filter on -x/-X option
* mvc: decode HTML tags in menu items
* mvc: fix unit tests for model relation fields
* plugins: os-caddy 1.8.3 [\[1\]](https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr)
* plugins: os-dmidecode 1.2 adds new dashboard widget (contributed by Neil Merchant)
* plugins: os-frr 1.43 [\[2\]](https://github.com/opnsense/plugins/blob/stable/25.1/net/frr/pkg-descr)
* plugins: os-intrusion-detection-content-pt-open 1.0 (contributed by kulikov-a)
* plugins: os-sftp-backup 1.0 allows configuration backups over SFTP
* plugins: os-zabbix-agent 1.15 [\[3\]](https://github.com/opnsense/plugins/blob/stable/25.1/net-mgmt/zabbix-agent/pkg-descr)
* plugins: os-zabbix-proxy 1.12 [\[4\]](https://github.com/opnsense/plugins/blob/stable/25.1/net-mgmt/zabbix-proxy/pkg-descr)
* src: carp: fix checking IPv4 multicast address
* src: icmp: use per rate limit randomized jitter
* src: ixgbe: Fix a logic error in ixgbe\_read\_mailbox\_vf()
* src: netinet6: do not forward to the unspecified address
* src: netinet: do not forward or ICMP response to INADDR\_ANY
* src: netinet: ipsec and ktls cannot coexists
* src: pf: align sanity checks for pfrw\_free
* src: pf: allow all forms of neighbor advertisements in either direction
* src: pf: cleanup leftover [PF\_ICMP\_MULTI\_](#id1)
\* code that is not needed anymore
* src: pf: do not keep state when dropping overlapping IPv6 fragments
* src: pf: drop IPv6 packets built from overlapping fragments in pf reassembly
* src: pf: fix fragment hole count
* src: sysctl: enable vnet sysctl variables to be loader tunable
* ports: mpd default logging level increased to LOG\_NOTICE
* ports: nss 3.109 [\[5\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_109.html)
* ports: pftop 0.12
* ports: py-jinja 3.1.6 [\[6\]](https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6)
25.1.2 (February 28, 2025)[](#february-28-2025 "Permalink to this heading")
-----------------------------------------------------------------------------
This was supposed to hit earlier this week, but some weeks are like this one now where QA takes more time than usual. Of note is the move of Dnsmasq to MVC and the ChartJS update to version 4 which is bundled with nice updates for widgets and the system health graphs.
The roadmap for 25.7 was also published [\[1\]](https://opnsense.org/about/road-map/)
. The IPsec and OpenVPN legacy parts will move to the plugins so that the functionality can live there in community support tier. Since Kea remains a bit of an odd choice we will be offering DHCP support via Dnsmasq as a new standard feature which also offers seamless DHCP lease registration some people keep looking for.
Here are the full patch notes:
* system: adjust gateway widget to use the intended caching mechanism
* system: thermal sensors widget can now select individual sensors to display plus UX changes
* system: handle dev.pchtherm temperatures in the thermal dashboard widget (contributed by Joe Roback)
* system: use new apply button partial in tunables page
* system: move high availability option “disable preempt” to advanced mode
* system: straighten out syslog-ng rc.d scripting
* reporting: switch health graphs to ChartJS
* interfaces: add “nosync” option to VIPs and fix sync conditional
* interfaces: exclude automatic radvd like we do for manual
* firewall: properly unpack multiple source/destination items in the rules page
* firewall: hide internal aliases to align with previous legacy\_list\_aliases() function
* firewall: add missing “persist” on bogonsv6
* captive portal: urlencode() selector items in voucher group list
* dhcrelay: integrate layout\_partials bootgrid/apply
* dnsmasq: migrate existing frontend to MVC/API
* ipsec: add deprecation notices for legacy components (will move to plugins)
* kea-dhcp: add “v6-only-preferred” option (contributed by darses)
* openvpn: add deprecation notices for legacy components (will move to plugins)
* openvpn: support “password first” for static-challenges
* unbound: add support for forward-first when configuring forwarders (contributed by Nigel Jones)
* wireguard: change tracking of peer status, improve widget and diagnostic
* backend: add an “import” rc.syshook facility
* backend: change the “monitor” rc.syshook facility and de-deprecate its use
* backend: remove unused functions and move once-used functions to their call script
* mvc: wrap locks around updates and perform some minor cleanups in ApiMutableModelControllerBase
* mvc: move “lazy loading” option to base model implementation and force usage on run\_migrations.php
* mvc: safeguard checkToken() to prevent fetching an non existing POST item
* ui: upgrade ChartJS to v4
* ui: change backdrop background color to black in dark theme
* ui: create a unified layout partial for the apply button
* plugins: adjust all themes for ChartJS 4 use
* plugins: treat empty string like null on argument map
* plugins: os-acme-client 4.9 [\[2\]](https://github.com/opnsense/plugins/blob/stable/25.1/security/acme-client/pkg-descr)
* src: ipfw: make ‘ipfw show’ output compatible with ‘ipfw add’ command
* src: pf: stop using net\_epoch to synchronize access to eth rules
* src: e1000: fix vlan PCP/DEI on lem(4)
* src: igc: remove unused register IGC\_RXD\_SPC\_VLAN\_MASK
* src: ifnet: detach BPF descriptors on interface vmove event
* src: libkern: add ilog2 macro et al
* src: ipfw: add missing initializer for ‘limit’ table value
* src: pf: add extra SCTP multihoming probe points
* src: pf: verify SCTP v\_tag before updating connection state
* src: pf: verify that ABORT chunks are not mixed with DATA chunks
* src: pf: allow ICMP messages related to an SCTP state to pass
* src: pf: add ‘allow-related’ to always allow SCTP multihome extra connections
* src: bpf: fix potential race conditions
* src: net: if\_media for 100BASE-BX
* src: rtw89: update Realtek rtw88/rtw89 driver et al
* src: net80211: 11ac: add options to manage VHT STBC
* src: ifconfig: make -vht work
* src: iwlwifi: update Intel iwlwifi/mvm driver et al
* src: ixgbe: Add ixgbe\_dev\_from\_hw() back
* ports: ca\_root\_nss / nss 3.108 [\[3\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_108.html)
* ports: curl 8.12.1 [\[4\]](https://curl.se/changes.html#8_12_1)
* ports: openssh 9.9p2 [\[5\]](https://www.openssh.com/txt/release-9.9p2)
* ports: php83 8.3.17 [\[6\]](https://www.php.net/ChangeLog-8.php#8.3.17)
* ports: py-duckdb 1.2.0 [\[7\]](https://github.com/duckdb/duckdb/releases/tag/v1.2.0)
25.1.1 (February 12, 2025)[](#february-12-2025 "Permalink to this heading")
-----------------------------------------------------------------------------
Here we are with further refinements to 25.1 and it is looking pretty well so far. Included are the recent FreeBSD security advisories and the OpenSSL 3.0.16 which came out just yesterday.
The roadmap for 25.7 is being worked on at the moment and should be ready for publication next week / release.
Here are the full patch notes:
* system: exclude pchtherm thresholds temperature thresholds
* system: regression in groupAllowed() as values are now comma-separated
* system: update button wording on new HA status page
* reporting: fix missing typecast in epoch range for DNS statistics
* interfaces: fix undefined array key warnings in DHCP client setup (contributed by Ben Smithurst)
* interfaces: remove “hellotime” configuration leftover of recent bridge cleanup
* firmware: opnsense-update: fix failure to clean up the working directory
* firmware: opnsense-update: support -B and -K with -c option check
* firmware: opnsense-update: let -u skip already installed packages set
* firmware: kernel may not be pending so be sure to check on upgrade attempt
* firmware: add an upgrade test for wrong pkg repository
* firmware: revoke 24.7 fingerprint
* captive portal: fix missing class import
* captive portal: partially revert new lighttpd TLS defaults
* ipsec: fix glob pattern for advanced configuration banner
* monit: revert “wrap exec in double quotes to allow arguments”
* ui: reverted style changes only relevant for the development version
* ui: header image scaling fixes in default light theme
* ui: remove right border from “aside” element in default dark theme
* plugins: os-caddy 1.8.2 [\[1\]](https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr)
* plugins: os-crowdsec 1.0.9 [\[2\]](https://github.com/opnsense/plugins/blob/stable/25.1/security/crowdsec/pkg-descr)
* plugins: os-ddclient 1.27 [\[3\]](https://github.com/opnsense/plugins/blob/stable/25.1/dns/ddclient/pkg-descr)
* src: pf: send ICMP destination unreachable fragmentation needed when appropriate
* src: pfil: set PFIL\_FWD for IPv4 forwarding
* src: if\_vxlan: use static initializers
* src: if\_vxlan: prefer SYSCTL\_INT over TUNABLE\_INT
* src: if\_vxlan: Invoke vxlan\_stop event handler only when the interface is configured
* src: pf: force logging if pf\_create\_state() fails
* src: tarfs: fix the size of struct tarfs\_fid and add a static assert
* src: ext2fs: fix the size of struct ufid and add a static assert
* src: cd9660: make sure that struct ifid fits in generic filehandle structure
* src: tzdata: import tzdata 2025a
* src: audit: fix short-circuiting in syscallenter()
* src: ktrace: fix uninitialized memory disclosure\]
* src: netinet: enter epoch in garp\_rexmit()
* ports: curl 8.12.0 [\[4\]](https://curl.se/changes.html#8_12_0)
* ports: monit 5.34.4 [\[5\]](https://mmonit.com/monit/changes/)
* ports: openssl 3.0.16 [\[6\]](https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md)
* ports: pcre2 10.45 [\[7\]](https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.45)
* ports: php 8.3.16 [\[8\]](https://www.php.net/ChangeLog-8.php#8.3.16)
25.1 (January 29, 2025)[](#january-29-2025 "Permalink to this heading")
-------------------------------------------------------------------------
For an entire decade now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
25.1, nicknamed “Ultimate Unicorn”, features numerous MVC/API conversions, improved security zones support and documentation, ZFS snapshot support, a new UI look with a light and dark theme, PHP 8.3, FreeBSD 14.2 plus much more.
Download links, an installation guide [\[1\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/25.1/](https://opnsense.c0urier.net/releases/25.1/)
* US East Coast: [https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.1/](https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.1/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.1/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.1/)
* South America: [http://mirror.ueb.edu.ec/opnsense/releases/25.1/](http://mirror.ueb.edu.ec/opnsense/releases/25.1/)
* East Asia: [https://mirror.ntct.edu.tw/opnsense/releases/25.1/](https://mirror.ntct.edu.tw/opnsense/releases/25.1/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
Here are the full patch notes against version 24.7.12:
* system: migrate user, group and privilege management to MVC/API
* system: remove the “disable integrated authentication” feature
* system: add “Default groups” option to add standard groups when a LDAP/RADIUS user logs in
* system: remove the old manual LDAP importer
* system: migrate HA status page to MVC/API
* system: allow custom additions to sshd\_config (contributed by Neil Greatorex)
* system: increase max-request-field-size for web GUI
* system: set tunable default for checksum offloading of the vtnet(4) driver to disabled (contributed by Patrick M. Hausen)
* system: add support for RFC 5549 routes and refactor static route creation code
* system: improve notification support to also allow persistent notifications and static banners
* system: add notifications for low disk space and OpenSSH file override use
* system: migrate tunables page to MVC/API
* system: switch to temperature sensor caching
* system: add certificate widget to track expiration dates and allow quick renewal
* system: remove deprecated “page-getserviceprovider”, “page-dashboard-all” and “page-system-groupmanager-addprivs” privileges
* system: replace file\_get\_contents() with curl implementation in XMLRPC sync and add verifypeer option
* system: add item edit links to several dashboard widgets
* system: prioritize index page and prevent redirection to a /api page on login
* system: mute disk space status in case of live install media
* system: optimize system status collection
* interfaces: adhere to DAD during VIP recreation in rc.newwanipv6
* interfaces: remove non-functional features from bridges
* interfaces: remove PPP edit in interfaces settings
* interfaces: batched device type creation under “devices” submenu
* interfaces: move PPP and wireless logs to system log
* interfaces: remove “Use IPv4 connectivity” setting as it will be set by default
* firewall: use “skip lo0” instead of policing lo0 explicitly following OpenBSD best practice
* firewall: remove duplicate table definition and make sure bogonsv6 table always exists
* firewall: cleanup of CARP and IPv6 rules behaviour
* firewall: filter feature parity in automation rules
* firewall: offer multi-select on source and destination addresses
* firewall: add experimental inline shaper support to filter rules
* firewall: add missing columns on one-to-one NAT page
* firewall: fix unassociated rule creation
* firewall: fix anti-lockout and “allow access to DHCP failover” automatic rules
* firewall: add optional authorization for URL type aliases
* firewall: add “URL Table in JSON format (IPs)” alias type
* dnsmasq: update ICANN Trust Anchor (contributed by Loganaden Velvindron)
* firmware: fix “r” abbreviation vs. version\_compare();
* installer: fixed missing prompt and help text in ZFS disk selection
* installer: warn on low RAM for ZFS as well
* installer: added a power off option
* intrusion detection: policy content dropdown missing data-container
* intrusion detection: cleanse metadata for brackets
* ipsec: add log search button in sessions
* ipsec: add banner message when using custom configuration files
* kea-dhcp: add “match-client-id” in subnet definitions
* lang: update available translations
* monit: wrap exec in double quotes to allow arguments (contributed by Nikita Uvarov)
* monit: flag file overwrites when they exist
* network time: take IPv6 addresses into account
* network time: remove support for explicit VIP selection
* openvpn: add validation pertaining to auth-gen-token and reneg-sec combinations
* unbound: cleanup available blocklists and add hagezi blocklists
* unbound: fix root.hits permission on copy
* unbound: flag file overwrites when they exist
* backend: -m option is unused so remove its complication
* mvc: implement reusable grid template using form definitions
* mvc: add Default() method to reset a model to its factory defaults
* mvc: fix LegacyMapper when the mount point is not the XML root
* mvc: move explicit cast in BaseModel when calling field->setValue()
* mvc: fields should implement getCurrentValue() rather than \_\_toString()
* mvc: fix value lookup in LinkAddressField
* mvc: memory preservation fix in BaseListField
* mvc: support lazy loading on alias models and use it in NetworkAliasField
* mvc: fix NetworkValidator for IPv4-mapped addresses with netmask (contributed by John Fieber)
* ui: upgrade Font Awesome icons to version 6
* ui: push search/edit logic towards bootgrid implementation
* ui: improved links with automatic edit and/or search
* ui: rewritten default theme for a light look and new logo
* ui: added default theme variant with a dark look
* plugins: turning binary data into JSON may fail globally
* plugins: os-acme-client 4.8 [\[2\]](https://github.com/opnsense/plugins/blob/stable/25.1/security/acme-client/pkg-descr)
* plugins: os-caddy 1.8.1 [\[3\]](https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr)
* plugins: os-cpu-microcode 1.1 removes unneeded late loading code
* plugins: os-haproxy 4.5 [\[4\]](https://github.com/opnsense/plugins/blob/stable/25.1/net/haproxy/pkg-descr)
* pluginsL os-tailscale 1.2 [\[5\]](https://github.com/opnsense/plugins/blob/stable/25.1/security/tailscale/pkg-descr)
* src: FreeBSD 14.2-RELEASE [\[6\]](https://www.freebsd.org/releases/14.2R/relnotes/)
* src: p9fs: add an implementation of the 9P filesystem
* ports: lighttpd 1.4.77 [\[7\]](https://www.lighttpd.net/2025/1/10/1.4.77/)
* ports: openvpn 2.6.13 [\[8\]](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.13)
* ports: php 8.3.15 [\[9\]](https://www.php.net/ChangeLog-8.php#8.3.15)
* ports: radvd 2.20 [\[10\]](https://radvd.litech.org/)
Migration notes, known issues and limitations:
* The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. The integrated authentication via PAM has been the default for a long time so the option to disable it has been removed. The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option. The “page-system-groupmanager-addprivs” privilege was removed since the page does not exist anymore. A multi-purpose privilege editor has been added under the existing “page-system-usermanager-addprivs” instead.
* PPP devices can no longer be configured on the interface settings page. To edit the device settings use the native PPP device edit page instead.
* FreeBSD 14.2 comes with the stock pf(4) behaviour regarding ICMPv6 neighbour discovery state tracking which was avoided so far in 24.7.x.
* Let’s Encrypt ends support for the OCSP Must Staple extension on 30.01.2025. Issuance requests will fail if this option is still enabled past this date.
The public key for the 25.1 series is:
\# -----BEGIN PUBLIC KEY-----
\# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsnbyFjWXvUcUC4BqnQ9w
\# uH3yiaG7AY8UzwepXf2TqqOYt5Y0USbse3OBjxYnRs0iW5EHtdKSRcmelup374Hp
\# XDDeQ/mjmhhnvXryfQL57gyVpYeL5gRVhf/2DwEZELLCFUFhMNh52QPaJ5zTvdws
\# m1Q+OwI1WfTDR7ytm+0Too2tVerG3mM3XataZ+XOKwHp2xP0Mr8E4F+PZdR4hWbb
\# yC2elIzICXDWWpcEEg4JT48TIYZJPGnE2IJAzWRntrqVU2eLcEn5MffwTawXNoCZ
\# mvLYqguYskmeR/dAL7ZmZcPeMeibXMtld8xIZp49g7DPq7PqxCY1wxcgeuZPFOHv
\# kbYzL3BHbyni3K/qdLXKzy8oZeUUvlbUgaj8Xx14DSiNzJDknNf0Xg/eby7MkzgP
\# eUXgtB0MRQMih85BfaiH5r+uQMgPKnjutVWR8qUWglxDKIc4s69b8PXylfu2FwiP
\# iKMBdO8xnVvNFKOkuaUtI31cqxauw2hBAlILFvltM+adUz2rfB3Ch0bjfjDE5Hxq
\# En4fEUVHgQCu+Ojyyy3/8RwUpsRZq05fObypyeL3E/MvlwpaOVjwvw2ozVPGi2zi
\# xmXemn5CbgjD3vPR9XERXrFkHTwPnIiqz53znqn34P+NGEgD1veMhZPE6OGZRu/h
\# IfceSaxJ/An5SUh0zr7YgOsCAwEAAQ==
\# -----END PUBLIC KEY-----
\# SHA256 (OPNsense-25.1-dvd-amd64.iso.bz2) = 68efe0e5c20bd5fbe42918f000685ec10a1756126e37ca28f187b2ad7e5889ca
\# SHA256 (OPNsense-25.1-nano-amd64.img.bz2) = a51e4499df6394042ad804daa8e376c291e8475860343a0a44d93d8c8cf4636e
\# SHA256 (OPNsense-25.1-serial-amd64.img.bz2) = 57c05e935790f9b2b800a19374948284889988741cfbaf6fae7600f7a4451022
\# SHA256 (OPNsense-25.1-vga-amd64.img.bz2) = 89fcf5bdb1d2ea2ea6ba4cdc1268ea0a1e22b944330d7bee0711c8630cc905af
25.1.r2 (January 24, 2025)[](#r2-january-24-2025 "Permalink to this heading")
-------------------------------------------------------------------------------
Just a small update to ship the latest changes and fixes. The anti-lockout not working was finally addressed. Thanks for all the valuable feedback on the forum!
Here are the full patch notes against version 25.1-RC1:
* system: prioritize index page and prevent redirection to a /api page on login
* system: mute disk space status in case of live install media
* system: optimize system status collection
* firewall: add experimental inline shaper support to filter rules
* firewall: add missing columns on one-to-one NAT page
* firewall: fix unassociated rule creation
* firewall: fix anti-lockout and “allow access to DHCP failover” automatic rules
* firewall: add optional authorization for URL type aliases
* installer: fixed missing prompt and help text in ZFS disk selection
* installer: warn on low RAM for ZFS as well
* installer: added a power off option
* intrusion detection: policy content dropdown missing data-container
* intrusion detection: cleanse metadata for brackets
* ipsec: add banner message when using custom configuration files
* monit: flag file overwrites when they exist
* openvpn: add validation pertaining to auth-gen-token and reneg-sec combinations
* unbound: cleanup available blocklists and add hagezi blocklists
* unbound: flag file overwrites when they exist
* mvc: fix NetworkValidator for IPv4-mapped addresses with netmask (contributed by John Fieber)
* plugins: turning binary data into JSON may fail globally
* plugins: os-caddy 1.8.1 [\[1\]](https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr)
25.1.r1 (January 22, 2025)[](#r1-january-22-2025 "Permalink to this heading")
-------------------------------------------------------------------------------
The 25.1 series is nigh! This offers images based on an RC1 state with stable packages and online upgrades for the development version of 24.7. We will likely release a small RC2 online update in the near future. The final release date for 25.1 is January 29.
[https://pkg.opnsense.org/releases/25.1/](https://pkg.opnsense.org/releases/25.1/)
Here are the full patch notes against version 24.7.12:
* system: migrate user, group and privilege management to MVC/API
* system: remove the “disable integrated authentication” feature
* system: add “Default groups” option to add standard groups when a LDAP/RADIUS user logs in
* system: remove the old manual LDAP importer
* system: migrate HA status page to MVC/API
* system: allow custom additions to sshd\_config (contributed by Neil Greatorex)
* system: increase max-request-field-size for web GUI
* system: set tunable default for checksum offloading of the vtnet(4) driver to disabled (contributed by Patrick M. Hausen)
* system: add support for RFC 5549 routes and refactor static route creation code
* system: improve notification support to also allow persistent notifications and static banners
* system: add notifications for low disk space and OpenSSH file override use
* system: migrate tunables page to MVC/API
* system: switch to temperature sensor caching
* system: add certificate widget to track expiration dates and allow quick renewal
* system: remove deprecated “page-getserviceprovider”, “page-dashboard-all” and “page-system-groupmanager-addprivs” privileges
* system: replace file\_get\_contents() with curl implementation in XMLRPC sync and add verifypeer option
* system: add item edit links to several dashboard widgets
* interfaces: adhere to DAD during VIP recreation in rc.newwanipv6
* interfaces: remove non-functional features from bridges
* interfaces: remove PPP edit in interfaces settings
* interfaces: batched device type creation under “devices” submenu
* interfaces: move PPP and wireless logs to system log
* interfaces: remove “Use IPv4 connectivity” setting as it will be set by default
* firewall: use “skip lo0” instead of policing lo0 explicitly following OpenBSD best practice
* firewall: remove duplicate table definition and make sure bogonsv6 table always exists
* firewall: cleanup of CARP and IPv6 rules behaviour
* firewall: filter feature parity in automation rules
* firewall: experimental dummynet support in rules
* firewall: offer multi-select on source and destination addresses
* dnsmasq: update ICANN Trust Anchor (contributed by Loganaden Velvindron)
* ipsec: add log search button in sessions
* kea-dhcp: add “match-client-id” in subnet definitions
* lang: update available translations
* monit: wrap exec in double quotes to allow arguments (contributed by Nikita Uvarov)
* network time: take IPv6 addresses into account
* network time: remove support for explicit VIP selection
* unbound: fix root.hits permission on copy
* backend: -m option is unused so remove its complication
* mvc: implement reusable grid template using form definitions
* mvc: add Default() method to reset a model to its factory defaults
* mvc: fix LegacyMapper when the mount point is not the XML root
* mvc: move explicit cast in BaseModel when calling field->setValue()
* mvc: fields should implement getCurrentValue() rather than \_\_toString()
* mvc: fix value lookup in LinkAddressField
* mvc: memory preservation fix in BaseListField
* mvc: support lazy loading on alias models and use it in NetworkAliasField
* ui: upgrade Font Awesome icons to version 6
* ui: push search/edit logic towards bootgrid implementation
* ui: improved links with automatic edit and/or search
* ui: rewritten default theme for a light look and new logo
* ui: added default theme variant with a dark look
* plugins: os-acme-client 4.8 [\[1\]](https://github.com/opnsense/plugins/blob/stable/25.1/security/acme-client/pkg-descr)
* plugins: os-cpu-microcode 1.1 removes unneeded late loading code
* plugins: os-haproxy 4.5 [\[2\]](https://github.com/opnsense/plugins/blob/stable/25.1/net/haproxy/pkg-descr)
* src: FreeBSD 14.2-RELEASE [\[3\]](https://www.freebsd.org/releases/14.2R/relnotes/)
* src: p9fs: add an implementation of the 9P filesystem
* ports: lighttpd 1.4.77 [\[4\]](https://www.lighttpd.net/2025/1/10/1.4.77/)
* ports: openvpn 2.6.13 [\[5\]](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.13)
* ports: php 8.3.15 [\[6\]](https://www.php.net/ChangeLog-8.php#8.3.15)
* ports: radvd 2.20 [\[7\]](https://radvd.litech.org/)
Migration notes, known issues and limitations:
* The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. The integrated authentication via PAM has been the default for a long time so the option to disable it has been removed. The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option. The “page-system-groupmanager-addprivs” privilege was removed since the page does not exist anymore. A multi-purpose privilege editor has been added under the existing “page-system-usermanager-addprivs” instead.
* PPP devices can no longer be configured on the interface settings page. To edit the device settings use the native PPP device edit page instead.
* FreeBSD 14.2 comes with the stock pf(4) behaviour regarding ICMPv6 neighbour discovery state tracking which was avoided so far in 24.7.x.
* Let’s Encrypt ends support for the OCSP Must Staple extension on 30.01.2025. Issuance requests will fail if this option is still enabled past this date.
The public key for the 25.1 series is:
\# -----BEGIN PUBLIC KEY-----
\# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsnbyFjWXvUcUC4BqnQ9w
\# uH3yiaG7AY8UzwepXf2TqqOYt5Y0USbse3OBjxYnRs0iW5EHtdKSRcmelup374Hp
\# XDDeQ/mjmhhnvXryfQL57gyVpYeL5gRVhf/2DwEZELLCFUFhMNh52QPaJ5zTvdws
\# m1Q+OwI1WfTDR7ytm+0Too2tVerG3mM3XataZ+XOKwHp2xP0Mr8E4F+PZdR4hWbb
\# yC2elIzICXDWWpcEEg4JT48TIYZJPGnE2IJAzWRntrqVU2eLcEn5MffwTawXNoCZ
\# mvLYqguYskmeR/dAL7ZmZcPeMeibXMtld8xIZp49g7DPq7PqxCY1wxcgeuZPFOHv
\# kbYzL3BHbyni3K/qdLXKzy8oZeUUvlbUgaj8Xx14DSiNzJDknNf0Xg/eby7MkzgP
\# eUXgtB0MRQMih85BfaiH5r+uQMgPKnjutVWR8qUWglxDKIc4s69b8PXylfu2FwiP
\# iKMBdO8xnVvNFKOkuaUtI31cqxauw2hBAlILFvltM+adUz2rfB3Ch0bjfjDE5Hxq
\# En4fEUVHgQCu+Ojyyy3/8RwUpsRZq05fObypyeL3E/MvlwpaOVjwvw2ozVPGi2zi
\# xmXemn5CbgjD3vPR9XERXrFkHTwPnIiqz53znqn34P+NGEgD1veMhZPE6OGZRu/h
\# IfceSaxJ/An5SUh0zr7YgOsCAwEAAQ==
\# -----END PUBLIC KEY-----
Please let us know about your experience!
\# SHA256 (OPNsense-25.1.r1-dvd-amd64.iso.bz2) = dbd65194b02dfda2abe0542c8660c5a8d5311719448fbacf8e7e08b260c90e15
\# SHA256 (OPNsense-25.1.r1-nano-amd64.img.bz2) = 1600a1b26114aec1e99653efed1dddf1869bddfa422d8e85ad34a1acf2e3e4fc
\# SHA256 (OPNsense-25.1.r1-serial-amd64.img.bz2) = ff709c926bd097bb52726944cde2c3363386d5062765bd4a75cce9009353f853
\# SHA256 (OPNsense-25.1.r1-vga-amd64.img.bz2) = 9cdb74c9f43f9ee6eb66fbe3ad8b4050938273e053872e063b1bc73cedcd6410
25.1.b (December 19, 2024)[](#b-december-19-2024 "Permalink to this heading")
-------------------------------------------------------------------------------
The 25.1 series will include FreeBSD 14.2 so we are putting this BETA version out based on the latest development state. This is not meant for production use but all plugins are provided and future updates of installations based on these images will be possible.
[https://pkg.opnsense.org/releases/25.1/](https://pkg.opnsense.org/releases/25.1/)
There is a bit more work to be done yet most of the milestones have already been reached. If you have a test deployment or would like to check out some of the new features these images are for you. Together we can make OPNsense better than it ever was.
The final release date for 25.1 is January 29. A release candidate will follow in early January.
Highlights over version 24.7 include:
* system: restructure PPP to accomodate IPv6-only deployments
* system: implement persistent notifications banner
* system: dashboard widget for certificate expiry and renew
* system: high availablilty status MVC/API conversion
* system: users and groups MVC/API conversion
* system: advanced trust settings page
* system: ZFS snapshot GUI
* reporting: RRD health graph refactoring
* firewall: improved security zones support and documentation
* ipsec: advanced settings MVC/API conversion
* unbound: merge domain overrides into query forwarding
* ui: theme update with new styling and add official dark theme
* src: FreeBSD 14.2
The public key for the 25.1 series is:
\# -----BEGIN PUBLIC KEY-----
\# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsnbyFjWXvUcUC4BqnQ9w
\# uH3yiaG7AY8UzwepXf2TqqOYt5Y0USbse3OBjxYnRs0iW5EHtdKSRcmelup374Hp
\# XDDeQ/mjmhhnvXryfQL57gyVpYeL5gRVhf/2DwEZELLCFUFhMNh52QPaJ5zTvdws
\# m1Q+OwI1WfTDR7ytm+0Too2tVerG3mM3XataZ+XOKwHp2xP0Mr8E4F+PZdR4hWbb
\# yC2elIzICXDWWpcEEg4JT48TIYZJPGnE2IJAzWRntrqVU2eLcEn5MffwTawXNoCZ
\# mvLYqguYskmeR/dAL7ZmZcPeMeibXMtld8xIZp49g7DPq7PqxCY1wxcgeuZPFOHv
\# kbYzL3BHbyni3K/qdLXKzy8oZeUUvlbUgaj8Xx14DSiNzJDknNf0Xg/eby7MkzgP
\# eUXgtB0MRQMih85BfaiH5r+uQMgPKnjutVWR8qUWglxDKIc4s69b8PXylfu2FwiP
\# iKMBdO8xnVvNFKOkuaUtI31cqxauw2hBAlILFvltM+adUz2rfB3Ch0bjfjDE5Hxq
\# En4fEUVHgQCu+Ojyyy3/8RwUpsRZq05fObypyeL3E/MvlwpaOVjwvw2ozVPGi2zi
\# xmXemn5CbgjD3vPR9XERXrFkHTwPnIiqz53znqn34P+NGEgD1veMhZPE6OGZRu/h
\# IfceSaxJ/An5SUh0zr7YgOsCAwEAAQ==
\# -----END PUBLIC KEY-----
Please let us know about your experience!
\# SHA256 (OPNsense-devel-25.1.b-dvd-amd64.iso.bz2) = 7a9a5eacc65f7128273558c7e5f4cf63e555004d4d938fb827280cf691fc1cfd
\# SHA256 (OPNsense-devel-25.1.b-nano-amd64.img.bz2) = 83b3a9b599477773b8f4877bf8c4a38436895477fef91a0dbfabdbfdbb7be2c3
\# SHA256 (OPNsense-devel-25.1.b-serial-amd64.img.bz2) = 57d087cf66d168338de4a611871c31813b3e42bb71d7b71be75aa20521c6d8a1
\# SHA256 (OPNsense-devel-25.1.b-vga-amd64.img.bz2) = 5bc51cc93bc64cc15d6fa68611d3cee4cf45b70b85e713cbdd3c0c8d2ebd4137
---
# Reporting Settings — OPNsense documentation
* [](../index.html)
* [Reporting](../reporting.html)
* Reporting Settings
* * *
Reporting Settings[](#reporting-settings "Permalink to this heading")
=======================================================================
Some basic reporting settings and options can be found under Reporting ‣ Settings.
Unbound DNS is capable of collecting statistics for insight into DNS traffic. This behaviour is not enabled by default, but can be enabled in this page. You can also clear any collected data using the “Reset DNS data” button.
The Health reporting uses RRD collection, for which you can disable the statistics collection process, in cases where monitoring is not relevant or causes too much stress on the system. The option to collect statistics is enabled by default.
For both health monitoring (rrd) and network insights (netflow) statistics could be reset in this form.
---
# Using Insight - Netflow Analyzer — OPNsense documentation
* [](../../index.html)
* [Reporting](../../reporting.html)
* Using Insight - Netflow Analyzer
* * *
Using Insight - Netflow Analyzer[](#using-insight-netflow-analyzer "Permalink to this heading")
=================================================================================================
OPNsense is equipped with a flexible and fast Netflow Analyzer called Insight. To use Insight, one needs to configure the Netflow exporter for local capturing of Netflow data. To do so take a look at [Configure Netflow Exporter](netflow_exporter.html)
.
User Interface[](#user-interface "Permalink to this heading")
---------------------------------------------------------------
Insight is a fully integrated part of OPNsense. Its User Interface is simple yet powerful. It can be accessed via Reporting ‣ Insight.
[](../../_images/insight_gui.png)
Insight offers a full set of analysis tools, ranging from a graphical overview to a csv exporter for further analysis with your favorite spreadsheet.
Graphs & Totals[](#graphs-totals "Permalink to this heading")
---------------------------------------------------------------
The default view of Insight is the Top users and Graphical Overview. This view allows for quick examination of current and past flows, showing a graph for in and out going traffic for each configured interface.
### Select Range & Resolution[](#select-range-resolution "Permalink to this heading")
In the top right corner a selection can be made for the date range and accuracy (resolution) of the collected traffic flows.
### View Type[](#view-type "Permalink to this heading")
One can show the traffic flows in a stacked manner (default), as a stream or expanded to compare usage with different interfaces.
**Stacked**
[](../../_images/stacked_view.png)
**Stream**
[](../../_images/stream_view.png)
**Expanded**
[](../../_images/expanded_view.png)
### Interfaces[](#interfaces "Permalink to this heading")
Clicking on an interface disables or enables the graph view, double clicking select only that interface.
### Top Users[](#top-users "Permalink to this heading")
The top 25 users are shown for a selected interface, both for ports and ips within the previously selected date range.
### Interface Top[](#interface-top "Permalink to this heading")
Select the interface to see the top 25 users.
### Port Pie Chart[](#port-pie-chart "Permalink to this heading")
The port pie chart shows the percentage per port/application. One can change the view by clicking or double clicking on one of the shown port names/numbers.
Clicking on a piece of the pie will open a detailed view for further analysis.
[](../../_images/pie_piece.png)
[](../../_images/pie_details.png)
### IP Addresses Pie Chart[](#ip-addresses-pie-chart "Permalink to this heading")
The IP addresses pie chart works the same as the ports pie chart and shows the percentage per IP number. One can change the view by clicking or double clicking on one of the shown IP numbers.
Clicking on a piece of the pie will open a detailed view for further analysis.
### Interface Totals[](#interface-totals "Permalink to this heading")
Not shown in the screenshot but latest version also includes a Total for the selected interface, shown are Packets (In, Out, Total) and Bytes (In, Out, Total).
Details View[](#details-view "Permalink to this heading")
-----------------------------------------------------------
One can open the details view by clicking on one of the pieces of a pie chart or click on the tab **Details**.
When opening the details view by clicking on the tab one can make a new query.
[](../../_images/insight_details_view.png)
After selecting a valid date range (form/to) and interface one can further limit the output by filtering on port or IP address. Select the refresh icon to update the detailed output. Leave Port and Address empty for a full detailed listing.
[](../../_images/insight_full_details.png)
Export View[](#export-view "Permalink to this heading")
---------------------------------------------------------
The **Export** view allows you to export the data for further analysis in your favorite spreadsheet or other data analysis application.
[](../../_images/insight_export_view.png)
To export data, select a **Collection** :
* FlowSourceAddrTotals - Totals per source address
* FlowInterfaceTotals - Totals per interface
* FlowDstPortTotals - Totals per destination port
* FlowSourceAddrDetails - Full details per source address
Select the **Resolution** in seconds (300,3600,86400)
Then select a date range (from/to) and click the **export** button.
[](../../_images/insight_export.png)
---
# 19.1 “Inspiring Iguana” Series — OPNsense documentation
* [](../index.html)
* [Releases](../releases.html)
* [Business Edition](../BE_releases.html)
* 19.1 “Inspiring Iguana” Series
* * *
19.1 “Inspiring Iguana” Series[](#inspiring-iguana-series "Permalink to this heading")
========================================================================================
For more than four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
The 19.1 release, nicknamed “Inspiring Iguana”, consists of a total of 620 individual changes since 18.7 came out 6 months ago, spread out over 12 intermediate releases including the recent release candidates. That is the average of 2 stable releases per month, security updates and important bug fixes included! If we had to pick a few highlights it would be: The firewall alias API is finally in place. The migration to HardenedBSD 11.2 has been completed. 2FA now works with a remote LDAP / local TOTP combination. And the OpenVPN client export was rewritten for full API support as well.
Download links, an installation guide [\[1\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/19.1/](https://opnsense.c0urier.net/releases/19.1/)
* US East Coast: [http://mirrors.nycbug.org/pub/opnsense/releases/19.1/](http://mirrors.nycbug.org/pub/opnsense/releases/19.1/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/)
* South America: [http://mirror.upb.edu.co/opnsense/releases/19.1/](http://mirror.upb.edu.co/opnsense/releases/19.1/)
* South-East Asia: [https://ftp.yzu.edu.tw/opnsense/releases/19.1/](https://ftp.yzu.edu.tw/opnsense/releases/19.1/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
19.1.10 (July 03, 2019)[](#july-03-2019 "Permalink to this heading")
----------------------------------------------------------------------
Small update as we are nearing the end of the 19.1 series. Yes, it is that time of the year again with a release candidate only a few days away and a final release date set to July 17.
Here are the full patch notes:
* system: change certificate manager actions to POST
* system: fix account removal with missing “-g” option
* system: add dashboard widgets to XMLRPC sync
* firewall: fix live log rule label mismatch caused by optimisation
* firewall: fix alias import with alias references included
* firewall: change default sorting of aliases to names
* firmware: add homelab.no mirror (contributed by Thomas Jensen)
* intrusion detection: when toggling rules keep the current action
* intrusion detection: suppress mystery PHP 7.2+ warning in API
* intrusion detection: show SID in alert view
* web proxy: add cache reset button
* web proxy: correct syslog export
* plugins: os-dyndns 1.6 DigitalOcean support (contributed by Dune Heishman)
* plugins: os-etpro-telemetry Python 3 support
* plugins: os-frr 1.11 [\[1\]](https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr)
* plugins: os-nginx 1.14 [\[2\]](https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr)
* plugins: os-rspamd 1.7 [\[3\]](https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr)
* plugins: os-tinc Python 3 support
* ports: ca\_root\_nss 3.44.1
* ports: curl 7.65.1 [\[4\]](https://curl.haxx.se/changes.html)
* ports: libevent 2.1.10 [\[5\]](https://github.com/libevent/libevent/releases/tag/release-2.1.10-stable)
* ports: libxml 2.9.9 [\[6\]](https://mail.gnome.org/archives/xml/2019-January/msg00000.html)
* ports: libressl 2.9.2 [\[7\]](https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.9.1-relnotes.txt)
[\[8\]](https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.9.2-relnotes.txt)
* ports: phalcon 3.4.4 [\[9\]](https://github.com/phalcon/cphalcon/releases/tag/v3.4.4)
* ports: strongswan 5.8.0 [\[10\]](https://wiki.strongswan.org/versions/73)
* ports: unbound 1.9.2 [\[11\]](https://nlnetlabs.nl/projects/unbound/download/)
A hotfix release was issued as 19.1.10\_1:
* firmware: enable upgrade path to 19.7
19.1.9 (June 06, 2019)[](#june-06-2019 "Permalink to this heading")
---------------------------------------------------------------------
Small 19.1 series update mainly focusing on LDAP group synchronisation and assorted OpenVPN improvements. Two regressions of previous versions have been fixed as well.
Here are the full patch notes:
* system: add LDAP group synchronisation feature
* system: allow an arbitrary group for sudo like ssh login
* system: stop using a lock around resolv.conf handling
* system: rename a number of service-related functions
* system: login not using cache-safe image yet
* system: add pluginctl -s support
* system: restyle config backup page
* system: fix log split view regression of 19.1.8
* interfaces: remove DHCPv6 on delete and clear config on IPsec assignment
* interfaces: small VIP restructure and IPv6 alias to IPv6 device
* interfaces: subtle changes in IPv6 and variable naming
* interfaces: add missing does\_interface\_exist() checks
* firewall: support multiple interfaces per NAT port forward rule
* captive portal: use “onestop” to stop service
* intrusion detection: missing header ID in alerts tab
* ipsec: remove remnants of gateway group interface selection
* ipsec: use indirect plugin calls in interface code
* openvpn: add live-search to longer lists in server page
* openvpn: support –cryptoapicert export (sponsored by m.a.x. it [\[1\]](https://www.max-it.de/)
)
* opnevpn: correctly check for translation in get\_carp\_interface\_status()
* openvpn: use waitforpid() to properly wait for instanes to come up
* openvpn: translate GUI error values when returning them
* openvpn: revamp status page
* unbound: leases watcher file rotation issue
* web proxy: squid log in readable date format (contributed by nhirokinet)
* web proxy: fix non-local authentication regression of 19.1.7
* plugins: os-bind 1.5 [\[2\]](https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr)
* plugins: os-clamav 1.7 [\[3\]](https://github.com/opnsense/plugins/blob/master/security/clamav/pkg-descr)
* plugins: os-dnscrypt-proxy 1.4 [\[4\]](https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr)
* plugins: os-dyndns clouldflare wildcard domain support
* plugins: os-nginx 1.13 [\[5\]](https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr)
* plugins: os-openconnect 1.4.0 [\[6\]](https://github.com/opnsense/plugins/blob/master/security/openconnect/pkg-descr)
* plugins: os-redis 1.1 [\[7\]](https://github.com/opnsense/plugins/blob/master/databases/redis/pkg-descr)
* plugins: os-rspamd 1.6 [\[8\]](https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr)
* plugins: os-theme-cicada 1.18 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.18 (contributed by Team Rebellion)
* ports: curl 7.65.0 [\[9\]](https://curl.haxx.se/changes.html)
* ports: lighttpd 1.4.54 [\[10\]](https://www.lighttpd.net/2019/5/27/1.4.54/)
* ports: python 3.7.3 [\[11\]](https://docs.python.org/release/3.7.3/whatsnew/changelog.html)
* ports: openssl 1.0.2s [\[12\]](https://www.openssl.org/news/cl102.txt)
* ports: php 7.2.19 [\[13\]](https://www.php.net/ChangeLog-7.php#7.2.19)
19.1.8 (May 20, 2019)[](#may-20-2019 "Permalink to this heading")
-------------------------------------------------------------------
This update addresses several privilege escalation issues in the access control implementation and new memory disclosure issues in Intel CPUs. We would like to thank Arnaud Cordier and Bill Marquette for the top-notch reports and coordination.
Here are the full patch notes:
* system: address CVE-2019-11816 privilege escalation bugs [\[1\]](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11816)
(reported by Arnaud Cordier)
* system: /etc/hosts generation without interface\_has\_gateway()
* system: show correct timestamp in config restore save message (contributed by nhirokinet)
* system: list the commands for the pluginctl utility when no argument is given
* system: introduce and use userIsAdmin() helper function instead of checking for “page-all” privilege directly
* system: use absolute path in widget ACLs (reported by Netgate)
* system: RRD-related cleanups for less code exposure
* interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)
* interfaces: replace legacy\_getall\_interface\_addresses() usage
* firewall: fix port validation in aliases with leading / trailing spaces
* firewall: fix outbound NAT translation display in overview page
* firewall: prevent CARP outgoing packets from using the configured gateway
* firewall: use CARP net.inet.carp.demotion to control current demotion in status page
* firewall: stop live log poller on error result
* dhcp: change rule priority to 1 to avoid IPv6 bogon clash
* dnsmasq: only admins may edit custom options field
* firmware: use insecure mode for base and kernel sets when package fingerprints are disabled
* firmware: add optional device support for base and kernel sets
* firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)
* ipsec: always reset rightallowany to default when writing configuration
* lang: say “hola” to Spanish as the newest available GUI language
* lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
* network time: only admins may edit custom options field
* openvpn: call openvpn\_refresh\_crls() indirectly via plugin\_configure() for less code exposure
* openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)
* openvpn: remove custom options field from wizard
* unbound: only admins may edit custom options field
* wizard: translate typehint as well
* plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86)
* plugins: os-nginx 1.12 [\[2\]](https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr)
* plugins: os-theme-cicada 1.17 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.17 (contributed by Team Rebellion)
* src: timezone database information update [\[3\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-19:08.tzdata.asc)
* src: install(1) broken with partially matching relative paths [\[4\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-19:09.xinstall.asc)
* src: microarchitectural Data Sampling (MDS) mitigation [\[5\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-19:07.mds.asc)
* ports: ca\_root\_nss 3.44
* ports: php 7.2.18 [\[6\]](https://www.php.net/ChangeLog-7.php#7.2.18)
* ports: sqlite 3.28.0 [\[7\]](https://sqlite.org/releaselog/3_28_0.html)
* ports: strongswan custom XAuth generic patch removed
19.1.7 (May 02, 2019)[](#may-02-2019 "Permalink to this heading")
-------------------------------------------------------------------
This update features a number of improvements such as link-local support for bridges, HA sync consolidation, adding local CAs to the trusted SSL certificates for most of the system download capabilities, plugin-based PAM authentication rework for IPsec and the web proxy as well as third party fixes for hostapd / wpa\_supplicant 2.8 and Suricata 4.1.4.
Python 3 migration is also underway now which requires to pull in both Python versions which may be heavy on embedded Nano installs, but we cannot see another way for this tedious task which will probably stretch into 19.7 to be fully carried out in 20.1.
And speaking of 20.1: This is the first of many reminders that 20.1 will discontinue the i386 (Intel 32 Bit) franchise as discussed a number of times within the community over the years. Our hope is that ARM64 will make a viable replacement. But that is for another time.
As you may have noticed the project has not been delivering releases every other week and there are a number of reasons for it:
Security-wise we have not had a lot of necessary third-party software updates. Feature-wise we are sitting on a number of improvements for the upcoming 19.7 series that will trickle into 19.1.x now, but that have also required larger preparations and testing in the meantime. On the community side of the spectrum, sponsored by our partner m.a.x. it, we have started to work on better default gateway switching which led to an overall gateway integration rework and then quickly to interface handling restructuring, which in turn led to improving plugin capabilities of core services (OpenVPN, IPsec, Unbound, Dnsmasq, DHCPD, Dpinger). Looking at it now it has been the largest rework so far on code established many years ago and only occasionally patched. We hope this shows our dedication to the code base even when things are not always 100% bug free. If you feel like pitching in now is a good time to try the development version and let us know about how it performs.
Without further ado, here are the full patch notes:
* system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services)
* system: support for syncing alias and VHID to the slave
* system: cleanly rewrite CA root files and add local trusted CAs as well
* system: disable backup cron job when no backup is enabled
* system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri)
* system: migrate health graph scripts to Python 3.6
* interfaces: properly add and remove IPv6 trackers after interface apply
* interfaces: validate prefix ID of IPv6 trackers so that each ID is unique
* interfaces: display “0x” in prefix ID field so that it is clear that value is in hex
* interfaces: fix passing VLAN name in interface\_virtual\_create()
* interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters
* interfaces: allow link-local address on bridges via optional setting
* interfaces: PPP-related code cleanups
* firewall: prevent double-escaping of text in rules page
* firewall: handle IDNA encode failures in aliases
* firewall: alias import / export option
* captive portal: update to bootstrap 3.4.1
* captive portal: fix a race in directory creation and listClients()
* dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner)
* dhcp: merge static mac addresses with leases
* dhcp: prevent double-escaping of text in leases page
* firmware: add private log file for major upgrade package install step
* firmware: use a safer major upgrade package install mode
* firmware: retain /etc/motd on base updates
* ipsec: implemented wildcard includes (contributed by Mark Plomer)
* ipsec: only apply mobile PFS to mobile phase 2
* ipsec: restyle mobile settings a little
* ipsec: switch XAuth to PAM
* ipsec: partial fix for static routes on routed tunnels during boot
* network time: reload RRD since NTP has a setting for it
* web proxy: fix PAC weekday match labels (contributed by Mohammed Sadiq)
* web proxy: switch authentication to PAM
* backend: treat non existing key as empty string in sortDictList()
* mvc: pluggable PAM-based authentication framework
* mvc: add filter closure to searchBase()
* plugins: introduce plugins\_run() for collecting structured data from plugins
* plugins: os-clamav 1.6 [\[1\]](https://github.com/opnsense/plugins/blob/master/security/clamav/pkg-descr)
* plugins: os-dyndns 1.5 fixes CloudFlare zone ID lookup behaviour (contributed by George Johnson)
* plugins: os-frr 1.10 [\[2\]](https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr)
* plugins: os-netdata 1.0 (contributed by Michael Muenz)
* plugins: os-nginx 1.11\_2 fixes ACME support (contributed by Frank Wall)
* plugins: os-rfc2136 1.5 removes unused gateway group related code
* src: move invoking of callout\_stop(&lle->lle\_timer) into llentry\_free()
* src: ensure that IP addresses match in ICMP error packets in pf(4)
* src: add bsdinstall utility for upcoming 19.7 installer replacement
* ports: dhcp6c 20190419 fixes raw options segfaults (contributed by Franck78)
* ports: hostapd / wpa\_supplicant 2.8 [\[3\]](https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog)
* ports: perl 5.28.2 [\[4\]](https://perldoc.perl.org/5.28.2/perldelta)
* ports: py-yaml 5.1 [\[5\]](https://github.com/yaml/pyyaml/blob/master/CHANGES)
* ports: suricata 4.1.4 [\[6\]](https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/)
* ports: sqlite 3.27.2 [\[7\]](https://sqlite.org/releaselog/3_27_1.html)
19.1.6 (April 11, 2019)[](#april-11-2019 "Permalink to this heading")
-----------------------------------------------------------------------
This update brings a smaller number of fixes and improvements as well as the latest PHP version update.
With a heavy heart we disable E\_WARNING messages in the PHP error reporting. It has been implemented in 2015 to improve code quality and it did just that, but with the latest PHP 7.2 jump in 19.1.5 it causes problems around the newly added count() usage warning messages. We plan to bring back E\_WARNING usage in 19.7.
Here are the full patch notes:
* system: let dashboard only accept its own POST requests
* system: remove obsolete symlink to opnsense-auth
* system: skip PHP E\_WARNING log level until 19.7
* system: numerous PHP 7.2 warning fixes
* dhcp: DHCPD server check in relay only if interface is active
* dnsmasq: skip empty custom options
* intrusion prevention: do not drop flowbits:noalert rules
* unbound: add ACL entries for OpenVPN by default
* mvc: controller cleanups in firewall shaper, web proxy and captive portal
* plugins: numerous PHP 7.2 warning fixes
* plugins: os-freeradius 1.9.2 fixes LDAP group filter and EAP certificates write (contributed by Alexander Harm)
* plugins: os-nginx 1.11 [\[1\]](https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr)
* ports: php 7.2.17 [\[2\]](https://php.net/ChangeLog-7.php#7.2.17)
* ports: py-certifi 2019.3.9 [\[3\]](https://pypi.org/project/certifi/2019.3.9/)
19.1.5 (April 05, 2019)[](#april-05-2019 "Permalink to this heading")
-----------------------------------------------------------------------
After a longer pause we are back with considerable upgrades for IPsec, a new CSR feature for local CAs, PHP 7.2 migration and a number of other considerable third party updates.
These are the full patch notes:
* system: improve gateway status return when monitoring is off
* system: warn user about future deprecation of “user-config-readonly” privilege
* system: support certificate signing requests (contributed by nhirokinet)
* system: syslog does not need to do a background startup since it backgrounds itself
* system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz)
* system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri)
* interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys)
* interfaces: take all unknown arguments as real interfaces in interfaces\_addresses()
* interfaces: optionally allow interfaces\_addresses() to emit subnets instead of addresses
* interfaces: move mpd.script to new location (may require interface reconfigure)
* firewall: proper locking of aliases before config action on delete
* firewall: correctly set outbound NAT destination as network
* firewall: add support for DSCP in shaper (contributed by Michael Muenz)
* firewall: add support for IDN in aliases (contributed by Smart-Soft)
* captive portal: allow access to this host (contributed by Fredrik Ronnvall)
* firmware: fix parsing of packages in multi-repo env and revoked fingerprint message
* firmware: add University of Kent to the firmware mirrors
* ipsec: only use explicit reqid when using route-based interfaces
* ipsec: correctly set install policy option on newly created phase 1 entries
* ipsec: improve split DNS and INTERNAL\_DNS\_DOMAIN configuration
* ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin)
* ipsec: properly quote UNITY\_BANNER for multi-line support
* ipsec: support for dynamic remote gateways
* monit: add migration/validation for service/test type dependency (contributed by Frank Brendel)
* monit: added missing “not on” label
* openvpn: support static-challenge formatted password
* openvpn: properly load custom config field in exporter
* openvpn: cleanups in listening address handling
* web proxy: IP address not available when address set to none
* web proxy: add sortable support for PAC proxy lists (contributed by Fabian Franz)
* web proxy: add dash to allowed characters in description (contributed by Fabian Franz)
* backend: python 2->3 iteritems() conversion in core templates
* mvc: migrate config backup rotation to handle static and MVC pages (contributed by Smart-Soft)
* mvc: controller cleanups in cron, intrusion detection, routes
* mvc: obey “user-config-readonly” privilege in mutable controllers
* mvc: support overlays in setBase() / addBase()
* ui: remove jquery-bootgrid converters which are now included in the library
* plugins: os-acmle-client 1.23 [\[1\]](https://github.com/opnsense/plugins/pull/1166)
[\[2\]](https://github.com/opnsense/plugins/pull/1212)
[\[3\]](https://github.com/opnsense/plugins/pull/1263)
* plugins: os-dyndns 1.14 supports wildcards for Google Domains
* plugins: os-etpro-telemetry 1.3 uses HOME\_NET to anonymization
* plugins: os-freeradius 19.1.0 [\[4\]](https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr)
* plugins: os-frr 1.9 [\[5\]](https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr)
* plugins: os-nginx 1.10 [\[6\]](https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr)
* plugins: os-postfix 1.9 [\[7\]](https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr)
* plugins: os-rspamd 1.5 [\[8\]](https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr)
* plugins: os-telegraf 1.7.5 [\[9\]](https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr)
* plugins: os-theme-cicada 1.15 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.14 (contributed by Team Rebellion)
* plugins: os-zabbix-agent 1.5 [\[10\]](https://github.com/opnsense/plugins/pull/1262)
* ports: ca\_root\_nss 3.43
* ports: curl 7.64.1
* ports: libucl 0.8.1
* ports: pcre 8.43
* ports: php 7.2.16
* ports: py-cryptography 2.6.1
* ports: phpseclib 2.0.15
* ports: python 2.7.16
* ports: unbound 1.9.1
A hotfix release was issued as 19.1.5\_1:
* mvc: sync missing hasPrivilege()
19.1.4 (March 12, 2019)[](#march-12-2019 "Permalink to this heading")
-----------------------------------------------------------------------
An UEFI boot panic scenario was debugged last week with the help of the community. This update includes a fix that will allow the ones affected by this 19.1 issue to upgrade or install (and boot of course) correctly. We are also including the IPsec VTI support and the latest Suricata 4.1.3 with stability and compatibility fixes.
Due to the severity of the UEFI boot panic 19.1.4 will be the new initial release for all upgrades from 18.7 within a day or two depending on additional testing and confirmation. Last but not least there will be new images some time next week to put this fully behind us. Thank you for your patience and understanding. :)
Special thanks go to the team of Synacktiv for reporting a packet filter IPv6 vulnerability for which a patch was included as well.
Here are the full patch notes:
* system: remove erroneously translated hostname example (contributed by nhirokinet)
* firewall: fix validation regression in outbound NAT introduced in 19.1.3
* firewall: mock labels for NAT rules in live log as pf does not offer label support
* interfaces: do not background LAGG ifconfig destroy
* installer: revert to use network connection to allow CTRL+C and resume
* ipsec: added Virtual Tunnel Interface (VTI) support
* unbound: fix nested statistics items read
* mvc: remove old Phalcon volt template workarounds from when scopes were broken
* mvc: fix bug in model relation field values merge
* plugins: os-zabbix4-proxy PSK directory fix (contributed by Michael Muenz)
* plugins: os-telegraf missed invoke of setup.sh
* plugins: os-frr adds validator to OSPF prefix lists (contributed by Michael Muenz)
* plugins: os-dmidecode 1.1 fixes data parsing (contributed by Smart-Soft)
* plugins: os-nginx 1.9 [\[1\]](https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr)
* src: do not pass pf(4) IPv6 fragments with malformed extension headers (reported by Synacktiv)
* src: revert upstream commit “protect the kernel text, data, and BSS” to fix certain UEFI boots
* ports: monit 5.25.3 [\[2\]](https://mmonit.com/monit/changes/)
* ports: ntp 4.2.8p13 [\[3\]](http://support.ntp.org/bin/view/Main/NtpBug3565)
* ports: php 7.1.27 [\[4\]](https://php.net/ChangeLog-7.php#7.1.27)
* ports: suricata 4.1.3 [\[5\]](https://suricata-ids.org/2019/03/07/suricata-4-1-3-released/)
The full list of changes of the OPNsense 19.1 series can be reviewed using their original announcements:
* 19.1: [https://forum.opnsense.org/index.php?topic=11398.0](https://forum.opnsense.org/index.php?topic=11398.0)
* 19.1.1: [https://forum.opnsense.org/index.php?topic=11469.0](https://forum.opnsense.org/index.php?topic=11469.0)
* 19.1.2: [https://forum.opnsense.org/index.php?topic=11849.0](https://forum.opnsense.org/index.php?topic=11849.0)
* 19.1.3: [https://forum.opnsense.org/index.php?topic=11941.0](https://forum.opnsense.org/index.php?topic=11941.0)
We would also like to use this opportunity to remind everyone that OPNsense is and always will be free software. All of its source code and associated build tools can be found here:
[https://github.com/opnsense](https://github.com/opnsense)
Download links, an installation guide [\[6\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/19.1/](https://opnsense.c0urier.net/releases/19.1/)
* US East Coast: [http://mirrors.nycbug.org/pub/opnsense/releases/19.1/](http://mirrors.nycbug.org/pub/opnsense/releases/19.1/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/)
* South America: [http://mirror.upb.edu.co/opnsense/releases/19.1/](http://mirror.upb.edu.co/opnsense/releases/19.1/)
* South-East Asia: [https://ftp.yzu.edu.tw/opnsense/releases/19.1/](https://ftp.yzu.edu.tw/opnsense/releases/19.1/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
The public key for the 19.1 series is:
\# -----BEGIN PUBLIC KEY-----
\# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
\# ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
\# QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
\# GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
\# pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
\# Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
\# NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
\# 1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
\# Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
\# Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
\# C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
\# zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
\# -----END PUBLIC KEY-----
\# SHA256 (OPNsense-19.1.4-OpenSSL-dvd-amd64.iso.bz2) = 5f2e64797fce03d4d47050894c38e8e176fda6281009abd36f60d788d3e29d42
\# SHA256 (OPNsense-19.1.4-OpenSSL-nano-amd64.img.bz2) = ee5171fb837884fffd29c6e75cb089dc4020fb89459143bd9e7b859b1da3fd89
\# SHA256 (OPNsense-19.1.4-OpenSSL-serial-amd64.img.bz2) = 07868978903220bf9dee26c936d25140df07ec9c02cb8c480bd8619e69c562a0
\# SHA256 (OPNsense-19.1.4-OpenSSL-vga-amd64.img.bz2) = e473bc645778c95596639056ecc8ef92a12a7fd1cdc52cd0b1f6294a64561311
\# SHA256 (OPNsense-19.1.4-OpenSSL-dvd-i386.iso.bz2) = 9f40b591c27d90a86c60ec0b539f228999953f947573e2e575c2936c3993d7c0
\# SHA256 (OPNsense-19.1.4-OpenSSL-nano-i386.img.bz2) = c624d50b19f2ae4d471076c53f5c516e3a523ff41b69d0bfa779b5fff6415f81
\# SHA256 (OPNsense-19.1.4-OpenSSL-serial-i386.img.bz2) = 62bff974ae4238dfc2e830a32fbf4bd357ff418d15be99b89ac129f839e10eaf
\# SHA256 (OPNsense-19.1.4-OpenSSL-vga-i386.img.bz2) = ca893277a02b93129e6a30125107f7ad4fc01673b722f54ce6e5cb7eb438cae4
19.1.3 (March 07, 2019)[](#march-07-2019 "Permalink to this heading")
-----------------------------------------------------------------------
This is a smaller stable update consisting of LDAPS authentication server improvements, Unbound host overrides alias support, OpenSSL 1.0.2r security update and the recent PAM rework for better privilege separation.
We are currently focusing on IPsec VTI, third-party service PAM integration and investigating kernel boot crashes. In the latter case we are aware of the update issues some people are having and recommend running 18.7 until this is taken care of. Above all, please be patient. New images and seamless upgrade paths will be provided as soon as the problems have been pinned down.
Here are the full patch notes:
* system: improve LDAPS mode and related authentication cleanups
* system: move enable checkbox to the top in remote logging settings
* system: allow reset of tunables to to factory defaults
* system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop\_redirect=1)
* firewall: allow explicitly setting source hash key in outbound NAT (Fredrik Ronnvall)
* interfaces: probe media before applying new settings
* interfaces: correctly compare MAC addresses
* dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner)
* firmware: move duty to return the correct set name / ID to opnsense-version
* firmware: finally revoke 18.7 fingerprint
* intrusion detection: minor template cleanups using helpers.empty()
* ipsec: peer identifier can now fall back to remote-gateway in manual SPD entries
* ipsec: allow easier override of colours in widget (contributed by Fabian Franz)
* monit: add validation for test type (contributed by Frank Brendel)
* openvpn: add auth-nocache option in exporter
* openvpn: validate certificate type for servers
* unbound: add host overrides alias support
* web proxy: add auth to parent proxy (contributed by Michael Muenz)
* backend: add helpers.empty() in configd
* mvc: simplify save / close / cancel button labels
* mvc: add sorting for field list types
* rc: move all template generation to early stage
* ui: improve escaping of displayed data in static pages
* ui: escape button values in static pages
* ui: avoid short PHP tags
* plugins: os-dnscrypt-proxy 1.3 [\[1\]](https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr)
* plugins: os-frr brings in missing area range code [\[2\]](https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr)
* plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz)
* plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion)
* plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion)
* plugins: os-vnstat /var MFS fix [\[3\]](https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr)
* plugins: os-zabbix4-proxy 1.0 (contributed by Michael Muenz)
* ports: openssl 1.0.2r [\[4\]](https://www.openssl.org/news/secadv/20190226.txt)
* ports: pam\_opnsense 19.1.3 uses setuid for privilege separation
* ports: phalcon 3.4.3 [\[5\]](https://github.com/phalcon/cphalcon/releases/tag/v3.4.3)
19.1.2 (February 28, 2019)[](#february-28-2019 "Permalink to this heading")
-----------------------------------------------------------------------------
This update is the sum of a few weeks of intense testing and debugging in areas such as WAN DHCP with very short lease times, Suricata IPS not working as expected, stacked 6RD setups that have overly long device names amongst others.
The update may be a bit bumpy this time since the web GUI session directory will be moved to a safer location. You will be logged out during the update and the system will reboot due to the included operating system update. As soon as it is back you will be able to log in as usual.
LibreSSL received a major upgrade from 2.7 to 2.8. If you are using LibreSSL and see any issues please do let us know because it sadly looks like third party projects such as OpenVPN, Squid, StrongSwan and NTP leave the use of LibreSSL to the few users who are able to fix the source code builds on their own and we want to ideally avoid having to patch third party software.
Here are the full patch notes:
* system: move session files into their own directory (forces the current sessions to expire)
* system: add validation check for time period for Dpinger (contributed by Team Rebellion)
* system: hide “show certificate info” button of pending CSR (contributed by nhirokinet)
* system: move opnsense-auth to libexec, but keep a symlink in sbin directory
* system: escaping issue in gateway edit page
* system: fix ACL for halt and reboot pages
* firewall: fix alias entry replacement in utility page
* firewall: prevent new alias creation when adding an address
* firewall: capture “nat” traffic like we do for “rdr” in live log
* firewall: escaping issues in schedule edit page
* interfaces: push dhclient and dhcp6c log messages to system log
* interfaces: write all nameservers via dhclient-script in multi WAN scenarios
* interfaces: check for valid alias IP in dhclient-script
* interfaces: 6RD interface naming back to 18.7 to sidestep character limits on stacked setups
* interfaces: avoid reading empty interface configurations
* firmware: bootstrap rework for HTTPS repository URL
* firmware: patch cache and assorted improvements
* firmware: minor update utility cleanups
* firmware: remove compatibility stubs for pre-19.1 version reads
* firmware: show revoked package mirror error in GUI if applicable
* firmware: bump RageNetwork mirror to HTTPS
* firmware: be more careful about parsing version info
* dhcp: fix behaviour of determining primary/secondary (contributed by Fredrik Ronnvall)
* intrusion detection: set stream.inline: true as an IPS workaround for a Suricata 4.1 regression [\[1\]](https://redmine.openinfosecfoundation.org/issues/2811)
* intrusion detection: support required rules/files in metadata package
* intrusion detection: less extensive logging
* ipsec: fix escaping issue in mobile page
* monit: fix address validation
* openvpn: obey verify-x509-name for remote access (user auth)
* openvpn: proper daemonize instead of background job
* openvpn: extract full CA chain for setup
* openvpn: missing “port” in protocol export
* mvc: fix port validation on whitespace input
* mvc: fix compare constraint (contributed by Fabian Franz)
* mvc: fix read-only access on config.xml during locked runs
* mvc: prevent UserException from being pushed to PHP error log
* ui: legacy browsers accommodation (contributed by NOYB)
* ui: update to Tokenize2 1.3 plus additional escaping patches
* ui: add support for Tokenize2 sortable tag
* ui: hardening of gettext() invokes in HTML tags
* ui: fix setFormData() HTML decode
* plugins: os-bind safe search google domain updates (contributed by Michael Muenz)
* plugins: os-dnscrypt-proxy 1.2 [\[2\]](https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr)
* plugins: os-dyndns 1.13 IPv6 device lookup fix
* plugins: os-etpro-telemetry 1.2 reduces telemetry data collection
* plugins: os-frr 1.8 adds route summarization via area range (contributed by Michael Muenz)
* plugins: os-haproxy 2.15 [\[3\]](https://github.com/opnsense/plugins/pull/1167)
[\[4\]](https://github.com/opnsense/plugins/pull/1209)
* plugins: os-nginx 1.8 [\[5\]](https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr)
* plugins: os-ntopng 1.2 [\[6\]](https://github.com/opnsense/plugins/blob/master/net/ntopng/pkg-descr)
* src: clear callee-preserved registers on amd64 syscall exit [\[7\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-19:01.syscall.asc)
* ports: cpdup 1.20
* ports: curl 7.64.0 [\[8\]](https://curl.haxx.se/changes.html)
* ports: libressl 2.8.3 [\[9\]](https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.3-relnotes.txt)
* ports: openvpn 2.4.7 [\[10\]](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24)
* ports: pam\_opnsense manual page addition
* ports: sqlite 3.27.1 [\[11\]](https://sqlite.org/releaselog/3_27_1.html)
* ports: squid forgery check avoidance [\[12\]](https://github.com/opnsense/ports/issues/66)
* ports: strongswan 5.7.2 [\[13\]](https://wiki.strongswan.org/versions/72)
* ports: unbound 1.9.0 [\[14\]](https://nlnetlabs.nl/projects/unbound/download/)
19.1.1 (February 05, 2019)[](#february-05-2019 "Permalink to this heading")
-----------------------------------------------------------------------------
This is a security and reliability release: WAN DHCP will no longer trust the server MTU given. Uncoordinated cross site scripting issues have been fixed. And the Python request library was patched due to CVE 2018-18074.
Here are the full patch notes:
* system: address XSS-prone escaping issues [\[1\]](https://packetstormsecurity.com/files/151381/OPNsense-18.7-Cross-Site-Scripting.html)
* firewall: add port range validation to shaper inputs
* firewall: drop description validation constraints
* interfaces: DHCP override MTU option (contributed by Team Rebellion)
* interfaces: properly configure SIM PIN on custom modems
* reporting: prevent cleanup from deleting current data when future data exists
* ipsec: allow same local subnet if used in different phase 1 (contributed by Max Weller)
* openvpn: multiple client export fixes
* web proxy: add ESD files to Windows cache option (contributed by R-Adrian)
* plugins: os-acme-client 1.20 [\[2\]](https://github.com/opnsense/plugins/pull/1157)
* plugins: os-dyndns fix for themed colours (contributed by Team Rebellion)
* plugins: os-etpro-telemetry 1.1 adds random delay to telemetry data send
* plugins: os-nginx 1.7 [\[3\]](https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr)
* plugins: os-rspamd reads DKIM keys via Redis (contributed by Garrod Alwood)
* plugins: os-theme-cicada 1.14 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.13 (contributed by Team Rebellion)
* ports: ca\_root\_nss 3.42.1
* ports: lighttpd 1.4.53 [\[4\]](https://www.lighttpd.net/2019/1/27/1.4.53/)
* ports: py-request 2.21.0 [\[5\]](https://vuxml.freebsd.org/freebsd/50ad9a9a-1e28-11e9-98d7-0050562a4d7b.html)
19.1 (January 31, 2019)[](#january-31-2019 "Permalink to this heading")
-------------------------------------------------------------------------
For more than four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
The 19.1 release, nicknamed “Inspiring Iguana”, consists of a total of 620 individual changes since 18.7 came out 6 months ago, spread out over 12 intermediate releases including the recent release candidates. That is the average of 2 stable releases per month, security updates and important bug fixes included! If we had to pick a few highlights it would be: The firewall alias API is finally in place. The migration to HardenedBSD 11.2 has been completed. 2FA now works with a remote LDAP / local TOTP combination. And the OpenVPN client export was rewritten for full API support as well.
Download links, an installation guide [\[1\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/19.1/](https://opnsense.c0urier.net/releases/19.1/)
* US East Coast: [http://mirrors.nycbug.org/pub/opnsense/releases/19.1/](http://mirrors.nycbug.org/pub/opnsense/releases/19.1/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/)
* South America: [http://mirror.upb.edu.co/opnsense/releases/19.1/](http://mirror.upb.edu.co/opnsense/releases/19.1/)
* South-East Asia: [https://ftp.yzu.edu.tw/opnsense/releases/19.1/](https://ftp.yzu.edu.tw/opnsense/releases/19.1/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
These are the most prominent changes since version 18.7:
* fully functional firewall alias API
* PIE firewall shaper support
* firewall NAT rule logging support
* 2FA via LDAP-TOTP combination
* WPAD / PAC and parent proxy support in the web proxy
* P12 certificate export with custom passwords
* Dpinger is now the default gateway monitor
* ET Pro Telemetry edition plugin [\[2\]](https://docs.opnsense.org/manual/etpro_telemetry.html)
* extended IPv6 DUID support
* Dnsmasq DNSSEC support
* OpenVPN client export API
* Realtek NIC driver version 1.95
* HardenedBSD 11.2, LibreSSL 2.7
* Unbound 1.8, Suricata 4.1
* Phalcon 3.4, Perl 5.28
* firmware health check extended to cover all OS files, HTTPS mirror default
* updates are browser cache-safe regarding CSS and JavaScript assets
* collapsible side bar menu in the default theme
* language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
* new plugins for API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat, Dnscrypt-proxy
Here are the full changes against version 19.1-RC2:
* ipsec: add firewall interface as soon as phase 1 is enabled
* ipsec: phase 1 selection GUI JavaScript compatibility fix
* monit: widget improvements and bug fix (contributed by Frank Brendel)
* ui: fix regression in single host or network subnet select in static pages
* plugins: os-frr 1.7 updates OSPF outbound rules (contributed by Fabian Franz)
* plugins: os-telegraf 1.7.4 fixes packet filter input
* plugins: os-theme-rebellion 1.8.2 adds image colour invert
* plugins: os-vnstat 1.1 [\[3\]](https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr)
* plugins: os-zabbix-agent now uses Zabbix version 4.0
* src: revert mmc\_calculate\_clock() as HS200/HS400 support breaks legacy support
* src: update sqlite3-3.20.0 to sqlite3-3.26.0 [\[4\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-19:03.sqlite.asc)
* src: import tzdata 2018h, 2018i [\[5\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-19:04.tzdata.asc)
* src: avoid unsynchronized updates to kn\_status [\[6\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-19:05.kqueue.asc)
* ports: ca\_root\_nss 3.42
* ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion)
* ports: sudo patch to fix listpw=never [\[7\]](https://bugzilla.sudo.ws/show_bug.cgi?id=869)
Migration notes and minor incompatibilities to look out for:
* Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration. Apinger is no longer available.
* Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
* Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.
* Please read the FRR documentation with regard to the required system tunables [\[8\]](https://docs.opnsense.org/manual/dynamic_routing.html)
.
* Bhyve VM boot may fail as a guest. Use the “-w” parameter [\[9\]](https://forum.opnsense.org/index.php?topic=11492.0)
to boot.
* Boot may fail due to Meltdown/Spectre mitigation. A workaround [\[10\]](https://github.com/opnsense/core/issues/3177)
exists.
* SNMP plugin has been superseded by Net-SNMP plugin.
The public key for the 19.1 series is:
\# -----BEGIN PUBLIC KEY-----
\# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
\# ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
\# QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
\# GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
\# pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
\# Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
\# NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
\# 1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
\# Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
\# Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
\# C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
\# zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
\# -----END PUBLIC KEY-----
\# SHA256 (OPNsense-19.1-OpenSSL-dvd-amd64.iso.bz2) = 0a9e02954da1ddd1f0b7673394bbf81cfa74a1d5378600a87d3a9e6a26d3104d
\# SHA256 (OPNsense-19.1-OpenSSL-nano-amd64.img.bz2) = 2c4b0056ca26053c8d5e4efe196e512af618bad4fa136ba0e2528083a6263528
\# SHA256 (OPNsense-19.1-OpenSSL-serial-amd64.img.bz2) = c71274cea2b910cd4b3454b4ad29f7f70503fcb52ffa5b7f65ea96a27ac9e10d
\# SHA256 (OPNsense-19.1-OpenSSL-vga-amd64.img.bz2) = 37164481a413716d8786676d30bb709f8b967e53a47a36d10118214304d14bb9
\# SHA256 (OPNsense-19.1-OpenSSL-dvd-i386.iso.bz2) = 17d0aadf671bc2d99b57f0371e4fadfca0e2e9c8d27d6545674a610fc1f59c7a
\# SHA256 (OPNsense-19.1-OpenSSL-nano-i386.img.bz2) = 0c4e7616c93f14f5988df84b9b620543cb23a89c1f91505527b6c999d2dc7889
\# SHA256 (OPNsense-19.1-OpenSSL-serial-i386.img.bz2) = 93306e5349c7448ad3fdc03d9349ebf98e4d7c677201dcbec111f917c72dca24
\# SHA256 (OPNsense-19.1-OpenSSL-vga-i386.img.bz2) = 03d21319a784f93a7940d35168a35d15005e6f4579ac5b1c7a6ff606beb062a6
19.1.r2 (January 23, 2019)[](#r2-january-23-2019 "Permalink to this heading")
-------------------------------------------------------------------------------
Small online update issued to fix known and subsequently patched issues. If you use Insight and flowd\_aggregate service refuses to start go to System: Firmware: Packages and reinstall the “flowd” package.
These are the changes in detail:
* firmware: fix invisible error in health check
* intrusion detection: avoid spurious migration error on factor reset
* monit: fix dashboard widget display and general settings save
* plugins: os-telegraf fixes checkbox for CPU time collect (contributed by chaispaquichui)
* ports: flowd Python bindings runtime fix
Stay safe, Your OPNsense team
19.1.r1 (January 21, 2019)[](#r1-january-21-2019 "Permalink to this heading")
-------------------------------------------------------------------------------
For almost four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.
Download links, an installation guide [\[1\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/19.1/](https://opnsense.c0urier.net/releases/19.1/)
* US East Coast: [http://mirrors.nycbug.org/pub/opnsense/releases/19.1/](http://mirrors.nycbug.org/pub/opnsense/releases/19.1/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/)
* South America: [http://mirror.upb.edu.co/opnsense/releases/19.1/](http://mirror.upb.edu.co/opnsense/releases/19.1/)
* South-East Asia: [https://ftp.yzu.edu.tw/opnsense/releases/19.1/](https://ftp.yzu.edu.tw/opnsense/releases/19.1/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
Here are the full changes against version 18.7.10:
* system: console port assignment can now assign OPT without LAN
* system: anti-lockout will use OPT1 if LAN is not present
* system: allow creation of combined client/server SSL certificate
* system: gateway monitoring switches to Dpinger with Apinger removed
* system: detect unassigned gateways in static address setups
* system: more advanced gateway monitoring options for Dpinger (contributed by Team Rebellion)
* system: removal of the old notification system in favour of Monit
* system: only allow syslog remote binding to assigned interfaces
* system: disable IP aliases configured with VHID on temporary disable
* system: remove AHCI MSI disable workaround used in FreeBSD 11.1
* system: default gateway switching moves back to general settings
* system: beep sound notification setting moves to misc. settings
* system: limit log line length in log widget
* interfaces: change 6RD/6to4 interface prefix from internal name to physical device
* interfaces: prohibit tracking on 6RD with /64 upstream prefix
* interfaces: remove unneeded use of potentially clashing fe80::1:1 addresses for IPv6 tracking
* interfaces: clear an apparently faulty system DUID when no manual DUID is set
* interfaces: updated custom dhclient-script used for DHCPv4
* interfaces: VIP support for GRE devices
* interfaces: simplify find\_interface\_ip\* functions
* interfaces: remove get\_interface\_subnet\* functions
* interfaces: remove unused get\_possible\_listen\_ips function
* interfaces: link status indicator on assignments page
* interfaces: unify interface removal code
* firewall: switch GeoIP database download to HTTPS
* firewall: find IP reference tool for aliases
* firewall: improve alias page responsiveness with large number of addresses
* firewall: show system errors when reloading aliases
* firewall: NAT port forward logging option and live view support
* firewall: optionally resolve all host names in live view
* firewall: not all states could be removed in diagnostics page
* firewall: clean up unused NAT rule association code
* reporting: improve handling of empty Insight datasets
* reporting: prepare for Python 3 conversion
* firmware: switch default mirror location to HTTPS
* firmware: health check for base and kernel files including version check
* firmware: support base and kernel file size in packages overview
* firmware: /var MFS compatibility on base installation when reboot is deferred
* firmware: command line core lock feature prevents package upgrades
* firmware: internally remember plugins installed or removed in the GUI
* firmware: show last known update log on page open
* firmware: show untrusted repository error in GUI
* firmware: separate chanelogs tab for clarity
* dhcp: refuse setup of instances that have no associated IP address
* dhcp: fix lease time local vs. UTC display in IPv6 leases
* installer: change communication from TCP to named pipes
* installer: fix sporadic segmentation faults in frontend code
* installer: allow config import from ZFS pools
* installer: allow password reset on ZFS pools
* installer: removed a number of unused modules
* ipsec: generate correct config for “Hybrid-RSA + XAuth” (contributed by Max Weller)
* ipsec: reworked strongswan.conf generation
* ipsec: use new interface subnet retrieval code
* monit: support declaring dependencies (contributed by Alexander Werner)
* monit: add Service/Test type relation (contributed by Frank Brendel)
* monit: add CARP status to standard services
* monit: add gateway alerts to standard services
* monit: backend rework to simplify the service
* intrusion detection: support base ruleset overlays and improve logging
* intrusion detection: GeoIP feature in user-defined rules has been removed
* intrusion detection: obey Content-Disposition header
* openvpn: client export rewrite, new export option for The Green Bow
* unbound: reworked slab calculation
* unbound: added statistics page
* unbound: only bind to interfaces or OpenVPN instances, always bind to loopback
* unbound: fix ACL subnet calculation for OpenVPN instances
* unbound: do not generate host entries for OpenVPN instances
* unbound: improve help text wording and general settings layout
* web proxy: parent proxy support (contributed by Michael Muenz)
* wizard: fix checkbox label styling
* mvc: converted reboot, halt and license page to MVC
* mvc: compared-to-field constraint (contributed by Fabian Franz)
* mvc: external clients which set Authorization header now receive raw JSON responses
* mvc: fix empty value check in grid (contributed by Smart-Soft)
* mvc: globally lock config when multiple items are deleted at once
* mvc: volt template JavaScript cleanups
* ui: updated bootstrap-select to version 1.13.3
* ui: collapsible sidebar support in default theme (contributed by Team Rebellion)
* plugins: os-acme-client 1.19 [\[2\]](https://github.com/opnsense/plugins/pull/1134)
* plugins: os-c-icap 1.7 adds template support (contributed by Michael Muenz)
* plugins: os-dmidecode 1.0 hardware information widget (contributed by Smart-Soft)
* plugins: os-dyndns 1.12 changes HE tunnel broker to newer API (contributed by Dusan Dragic)
* plugins: os-frr switches to FRR 5.0.2, please see below
* plugins: os-l2tp 1.8 interface now selects reachable server address
* plugins: os-pptp 1.8 interface now selects reachable server address
* plugins: os-openconnect 1.3.3 [\[3\]](https://github.com/opnsense/plugins/blob/master/security/openconnect/pkg-descr)
* plugins: os-quagga removed, please use os-frr instead
* plugins: os-nginx 1.6 [\[4\]](https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr)
* plugins: os-rspamd 1.4 allows to set manual spam scores and subject (contributed by Michael Muenz and Fabian Franz)
* plugins: os-snmp removed, please use os-net-snmp instead
* plugins: os-theme-cicada 1.13
* plugins: os-theme-tukan 1.12
* plugins: os-wol 2.1 fixes widget link (contributed by Fabian Franz)
* src: HardenedBSD 11.2-RELEASE-p7 [\[5\]](https://hardenedbsd.org/content/easy-feature-comparison)
[\[6\]](https://www.freebsd.org/releases/11.2R/relnotes.html)
[\[7\]](https://www.freebsd.org/releases/11.2R/errata.html)
* src: fix missing transmit visibility for BPF-based listeners in native netmap mode
* src: limit the maximum number of fragments per packet in pf
* src: replace rwlock on PF\_RULES\_LOCK with rmlock in pf
* src: do not discard UDP6 traffic in Hyper-V adaptors
* src: fix state sync during initial bulk update in pfsync
* src: unbreak dhclient(8) option 26 processing
* src: import APU 1-3 LED kernel module
* ports: krb5 1.17 [\[8\]](https://web.mit.edu/kerberos/krb5-1.17/)
* ports: php 7.1.26 [\[9\]](https://php.net/ChangeLog-7.php#7.1.26)
* ports: sudo 1.8.27 [\[10\]](https://www.sudo.ws/stable.html#1.8.27)
* ports: perl 5.28.1 [\[11\]](https://perldoc.perl.org/5.28.1/perldelta)
* ports: suricata netmap forward-compatibility patch (contributed by Sunny Valley Networks)
Known issues and limitations:
* Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration.
* Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
* Monit general settings do not save. A patch exists [\[12\]](https://github.com/opnsense/core/commit/a2899594)
to remedy this problem: opnsense-patch a2899594
* Issue with IDS migration code creating a spurious crash report. Patch already done for the final 19.1.
* Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.
* Please read the FRR documentation with regard to the required system tunables [\[13\]](https://docs.opnsense.org/manual/dynamic_routing.html)
.
* SNMP plugin has been superseded by Net-SNMP plugin.
* ZFS guided installation pending.
The public key for the 19.1 series is:
\# -----BEGIN PUBLIC KEY-----
\# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
\# ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
\# QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
\# GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
\# pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
\# Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
\# NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
\# 1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
\# Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
\# Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
\# C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
\# zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
\# -----END PUBLIC KEY-----
Please let us know about your experience!
\# SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-amd64.iso.bz2) = 7c0c6cf529cb2f8aa9c29b3645b4ec1e218c292f722941ae9880b009c93e6364
\# SHA256 (OPNsense-19.1.r1-OpenSSL-nano-amd64.img.bz2) = b355355fc6d10475af2b1c22daa2fd5f5ab78bb375aaf8100a51f087d2447289
\# SHA256 (OPNsense-19.1.r1-OpenSSL-serial-amd64.img.bz2) = f4d40b1ece162aac97505f8ad1e16271126df11fb1a317a9f431ff4737fe5da8
\# SHA256 (OPNsense-19.1.r1-OpenSSL-vga-amd64.img.bz2) = f8c860a7e3eb9be61d33da92b021a0f337ad50e00a6ffc1cca793277f1890b63
\# SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-i386.iso.bz2) = c7b5ced64623416bd56e5337d5212c9af25292a48eb1bb298321e4bb79056c94
\# SHA256 (OPNsense-19.1.r1-OpenSSL-nano-i386.img.bz2) = 1313645407d810dd7a5dedf4978deaa7c14f4655dee679de572d7a9e853749c0
\# SHA256 (OPNsense-19.1.r1-OpenSSL-serial-i386.img.bz2) = f44203f5bb6e2dbfe5b524b37e9e53baab0665684cbc215bdc3015e11a79c2bd
\# SHA256 (OPNsense-19.1.r1-OpenSSL-vga-i386.img.bz2) = a6cfc14b9675563053d6e7733011c381f39e8fb2e10a8a64d60cc7de421ac2db
---
# Reporting: Traffic — OPNsense documentation
* [](../index.html)
* [Reporting](../reporting.html)
* Reporting: Traffic
* * *
Reporting: Traffic[](#reporting-traffic "Permalink to this heading")
======================================================================
Under Reporting ‣ Traffic you will find a traffic monitor which show the current amount of data flowing through your firewall, measured in bps (bits per second).
Graph[](#graph "Permalink to this heading")
---------------------------------------------
[](../_images/reporting_traffic_sample.png)
The top area of the screen shows an overview of all network adapters for both in- and outgoing traffic. You can select the desired polling resolution with the dropdown left of the interface selection dropdown.
The graph below shows the top consumers over the same timespan, when you point to a dot it will show you the measured bandwith for the selected host (the color matches the interface).
Top talkers[](#top-talkers "Permalink to this heading")
---------------------------------------------------------
Although the graphical overview also shows the most active clients on the network, sometimes it is more convenient to see the list of addresses and their current activity in a grid type overview. This is where the “Top talkers” tab comes into play, the information is quite comparable to what a command line tool as `iftop` would display:
[](../_images/top_talkers.png)
When opening this tab you will be presented with the most active addresses, including the amount of traffic passed when measured and the last time traffic was seen from or to that address.
Every time the graph is updated, the grid will also be populated with new information.
---
# 24.1 “Savvy Shark” Series — OPNsense documentation
* [](../index.html)
* [Releases](../releases.html)
* [Community Edition](../CE_releases.html)
* 24.1 “Savvy Shark” Series
* * *
24.1 “Savvy Shark” Series[](#savvy-shark-series "Permalink to this heading")
==============================================================================
For more than 9 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
24.1, nicknamed “Savvy Shark”, features ports-based OpenSSL 3, Suricata 7, several MVC/API conversions, a new neighbor configuration feature for ARP/NDP, core inclusion of the os-firewall and os-wireguard plugins, CARP VHID tracking for OpenVPN and WireGuard, functional Kea DHCPv4 server with HA support plus much more.
Download links, an installation guide [\[1\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/24.1/](https://opnsense.c0urier.net/releases/24.1/)
* US East Coast: [https://mirror.wdc1.us.leaseweb.net/opnsense/releases/24.1/](https://mirror.wdc1.us.leaseweb.net/opnsense/releases/24.1/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/24.1/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/24.1/)
* South America: [http://mirror.ueb.edu.ec/opnsense/releases/24.1/](http://mirror.ueb.edu.ec/opnsense/releases/24.1/)
* East Asia: [https://mirror.ntct.edu.tw/opnsense/releases/24.1/](https://mirror.ntct.edu.tw/opnsense/releases/24.1/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
24.1.10 (July 11, 2024)[](#july-11-2024 "Permalink to this heading")
----------------------------------------------------------------------
Today a number of security advisories in third party software are being addressed. Also, a bad dhcp6c patch has been reverted which requires a manual reboot to take full effect.
CAUTION: The OpenSSH update prevents SSH sessions from being established. You need to restart OpenSSH from the GUI or run the console command “pluginctl -s openssh restart” or reboot the system in order to unbreak it.
Here are the full patch notes:
* interfaces: improve DHCPv6 requirement rules on WAN interface
* interfaces: support reading more attributes in ifconfig output parser
* interfaces: correct logic of resolve flag in ARP table (contributed by Kevin Pelzel)
* reporting: add NetFlow IPv6 support for destinations
* kea-dhcp: add description field to subnets
* kea-dhcp: add next-server option to subnets (contributed by Harm Kroon)
* wireguard: fix IP protocol detection for manual gateway
* ui: remove aria-hidden from dialogs (contributed by Jason Fayre)
* ui: properly break out selectpicker options in modals
* plugins: os-bind 1.32 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.1/dns/bind/pkg-descr)
* plugins: os-caddy 1.6.0 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.1/www/caddy/pkg-descr)
* plugins: os-ddclient 1.22 [\[3\]](https://github.com/opnsense/plugins/blob/stable/24.1/dns/ddclient/pkg-descr)
* plugins: os-nginx 1.33 [\[4\]](https://github.com/opnsense/plugins/blob/stable/24.1/www/nginx/pkg-descr)
* plugins: os-theme-cicada 1.36 (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.46 (contributed by Team Rebellion)
* plugins: os-zabbix-agent 1.14 [\[5\]](https://github.com/opnsense/plugins/blob/stable/24.1/net-mgmt/zabbix-agent/pkg-descr)
* plugins: os-zabbix-proxy 1.11 [\[6\]](https://github.com/opnsense/plugins/blob/stable/24.1/net-mgmt/zabbix-proxy/pkg-descr)
* ports: dhcp6c 20240710 reverts faulty Debian patch
* ports: krb5 1.21.3 [\[7\]](https://web.mit.edu/kerberos/krb5-1.21/)
* ports: nss 3.101 [\[8\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_101.html)
* ports: openssh 9.8p1 [\[9\]](https://www.openssh.com/txt/release-9.8)
* ports: openvpn 2.6.11 [\[10\]](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.11)
* ports: suricata 7.0.6 [\[11\]](https://suricata.io/2024/06/27/suricata-7-0-6-and-6-0-20-released/)
A hotfix release was issued as 24.1.10\_1:
* interfaces: allow DHCPv6 server answer from a GUA
A hotfix release was issued as 24.1.10\_2:
* interfaces: allow DHCPv6 multicast as well
A hotfix release was issued as 24.1.10\_3:
* firewall: fix regression in GeoIP aliases selector
A hotfix release was issued as 24.1.10\_8:
* firewall: fix one-to-one NAT migration with external address without a subnet set
* firmware: add fingerprint and upgrade hint for 24.7
* firmware: prefer ZFS over UFS in upgrade message
* firmware: remove unneeded Unbound DNS database upgrade script
* firmware: remove stale Squid plugin upgrade script
24.1.9 (June 18, 2024)[](#june-18-2024 "Permalink to this heading")
---------------------------------------------------------------------
This is the last bit of preparation for the upcoming 24.7 series reimplementing one-to-one NAT using MVC/API and a number of plumbing changes. IPv6 has also been improved with the dhcp6c client having received a number of new fixes and features.
Here are the full patch notes:
* system: do not create an interface route without an address
* system: add pluginctl -x/-X modes for digesting XMLRPC options
* system: replace rand() with random\_int() in remote backup script
* firewall: migrate one-to-one NAT to MVC/API
* interfaces: make SLAAC flush a feature of ifctl for incoming reuse
* interfaces: in SLAAC tracking prevent accepting our own radvd configuration
* interfaces: move SLAAC tunables to system requirements
* interfaces: disable IPv6 interface modes when IPv6 is disabled globally
* interfaces: avoid pluginctl giving out IPv4 info for non-interfaces
* dhcrelay: add logging into its own space
* firmware: change default fetch of changelog to 30 seconds
* firmware: dump TLS information for firmware server(s) in use
* isc-dhcp: allow root domain input as “.” (contributed by Skyler Mantysaari)
* kea-dhcp: support static DNS mappings (contributed by Markus Reiter)
* mvc: refactored and improved checkAndThrowSafeDelete() as checkAndThrowValueInUse()
* ui: prevent word break for top level menu items
* plugins: os-caddy 1.5.7 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.1/www/caddy/pkg-descr)
* ports: curl 8.8.0 [\[2\]](https://curl.se/changes.html#8_8_0)
* ports: dhcp6c 20240607 additions for WAN tracking, interface ID specification, etc.
* ports: nss 3.100 [\[3\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_100.html)
* ports: openldap 2.6.8 [\[4\]](https://www.openldap.org/software/release/changes.html)
* ports: openssl 3.0.14 [\[5\]](https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md)
* ports: php 8.2.20 [\[6\]](https://www.php.net/ChangeLog-8.php#8.2.20)
* ports: py-duckdb 1.0.0 [\[7\]](https://github.com/duckdb/duckdb/releases/tag/v1.0.0)
* ports: py-netaddr 1.3.0 [\[8\]](https://netaddr.readthedocs.io/en/latest/changes.html#release-1-3-0)
* ports: sqlite 3.46.0 [\[9\]](https://sqlite.org/releaselog/3_46_0.html)
A hotfix release was issued as 24.1.9\_1:
* firewall: “natreflection” rule attribute missed in MVC/API migration
A hotfix release was issued as 24.1.9\_3:
* firewall: typo in “destination” migration for one-to-one NAT
* firewall: one-to-one NAT default reflection setting was ignored
A hotfix release was issued as 24.1.9\_4:
* system: proper HA sync for new one-to-one NAT section
24.1.8 (May 29, 2024)[](#may-29-2024 "Permalink to this heading")
-------------------------------------------------------------------
The endless loop packet read in the new dhcrelay daemon has been fixed. A new kernel is included in this release bringing the latest stable/13 state in the relevant networking areas. A number of small changes have also been made. Thanks for all the reports and support!
To spread the news… 24.7 will be based on FreeBSD 14.1. Stay tuned.
Here are the full patch notes:
* system: fix regression in gateways migration causing far gateway option to be set incorrectly
* system: work around fatal password\_hash() change in PHP 8.2.18
* system: move net.inet.icmp.drop\_redirect sysctl to automatic mode
* system: add Google Drive configuration as an XMLRPC sync target
* interfaces: detect and ignore “detached” state for IPv6
* interfaces: remove unused imports from sockstat list
* firewall: use the new $.replaceInputWithSelector() for source/destination networks in MVC filter pages
* firewall: fix empty rule label rendered as “null” on sessions page
* ipsec: fix faulty “-” usage in URIs
* isc-dhcp: take into account that multiple ia-pd can be delegated
* kea-dhcp: simplified the controller code
* unbound: change blocklist processing in \_blocklist\_reader()
* unbound: allow RFC 2181 compatible names in query forwarding
* mvc: silence spurious validation message when explicitly asked to ignore them
* ui: prevent vertical modal overflows and instead present a scrollbar
* ui: add $.replaceInputWithSelector() action
* ui: handle static page CSRF without Phalcon
* plugins: os-caddy 1.5.6 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.1/www/caddy/pkg-descr)
* src: pfsync: fix use of invalidated stack variable
* src: pfsync: cope with multiple pending plus messages
* src: ipfw: skip to the start of the loop when following a keep-state rule
* src: bridge: use IF\_MINMTU
* src: bridge: change MTU for new members
* src: ethernet: support ARP for 802 networks
* src: ethernet: fix logging of frame length
* src: debugnet: fix logging of frame length
* src: wg: use ENETUNREACH when transmitting to a non-existent peer
* src: fib\_algo: lower level of algorithm switching messages to LOG\_INFO
* src: libpfctl: fix incorrect pcounters array size
* src: pf: always mark states as unlinked before detaching them
* src: vxlan: add checking for loops and nesting of tunnels
* src: igc: increase default per-queue interrupt rate to 20000
* ports: dhcrelay 0.5 fixes endless loop on packet read
* ports: hyperscan 5.4.2 [\[2\]](https://github.com/intel/hyperscan/releases/tag/v5.4.2)
* ports: libxml 2.11.8 [\[3\]](https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS)
* ports: ntp 4.2.8p18 [\[4\]](https://www.ntp.org/support/securitynotice/4_2_8-series-changelog/#428p18)
* ports: openssl fix for CVE-2024-4603
* ports: phalcon 5.7.0 [\[5\]](https://github.com/phalcon/cphalcon/releases/tag/v5.7.0)
* ports: py-duckdb 0.10.3 [\[6\]](https://github.com/duckdb/duckdb/releases/tag/v0.10.3)
24.1.7 (May 16, 2024)[](#may-16-2024 "Permalink to this heading")
-------------------------------------------------------------------
Python was updated to version 3.11 along with the usual reliability patches in the core, plugins and third party software.
At the moment we are working on removing most of the Phalcon framework dependencies which have the side effect of speeding up the MVC/API bits. The new dashboard is also taking shape. Try it on the development version if you can and let us know what you think.
Here are the full patch notes:
* system: fix maximum log file size being ignored when there is only one file
* system: make log rotate action available to Cron
* system: remove get\_current\_theme() and improve static page templating
* system: move radvd and rtsold to system log where they belong
* system: deny access to .core files from web GUI and disable core dumps by default
* system: adjust log levels in Google Drive backup
* system: prevent out of memory on gateways migrations
* interfaces: give DAD another second of delay to finish for the IPv6 renew
* interfaces: reword the gateway selector default and help text to describe its function more accurately
* ipsec: allow the equal sign for identity parsing in connections
* isc-dhcp: make private consumers actually private where it matters
* kea-dhcp: generate JSON payload from model
* kea-dhcp: fix field separator for subnet domain search (contributed by KitKat31337)
* openvpn: fix “attempt to read property…” in status page
* openvpn: safeguard config access in updown\_event.py
* wireguard: pass endpoint to validator to avoid invalid QR code errors on mobile app
* wireguard: add MTU when set on the instance
* backend: allow to query multiple sysctl queries at once
* mvc: pass isFieldChanged() to children in ContainerField
* mvc: replace PhalconFilterValidationException with OPNsenseBaseValidationException wrapper
* mvc: extend model implementation to ease legacy migrations
* mvc: change exception handling in runMigrations() to avoid mismatches in attributes being silently ignored
* mvc: refactor grid search to fetch descriptive values from the model instead of trying to reconstruct them
* mvc: replace array\_map+strval for loop with cast to preserve execution time in BaseListField
* ui: fix bootgrid parsing of timestamp
* ui: improve tokenizer paste behaviour
* plugins: os-acme-client 4.3 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.1/security/acme-client/pkg-descr)
* plugins: os-caddy 1.5.5 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.1/www/caddy/pkg-descr)
* plugins: os-crowdsec 1.0.8 [\[3\]](https://github.com/opnsense/plugins/blob/stable/24.1/security/crowdsec/pkg-descr)
* plugins: os-freeradius 1.9.23 [\[4\]](https://github.com/opnsense/plugins/blob/stable/24.1/net/freeradius/pkg-descr)
* plugins: os-frr 1.40 [\[5\]](https://github.com/opnsense/plugins/blob/stable/24.1/net/frr/pkg-descr)
* plugins: os-relayd 2.9 moves validation to model where it belongs
* plugins: os-shadowsocks 1.1 adds transport mode option (contributed by xabbok255)
* plugins: os-squid workaround for broken OpenSSL legacy provider handling
* plugins: os-telegraf 1.12.11 [\[6\]](https://github.com/opnsense/plugins/blob/stable/24.1/net-mgmt/telegraf/pkg-descr)
* ports: libpfctl 0.11
* ports: libucl 0.9.2
* ports: lighttpd 1.4.76 [\[7\]](https://www.lighttpd.net/2024/4/12/1.4.76/)
* ports: php 8.2.19 [\[8\]](https://www.php.net/ChangeLog-8.php#8.2.19)
* ports: pecl-mcrypt 1.0.7
* ports: python 3.11.9 [\[9\]](https://docs.python.org/release/3.11.9/whatsnew/changelog.html)
* ports: strongswan 5.9.14 [\[10\]](https://github.com/strongswan/strongswan/releases/tag/5.9.14)
* ports: suricata 7.0.5 [\[11\]](https://suricata.io/2024/04/23/suricata-7-0-5-and-6-0-19-released/)
* ports: syslog-ng 4.7.1 [\[12\]](https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.7.1)
* ports: unbound 1.20.0 [\[13\]](https://nlnetlabs.nl/projects/unbound/download/#unbound-1-20-0)
A hotfix release was issued as 24.1.7\_4:
* monit: fix referential constraint issue when dependency is removed
* wireguard: move validation to correct spot when no instance address and peer address was provided
* wireguard: also validate hostnames correctly in peer generator endpoint
* backend: resolve deprecation warnings for sre\_constants (contributed by MaxXor)
* plugins: os-caddy fix for setup.sh not executing on a reload
* plugins: os-crowdsec fix for LAPI mode startup problem
* plugins: os-squid fix for another netaddr/ipaddr related migration issue
24.1.6 (April 18, 2024)[](#april-18-2024 "Permalink to this heading")
-----------------------------------------------------------------------
Today we are happy to announce another milestone regarding ISC DHCP removal: the arrival of a DHCRelay replacement based on code forked and maintained by OpenBSD. While here the whole DHCP relay section was moved to MVC/API for the usual reasons and now offers a combined GUI for both DHCPv4 and DHCPv6 relay. As a special treat this also includes being able to run ISC DHCP as well as any desired relay at the same time.
The feedback for the WireGuard peer generator was quite extensive so a few more tweaks and fixes have been done in that area. Thank you for all the responses regarding that feature addition!
Otherwise this update simply moves ahead with security-related third party updates in OpenSSL and PHP.
Last but not least we are releasing the OPNProxy (formerly business) plugin to the community version for fine-grained access control using Squid with Redis as a database backend. For more details please consult the available documentation linked below.
Here are the full patch notes:
* firewall: show automation rules in their own section
* firewall: keep permissions to standard for filter.lock file
* firewall: replace searchNoCategoryItemAction() with new searchBase() extension
* firewall: add gateway to the states diagnostics output
* firewall: fix visible rows quantity off-by-one (contributed by NYOB)
* intrusion detection: query all fields for searchBase() actions
* dhcrelay: functional MVC/API replacement using the OpenBSD dhcrelay(6) fork
* isc-dhcp: fix log file location
* wireguard: add DNS field to peer generator and store previous used values in instance
* wireguard: add address field to peer generator which auto-calculates the next available address in the pool
* wireguard: add restart action to available cron tasks (contributed by Michael Muenz)
* wireguard: unlink instance on peer delete
* mvc: extend searchBase() to return all fields when no list is provided
* mvc: fix config locking issue when already owning the lock
* plugins: add globbing for plugin run tasks as well
* plugins: os-OPNProxy 1.0.5 business plugin released to community version [\[1\]](https://docs.opnsense.org/vendor/deciso/opnproxy.html)
* plugins: os-acme-client 4.2 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.1/security/acme-client/pkg-descr)
* plugins: os-caddy 1.5.4 [\[3\]](https://github.com/opnsense/plugins/blob/stable/24.1/www/caddy/pkg-descr)
* plugins: os-zabbix-proxy 1.10 [\[4\]](https://github.com/opnsense/plugins/blob/stable/24.1/net-mgmt/zabbix-proxy/pkg-descr)
* ports: dhcrelay 0.4 [\[5\]](https://github.com/opnsense/dhcrelay)
* ports: openssl fix for CVE-2024-2511 [\[6\]](https://github.com/freebsd/freebsd-ports/commit/3d9fc064b7)
* ports: php 8.2.18 [\[7\]](https://www.php.net/ChangeLog-8.php#8.2.18)
24.1.5 (April 04, 2024)[](#april-04-2024 "Permalink to this heading")
-----------------------------------------------------------------------
Today the kernel receives a number of minor updates that have accumulated since 24.1.2 was released. The primary focus for the time being is adding fixes and MVC improvements for upcoming feature backports into the next 24.1.x versions.
The update presents itself as a hotfix release 24.1.5\_1 but that is only due to catching an issue during the last QA stage with an update of the gettext library.
Here are the full patch notes:
* system: fix PHP warnings and spurious validation in route model
* system: fix translation of static PHP pages with newer gettext
* interfaces: support a primary interface in LAGG failover mode
* interfaces: stop caching IPv6 address to decide if reload is required
* firmware: opnsense-revert: fix issue with downloaded package install
* ipsec: fix typo in config generation for AH proposals
* unbound: duckduckgo.com blocklist fix
* wireguard: add a peer configuration generator with QR code capability
* wireguard: improve overall configuration UX
* mvc: add “safe” filter in Phalcon volt templates
* mvc: feed current language into view to replace hardcoded “en-US”
* mvc: fix minor regression with “allownew” not having a default
* mvc: extend model implementation to support volatile fields
* mvc: add setBaseHook() to ApiMutableModelControllerBase
* rc: fix wrong order in service startup (contributed by Frank Wall)
* ui: move cache\_safe() functions to appropriate include
* ui: add a “statusled” formatter to bootgrid
* ui: add a “grid-reload” helper to SimpleActionButton
* plugins: os-bind 1.21 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.1/dns/bind/pkg-descr)
* plugins: os-caddy 1.5.3 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.1/www/caddy/pkg-descr)
* src: wg: fix handling of errors in wg\_transmit()
* src: wg: use proper barriers around pkt->p\_state
* src: kern: fix panic with disabled ttys
* src: opencrypto: advance the correct pointer in crypto\_cursor\_copydata()
* src: opencrypto: handle end-of-cursor conditions in crypto\_cursor\_segment()
* src: opencrypto: respect alignment constraints in xor\_and\_encrypt()
* src: ccr,ccp: fix argument order to sglist\_append\_vmpages
* src: ossl: add missing labels to bsaes-armv7.S
* src: ipsec esp: avoid dereferencing freed secasindex
* src: irdma: upgrade to 1.2.36-k
* src: irdma: remove artificial completion generator
* src: tcp: cubic - restart epoch after RTO
* src: tcp: prevent div by zero in cc\_htcp
* src: net80211: adjust more VHT structures/fields
* ports: curl 8.7.1 [\[3\]](https://curl.se/changes.html#8_7_1)
* ports: expat 2.6.2 [\[4\]](https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes)
* ports: libucl 0.9.1
* ports: lighttpd 1.4.75 [\[5\]](https://www.lighttpd.net/2024/3/13/1.4.75/)
* ports: nss 3.99 [\[6\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_99.html)
* ports: openssh 9.7p1 [\[7\]](https://www.openssh.com/txt/release-9.7)
* ports: openvpn 2.6.10 [\[8\]](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.10)
* ports: php 8.2.17 [\[9\]](https://www.php.net/ChangeLog-8.php#8.2.17)
* ports: py-duckdb 0.10.1 [\[10\]](https://github.com/duckdb/duckdb/releases/tag/v0.10.1)
* ports: py-netaddr 1.2.1 [\[11\]](https://netaddr.readthedocs.io/en/latest/changes.html#release-1-2-1)
A hotfix release was issued as 24.1.5\_2:
* wireguard: store attached instance during peer generation
A hotfix release was issued as 24.1.5\_3:
* reporting: top talkers fix for backend required by new py-netaddr
24.1.4 (March 20, 2024)[](#march-20-2024 "Permalink to this heading")
-----------------------------------------------------------------------
Suricata and Unbound have been updated to their latest versions. Support for dynamic DNS VTI connections has also been added amongst other things.
We would like to thank Cedrik Pischem (Monviech) for upstreaming his Caddy plugin to the official packages. If you already have this plugin installed no further action has to be taken and updates should proceed through the standard firmware channel from now on. Documentation for it was added to the manual as well.
For 24.7, we are currently working on a DHCP-Relay replacement, a rewrite of the trust section in MVC as well as a new dashboard implementation. It has been busy and we will keep it that way. :)
Here are the full patch notes:
* system: allow 0 length voucher passwords in authentication server
* system: merge static logging settings into existing MVC page
* system: fix handling of empty “serialusb” node set during import
* system: prevent empty “user” node to crash during boot
* interfaces: prevent modal x-axis overflow on packet capture page
* firewall: refactor schedule matching and fix an end-of-the-month bug
* firewall: fix incorrect packet counters statistics collection
* intrusion detection: align performValidation()->count() to use count() instead
* ipsec: optionally hook VTI tunnel configuration to connection up event to support dynamic DNS
* isc-dhcp: do not add interfaces for non-Ethernet types to relaying
* kea-dhcp: add domain-search, time-servers and static-routes client options to subnet configuration
* openvpn: various improvements for TAP servers
* wireguard: migrate non-netmask allowed IP entries and enforce them in validation
* wireguard: show proper names when public keys overlap between instances
* mvc: fix PHP\_FLOAT\_MIN being unreliable
* mvc: add simple Message class and remove the previous Phalcon dependency
* mvc: refactor HostnameField, remove HostValidator dependency and add unit test
* mvc: add new static Autoconf class to access information collected by ifctl
* mvc: fix rewind() stream not supporting seeking error
* mvc: add copy of our html\_safe() and use it in the translator
* ui: adjust margin of hr elements to match \_\_mX helpers
* ui: add a button to allow textarea style edits of free-form tokenizers
* ui: when an error is raised make sure it is always visible
* ui: fix copy/paste buttons not showing for tokenizers in some situations
* plugins: os-bind 1.30 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.1/dns/bind/pkg-descr)
* plugins: os-caddy 1.5.2 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.1/www/caddy/pkg-descr)
(contributed by Monviech)
* ports: expat 2.6.1 [\[3\]](https://github.com/libexpat/libexpat/blob/R_2_6_1/expat/Changes)
* ports: libpfctl 0.10
* ports: nss 3.98 [\[4\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_98.html)
* ports: phalcon 5.6.2 [\[5\]](https://github.com/phalcon/cphalcon/releases/tag/v5.6.2)
* ports: sqlite 3.45.1 [\[6\]](https://sqlite.org/releaselog/3_45_1.html)
* ports: suricata 7.0.4 [\[7\]](https://suricata.io/2024/03/19/suricata-7-0-4-and-6-0-17-released/)
* ports: unbound 1.19.3 [\[8\]](https://nlnetlabs.nl/projects/unbound/download/#unbound-1-9-3)
24.1.3 (March 06, 2024)[](#march-06-2024 "Permalink to this heading")
-----------------------------------------------------------------------
This update fixes minor issues in the software and adds a CSV import/export to the Kea DHCP reservations to make bulk edits much easier. It also fixes defaults in Suricata 7 that would negatively impact the IPS mode usage and updates the curl package to its current latest version.
Here are the full patch notes:
* system: prevent gateway removal when it is currently bound to an interface
* system: fix assorted PHP deprecation warnings
* firewall: add optional advanced property “State policy” to influence state creation on a per rule base
* firewall: fix floating rule display (contributed by lin-xianming)
* firewall: fix display of ICMP tooltip (contributed by lin-xianming)
* firmware: fix missing space in audit message
* kea-dhcp: add import/export as CSV on reservations
* intrusion detection: set exception-policy and app-layer.error-policy to their advertised defaults
* unbound: make atomic copies of root.hints file to hopefully appease Unbound startup problems
* unbound: fix missing /lib nullfs mount in chroot
* unbound: add aggressive-nsec option toggle (contributed by kulikov-a)
* wireguard: remove duplicate “pubkey” field, remove required tag and validate on Base64 in model
* wireguard: address assorted interface configuration inconsistencies during configuration
* mvc: fix model cloning when array items contain nested containers
* ui: fix epoch support as number in bootgrid
* ui: replace all > and < occurrences in treeview (contributed by lin-xianming)
* wizard: reorder storage sequence to fix hostname/domain change bug
* plugins: os-theme-cicada 1.35 (contributed by Team Rebellion)
* plugins: os-theme-rebellion 1.8.10 (contributed by Team Rebellion)
* ports: curl 8.6.0 [\[1\]](https://curl.se/changes.html#8_6_0)
* ports: dnspython 2.6.1
* ports: expat 2.6.0 [\[2\]](https://github.com/libexpat/libexpat/blob/R_2_6_0/expat/Changes)
* ports: libpfctl 0.9
* ports: libxml 2.11.7 [\[3\]](https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS)
* ports: lighttpd 1.4.74 [\[4\]](https://www.lighttpd.net/2024/2/19/1.4.74/)
* ports: pcre2 10.43 [\[5\]](https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.43)
* ports: php 8.2.16 [\[6\]](https://www.php.net/ChangeLog-8.php#8.2.16)
A hotfix release was issued as 24.1.3\_1:
* intrusion detection: fix whitespace issue in yaml configuration file
24.1.2 (February 20, 2024)[](#february-20-2024 "Permalink to this heading")
-----------------------------------------------------------------------------
It is time to move back to Suricata version 7 after identifying the relevant default option changes in order to keep IPS/Netmap happy when running it. Kea also received a number of tweaks and updates as well as our VPN service integrations.
Last but not least this includes FreeBSD 13.2-p10 and the recent DNS denial of service attack mitigation.
Here are the full patch notes:
* system: accept colon character in log queries
* system: add issuer and logo to OTP link
* system: fix gateway migration issue causing individual items to be skipped
* reporting: update traffic graph colors to be contrast and consistent (contributed by brotherla)
* interfaces: fix strpos() deprecation null haystack
* interfaces: add missing ACL entries for ARP/NDP tables
* interfaces: fix VXLAN validation
* firewall: change default traffic normalization behavior and choose “in” as standard direction for manual rules
* firewall: make select width more consistent on alias diagnostics table selection
* dhcp: set RemoveAdvOnExit to off in CARP mode for router advertisements
* dhcp: make sure the register DNS leases options reflect that this is only supported for ISC DHCP
* dhcp: make option\_data\_autocollect option more explicit in Kea
* dhcp: gather missing Kea leases another way since the logs are unreliable
* dhcp: add address constraint to Kea reservations
* dhcp: add unique constraint for MAC address + subnet in Kea
* dhcp: add domain-name to client configuration in Kea
* dhcp: loosen constraints for TFTP boot in Kea
* intrusion detection: adjust for default behaviour changes in Suricata 7
* ipsec: improve enable button placement on connections page
* ipsec: show EAP-RADIUS settings only when legacy tunnels are being used
* ipsec: allow % to support %any in ID for connections
* openvpn: when “cert\_depth” is left empty it should ignore the value
* openvpn: data-ciphers-fallback should be a single option
* openvpn: fix support for /30 p2p/net30 instances
* openvpn: add “various\_push\_flags” field for simple boolean server push options in connections
* unbound: prevent os.write() on None when another thread closed the pipe in Python module
* wireguard: key constraints should only apply on peers and not instances
* wireguard: peer uniqueness should depend on pubkey + endpoint
* wireguard: skip attached instance address routes
* wireguard: remove duplicate ID columns
* mvc: fix Phalcon 5.4 and up
* src: jail: fix information leak [\[1\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:02.tty.asc)
* src: bhyveload: use a dirfd to support -h [\[2\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:01.bhyveload.asc)
* src: EVFILT\_SIGNAL: do not use target process pointer on detach [\[3\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-24:03.kqueue.asc)
* src: setusercontext(): apply personal settings only on matching effective UID [\[4\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-24:02.libutil.asc)
* src: re: generate an address if there is none in the EEPROM
* src: wg: detect loops in netmap mode
* src: wg: detach bpf upon destroy as well
* src: wg: fix access to noise\_local->l\_has\_identity and l\_private
* src: wg: fix erroneous calculation in calculate\_padding() for p\_mtu == 0
* plugins: os-acme-client 4.1 [\[5\]](https://github.com/opnsense/plugins/blob/stable/24.1/security/acme-client/pkg-descr)
* plugins: os-ddclient 1.21 [\[6\]](https://github.com/opnsense/plugins/blob/stable/24.1/dns/ddclient/pkg-descr)
* plugins: os-dnscrypt-proxy 1.15 [\[7\]](https://github.com/opnsense/plugins/blob/stable/24.1/dns/dnscrypt-proxy/pkg-descr)
* ports: dnsmasq 2.90 [\[8\]](https://www.thekelleys.org.uk/dnsmasq/CHANGELOG)
* ports: openvpn 2.6.9 [\[9\]](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.9)
* ports: phalcon 5.6.1 [\[10\]](https://github.com/phalcon/cphalcon/releases/tag/v5.6.1)
* ports: radvd adds upstream patch for RemoveAdvOnExit option
* ports: suricata 7.0.3 [\[11\]](https://suricata.io/2024/02/08/suricata-7-0-3-and-6-0-16-released/)
* ports: unbound 1.19.1 [\[12\]](https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-1)
A hotfix release was issued as 24.1.2\_1:
* system: fix dynamic gateway persisting its address
24.1.1 (February 06, 2024)[](#february-06-2024 "Permalink to this heading")
-----------------------------------------------------------------------------
Apart from rolling back Suricata 7 to 6 the new major version is looking good. The two intertwined Suricata default config changes in version 7 have been identified and fixed in the development version so that we can move back to version 7 in 24.1.2.
This minor release is intended as a small round of fixes and third party updates to ensure reliability and security.
Here are the full patch notes:
* system: enable OpenSSL legacy provider by default to allow Google Drive backup to continue working with OpenSSL 3
* system: bring back the interface statistics dashboard widget update interval
* system: fix all items in the OPNsense container being synced in XMLRCP when NAT option is selected
* interfaces: overview page UX improvements
* firewall: align GeoIP file check with documentation
* firewall: fix virtual IP API use with subnet/subnet\_bits usage
* wireguard: allow instances to start their ID at 0 like they used to a long time ago
* dhcp: omit faulty comma in Kea config when control agent is disabled
* dhcp: add opt-out automatic firewall rules for Kea server access
* ipsec: remove AEAD algorithms without a PRF for IKE proposals in connections
* openvpn: fix cso\_login\_matching being ignored during authentication
* backend: optimise stream\_handler to exit and kill running process when no listener is attached
* plugins: os-frr 1.39 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.1/net/frr/pkg-descr)
* plugins: os-haproxy 4.3 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.1/net/haproxy/pkg-descr)
* plugins: os-ntopng 1.3 [\[3\]](https://github.com/opnsense/plugins/blob/stable/24.1/net/ntopng/pkg-descr)
* plugins: os-tor 1.10 adds MyFamily support (contributed by Mike Bishop)
* ports: nss 3.97 [\[4\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_97.html)
* ports: openldap 2.6.7 [\[5\]](https://www.openldap.org/software/release/changes.html)
* ports: openssl 3.0.13 [\[6\]](https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md)
* ports: syslog-ng 4.6.0 [\[7\]](https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.6.0)
24.1 (January 30, 2024)[](#january-30-2024 "Permalink to this heading")
-------------------------------------------------------------------------
For more than 9 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
24.1, nicknamed “Savvy Shark”, features ports-based OpenSSL 3, Suricata 7, several MVC/API conversions, a new neighbor configuration feature for ARP/NDP, core inclusion of the os-firewall and os-wireguard plugins, CARP VHID tracking for OpenVPN and WireGuard, functional Kea DHCPv4 server with HA support plus much more.
Download links, an installation guide [\[1\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/24.1/](https://opnsense.c0urier.net/releases/24.1/)
* US East Coast: [https://mirror.wdc1.us.leaseweb.net/opnsense/releases/24.1/](https://mirror.wdc1.us.leaseweb.net/opnsense/releases/24.1/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/24.1/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/24.1/)
* South America: [http://mirror.ueb.edu.ec/opnsense/releases/24.1/](http://mirror.ueb.edu.ec/opnsense/releases/24.1/)
* East Asia: [https://mirror.ntct.edu.tw/opnsense/releases/24.1/](https://mirror.ntct.edu.tw/opnsense/releases/24.1/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
Here are the full patch notes against 23.7.12:
* system: prevent activating shell for non-admins
* system: add OCSP trust extensions and improved authorities implementation
* system: migrate single gateway configuration to MVC/API
* system: use new backend streaming functionality in the log viewer
* system: limit file system /conf/config.xml and backups access to administrators
* system: migrate gateways model to match new class introduced in 23.7.x
* system: refactor get\_single\_sysctl()
* system: update cron model
* system: fix migration issue in new gateways model
* system: handle case insensitivity while reading groups
* system: shuffle authentication templates to the end of login configuration
* system: add “maxfilesize” option to enforce a log rotate when files exceed their limit
* reporting: print status message when Unbound DNS database was not found during firmware upgrade
* reporting: update NetFlow model
* interfaces: implement new neighbor configuration for ARP and NDP entries using MVC/API
* interfaces: refactor interface\_bring\_down() into interface\_reset() and interface\_suspend()
* interfaces: migrate the overview page to MVC/API
* interfaces: add optional local/remote port to VXLAN
* interfaces: remove unused code from native dhclient-script
* interfaces: do not flush states on clear event
* firewall: add automation category for filter rules and source NAT using MVC/API, formerly known as os-firewall plugin
* firewall: migrate NPTv6 page to MVC/API
* firewall: add a track interface selection to NPTv6 as an alternative to the automatic rule interface fallback when dealing with dynamic prefixes
* captive portal: fix integer validation in vouchers
* captive portal: update model
* dhcp: clean up duplicated domain-name-servers option
* dhcp: cleanup get\_lease6 script and fix parsing issue
* dhcp: add Kea DHCPv4 server option with HA capabilities as an alternative to the end of life ISC DHCP
* dhcp: deduplicate records in Kea leases
* intrusion detection: show rule origin in rule adjustments grid
* ipsec: extend connection proposals tooltip to children and fix tooltip style issue
* lang: added traditional Chinese translation (contributed by Jason Cheng)
* monit: update model
* openvpn: allow optional OCSP checking per instance
* openvpn: emit device name upon creation
* openvpn: add workaround for net30/p2p smaller than /29 networks
* openvpn: add optional “route-metric” push option for server instances
* web proxy: integration moved to os-squid plugin
* wireguard: installed by default using the bundled FreeBSD 13.2 kernel module
* backend: constrain execution of user add/change/list actions to members of the wheel group
* backend: only parse stream results when configd socket could be opened
* backend: wait for all configd results and add it to the log message when detached
* mvc: remove legacy Phalcon migration glue
* mvc: add configdStream action to ApiControllerBase
* mvc: support array structures for better search functionality in ApiControllerBase
* mvc: scope xxxBase validations to the item in question in ApiMutableModelControllerBase
* mvc: remove Phalcon syslog implementation with a simple wrapper
* mvc: add a DescriptionField type
* mvc: add a MacAddressField type
* mvc: add IsDNSName to support DNS names as specified by RFC2181 in HostnameField
* ui: include meta tags for standalone/full-screen on Android and iOS (contributed by Shane Lord)
* ui: add double click event with grid dialog in tree view to show a row layout instead
* ui: auto-trim MVC input fields when being pasted
* ui: increase standard search delay from 250 ms to 1000 ms
* ui: make modal dialogs draggable
* ui: support key/value combinations for error messages in do\_input\_validation()
* plugins: os-acme-client 4.0 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.1/security/acme-client/pkg-descr)
* plugins: os-api-backup was discontinued due to overlapping functionality in core
* plugins: os-firewall moved to core
* plugins: os-haproxy 4.2 [\[3\]](https://github.com/opnsense/plugins/blob/stable/24.1/net/haproxy/pkg-descr)
* plugins: os-nrpe updated to NRPE 4.1.x
* plugins: os-postfix updated to Postfix 3.8.x
* plugins: os-squid 1.0 offers the removed web proxy core functionality
* plugins: os-wireguard moved to core
* plugins: os-wireguard-go was discontinued
* src: NFS client data corruption and kernel memory disclosure [\[4\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:18.nfsclient.asc)
* src: pf: merge extended support for SCTP and related stable changes
* src: e1000: merge assorted driver improvements for hardware capabilities
* src: bsdinstall: merge assorted stable changes
* src: tuntap: merge assorted stable changes
* src: wireguard: add experimental netmap support
* src: sys: Use mbufq\_empty instead of comparing mbufq\_len against 0
* src: e1000/igc: remove disconnected sysctl
* ports: libxml 2.11.6 [\[5\]](https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS)
* ports: openssl 3.0.12 [\[6\]](https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md)
* ports: php 8.2.15 [\[7\]](https://www.php.net/ChangeLog-8.php#8.2.15)
* ports: py-duckdb 0.9.2
* ports: sqlite 3.45.0 [\[8\]](https://sqlite.org/releaselog/3_45_0.html)
* ports: suricata 7.0.2 [\[9\]](https://forum.suricata.io/t/suricata-7-0-2-released/4069)
A hotfix release was issued as 24.1\_1:
* ports: revert back to suricata 6.0.15 for the time being
Migration notes, known issues and limitations:
* Audits and certifications are requiring us to restrict system accounts for non-administrators (without wheel group in particular). It will no longer be possible to use non-adminstrator accounts with shell access and permissions for sensitive files have been tightened to not be world-readable. This may cause custom tooling to stop working, but can easily be fixed by giving these required accounts the full administration rights.
* ISC DHCP functionality is slowly being deprecated with the introduction of Kea as an alternative. The work to replace the tooling of ISC DHCP is ongoing, but feature sets will likely differ for a long time therefore.
* The move to the FreeBSD ports version of OpenSSL 3.0 is included and may disrupt third party repository use until those have been fixed and rebuilt accordingly. Please note that we do not vet third party repositories and do not have control over them so their response time may vary.
* The Squid web proxy functionality moves to a plugin and will no longer be installed by default for new installations. However, if you have Squid enabled the plugin will automatically be installed during the upgrade. There is no code difference in the implementation and integration of the plugin compared to the core version.
The public key for the 24.1 series is:
\# -----BEGIN PUBLIC KEY-----
\# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArjthZplSNhbgab8VYDYl
\# jn3rNni+Fson28prwolUac0EHlu1e9ckM03BjYfRYUcpHRdNTglPr+likmgQ3K7j
\# 01oq0/H2krvXUbxUq8CQDYgHUM9QDBubdC06/oQ/S20YGHlHJ+odexUbLF0YvW04
\# RfzlEozBW0eUjc3LLYAvr1RwXoiZyB/Qit5bBC7No6fKIlCD9uZ3+7b1pO+Gjfq0
\# mPF01kE7P55Y9WqaEU9odS4xE+viGlj+k1+YZBsEWWzX+J3z5zGDhWcsWWskd92z
\# eMOUkJyVeiIWkW4draQ7CC0tJ4e+f/1PUkkLRfMMO55pGeunu3xwEgD4ALyD1A+y
\# 029sKMXF6OSWgDQDrxDOe4bA7RW4yUba3EhSz8UyAvL3HIKQ0OuOJaGYkRee9DBQ
\# DmCjIvPs6yCdAiuDbwO7V6RsH4k3yIONotST3qwf3sJXU3vvwsHi1n3ssccZBzw4
\# sKwQ1xQN1eIc5+At+OJ6bzkdb/vg+UrFUfuCknqxuxvwg99+3Wx6vvemW7yqIUY4
\# Vkhqs7WUZ0ucwo1zjLM12K4yS7kEQbOzHykYQzXXYxhzJIai+BZAJFytSER+Wl7Z
\# AyIioWGKwTD/WTEzyfK5svnSmosWlikagMhl3+XyF2cma1rPqOOyuFpcFhmV6nlR
\# vWhn568tDgJAyWqOCCHZqOMCAwEAAQ==
\# -----END PUBLIC KEY-----
\# SHA256 (OPNsense-24.1-dvd-amd64.iso.bz2) = 6d1e22713bf031d0a36a73b3820cd1564f426cae9c67a6ade4b7fa6518afa2d5
\# SHA256 (OPNsense-24.1-nano-amd64.img.bz2) = 6bc86a13bda81702382383b1e9b31550177bafe88fa599e0c2ed8064040461b1
\# SHA256 (OPNsense-24.1-serial-amd64.img.bz2) = c4c53e5dd80660cc67b349fa588b3ca11efd9f45d09f6cb391d8e19b48dd7fcc
\# SHA256 (OPNsense-24.1-vga-amd64.img.bz2) = ec08755245017cd449a8d174b6ea7c4e2038c454a8abecfad0d0378729d8b331
24.1.r1 (January 19, 2024)[](#r1-january-19-2024 "Permalink to this heading")
-------------------------------------------------------------------------------
For more than 9 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3
24.1-RC1 is an online uppgrade only. We will be publishing images with the final 24.1 release of course.
Here are the full patch notes against 23.7.12:
* system: prevent activating shell for non-admins
* system: add OCSP trust extensions and improved authorities implementation
* system: migrate single gateway configuration to MVC/API
* system: use new backend streaming functionality in the log viewer
* system: limit file system /conf/config.xml and backups access to administrators
* system: migrate gateways model to match new class introduced in 23.7.x
* system: refactor get\_single\_sysctl()
* system: update cron model
* reporting: update NetFlow model
* interfaces: implement new neighbor configuration for ARP and NDP entries using MVC/API
* interfaces: refactor interface\_bring\_down() into interface\_reset() and interface\_suspend()
* interfaces: migrate the overview page to MVC/API
* interfaces: add optional local/remote port to VXLAN
* interfaces: remove unused code from native dhclient-script
* interfaces: do not flush states on clear event
* firewall: add automation category for filter rules and source NAT using MVC/API, formerly known as os-firewall plugin
* firewall: migrate NPTv6 page to MVC/API
* firewall: add a track interface selection to NPTv6 as an alternative to the automatic rule interface fallback when dealing with dynamic prefixes
* captive portal: fix integer validation in vouchers
* captive portal: update model
* dhcp: clean up duplicated domain-name-servers option
* dhcp: cleanup get\_lease6 script and fix parsing issue
* dhcp: add Kea DHCPv4 server option with HA capabilities as an alternative to the end of life ISC DHCP
* intrusion detection: show rule origin in rule adjustments grid
* ipsec: extend connection proposals tooltip to children and fix tooltip style issue
* lang: added traditional Chinese translation (contributed by Jason Cheng)
* monit: update model
* openvpn: allow optional OCSP checking per instance
* openvpn: emit device name upon creation
* openvpn: add workaround for net30/p2p smaller than /29 networks
* web proxy: integration moved to os-squid plugin
* wireguard: installed by default using the bundled FreeBSD 13.2 kernel module
* backend: constrain execution of user add/change/list actions to members of the wheel group
* mvc: remove legacy Phalcon migration glue
* mvc: add configdStream action to ApiControllerBase
* mvc: support array structures for better search functionality in ApiControllerBase
* mvc: scope xxxBase validations to the item in question in ApiMutableModelControllerBase
* mvc: remove Phalcon syslog implementation with a simple wrapper
* mvc: add a DescriptionField type
* mvc: add a MacAddressField type
* ui: include meta tags for standalone/full-screen on Android and iOS (contributed by Shane Lord)
* ui: add double click event with grid dialog in tree view to show a row layout instead
* ui: auto-trim MVC input fields when being pasted
* ui: increase standard search delay from 250 ms to 1000 ms
* ui: make modal dialogs draggable
* ui: support key/value combinations for error messages in do\_input\_validation()
* plugins: os-api-backup was discontinued due to overlapping functionality in core
* plugins: os-firewall moved to core
* plugins: os-nrpe updated to NRPE 4.1.x
* plugins: os-postfix updated to Postfix 3.8.x
* plugins: os-squid 1.0 offers the removed web proxy core functionality
* plugins: os-wireguard moved to core
* plugins: os-wireguard-go was discontinued
* src: NFS client data corruption and kernel memory disclosure [\[1\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:18.nfsclient.asc)
* src: pf: merge extended support for SCTP and related stable changes
* src: e1000: merge assorted driver improvements for hardware capabilities
* src: bsdinstall: merge assorted stable changes
* src: tuntap: merge assorted stable changes
* src: wireguard: add netmap support
* ports: libxml 2.11.6 [\[2\]](https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS)
* ports: openssl 3.0.12 [\[3\]](https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md)
* ports: py-duckdb 0.9.2
* ports: suricata 7.0.2 [\[4\]](https://forum.suricata.io/t/suricata-7-0-2-released/4069)
Migration notes, known issues and limitations:
* Audits and certifications are requiring us to restrict system accounts for non-administrators (without wheel group in particular). It will no longer be able to use non-adminstrator accounts with shell access and permissions for sensitive files have been tightened to not be world-readable. This may cause custom tooling to stop working, but can easily be fixed by giving these required accounts the full administration rights.
* ISC DHCP functionality is slowly being deprecated with the introduction of Kea as an alternative. The work to replace the tooling of ISC DHCP is ongoing, but feature sets will likely differ for a long time therefore.
* The move to the FreeBSD ports version of OpenSSL 3.0 is included and may disrupt third party repository use until those have been fixed and rebuilt accordingly. Please note that we do not vet third party repositories and do not have control over them so their response time may vary.
* The Squid web proxy functionality moves to a plugin and will no longer be installed by default for new installations. However, if you have Squid enabled the plugin will automatically be installed during the upgrade. There is no code difference in the implementation and integration of the plugin compared to the core version.
The public key for the 24.1 series is:
\# -----BEGIN PUBLIC KEY-----
\# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArjthZplSNhbgab8VYDYl
\# jn3rNni+Fson28prwolUac0EHlu1e9ckM03BjYfRYUcpHRdNTglPr+likmgQ3K7j
\# 01oq0/H2krvXUbxUq8CQDYgHUM9QDBubdC06/oQ/S20YGHlHJ+odexUbLF0YvW04
\# RfzlEozBW0eUjc3LLYAvr1RwXoiZyB/Qit5bBC7No6fKIlCD9uZ3+7b1pO+Gjfq0
\# mPF01kE7P55Y9WqaEU9odS4xE+viGlj+k1+YZBsEWWzX+J3z5zGDhWcsWWskd92z
\# eMOUkJyVeiIWkW4draQ7CC0tJ4e+f/1PUkkLRfMMO55pGeunu3xwEgD4ALyD1A+y
\# 029sKMXF6OSWgDQDrxDOe4bA7RW4yUba3EhSz8UyAvL3HIKQ0OuOJaGYkRee9DBQ
\# DmCjIvPs6yCdAiuDbwO7V6RsH4k3yIONotST3qwf3sJXU3vvwsHi1n3ssccZBzw4
\# sKwQ1xQN1eIc5+At+OJ6bzkdb/vg+UrFUfuCknqxuxvwg99+3Wx6vvemW7yqIUY4
\# Vkhqs7WUZ0ucwo1zjLM12K4yS7kEQbOzHykYQzXXYxhzJIai+BZAJFytSER+Wl7Z
\# AyIioWGKwTD/WTEzyfK5svnSmosWlikagMhl3+XyF2cma1rPqOOyuFpcFhmV6nlR
\# vWhn568tDgJAyWqOCCHZqOMCAwEAAQ==
\# -----END PUBLIC KEY-----
Please let us know about your experience!
---
# 23.1 “Quintessential Quail” Series — OPNsense documentation
* [](../index.html)
* [Releases](../releases.html)
* [Community Edition](../CE_releases.html)
* 23.1 “Quintessential Quail” Series
* * *
23.1 “Quintessential Quail” Series[](#quintessential-quail-series "Permalink to this heading")
================================================================================================
For more than 8 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
23.1, nicknamed “Quintessential Quail”, features Unbound DNS statistics with a blocklist rewrite in Python, improved WAN SLAAC operability, firewall alias BGP ASN type support, PHP 8.1, assorted FreeBSD networking updates, MVC/API pages for packet capture/virtual IPs/IPsec connection management, IPsec configuration file migration to swanctl.conf, new sslh plugin, ddclient custom backend support (including Azure), WireGuard kernel module plugin variant as the new default plus much more.
Download links, an installation guide [\[1\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/23.1/](https://opnsense.c0urier.net/releases/23.1/)
* US East Coast: [https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/](https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/)
* South America: [http://mirror.ueb.edu.ec/opnsense/releases/23.1/](http://mirror.ueb.edu.ec/opnsense/releases/23.1/)
* East Asia: [https://mirror.ntct.edu.tw/opnsense/releases/23.1/](https://mirror.ntct.edu.tw/opnsense/releases/23.1/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
23.1.11 (June 28, 2023)[](#june-28-2023 "Permalink to this heading")
----------------------------------------------------------------------
So this is the end of life release for the 23.1 series which includes the recent FreeBSD advisories as well as plugin support for Zabbix 6.4.
We have finished the OpenVPN MVC “instances” for anyone who is interested in a preview using the current development release. FreeBSD 13.2 side looks ready so we will be releasing 23.7-RC1 some time in the second half of July. The final 23.7 release is scheduled for July 31. The upgrade path from 23.1 will be enabled shortly after the new major release, but can take up to 24 hours due to testing and mirror propagation. Please do not despair. ;)
Here are the full patch notes:
* system: add RADIUS authentication support for MSCHAPv2 using Crypt\_CHAP\_MSv2()
* system: propagate error in rc.syshook scripts
* dhcp: validate client hostnames in Dnsmasq/Unbound lease watchers
* firmware: automatic kernel upgrade after reboot like base and package stages
* firmware: sticky advanced mode if flavour is set to non-default
* intrusion detection: add missing typecast in getAlertLogsAction()
* mvc: fix locking regression that caused bulk changes to not being rendered correctly
* plugins: os-zabbix-agent plugin variant for Zabbix 6.4
* plugins: os-zabbix-proxy plugin variant for Zabbix 6.4
* src: axgbe: account for 4 SFP ports during GPIO expander check
* src: ipsec: make algorithm tables read-only
* src: mpr: fix copying of event\_mask [\[1\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-23:07.mpr.asc)
* src: pam\_krb5: fix spoofing vulnerability [\[2\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:04.pam_krb5.asc)
* src: loader: comconsole: do not unconditionally wipe out hw.uart.console [\[3\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-23:06.loader.asc)
* src: contrib/tzdata: import tzdata 2023c [\[4\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-23:05.tzdata.asc)
* src: ixgbe: change if condition for RSS and rxcsum
* src: pf: fix pf\_nv##\_array() size check
* src: e1000: fix VLAN 0
* ports: py-setuptools fix for CVE-2022-40897
A hotfix release was issued as 23.1.11\_1:
* firmware: enable upgrade path to 23.7
* ports: openssh 9.3p2 [\[5\]](https://www.openssh.com/txt/release-9.3p2)
A hotfix release was issued as 23.1.11\_2:
* unbound: enable migration of Unbound DNS reports
23.1.10 (June 22, 2023)[](#june-22-2023 "Permalink to this heading")
----------------------------------------------------------------------
As summer is approaching we release this minor update in preparation for the upcoming 23.7 series. We are planning the upgrade to FreeBSD 13.2 as well as offering an MVC variant of the OpenVPN integration amongst many other improvements some of which already shipped in previous 23.1.x releases.
There may be another kernel update before the final 23.7 arrives but that is for next week to decide. For now enjoy the sun and stay hydrated!
Here are the full patch notes:
* system: do not delete dpinger PID file
* system: improve RRD collector PID/service handling
* system: do not touch /var/run/booting if it exists (contributed by William Desportes)
* system: do a full transition on gateway group apply
* system: automatically create core dump with installed debug kernel
* interfaces: minor fixes in IP address status read
* interfaces: additions for legacy\_interface\_stats()
* interfaces: use interfaces\_primary\_address() during IPv4 renewal
* firewall: remove duplicate table definitions
* firewall: prevent VIP address adding /32 on IPv6 rule selection
* dhcp: fix IPv6 lease page undefined vars and other issues
* dhcp: share DUID parsing code via dhcpd\_parse\_duid()
* dhcp: revamp the prefix route handling also adding support for statically mapped downstream routers
* firmware: opnsense-update: move -K option to -x
* firmware: opnsense-update: support deferred kernel set install
* firmware: opnsense-update: use -w option with -a option in fetch(1)
* firmware: opnsense-update: ensure kernel directory consistency
* firmware: shift subscription key extract to “-x” option
* firmware: use post-upgrade hook and stage kernel as well for clean abort
* firmware: sort plugins before store
* monit: fix “not on” validation
* openvpn: fix typo in widget for client timestamp display
* web proxy: syslog parsing cleanup
* ui: remove noodp and noydir from HTML meta robots tag (contributed by William Desportes)
* plugins: os-crowdsec 1.0.6 [\[1\]](https://github.com/opnsense/plugins/blob/stable/23.1/security/crowdsec/pkg-descr)
* plugins: os-nginx 1.32.1 [\[2\]](https://github.com/opnsense/plugins/blob/stable/23.1/www/nginx/pkg-descr)
* ports: curl 8.1.2 [\[3\]](https://curl.se/changes.html#8_1_2)
* ports: krb5 1.21 [\[4\]](https://web.mit.edu/kerberos/krb5-1.21/)
* ports: nss 3.90 [\[5\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_90.html)
* ports: ntp 4.2.8p17 [\[6\]](https://www.ntp.org/support/securitynotice/)
* ports: openssl 1.1.1u [\[7\]](https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md)
* ports: openvpn 2.6.5 [\[8\]](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.5)
* ports: phalcon 5.2.2 [\[9\]](https://github.com/phalcon/cphalcon/releases/tag/v5.2.2)
* ports: php 8.1.20 [\[10\]](https://www.php.net/ChangeLog-8.php#8.1.20)
* ports: python 3.9.17 [\[11\]](https://docs.python.org/release/3.9.17/whatsnew/changelog.html)
* ports: squid 5.9 [\[12\]](http://www.squid-cache.org/Versions/v5/squid-5.9-RELEASENOTES.html)
* ports: strongswan upstream fix for VICI stalls [\[13\]](https://github.com/opnsense/core/issues/6308)
* ports: suricata 6.0.13 [\[14\]](https://suricata.io/2023/06/15/suricata-6-0-13-released/)
A hotfix release was issued as 23.1.10\_1:
* firewall: align rule validation with port forward validation
* plugins: os-nginx fix for missing load\_module directive after nginx update to 1.24
23.1.9 (May 31, 2023)[](#may-31-2023 "Permalink to this heading")
-------------------------------------------------------------------
A small update to improve stability with multiple delegated prefixes from DHCPv6 connectivity as well as proper “no binding” handling in the DHCPv6 client itself. Internally, the backend service has been refactored to allow for future additions, but no visible functionality changes have been done.
Still pretty happy with the IPsec connections MVC pages introduced in 23.1 so we would like to apply the same approach to OpenVPN for 23.7 and it is going to land in the next development version most likely for a sneak preview.
Here are the full patch notes:
* system: fix MVC service page with ID-based reload like OpenVPN
* system: fix issue with route add command for far gateway static route (contributed by Daniel Mason)
* system: improve static routes error handling
* system: fix a typo and align “attribute” use in gateway edit page
* system: pluginctl: service mode can now batch-reload services when existing ID is omitted
* firewall: simplify rule edit layout slightly and fix unused element ID
* dhcp: remove ::/64 magic as it uses AdvRouterAddr yes
* interfaces: deal with RENEW and REBIND only reporting partial PDINFO
* ipsec: support the default selector (\[dynamic\]) when local\_ts or remote\_ts are left empty in connections
* backend: improved nested command support, reorganise action types, use ActionFactory to offer the requested type
* backend: add “getUtcTime” template helper function
* ports: curl 8.1.1 [\[1\]](https://curl.se/changes.html#8_1_1)
* ports: dhcp6c 20230530
* ports: lighttpd 1.4.71 [\[2\]](https://www.lighttpd.net/2023/5/27/1.4.71/)
* ports: openssh 9.3p1 [\[3\]](https://www.openssh.com/txt/release-9.3)
* ports: sqlite 3.42.0 [\[4\]](https://sqlite.org/releaselog/3_42_0.html)
* ports: syslog-ng 4.2.0 [\[5\]](https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.2.0)
23.1.8 (May 25, 2023)[](#may-25-2023 "Permalink to this heading")
-------------------------------------------------------------------
This update improves IPv6 connectivity, extends module support for the axgbe network driver and fixes a panic with IPv6 refragmentation over policy-based routes amongst others.
We are currently testing FreeBSD 13.2 for the upcoming OPNsense 23.7 and it looks promising. Watch out for roadmap updates over the next few weeks as more MVC page conversions are being carried out.
Here are the full patch notes:
* system: calling return\_down\_gateways() depends on default gateway switch setting
* system: open new session if missing to prevent spurious CRSF errors in static pages
* system: add device hint to empty interface address message in case of mismatch during default route attempt
* system: add kernel messages to the general system log
* system: make sure routing log messages all use “ROUTING:” prefix
* system: print warning for duplicated gateway name
* system: prefix API key filename with FQDN of this host
* interfaces: deal with “prefixv6” as an array
* interfaces: improve address cleanup when handling VIP modifications
* interfaces: explicitly report current IP address during renewal avoidance
* interfaces: patch in appropriate rebind/renew DHCPv6 handling
* interfaces: for static “Use IPv4 connectivity” on PPPoE bring up IPv6 routes as well
* interfaces: ifctl: fix typo causing content to be printed while adding it
* interfaces: ifctl: avoid null route on fragile /64 prefix delegation
* interfaces: ifctl: do not flush name server routes
* firewall: add “set debug” and “set keepcounters” options to advanced options
* dhcp: provide run task “static\_mapping” to avoid polluting unrelated plugins
* dnsmasq: use new run task “static\_mapping” to collect static mappings from DHCP
* firmware: show support tiers in plugin list
* firmware: now that we have a full data model do not overdo cleanup during plugin registration
* intrusion detection: minor performance improvements when parsing metadata from rules
* openvpn: fix a warning by passing a desirable empty input containing a slash
* unbound: fix migration edge case in model version 1.0.3
* unbound: remove DNS blocklist start syshook causing an unnecessary download during bootup
* unbound: when called via GET during override creation encode using URLSearchParams()
* wizard: do not end up duplicating WAN\_GW entry
* mvc: add CIDRToMask() to utilities
* mvc: prevent config restore when writer has flushed or partly written the file
* mvc: format BaseModel logger to avoid duplicate timestamps
* plugins: os-crowdsec 1.0.5 [\[1\]](https://github.com/opnsense/plugins/blob/stable/23.1/security/crowdsec/pkg-descr)
* plugins: os-acme-client 3.17 [\[2\]](https://github.com/opnsense/plugins/blob/stable/23.1/security/acme-client/pkg-descr)
* src: axgbe: fix link issues for gigabit external SFP PHYs and 100/1000 fiber modules
* src: axgbe: apply RRC to miibus attached PHYs and add support for variable bitrate 25G SFP+ DACs
* src: axgbe: properly release resource in error case
* src: ifconfig: improve VLAN identifier parsing
* src: pfsync: hold b\_mtx for callout\_stop(pd\_tmo)
* src: pf: remove pd\_refs from pfsync
* src: pf: deal with KPI change bug on stable/13 by redirecting otherwise crashing traffic through ip6\_output()
* ports: curl 8.1.0 [\[3\]](https://curl.se/changes.html#8_1_0)
* ports: dhcp6c 20230523
* ports: lighttpd 1.4.70 [\[4\]](https://www.lighttpd.net/2023/5/10/1.4.70/)
* ports: nss 3.89.1 [\[5\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_89_1.html)
* ports: openvpn 2.6.4 [\[6\]](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.4)
* ports: php 8.1.19 [\[7\]](https://www.php.net/ChangeLog-8.php#8.1.19)
* ports: suricata 6.0.12 [\[8\]](https://suricata.io/2023/05/09/suricata-6-0-12-released/)
23.1.7 (May 04, 2023)[](#may-04-2023 "Permalink to this heading")
-------------------------------------------------------------------
Today we switch to OpenVPN 2.6 including deferred authentication which we know some people have been waiting for. The routing subsystem received a refactor to integrate default gateway switching into the actual routing code.
Suricata was finally updated to a newer release since the Netmap (IPS) stall bug inside their code had been found and fixed while we were still using an older code base that did not have the error.
Please also note that OpenVPN does no longer support the XOR feature due to FreeBSD ports blocking these types of out-of-project contributions and OpenVPN itself was never interested in supporting it natively. We have been keeping this alive since 2015, but several alternatives exist now that were not available back then.
Here are the full patch notes:
* system: restructure routing to carry out default gateway switching and address family specific reconfig
* system: prevent PHP session garbage collection from running early (contributed by lin-xianming)
* system: finish simplifying plugins\_run()
* firewall: add missing scrub rules in dependency check for alias use
* firewall: usability improvements and cleanups in scheduler pages (contributed by kuya1284)
* interfaces: ensure single PPP netgraph node has the proper name
* interfaces: reject invalid self-assignments in VLAN parent
* interfaces: migrate trace route page to MVC/API
* interfaces: migrate port probe page to MVC/API
* interfaces: remove indirection in PPP ports handling
* interfaces: exclude a few cases from PPPoEv6 negotiation
* reporting: fix incorrect interface index in NetFlow init (contributed by Nicolas Thumann)
* dhcp: restart radvd on config changes, otherwise keep SIGHUP
* dhcp: when cleaning up static leases do not remove entries where only a MAC address is set
* firmware: update size requirements for major upgrades from command line
* firmware: embed build metadata into package annotations for use in runtime remote queries
* firmware: fix execution of version queries when not possible
* firmware: revoke 22.7 fingerprint
* openvpn: fix two widget display issues
* openvpn: use CARP INIT state the same way as BACKUP state for client start/stop
* openvpn: enable deferred authentication (sponsored by m.a.x. it)
* unbound: minor improvements to handle “Dot” endpoints ambiguity
* web proxy: allow more signs for username and password (contributed by Bi0T1N)
* mvc: change Phalcon logging to omit type and date
* mvc: add strict option to NetworkField
* ui: prevent crashing out when endpoint does not return data for SimpleActionButton
* plugins: os-ddclient 1.13 [\[1\]](https://github.com/opnsense/plugins/blob/stable/23.1/dns/ddclient/pkg-descr)
* plugins: os-stunnel fix for missing OpenSSL CRL functions
* plugins: os-smart fix for highlighting result (contributed by Justin Horton)
* ports: libxml 2.10.4 [\[2\]](https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS)
* ports: openvpn 2.6.3 [\[3\]](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.3)
* ports: sqlite 3.41.2 [\[4\]](https://sqlite.org/releaselog/3_41_2.html)
* ports: suricata 6.0.11 [\[5\]](https://suricata.io/2023/04/13/suricata-6-0-11-released/)
* ports: syslog-ng 4.1.1 [\[6\]](https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.1.1)
A hotfix release was issued as 23.1.7\_3:
* system: fix a typo in monitor script preventing filter/routes reconfiguration
* system: improve monitor alarm situation by not reloading monitors
* openvpn: force the interface down before reconfiguration to work around a probable regression
23.1.6 (April 20, 2023)[](#april-20-2023 "Permalink to this heading")
-----------------------------------------------------------------------
Two major improvements being shipped today are standalone core DNS support for Bind and Dnscrypt-Proxy plugins as well as OpenVPN group firewall alias type. The latter makes it easier to manage distinct policies for connected VPN users. For more details please refer to the documentation listed below.
The other honorable mention is the netmap work we have been doing with Zenarmor and Klara on the FreeBSD kernel side which brings bridge device support as well as a considerable improvement to the emulated mode where several packet stalls and mbuf leaks have been identified and subsequently fixed. This should have an operational impact on Suricata (IPS mode) and Zenarmor. The state is much better now but please do not hesitate to contact us about issues that you might still be having with netmap-based packet flows as the topic is a rather complex one.
Orange FR users be aware that your ISP now requires strict VLAN PCP on all DHCPv4 requests so please now set ‘Use VLAN priority’ interface setting for both DHCPv4 and DHCPv6. The ‘Option Modifiers’ override for “vlan-pcp” in DHCPv4 can be removed.
Here are the full patch notes:
* system: register DNS service ports for unified use across core and plugins
* system: serialize deferred requests for web GUI restart
* system: relocate API messages to backend log target as they currently end up in captive portal logs
* system: remove /31 subnet restriction in wizard
* system: use data attribute to find existing rows in service widget to avoid special character issues (contributed by Alexander O’Mara)
* system: allow non-system group delete after faulty PHP 8 warning fix (contributed by kulikov-a)
* system: handle empty DNS server gateway (contributed by Nicolas Thumann)
* reporting: translate invalid interface name characters for NetFlow/Netgraph use
* reporting: sort interfaces by description in health graphs
* interfaces: ping diagnostic tool was rewritten using MVC/API
* interfaces: allow to set PCP value on IPv4 DHCP traffic to address recent Orange FR changes
* firewall: allow to create aliases for logged-in OpenVPN users [\[1\]](https://docs.opnsense.org/manual/aliases.html#openvpn-group)
* firewall: leave out fractional seconds from timestamps in aliases
* firewall: fix progress bar default value (contributed by Nicolas Thumann)
* dhcp: fix too many addresses issue in radvd RDNSS setting
* dhcp: add missing double quotes in hostname handling
* firmware: remove flavouring support from update tools
* ipsec: pull data for dashboard widget exclusively from backend
* ipsec: move XAuth out of “IKE Extensions” block
* ipsec: add connection child as option for manual SPDs
* ipsec: another small GUI fix for basic log option in advanced settings
* openvpn: fix dashboard widget and add missing byte data to status call
* plugins: os-bind 1.26 [\[2\]](https://github.com/opnsense/plugins/blob/stable/23.1/dns/bind/pkg-descr)
* plugins: os-crowdsec 1.0.4 [\[3\]](https://github.com/opnsense/plugins/blob/stable/23.1/security/crowdsec/pkg-descr)
* plugins: os-ddclient 1.12 [\[4\]](https://github.com/opnsense/plugins/blob/stable/23.1/dns/ddclient/pkg-descr)
* plugins: os-dnscrypt-proxy 1.13 [\[5\]](https://github.com/opnsense/plugins/blob/stable/23.1/dns/dnscrypt-proxy/pkg-descr)
* plugins: os-nginx 1.32 [\[6\]](https://github.com/opnsense/plugins/blob/stable/23.1/www/nginx/pkg-descr)
* plugins: os-upnp now allows subnet mask 0 in rules (contributed by Reiko Asakura)
* src: bridge: add support for emulated netmap mode [\[7\]](https://github.com/opnsense/src/commit/eebd4b140f)
* src: epair: also remove vlan metadata from mbufs
* src: ifconfig: fix configuring if\_bridge with additional operating parameters
* src: netmap: fix queue stalls with generic interfaces [\[8\]](https://github.com/opnsense/src/commit/cc92d78fa5)
* src: netmap: assorted upstream stable patches
* src: sched\_ule: assorted fixes to address issues on newer AMD platforms
* ports: curl 8.0.1 [\[9\]](https://curl.se/changes.html#8_0_1)
* ports: ifinfo now also prints interface index (contributed by Nicolas Thumann)
* ports: php 8.1.18 [\[10\]](https://www.php.net/ChangeLog-8.php#8.1.18)
23.1.5 (March 29, 2023)[](#march-29-2023 "Permalink to this heading")
-----------------------------------------------------------------------
This moves MVC/API migration a bit further and fixes the radvd restart behaviour using SIGHUP which caused issues with the initial 23.1.4. Unbound gained wildcard domain blocking and its backend was further refactored and improved upon.
Here are the full patch notes:
* system: timezone parsing issue for zones west of UTC using “-“
* system: migrate services page and widget to MVC/API
* system: move web GUI service definition to correct file
* system: add service\_by\_filter() service search extension
* system: pin down the auto-far gateway selection and routing log adjustments
* system: prevent applying tunables which are already set
* firewall: refactor alias update scripts
* dhcp: bring back the SIGHUP handling of radvd due to fix upstream
* ipsec: replace status call with portable alternative
* network time: migrate service status to PID file
* openvpn: fix client output for widget (contributed by kulikov-a)
* openvpn: migrate connection status page and widget to MVC/API
* unbound: replace status call with portable alternative
* unbound: bring back missing advanced page ACL entry
* unbound: implement wildcard blocking and refactor DNSBL module
* unbound: account for CNAME redirection in DNSBL module
* unbound: prevent logging SERVFAIL twice in DNSBL module
* unbound: allow scripts to extend blocklist functionality
* mvc: add MaskPerItem toggle to allow regex validation per entry in CSVListField
* ui: add a fail() handler to disable action button spinner
* plugins: os-frr 1.33 [\[1\]](https://github.com/opnsense/plugins/blob/stable/23.1/net/frr/pkg-descr)
* src: pfsync: fix pfsync\_undefer\_state() locking
* src: pfsync: add missing unlock in pfsync\_defer\_tmo()
* src: epair: merged assorted fixes
* ports: openssl fix for CVE-2023-0464
* ports: radvd fix for SIGHUP behaviour
A hotfix release was issued as 23.1.5\_2:
* firewall: ignore empty lines when reading current alias content using pfctl
* network time: revert PID file use as it is still unreliable with ntpd
A hotfix release was issued as 23.1.5\_4:
* openvpn: fix typo in widget missing virtual address display
* unbound: translate empty values to empty strings in DNSBL module
23.1.4 (March 21, 2023)[](#march-21-2023 "Permalink to this heading")
-----------------------------------------------------------------------
Another stable update to fix a StrongSwan regression and two OpenVPN incompatibilities introduced prior. We have also improved the service handling code in multiple areas, fixed issues like the VIP migration problem with IP alias on a CARP VIP and improved/simplified the firmware settings now that cryptography flavours no longer exist.
Here are the full patch notes:
* system: address a number of web GUI startup problems
* system: service handling refactor, tweaks and improvements
* system: rework killbypid()/killbyname() behaviour
* system: use system\_resolver\_configure() everywhere
* reporting: simplify state collection for system-states.rrd
* interfaces: fix an issue with a batch killbyname() in static ARP case
* interfaces: make sure output buffering is disabled when downloading a packet capture
* interfaces: lock gateway save button while the request is being processed
* interfaces: fix IP alias with VHID validation issue
* dhcp: several plumbing improvements in service handling
* dnsmasq: remove now unused host configuration and refactor
* firmware: responsiveness fix (contributed by kulikov-a)
* firmware: move settings handling to full-fledged model
* firmware: add advanced/help toggles, cancel button, subscription errors
* monit: add permanent include statement for custom configuration files (contributed by codiflow)
* openvpn: add ovpn\_status.py script and configd action to fetch connected clients
* openvpn: reintroduce “cipher” keyword for older clients
* openvpn: add missing static-challenge parsing for auth framework introduced in 23.1.3
* unbound: adhere to restart logic during hosts configure and wait for service to start
* unbound: add infra-keep-probing advanced option
* unbound: lowercase domain for case insensitive search in blocklists
* mvc: fix PHP warnings and dance around null/0.0.0 ambiguity in migration code
* plugins: os-api-backup 1.1 [\[1\]](https://github.com/opnsense/plugins/blob/stable/23.1/sysutils/api-backup/pkg-descr)
* plugins: os-theme-cicada 1.34 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.27 (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.45 (contributed by Team Rebellion)
* ports: curl 7.88.1 [\[2\]](https://curl.se/changes.html#7_88_1)
* ports: nss 3.89 [\[3\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_89.html)
* ports: php 8.1.17 [\[4\]](https://www.php.net/ChangeLog-8.php#8.1.17)
* ports: py-vici 5.9.10
* ports: squid 5.8 [\[5\]](http://www.squid-cache.org/Versions/v5/squid-5.8-RELEASENOTES.html)
* ports: strongswan EAP-TLS upstream fix [\[6\]](https://github.com/opnsense/core/issues/6415)
A hotfix release was issued as 23.1.4\_1:
* dhcp: revert sending HUP to radvd for restart
23.1.3 (March 09, 2023)[](#march-09-2023 "Permalink to this heading")
-----------------------------------------------------------------------
This update was not planned as such, but an Sqlite compile change in FreeBSD ports required a clean rebuild so instead of a hotfix we are shipping this tiny stable update.
Here are the full patch notes:
* firewall: fix mismatch of options in new automatic listing of floating rules in interface rules
* ipsec: “Allow any remote gateway to connect” should suffix all in order to connect to the other end
* ipsec: store proper log values in advanced settings
* ipsec: add a routing hook and execute it for all VTI devices during reconfiguration
* ports: phpseclib 3.0.19 [\[1\]](https://github.com/phpseclib/phpseclib/releases/tag/3.0.19)
* ports: sqlite backs out disabling DQS option which broke software on multiple ends
* ports: sudo 1.9.13p3 [\[2\]](https://www.sudo.ws/stable.html#1.9.13p3)
A hotfix release was issued as 23.1.3\_4:
* firewall: fix rule display of inverted aliases
* firmware: add stub for previously removed -f option in opnsense-version
23.1.2 (March 07, 2023)[](#march-07-2023 "Permalink to this heading")
-----------------------------------------------------------------------
This is mainly a reliability update with fixes in assorted subsystems. Of note is the OpenVPN authentication framework rewrite in order to take advantage of the upcoming OpenVPN 2.6 deferred authentication feature and the fix for DHCP renew behaviour that was reported on 23.1.
The roadmap for 23.7 was published, but at this point mainly consists of MVC/API porting efforts for existing static pages. While the rewrite is not strictly necessary from a user perspective it will move us a lot closer to our mission goal to introduce privilege separation and to provide an API for all components.
Here are the full patch notes:
* system: use singleton boot detection everywhere
* system: protect against more stray scripts on boot
* system: several shell\_safe() conversions
* system: when applying auto-far default route make sure the local address is not empty
* system: refactor system\_default\_route() to prevent empty $gateway
* system: create system\_resolver\_configure() and cron job support
* system: add simple script and configd action to list current group membership (configctl auth list groups)
* system: prevent alias reload in routing reconfiguration like we do in rc.syshook monitor reload
* interfaces: protect against empty GIF host route
* interfaces: fix parsing of device names with a dot in packet capture
* interfaces: force newip calls through DHCP/PPP/OVPN on IPv4
* interfaces: force newip calls through DHCP/PPP on IPv6
* firewall: fix NAT dropdowns ignoring VIPs
* firewall: fix validation of alias names such as “A\_BC”
* firewall: show all applicable floating rules when inspecting interface rules
* firewall: prevent networks from being sent to DNS resolver in update\_tables.py
* reporting: make all status mapping colors configurable for themes in the Unbound DNS page
* dnsmasq: add dns\_forward\_max, cache\_size and local\_ttl options to GUI (contributed by Dr. Uwe Meyer-Gruhl)
* firmware: remove retired LibreSSL flavour handling and annotations
* ipsec: reqid should not be provided on mobile sessions
* ipsec: validate pool names on connections page
* ipsec: allow “@” character in all other eap\_id fields for new connections
* ipsec: add connection data to XMLRPC sync
* ipsec: “Dynamic gateway” (rightallowany) option should be translated to 0.0.0.0/0,::/0
* network time: remove “disable monitor” to get rid of log warnings (contributed by Dr. Uwe Meyer-Gruhl)
* openvpn: replace authentication handler to prepare for upcoming OpenVPN 2.6 with deferred authentication
* openvpn: rename -cipher option to –data-ciphers-fallback and adjust GUI accordingly
* unbound: fix typo in logger and create a pipe early in dnsbl\_module.py (contributed by kulikov-a)
* unbound: fix type cast to prevent unnecessary updateBlocklist action
* unbound: add missing blocklist
* ui: solve deprecation in PHP via html\_safe() wrapper
* wizard: unbound hardened DNSSEC setting moved
* plugins: os-acme-client 3.16 [\[1\]](https://github.com/opnsense/plugins/blob/stable/23.1/security/acme-client/pkg-descr)
* plugins: os-crowdsec 1.0.2 [\[2\]](https://github.com/opnsense/plugins/blob/stable/23.1/security/crowdsec/pkg-descr)
* plugins: os-rfc2136 1.8 [\[3\]](https://github.com/opnsense/plugins/blob/stable/23.1/dns/rfc2136/pkg-descr)
* plugins: os-theme-cicada 1.33 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.26 (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.44 (contributed by Team Rebellion)
* src: fix multiple OpenSSL vulnerabilities [\[4\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:03.openssl.asc)
* src: pfsync: support deferring IPv6 packets
* src: pfsync: add missing bucket lock
* src: pfsync: ensure ‘error’ is always initialised
* ports: filterlog 0.7 fixes unknown TCP option print
* ports: lighttpd 1.4.69 [\[5\]](https://www.lighttpd.net/2023/2/10/1.4.69/)
* ports: monit 5.33.0 [\[6\]](https://mmonit.com/monit/changes/)
* ports: nss 3.88.1 [\[7\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_88_1.html)
* ports: openldap 2.6.4 [\[8\]](https://www.openldap.org/software/release/changes.html)
* ports: openssh 9.2p1 [\[9\]](https://www.openssh.com/txt/release-9.2)
* ports: php 8.1.16 [\[10\]](https://www.php.net/ChangeLog-8.php#8.1.16)
* ports: phalcon 5.2.1 [\[11\]](https://github.com/phalcon/cphalcon/releases/tag/v5.2.1)
* ports: sqlite 3.41.0 [\[12\]](https://sqlite.org/releaselog/3_41_0.html)
* ports: strongswan 5.9.10 [\[13\]](https://github.com/strongswan/strongswan/releases/tag/5.9.10)
* ports: sudo 1.9.13p2 [\[14\]](https://www.sudo.ws/stable.html#1.9.13p2)
23.1.1 (February 15, 2023)[](#february-15-2023 "Permalink to this heading")
-----------------------------------------------------------------------------
Apart from security updates for operating system and third party software this mainly fixes issues with the initial 23.1 release. IPsec and Unbound components in particular receive a number of improvements being the more prominent areas of work for this series. Unbound also gained a SafeSearch option and the new reporting database CPU usage should be much lower and easier to use.
Overall we are happy with how the major release turned out and look forward to further fixes in e.g. Netmap framework including Suricata changes for multi-threading support which has been in the works for a long time. OpenVPN 2.6 update and related changes are also pending at the moment.
The roadmap for 23.7 will be published soon and will again include a number of MVC/API conversions for static components. Statistics do indicate that we are over 60% done with converting the code base to a modern framework as compared to early 2015 which is now already over 8 years ago!
Here are the full patch notes:
* system: replace single exec\_command() with new shell\_safe() wrapper
* system: fix assorted PHP 8.1 deprecation notes
* system: remove overreaching “Reconfigure a plugin facility” cron job and backend command that has no visible users
* interfaces: fix VLAN rename after protocol addition in 23.1
* interfaces: fix VLAN missing a config lock on delete
* interfaces: make description field show for all types of VIP (contributed by FingerlessGloves)
* interfaces: allow VHID reuse as it was before 23.1
* firewall: prevent possible infinite loop in alias parsing (contributed by kulikov-a)
* firewall: do not calculate local port range for alias (contributed by kulikov-a)
* firewall: update validation of alias names to be slightly more restrictive
* firewall: safeguard download\_geolite() and log errors
* firewall: do not switch gateway on bootup
* captive portal: enforce a database repair during operation if necessary
* firmware: move single-call function to reporter page
* intrusion detection: properly reset metadata response when no metadata is found
* ipsec: allow “@” character in eap\_id fields for new connections
* ipsec: missing remapping pool UUID to name for new connections
* ipsec: change status column sizing and hide local/remote auth by default
* ipsec: fix username parsing in lease status
* ipsec: refactor widget to use new data format
* ipsec: migrate duplicated cron job
* ipsec: faulty unique constraint in pre-shared keys
* ipsec: fix eap\_id placement for eap-mschapv2
* unbound: simplify logger logic for required queries
* unbound: add SafeSearch option to blocklists
* unbound: match white/blocklist action exactly from reporting page
* unbound: always prioritize whitelists over blocklists
* unbound: various UX improvements in reporting page
* unbound: add serve-expired, log-servfail, log-local-actions and val-log-level advanced settings
* unbound: drop unnecessary index from reporting database and other optimizations to lower CPU usage
* unbound: add HTTPS record type to reporting
* unbound: remember reporting page logarithmic setting
* unbound: missing global so that cache is never flushed when requested
* mvc: cleanse $record input in searchRecordsetBase() before usage
* plugins: os-haproxy 4.1 [\[1\]](https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr)
* plugins: os-openconnect 1.4.4 [\[2\]](https://github.com/opnsense/plugins/blob/stable/23.1/security/openconnect/pkg-descr)
* plugins: os-qemu-guest-agent 1.2 [\[3\]](https://github.com/opnsense/plugins/blob/stable/23.1/emulators/qemu-guest-agent/pkg-descr)
* plugins: os-tayga fixes MVC interface registration
* plugins: os-wireguard fixes MVC interface registration
* src: geli: split the initalization of HMAC [\[4\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:01.geli.asc)
* src: fix ena driver crash after reset in 7th gen AWS instance types [\[5\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-23:03.ena.asc)
* src: fix sdhci broken write-protect settings [\[6\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-23:02.sdhci.asc)
* src: import tzdata 2022g [\[7\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-23:01.tzdata.asc)
* src: ipsec: clear pad bytes in PF\_KEY messages
* src: fib\_algo: set vnet when destroying algo instance
* src: if\_ipsec: handle situations where there are no policy or SADB entry for if
* src: if\_ipsec: protect against user supplying unknown address family
* src: if\_me: use dedicated network privilege
* src: vxlan: add support for socket ioctls SIOC\[SG\]TUNFIB
* src: introduce and use the NET\_EPOCH\_DRAIN\_CALLBACKS() macro
* src: iflib: add null check to iflib\_stop()
* src: x86: ignore stepping for APL30 errata
* src: pfctl: rule.label is a two-dimensional array
* src: pf: fix syncookies in conjunction with tcp fast port reuse
* src: pf: fix panic on deferred packets
* src: ipfw: add missing ‘va’ code point name
* src: netmap: try to count packet drops in emulated mode
* src: netmap: fix a queue length check in the generic port rx path
* src: netmap: tell the compiler to avoid reloading ring indices
* ports: remove GnuTLS workarounds from ports previously required for LibreSSL
* ports: dnsmasq 2.89 [\[8\]](https://www.thekelleys.org.uk/dnsmasq/CHANGELOG)
* ports: dpinger 3.3 [\[9\]](https://github.com/dennypage/dpinger/releases/tag/v3.3)
* ports: lighttpd 1.4.68 [\[10\]](https://www.lighttpd.net/2023/1/3/1.4.68/)
* ports: openssh 9.1p1 [\[11\]](https://www.openssh.com/txt/release-9.1)
* ports: openssl 1.1.1t [\[12\]](https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md)
* ports: php 8.1.15 [\[13\]](https://www.php.net/ChangeLog-8.php#8.1.15)
A hotfix release was issued as 23.1.1\_2:
* captive portal: remove mod\_evasion use which was discontinued by lighttpd
* unbound: wait for pipe in logger (contributed by kulikov-a)
Rate limiting was removed from the captive portal which was set to 250 connections by the same IP to the captive portal itself. This can be easily replaced by a manual firewall rule with advanced options set, e.g. “Max established” set to 250 with destination “This Firewall”.
23.1 (January 26, 2023)[](#january-26-2023 "Permalink to this heading")
-------------------------------------------------------------------------
For more than 8 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
23.1, nicknamed “Quintessential Quail”, features Unbound DNS statistics with a blocklist rewrite in Python, improved WAN SLAAC operability, firewall alias BGP ASN type support, PHP 8.1, assorted FreeBSD networking updates, MVC/API pages for packet capture/virtual IPs/IPsec connection management, IPsec configuration file migration to swanctl.conf, new sslh plugin, ddclient custom backend support (including Azure), WireGuard kernel module plugin variant as the new default plus much more.
Download links, an installation guide [\[1\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/23.1/](https://opnsense.c0urier.net/releases/23.1/)
* US East Coast: [https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/](https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/)
* South America: [http://mirror.ueb.edu.ec/opnsense/releases/23.1/](http://mirror.ueb.edu.ec/opnsense/releases/23.1/)
* East Asia: [https://mirror.ntct.edu.tw/opnsense/releases/23.1/](https://mirror.ntct.edu.tw/opnsense/releases/23.1/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
Here are the full patch notes against 22.7.11:
* system: replaced log\_error() use with log\_msg() and adjusted logging levels accordingly
* system: introduced a service boot log
* system: the LibreSSL flavour has been discontinued
* system: simplify gateway monitoring setup code
* system: add option to skip gateway monitor host route
* system: populate /etc/hosts file with IPv6 addresses too
* system: simplify and guard host route creation
* system: merge system\_staticroutes\_configure() into system\_routing\_configure()
* system: do not yield process after calling shutdown command
* system: apply tunables during late boot in case a module was loaded depending on them to be set to a specific value
* system: show size of ZFS ARC (adaptive replacement cache) in system widget
* system: introduce support tier annotations for core and plugins [\[2\]](https://docs.opnsense.org/support.html)
* system: add cron tasks for scrubbing and trimming ZFS pools (contributed by Iain Henderson)
* system: fix 6rd/6to4 gateway interface detection (contributed by Frans J Elliott)
* reporting: add Unbound DNS statistics frontend including client drill-down
* interfaces: heavy cleanup of the wireless device integration
* interfaces: use 802.1ad protocol for stacked VLAN parent (QinQ)
* interfaces: GIF and GRE now support subnet-based IPv6 configurations instead of always falling back to a point-to-point (/128) setup
* interfaces: GIF and GRE now disable IPv6 on IPv4 tunnels (contributed by Maurice Walker)
* interfaces: add isolated PPPoEv6 mode to selectively enable IPv6 CP negotiation and turn it off when no IPv6 mode is set
* interfaces: add support for SLAAC WAN interfaces without DHCPv6 (contributed by Maurice Walker)
* interfaces: register LAGG, PPP, VLAN and wireless devices as plugins
* interfaces: simplified get\_real\_interface() function
* interfaces: removed obsolete “defaultgw” files
* interfaces: simplified rc.linkup script
* interfaces: improve IP address cache behaviour in rc.newwanip(v6) scripts
* interfaces: converted virtual IPs to MVC/API
* interfaces: add MAC filtering to packet capture
* interfaces: convert ARP/NDP pages to server-side searchable variant
* interfaces: create null route for DHCPv6 delegated prefix
* interfaces: tighten the concept of hardware interfaces and pull supported plugin devices into assignments page automatically
* firewall: remove deprecated “Dynamic state reset” mechanic
* firewall: invalidate port forward rule entry when no target is specified
* firewall: hide deprecated source OS rule setting under advanced
* firewall: add group option to prevent grouping in interfaces menu
* firewall: safeguard against missing name from the alias API call
* intrusion detection: keep grid to prevent widgets being removed
* intrusion detection: reload grid after log drop (contributed by kulikov-a)
* intrusion detection: add verbose logging mode selector
* ipsec: disable charon.install\_routes completely in case upstream would implement it for FreeBSD later on
* ipsec: move user PSK (pre-shared key) and static PSK items to new MVC/API implementation
* ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
* ipsec: add a new independent connections MVC/API component to manage IPsec in a layout matching swanctl.conf syntax more closely
* ipsec: rewrote lease status page in MVC/API
* ipsec: add configurable “unique” setting to phase 1
* ipsec: missing correct phase 1 to collect “Network List” option
* monit: support start timeout setting (contributed by spoutin)
* openvpn: add unique daemon name to each instance
* unbound: add statistics database backend
* unbound: add exact domain blocking
* mvc: call plugins\_interfaces() optionally on service reconfigure
* mvc: match UUID for multiple values (contributed by kulikov-a)
* mvc: convert setBase() to an upsert operation
* mvc: change default sorting to case-insensitive
* mvc: add TextField tests (contributed by agh1467)
* mvc: implement required getRealInterface() variant
* ui: assorted improvements in bootgrid and form controls
* ui: switch to pure JSON data in bootgrids
* plugins: os-bind 1.25 [\[3\]](https://github.com/opnsense/plugins/blob/stable/23.1/dns/bind/pkg-descr)
* plugins: os-ddclient 1.11 [\[4\]](https://github.com/opnsense/plugins/blob/stable/23.1/dns/ddclient/pkg-descr)
* plugins: os-dyndns end of life note moves to 23.7
* plugins: os-freeradius 1.9.22 [\[5\]](https://github.com/opnsense/plugins/blob/stable/23.1/net/freeradius/pkg-descr)
* plugins: os-frr 1.32 [\[6\]](https://github.com/opnsense/plugins/blob/stable/23.1/net/frr/pkg-descr)
* plugins: os-haproxy 4.0 [\[7\]](https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr)
* plugins: os-puppet-agent 1.1 [\[8\]](https://github.com/opnsense/plugins/blob/stable/23.1/sysutils/puppet-agent/pkg-descr)
* plugins: os-sslh 1.0 [\[9\]](https://github.com/opnsense/plugins/blob/stable/23.1/net/sslh/pkg-descr)
(contributed by agh1467)
* plugins: os-theme-cicada 1.32 (contributed by Team Rebellion)
* plugins: os-upnp 1.5 [\[10\]](https://github.com/opnsense/plugins/blob/stable/23.1/net/upnp/pkg-descr)
* plugins: os-wireguard switches to kernel module with a separate os-wireguard-go variant available for installation to keep the old behaviour
* src: assorted FreeBSD 13 stable fixes for e.g. bpf, bridge, bsdinstall ifconfig, iflib, ipfw, ipsec, lagg, netmap, pf, route and vlan components
* ports: php 8.1.14 [\[11\]](https://www.php.net/ChangeLog-8.php#8.1.14)
* ports: sudo 1.9.12p2 [\[12\]](https://www.sudo.ws/stable.html#1.9.12p2)
A hotfix release was issued as 23.1\_6:
* system: incorrect link to CARP status page on dashboard widget
* reporting: bail DNS resolve in traffic graphs when resolver is not configured
* captive portal: for static MAC assignments make sure that the IP address actually changed before updating it
* ipsec: missing a bracket for aggressive mode selection
* ipsec: mute a spurious boot warning
* ipsec: myid may be be optional
* plugins: os-bind fix plugin directory path
* plugins: os-ddclient minor PHP fix
* plugins: os-frr allow restart via cron
* plugins: os-nut wrong user for latest port
* plugins: os-upnp typo in log level
* plugins: os-wireguard service widget fix
Migration notes, known issues and limitations:
* LibreSSL flavour has been discontinued. Switch to OpenSSL flavour to proceed with the upgrade.
* StrongSwan IPsec configuration now uses the preferred swanctl.conf instead of the deprecated ipsec.conf which could lead to connectivity issues in ambiguous cases. Subtle bugs cannot be ruled out as well so please raise an issue on GitHub to be able to investigate each case.
* The new IPsec connections pages and API create an independent set of connections following the design of swanctl.conf. Legacy tunnel settings cannot be managed from the API and are not migrated.
The public key for the 23.1 series is:
\# -----BEGIN PUBLIC KEY-----
\# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4J0k7cPtunUYiR4vbRof
\# AiNTnkkByaWpjTeKneR/CBAaImUxpED5EnFprwM0mm4BX3Vqkf1KYQtRSawNxeXz
\# NiPT5Ykv0Vus0tYafBzIPsOCdUz/gtuJmtjih0uNvFSdwDRNE42MpX2RFeTm652H
\# fNE5Rxv23liLYdm3RNDFcM7tJEMs+zr01Lrn3McDv4OUACl3YTwFKS1BJGkBqpDI
\# gX1HsJMz934zNItrLxj6B2tDIR4oGrqowzW+1owT4+a8EoaimY48RAb8AUWezAZu
\# tQcGQ0wuZ8qy2WClYvrogsmAEUpfv1Y0YcSfpdxopOx4KyE0KEzAooRF95iFLu94
\# PODk1oPTr0N9qXn7XsLkpaufk+EpNecZSvbqrj3IWMyCLEBO60YuFpcFFI6SVJBC
\# i5OG7JVQaE8hu4CY50tMOO0M54umM8lPIOW8AuIH2PlmQWJ4tPb7j8HHnV1cM1Sf
\# Ha/EAJQlKEEyj4hbzSb6aKATv++qvh4jwgADsTsDtbCrtxrcBV7i+iLUM7DdxrPZ
\# QnLELdJPjyFxtClzi4Tf1svrF5K6NGd/nJQ1pLSkM64dKPA0iTiMMzjQMHnN8++G
\# UdhRzswRZ/BtB8ha1ZRRvnEHe+tcEtsXFZZSTgcR60lXlZzPY/0h+xfbgOApYlqq
\# MIMJsdvZkuxYrGQ5eL2nk0UCAwEAAQ==
\# -----END PUBLIC KEY-----
\# SHA256 (OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2) = f25c10113ef1ea13c031fc6102f8e6caf73a7296b12bcc287670026cab29c7c7
\# SHA256 (OPNsense-23.1-OpenSSL-nano-amd64.img.bz2) = 74ec824288adde409074f6855cb0110b860d0b28c33fbd6a30f12473a5e97d54
\# SHA256 (OPNsense-23.1-OpenSSL-serial-amd64.img.bz2) = 2b0ea23de4d09eed952f074e561d55b06b5d323bf9d68a2eae34c3118c304318
\# SHA256 (OPNsense-23.1-OpenSSL-vga-amd64.img.bz2) = 13b9f31651aa165862965566238eaecf66563a3b037fb7f8912a6d0440170bdb
23.1.r2 (January 19, 2023)[](#r2-january-19-2023 "Permalink to this heading")
-------------------------------------------------------------------------------
Only a small number of fixes and the usual third party updates.
Still on track for January 26. See you then…
Here are the full patch notes:
* system: introduce support tier annotations for core and plugins
* system: add cron tasks for scrubbing and trimming ZFS pools (contributed by Iain Henderson)
* system: fix 6rd/6to4 gateway interface detection (contributed by Frans J Elliott)
* interfaces: further simplify get\_real\_interface()
* interfaces: correct PPPoEv6 device lookup
* reporting: add Unbound DNS drill-down for client graph
* mvc: implement required getRealInterface() variant
* plugins: os-haproxy 4.0 [\[1\]](https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr)
* ports: curl 7.87.0 [\[2\]](https://curl.se/changes.html#7_87_0)
* ports: nss 3.87 [\[3\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html)
* ports: pcre 10.42 [\[4\]](https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.42)
* ports: phalcon 5.1.4 [\[5\]](https://github.com/phalcon/cphalcon/releases/tag/v5.1.4)
* ports: php 8.1.14 [\[6\]](https://www.php.net/ChangeLog-8.php#8.1.14)
* ports: strongswan 5.9.9 [\[7\]](https://github.com/strongswan/strongswan/releases/tag/5.9.9)
* ports: unbound 1.17.1 [\[8\]](https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1)
23.1.r1 (January 13, 2023)[](#r1-january-13-2023 "Permalink to this heading")
-------------------------------------------------------------------------------
For more than 8 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3
Download links, an installation guide [\[1\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/23.1/](https://opnsense.c0urier.net/releases/23.1/)
* US East Coast: [https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/](https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/)
* South America: [http://mirror.ueb.edu.ec/opnsense/releases/23.1/](http://mirror.ueb.edu.ec/opnsense/releases/23.1/)
* East Asia: [https://mirror.ntct.edu.tw/opnsense/releases/23.1/](https://mirror.ntct.edu.tw/opnsense/releases/23.1/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
Here are the full patch notes against 22.7.10:
* system: replaced log\_error() use with log\_msg() and adjusted logging levels accordingly
* system: introduced a service boot log
* system: the LibreSSL flavour has been discontinued
* system: simplify gateway monitoring setup code
* system: add option to skip gateway monitor host route
* system: populate /etc/hosts file with IPv6 addresses too
* system: simplify host route creation
* system: merge system\_staticroutes\_configure() into system\_routing\_configure()
* system: do not yield process after calling shutdown command
* system: apply tunables during late boot in case a module was loaded depending on them to be set to a specific value
* system: show size of ZFS ARC (adaptive replacement cache) in system widget
* interfaces: heavy cleanup of the wireless device integration
* interfaces: use 802.1ad protocol for stacked VLAN parent (QinQ)
* interfaces: GIF and GRE now support subnet-based IPv6 configurations instead of always falling back to a point-to-point (/128) setup
* interfaces: GIF and GRE now disable IPv6 on IPv4 tunnels (contributed by Maurice Walker)
* interfaces: add PPPoEv6 mode to prevent IPv6 CP negotiation over PPPoE in other IPv6 modes
* interfaces: add support for SLAAC WAN interfaces without DHCPv6 (contributed by Maurice Walker)
* interfaces: register LAGG, PPP, VLAN and wireless devices as plugins
* interfaces: simplified get\_real\_interface() function
* interfaces: removed obsolete “defaultgw” files
* interfaces: simplified rc.linkup script
* interfaces: improve IP address cache behaviour in rc.newwanip(v6) scripts
* interfaces: converted virtual IPs to MVC/API
* interfaces: add MAC filtering to packet capture
* interfaces: convert ARP/NDP pages to server-side searchable variant
* interfaces: create null route for DHCPv6 delegated prefix
* interfaces: tighten the concept of hardware interfaces and pull supported plugin devices into assignments page automatically
* firewall: remove deprecated “Dynamic state reset” mechanic
* firewall: invalidate port forward rule entry when no target is specified
* firewall: show automated “port 0” rule as actual port “0” on PHP 8
* firewall: hide deprecated source OS rule setting under advanced
* reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics
* intrusion detection: keep grid to prevent widgets being removed
* intrusion detection: reload grid after log drop (contributed by kulikov-a)
* ipsec: disable charon.install\_routes completely in case upstream would implement it for FreeBSD later on
* ipsec: move user PSK (pre-shared key) and static PSK items to new MVC/API implementation
* ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
* ipsec: add a new independent connections MVC/API component to manage IPsec in a layout matching swanctl.conf syntax more closely
* ipsec: rewrote lease status page in MVC/API
* ipsec: add configurable “unique” setting to phase 1
* monit: support start timeout setting (contributed by spoutin)
* openvpn: add unique daemon name to each instance
* unbound: add DNS statistics collector and reporting frontend
* unbound: safeguard retrieval of blocklist shortcode
* unbound: add exact domain blocking
* mvc: call plugins\_interfaces() optionally on service reconfigure
* mvc: match UUID for multiple values (contributed by kulikov-a)
* mvc: convert setBase() to an upsert operation
* mvc: change default sorting to case-insensitive
* mvc: fix IntegerField minimum value (contributed by xbb)
* mvc: add TextField tests (contributed by agh1467)
* ui: assorted improvements in bootgrid and form controls
* ui: switch to pure JSON data in bootgrids
* plugins: os-acme-client 3.15 [\[2\]](https://github.com/opnsense/plugins/blob/stable/23.1/security/acme-client/pkg-descr)
* plugins: os-bind 1.25 [\[3\]](https://github.com/opnsense/plugins/blob/stable/23.1/dns/bind/pkg-descr)
* plugins: os-ddclient 1.11 [\[4\]](https://github.com/opnsense/plugins/blob/stable/23.1/dns/ddclient/pkg-descr)
* plugins: os-dyndns end of life note moves to 23.7
* plugins: os-freeradius 1.9.22 [\[5\]](https://github.com/opnsense/plugins/blob/stable/23.1/net/freeradius/pkg-descr)
* plugins: os-upnp 1.5 [\[6\]](https://github.com/opnsense/plugins/blob/stable/23.1/net/upnp/pkg-descr)
* plugins: os-stunnel fixes missing include in certificate script
* plugins: os-wireguard switches to kernel module with a separate os-wireguard-go variant available for installation to keep the old behaviour
* plugins: os-sslh 1.0 [\[7\]](https://github.com/opnsense/plugins/blob/stable/23.1/net/sslh/pkg-descr)
(contributed by agh1467)
* src: assorted FreeBSD 13 stable fixes for e.g. bpf, bridge, bsdinstall ifconfig, iflib, ipfw, ipsec, lagg, netmap, pf, route and vlan components
* ports: php 8.1.13 [\[8\]](https://www.php.net/ChangeLog-8.php#8.1.13)
* ports: sqlite 3.40.1 [\[9\]](https://sqlite.org/releaselog/3_40_1.html)
Migration notes, known issues and limitations:
* LibreSSL flavour has been discontinued. Switch to OpenSSL flavour to proceed with the upgrade.
* StrongSwan IPsec configuration now uses the preferred swanctl.conf instead of the deprecated ipsec.conf which could lead to connectivity issues in ambiguous cases. Subtle bugs cannot be ruled out as well so please raise an issue on GitHub to be able to investigate each case.
* The new IPsec connections pages and API create an independent set of connections following the design of swanctl.conf. Legacy tunnel settings cannot be managed from the API and are not migrated.
The public key for the 23.1 series is:
\# -----BEGIN PUBLIC KEY-----
\# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4J0k7cPtunUYiR4vbRof
\# AiNTnkkByaWpjTeKneR/CBAaImUxpED5EnFprwM0mm4BX3Vqkf1KYQtRSawNxeXz
\# NiPT5Ykv0Vus0tYafBzIPsOCdUz/gtuJmtjih0uNvFSdwDRNE42MpX2RFeTm652H
\# fNE5Rxv23liLYdm3RNDFcM7tJEMs+zr01Lrn3McDv4OUACl3YTwFKS1BJGkBqpDI
\# gX1HsJMz934zNItrLxj6B2tDIR4oGrqowzW+1owT4+a8EoaimY48RAb8AUWezAZu
\# tQcGQ0wuZ8qy2WClYvrogsmAEUpfv1Y0YcSfpdxopOx4KyE0KEzAooRF95iFLu94
\# PODk1oPTr0N9qXn7XsLkpaufk+EpNecZSvbqrj3IWMyCLEBO60YuFpcFFI6SVJBC
\# i5OG7JVQaE8hu4CY50tMOO0M54umM8lPIOW8AuIH2PlmQWJ4tPb7j8HHnV1cM1Sf
\# Ha/EAJQlKEEyj4hbzSb6aKATv++qvh4jwgADsTsDtbCrtxrcBV7i+iLUM7DdxrPZ
\# QnLELdJPjyFxtClzi4Tf1svrF5K6NGd/nJQ1pLSkM64dKPA0iTiMMzjQMHnN8++G
\# UdhRzswRZ/BtB8ha1ZRRvnEHe+tcEtsXFZZSTgcR60lXlZzPY/0h+xfbgOApYlqq
\# MIMJsdvZkuxYrGQ5eL2nk0UCAwEAAQ==
\# -----END PUBLIC KEY-----
Please let us know about your experience!
\# SHA256 (OPNsense-23.1.r1-OpenSSL-dvd-amd64.iso.bz2) = ed7d61d0107536c3095526d74c9d4e3b44cb86a7d8896bb51d65eccfd0a2056d
\# SHA256 (OPNsense-23.1.r1-OpenSSL-nano-amd64.img.bz2) = 66269b2eb434476d437cbf705af25b938e5d17436727eee565dd5e88fe8e6247
\# SHA256 (OPNsense-23.1.r1-OpenSSL-serial-amd64.img.bz2) = ca6676ae825241190e63b4fbedd8e727b28011fa484c35c1ef1e68e0355b1f4b
\# SHA256 (OPNsense-23.1.r1-OpenSSL-vga-amd64.img.bz2) = 5a4a8ec5f248484890d569b89f2fd1e29470bb95996c48def20686648e279f77
---
# 24.7 “Thriving Tiger” Series — OPNsense documentation
* [](../index.html)
* [Releases](../releases.html)
* [Community Edition](../CE_releases.html)
* 24.7 “Thriving Tiger” Series
* * *
24.7 “Thriving Tiger” Series[](#thriving-tiger-series "Permalink to this heading")
====================================================================================
For more than 9 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
24.7, nicknamed “Thriving Tiger”, features a new dashboard, system trust MVC/API support, GRE and GIF MVC/API support, NAT 1-to-1 MVC/API support, WireGuard QR code generator, dynamic IPsec VTI tunnel support, experimental OpenVPN DCO support, FreeBSD 14.1, Python 3.11 plus much more.
The upgrade path from 24.1.x will follow tomorrow. Do not be hasty. The major operating system upgrade has not happened in while and should be taken with the appropriate amount of care.
Download links, an installation guide [\[1\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/24.7/](https://opnsense.c0urier.net/releases/24.7/)
* US East Coast: [https://mirror.wdc1.us.leaseweb.net/opnsense/releases/24.7/](https://mirror.wdc1.us.leaseweb.net/opnsense/releases/24.7/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/24.7/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/24.7/)
* South America: [http://mirror.ueb.edu.ec/opnsense/releases/24.7/](http://mirror.ueb.edu.ec/opnsense/releases/24.7/)
* East Asia: [https://mirror.ntct.edu.tw/opnsense/releases/24.7/](https://mirror.ntct.edu.tw/opnsense/releases/24.7/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
24.7.12 (January 15, 2025)[](#january-15-2025 "Permalink to this heading")
----------------------------------------------------------------------------
One last stable update before the switch to the 25.1 series. Security-wise it has bee rather quiet over the past few weeks. A new kernel is included with a number of smaller reliability fixes and amendments.
The 25.1-RC1 images follow next week based on a full build using FreeBSD 14.2. Thanks all for testing the beta version so far! The release date for the final 25.1 version is January 29.
Here are the full patch notes:
* system: re-enable support for subjectAltName when creating CSRs
* system: remove spurious backup() during config revert
* reporting: add daemon -f parameter to close file descriptors for NetFlow local capture (contributed by Ben Smithurst)
* firmware: use output\_cmd/output\_txt helpers in remaining scripts
* ipsec: fix mobile clients reload missing system.inc
* isc-dhcp: IPv6 prefixes script can fail to restart (contributed by Ben Smithurst)
* kea-dhcp: align hostname validation with manual host entries
* mvc: add serialNumber and issuer in Store::parseX509()
* mvc: restore support for JSON input data without configd callout in JsonKeyValueStoreField
* ui: add classes to system history diff content so themes can override the defaults
* ui: load CSV as text to prevent encoding issues in SimpleFileUploadDlg()
* plugins: os-acme-client 4.7 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.7/security/acme-client/pkg-descr)
* plugins: os-caddy 1.8.0 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr)
* plugins: os-freeradius 1.9.27 [\[3\]](https://github.com/opnsense/plugins/blob/stable/24.7/net/freeradius/pkg-descr)
* plugins: os-haproxy 4.4 [\[4\]](https://github.com/opnsense/plugins/blob/stable/24.7/net/haproxy/pkg-descr)
* plugins: os-mdns-repeater 1.2 [\[5\]](https://github.com/opnsense/plugins/blob/stable/24.7/net/mdns-repeater/pkg-descr)
* plugins: os-squid 1.1 [\[6\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/squid/pkg-descr)
* plugins: os-tailscale 1.1 [\[7\]](https://github.com/opnsense/plugins/blob/stable/24.7/security/tailscale/pkg-descr)
* plugins: os-theme-rebellion 1.9.2 (contributed by Team Rebellion)
* src: if\_ovpn: improve reconnect handling
* src: iflib: set the NUMA domain in receive packet headers
* src: ip: defer checks for an unspecified dstaddr until after pfil hooks
* src: ice\_ddp: update to 1.3.41.0
* ports: curl 8.11.1 [\[8\]](https://curl.se/changes.html#8_11_1)
* ports: libpfctl 0.15
* ports: php 8.2.27 [\[9\]](https://www.php.net/ChangeLog-8.php#8.2.27)
* ports: python 3.11.11 [\[10\]](https://docs.python.org/release/3.11.11/whatsnew/changelog.html)
A hotfix release was issued as 24.7.12\_2:
* plugins: turning binary data into JSON may fail globally
* unbound: fixup permission on copy
* ports: openvpn 2.6.13 [\[11\]](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.13)
A hotfix release was issued as 24.7.12\_4:
* firmware: add fingerprint and upgrade hint for 25.1
* firmware: disable duckdb migration for stable transition again
24.7.11 (December 17, 2024)[](#december-17-2024 "Permalink to this heading")
------------------------------------------------------------------------------
This is a minor update all things considered, but it does bring you the long sought after Tailscale plugin courtesy of Sheridan Computers. Suricata is also updated to its latest version to fix a couple of CVEs.
In other news, 25.1 will contain FreeBSD 14.2 which will be available for BETA preview using images later this week as well. The 25.1-BETA will also include a rewritten theme (light and dark) using the new OPNsense logo already being used in the documentation. It also has MVC/API support for the user and group management plus more you can always find on the roadmap [\[1\]](https://opnsense.org/about/road-map/)
in detail.
Here are the full patch notes:
* system: show multiple SAN entries when supplied by the certificate
* system: traffic dashboard widget should persist interface identifiers
* system: reset dashboard widget options to the default if none of the options match
* system: mismatch in returned “change” attribute for route toggle
* system: suppress XML parse errors in announcement widget when forum is unreachable
* system: catch PHP errors for Google Drive backups
* system: ignore plugins\_interfaces() errors in write\_config()
* system: fix snapshot ACL
* interfaces: reload GUI in the background
* firewall: remove faulty PPP exclusion in scrubbing rule creation
* dhcp: allow radvd to use /128 CARP VIP as source
* firmware: add “configctl firmware changelog current” backend command
* firmware: refactor lock/unlock scripts using new output helpers
* firmware: opnsense-code: support for origin selection during upgrade mode
* firmware: opnsense-patch: improve patch behaviour for non-default account/repositories combinations
* ipsec: remove hashing algorithm from null cipher
* unbound: make OpenSSL bundle workaround permanent
* mvc: last batch of sessionClose() cleanups in controllers
* mvc: call initialize() after authentication
* mvc: normalize multiple slashes in paths
* plugins: os-caddy 1.7.6 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr)
* plugins: os-ddclient 1.26 [\[3\]](https://github.com/opnsense/plugins/blob/stable/24.7/dns/ddclient/pkg-descr)
* plugins: os-nut 1.9 [\[4\]](https://github.com/opnsense/plugins/blob/stable/24.7/sysutils/nut/pkg-descr)
* plugins: os-qemu-guest-agent 1.3 [\[5\]](https://github.com/opnsense/plugins/blob/stable/24.7/emulators/qemu-guest-agent/pkg-descr)
* plugins: os-tailscale 1.0 (contributed by Sheridan Computers)
* plugins: os-telegraf 1.12.12 [\[6\]](https://github.com/opnsense/plugins/blob/stable/24.7/net-mgmt/telegraf/pkg-descr)
* ports: monit 5.34.3 [\[7\]](https://mmonit.com/monit/changes/)
* ports: suricata 7.0.8 [\[8\]](https://suricata.io/2024/12/12/suricata-7-0-8-released/)
A hotfix release was issued as 24.7.11\_2:
* firmware: fix the return value handling in the firmware option of the console menu
* mvc: fix a regression in “normalize multiple slashes in paths”
24.7.10 (December 03, 2024)[](#december-03-2024 "Permalink to this heading")
------------------------------------------------------------------------------
This ships a number of base system changes, kernel fixes and driver updates. The time-loop authentication change is back with the fixed TOTP case and the Unbound domain overrides are now found in query forwarding since this offers the same functionality anyway.
Please note we had to hotfix the kernel which will not reinstall automatically if you caught the bad version. If you experience panics on 24.7.10 relating to pf(4) please reinstall from the GUI (which includes an automatic reboot) or run “opnsense-update -fk” from the shell followed by a manual reboot. The correct kernel identifies itself as “stable/24.7-n267981-8375762712f” using “uname -v”.
With the year almost over we are shifting focus to finishing the items on the roadmap and it is nice to note that the MVC/API conversions are already over 75% complete. That means it will not take another decade to migrate the other 25%. ;)
Here are the full patch notes:
* system: readd a “time-loop” around authentication for failed attempts
* system: remove the SSL bundles in default locations
* system: prevent JS crashing out when dashboard widget title is not set
* system: use system instead of sample defaults when reverting tunables
* system: report actual LAN address being used after factory reset
* interfaces: use Autoconf class to avoid raw ifctl file access
* interfaces: remove ancient MAC address trickery to unbreak hostapd
* interfaces: add missing neighbor and DNS lookup page ACL entries
* interfaces: PPP device page ACL missed getserviceproviders.php
* firmware: force CRL check on development deployment
* firmware: use REQUEST to print a TLS/CRL usage hint
* firmware: improved output helpers and associated cleanup in audit scripts
* firmware: opnsense-update: add support for regression tests set
* intrusion detection: limit stats.log logging (contributed by doktornotor)
* kea-dhcp: add dhcp-socket-type option (contributed by Till Niederauer)
* kea-dhcp: add MAC formatter to leases page (contributed by cpalv)
* openvpn: support case-insensitive strict user CN matching for instances
* unbound: move domain overrides to query forwarding
* mvc: let JsonKeyValueStoreField cache configd call for the duration of the session
* mvc: another batch of sessionClose() cleanups in controllers
* mvc: cleanup in ApiMutableServiceControllerBase
* mvc: fix hint display for “0”
* ui: restore right tab border in standard theme
* plugins: os-caddy 1.7.5 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr)
* plugins: os-debug 1.7 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.7/devel/debug/pkg-descr)
* src: atf/kyua: ship regression tests runtime support
* src: if\_bridge: mask MEXTPG if some members do not support it
* src: if\_tuntap: enable MEXTPG support
* src: ice: update to 1.43.2-k et al
* src: ipsec: fix IPv6 over IPv4 tunneling
* src: ixgbe: add support for 1Gbit (active) DAC links
* src: ixgbe: sysctl for TCP flag handling during TSO
* src: jail: expose children.max and children.cur via sysctl
* src: libfetch: add the error number to verify callback failure case
* src: netlink: assorted stable backports
* src: pf: prevent SCTP-based NULL dereference in pfi\_kkif\_match()
* src: pf: let rdr rules modify the src port if doing so would avoid a conflict
* src: pf: make pf\_get\_translation() more expressive
* src: pf: let pf\_state\_insert() handle redirect state conflicts
* src: pf: fix wrong pflog action in NAT rule
* src: pf: fix potential state key leak
* src: rc: ignore INSYDE BIOS placeholder UUID for /etc/hostid
* src: route: fix failure to add an interface prefix route when route with the same prefix is already presented in the routing table
* src: route: route: avoid overlapping strcpy
* src: sfxge: defer ether\_ifattach to when ifmedia\_init is done
* ports: curl 8.11.0 [\[3\]](https://curl.se/changes.html#8_11_0)
* ports: expat 2.6.4 [\[4\]](https://github.com/libexpat/libexpat/blob/R_2_6_4/expat/Changes)
* ports: nss 3.107 [\[5\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_107.html)
* ports: openldap 2.6.9 [\[6\]](https://www.openldap.org/software/release/changes.html)
* ports: php 8.2.26 [\[7\]](https://www.php.net/ChangeLog-8.php#8.2.26)
* ports: sudo 1.9.16p2 [\[8\]](https://www.sudo.ws/stable.html#1.9.16p2)
A hotfix release was issued as 24.7.10\_1:
* unbound: use tls-cert-bundle to point to remaining valid bundle
A hotfix release was issued as 24.7.10\_2:
* system: fix TOTP regression when used with LDAP
* src: reverted “pf: fix potential state key leak” due to reported panics
* src: netlink: allow force remove on pinned delete from route binary
24.7.9 (November 20, 2024)[](#november-20-2024 "Permalink to this heading")
-----------------------------------------------------------------------------
This is a minor update that further tweaks the trust store integration and firmware updates tying into it although in practice it does not change the current behaviour from a user perspective. If something is not behaving as usual afterwards please let us know.
A new plugin has been added to finally allow proxying ND messages for those people stuck on a single /64 prefix delegation. Otherwise it has been pretty quiet as you can see. But we will be back soon. ;)
Here are the full patch notes:
* system: revert CRLs in bundles as the default bundles will be removed in 25.1
* system: migrate authoritative bundle location to /usr/local/etc/ssl/cert.pem
* system: flush the global OpenSSL configuration to /etc/ssl/openssl.cnf as well
* system: ignore gateway monitor status on boot when setting up routes
* system: fix IP address validation not being displayed in the gateway form
* system: add a “time-loop” around authentication for failed attempts
* reporting: ISO dates and logical ranges in health graphs (contributed by Roy Orbitson)
* interfaces: kill defunct route-to states with the stale gateway IP
* firewall: make loopback traffic stateful again to fix its use with syncookie option
* firewall: add ‘Action’ property to list of retrieved rules
* firewall: use UUIDs as rule labels to ease tracking
* firmware: refactor for generic config.sh use and related code audit
* firmware: move the bogons update script to the firmware scripts, improve logging messages and use config.sh
* firmware: opnsense-version: restored pre-2019 default output format (contributed by TotalGriffLock)
* openvpn: add Require Client Provisioning option for instances
* backend: add ‘configd environment’ debug action
* mvc: always do stop/start on forced restart
* mvc: remove obsolete sessionClose() use in Base, Firmware, Unbound and WireGuard controllers
* plugins: os-debug 1.6
* plugins: os-ndproxy 1.0 adds an IPv6 Neighbour Discovery proxy
* plugins: os-wazuh-agent 1.2 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.7/security/wazuh-agent/pkg-descr)
* ports: py-duckdb 1.1.3 [\[2\]](https://github.com/duckdb/duckdb/releases/tag/v1.1.3)
A hotfix release was issued as 24.7.9\_1:
* system: reverted “time-loop” patch as it makes Local+TOTP authentication fail
24.7.8 (November 06, 2024)[](#november-06-2024 "Permalink to this heading")
-----------------------------------------------------------------------------
Minor update with FreeBSD security advisories and a number of stable branch patches for various Intel drivers. Two problems with the RRD rework are herby fixed as well.
Here are the full patch notes:
* system: add missing MinProtocol in OpenSSL config template from trust settings
* system: add SignatureAlgorithms option and fix minor form glitch in trust settings
* system: bring CRLs into bundles as well
* system: sync certctl to FreeBSD 14.1 base code et al
* reporting: isset() vs. empty() on RRD enable
* reporting: fix regression in RRD temperature readings
* interfaces: parse part of SFP module information in legacy\_interfaces\_details()
* firewall: add a note about stateless TCP during syncookie use
* firewall: enhance validation that group name can not start or end with a digit
* firmware: improve health script and use config.sh
* firmware: rework CRL check in config.sh
* firmware: use the trust store for CRL verification
* lang: update available translations
* ipsec: add swanctl.conf download button to settings page
* ipsec: add description field to pre-shared-keys
* isc-dhcp: safeguard output type for json\_decode() in leases page
* unbound: allow RFC 2181 compatible names in overrides
* mvc: fix UpdateOnlyTextField incompatibility with DependConstraint (contributed by kumy)
* plugins: os-bind 1.33 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.7/dns/bind/pkg-descr)
* plugins: os-caddy 1.7.4 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr)
* plugins: os-etpro-telemetry lowers log level of collection invoke (contributed by doktornotor)
* plugins: os-iperf fixes JS TypeError when parsing result (contributed by Leo Huang)
* plugins: os-tinc removes “pipes” Python module dependency (contributed by andrewhotlab)
* src: multiple issues in the bhyve hypervisor [\[3\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:17.bhyve.asc)
* src: unbounded allocation in ctl(4) CAM Target Layer [\[4\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:18.ctl.asc)
* src: XDG runtime directory file descriptor leak at login [\[5\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-24:17.pam_xdg.asc)
* src: assorted FreeBSD stable patches for Intel ixgbe, igb, igc and e1000 drivers
* src: cxgb: register ifmedia callbacks before ether\_ifattach
* src: enc: use new KPI to create enc interface
* src: ifconfig: fix wrong indentation for the status of pfsync
* src: iflib: simplify iflib\_legacy\_setup
* src: iflib: use if\_alloc\_dev() to allocate the ifnet
* src: netmap: make memory pools NUMA-aware
* src: vlan: handle VID conflicts
* ports: libpfctl 0.14
* ports: nss 3.106 [\[6\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_106.html)
* ports: php 8.2.25 [\[7\]](https://www.php.net/ChangeLog-8.php#8.2.25)
24.7.7 (October 23, 2024)[](#october-23-2024 "Permalink to this heading")
---------------------------------------------------------------------------
A small update to keep things moving forward while things are quietening down a little bit. Still working on improving the trust store integration and already tackling new MVC/API conversions on the development end.
Here are the full patch notes:
* system: add OpenSSH “RekeyLimit” with a limited set of choices
* system: fix certificate condition in setCRL() (contributed by richierg)
* system: untrusted directory changed in FreeBSD 14
* system: remove obsolete banners from static pages
* system: address CRL/cert subject hash mismatch during trust store rehash
* reporting: refactor existing RRD backend code
* firewall: throttle live logging on dashboard widget
* interfaces: fix VXLAN interface being busy when vxlanlocal or vxlanremote is changed
* interfaces: 6RD/6to4 route creation should be limited to IPv6
* firmware: remove escaped slashes workaround on mirror/flavour write
* firmware: CRL checking for business update mirror
* firmware: introduce config.sh and use it in launcher.sh and connection.sh
* firmware: restart cron on updates
* intrusion detection: reorganise settings page with headers
* intrusion detection: support configuration of eve-log for HTTP and TLS (contributed by Toby Chen)
* ipsec: fix advanced option “max\_ikev1\_exchanges”
* backend: cache file cleanup when TTL is reached
* backend: correct template helper exists() return type (contributed by kumy)
* mvc: fix config.xml file open mode in overwrite()
* mvc: add missing request->hasQuery()
* mvc: add missing request->getScheme()
* mvc: add missing request->getURI()
* mvc: extend sanity checks in isIPInCIDR()
* ui: fix tree view style targeting elements outside this view
* plugins: enforce defaults on devices
* plugins: os-caddy 1.7.3 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr)
* plugins: os-ddclient 1.25 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.7/dns/ddclient/pkg-descr)
* plugins: os-freeradius 1.9.26 [\[3\]](https://github.com/opnsense/plugins/blob/stable/24.7/net/freeradius/pkg-descr)
* plugins: os-frr 1.42 [\[4\]](https://github.com/opnsense/plugins/blob/stable/24.7/net/frr/pkg-descr)
* plugins: os-lldpd 1.2 [\[5\]](https://github.com/opnsense/plugins/blob/stable/24.7/net-mgmt/lldpd/pkg-descr)
* plugins: os-net-snmp 1.6 [\[6\]](https://github.com/opnsense/plugins/blob/stable/24.7/net-mgmt/net-snmp/pkg-descr)
* plugins: os-upnp 1.7 [\[7\]](https://github.com/opnsense/plugins/blob/stable/24.7/net/upnp/pkg-descr)
* plugins: os-wazuh-agent 1.1 [\[8\]](https://github.com/opnsense/plugins/blob/stable/24.7/security/wazuh-agent/pkg-descr)
* ports: monit 5.34.2 [\[9\]](https://mmonit.com/monit/changes/)
* ports: nss 3.105 [\[10\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_105.html)
* ports: openssh 9.9.p1 [\[11\]](https://www.openssh.com/txt/release-9.9)
* ports: pkg fix for for embedded libfetch when doing CRL verification
* ports: py-duckdb 1.1.2 [\[12\]](https://github.com/duckdb/duckdb/releases/tag/v1.1.2)
* ports: syslog-ng 4.8.1 [\[13\]](https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.1)
* ports: unbound 1.22.0 [\[14\]](https://nlnetlabs.nl/projects/unbound/download/#unbound-1-22-0)
24.7.6 (October 09, 2024)[](#october-09-2024 "Permalink to this heading")
---------------------------------------------------------------------------
A few security and reliability issues this week. Most notably Suricata and Unbound. The dashboard rework seems to be concluded now as the ACL behaviour was aligned and should match the user expectation on the “Lobby” section privileges. Note not all widgets have separate ACLs as it aims to provide a minimal safe selection of system widgets associated with the access to the dashboard page in general.
We will, however, continue to improve the dashboard further while we also tackle other interesting areas for 25.1. That being said have a look at the new roadmap [\[1\]](https://opnsense.org/about/road-map/)
we published recently.
You may notice the increased activity on the trust store side due to our LINCE certification efforts. Valuable feedback and code changes have come from this process that will also find their way into other related projects in the near future.
Here are the full patch notes:
* system: do not render non-reachable dashboard widget links
* system: handle picture deletion via hidden input on general settings page
* system: straighten out API ACL entries for several components
* system: remove unreachable “page-getstats” ACL entry
* system: adjust “page-system-login-logout” ACL entry to be used as a minimal dashboard privilege
* system: deprecate the “page-dashboard-all” ACL entry as it will be removed in 25.1
* system: add descriptions on CA and certificate downloads file names
* system: show user icon when certificate is not otherwise used (in case CN matches any of our registered users)
* system: add proper validation when certificates are being imported via CSR
* system: add missing CRL changed event when CRLs are saved in the GUI
* system: add a trust settings page and move existing trust settings there as well
* system: optionally fetch and store CRLs attached to trusted authorities
* system: improve and extend certctl.py script doing the trust store rehashing
* system: enforce CRL behaviour for existing revocations in the trust store when doing remove syslog sending over TLS
* interfaces: simplify and clarify pfsync reconfiguration hooks
* interfaces: non-functional refactors in PPP configuration
* interfaces: send IPv6 solicit immediately on WAN interfaces
* firewall: add gateway groups to the list of gateways in automation rules
* dhcrelay: refactor for plugins\_argument\_map() use
* ipsec: add “make\_before\_break” option to settings
* kea-dhcp: add configurable “max-unacked-clients” parameter and change its default to 2
* kea-dhcp: add missing constraint on IP address for reservations
* openvpn: register OpenVPN group immediately when setting up instances
* openvpn: push “data-ciphers-fallback” in client export when configured to align with legacy setup
* unbound: port to newwanip\_map / plugins\_interface\_map()
* ui: remove bold text from tab headers for consistency
* plugins: os-acme-client 4.6 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.7/security/acme-client/pkg-descr)
* plugins: os-caddy 1.7.2 [\[3\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr)
* plugins: os-frr 1.41 [\[4\]](https://github.com/opnsense/plugins/blob/stable/24.7/net/frr/pkg-descr)
* plugins: os-smart 2.3 adds new dashboard widget (contributed by Francisco Dimattia)
* src: pf: revert part of 39282ef3 to properly log the drop due to state limits
* src: pflog: pass the action to pflog directly
* src: various check removals for malloc(M\_WAITOK) driver calls
* src: libpfctl: ensure we return useful error codes
* src: x86/ucode: add support for early loading of CPU ucode on AMD
* src: libfetch: improve optional CRL verification
* src: fetch: fix “–crl” option not working
* ports: curl 8.10.1 [\[5\]](https://curl.se/changes.html#8_10_1)
* ports: crowdsec fix for stuck service handling [\[6\]](https://discourse.crowdsec.net/t/bug-opnsense-24-7-5-crowdsec-1-6-3/2057)
* ports: dhcp6c 20241008 properly handle NoAddrAvail status code
* ports: monit 5.34.1 [\[7\]](https://mmonit.com/monit/changes/)
* ports: php 8.2.24 [\[8\]](https://www.php.net/ChangeLog-8.php#8.2.24)
* ports: dnspython 2.7.0
* ports: py-duckdb 1.1.1 [\[9\]](https://github.com/duckdb/duckdb/releases/tag/v1.1.1)
* ports: suricata 7.0.7 [\[10\]](https://suricata.io/2024/10/01/suricata-7-0-7-released/)
* ports: unbound 1.21.1 [\[11\]](https://nlnetlabs.nl/projects/unbound/download/#unbound-1-21-1)
24.7.5 (September 26, 2024)[](#september-26-2024 "Permalink to this heading")
-------------------------------------------------------------------------------
This release removes significant processing overhead from larger setups due to being able to coalesce parallel configuration requests for the same component instead of iterating over the list of selected interfaces one by one. A number of third party software updates and FreeBSD security advisories are included as well.
This update also disables NUMA by default which can bring a boost in network throughput on affected systems. And of course we are still working on dashboard improvements so now the treasured picture widget is back with a better integration approach.
Also take note that the NTP default changes to “restrict noquery” so that the system cannot externally be queried for revealing system internals anymore unless explicitly allowed.
The technical stuff out of the way we would simply like to add that we had a great time at EuroBSDCon in Dublin over the weekend. Lots of good and productive conversations. Looking forward to more of those! :)
Here are the full patch notes:
* system: update default dashboard layout and include the services widget
* system: render header for failed active widgets to allow identification and removal
* system: add ability for widget referral links
* system: cleaned up ACL definitions and use thereof
* system: add a picture widget
* system: default to vm.numa.disabled=1
* system: handle log lines with no timestamp (contributed by Iain MacDonnell)
* system: use interface maps in system\_routing\_configure() and dpinger\_configure\_do()
* system: when only selecting TLS1.3 ciphers make sure to only allow 1.3 as well in web GUI
* system: move web GUI restart to newwanip\_map / plugins\_argument\_map() use
* interfaces: move compatible event listeners to newwanip\_map
* interfaces: decouple PPP configure/reset from IPv4/IPv6 modes
* interfaces: move legacy RFC2136 invoke to plugin hook
* interfaces: add “spoofmac” device option and enforce it
* interfaces: prevent CARP VIP removal when VHID group is in use by IP aliases
* interfaces: routing configuration on changed interfaces only during apply
* firmware: opnsense-update: support unescaped mirror input (contributed by Michael Gmelin)
* firmware: opnsense-verify: show repository priority while listing active repositories
* ipsec: convert to vpn\_map event invoke and plugins\_argument\_map() use
* monit: fix undefined function error in CARP script
* network time: enable “restrict noquery” by default (contributed by doktornotor)
* openssh: port to plugins\_argument\_map()
* openvpn: validate “Auth Token Lifetime” to require a non-zero renegotiate time in instances
* openvpn: convert to vpn\_map event invoke and plugins\_argument\_map() use
* wireguard: convert to vpn\_map event invoke
* ui: refine cookie policies and make them explicit
* plugins: add plugins\_argument\_map() helper
* plugins: os-caddy 1.7.1 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr)
* src: bhyve: improve input validation in pci\_xhci [\[2\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc)
* src: libnv: correct the calculation of the size of the structure [\[3\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc)
* src: ifnet: Remove if\_getamcount()
* src: ifnet: Add handling for toggling IFF\_ALLMULTI in ifhwioctl()
* src: ifconfig: Add an allmulti verb
* src: date: include old and new time in audit log
* src: bpf: Add IfAPI analogue for bpf\_peers\_present()
* src: pf: use AF\_INET6 when comparing IPv6 addresses
* src: if\_ovpn: ensure it is safe to modify the mbuf
* src: if\_ovpn: declare our dependency on the crypto module
* ports: curl 8.10.0 [\[4\]](https://curl.se/changes.html#8_10_0)
* ports: dhcp6c 20240919 reintroduced fixed arc4random() usage
* ports: expat 2.6.3 [\[5\]](https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes)
* ports: libpfctl 0.13
* ports: libxml 2.11.9 [\[6\]](https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS)
* ports: nss 3.104 [\[7\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_104.html)
* ports: python 3.11.10 [\[8\]](https://docs.python.org/release/3.11.10/whatsnew/changelog.html)
* ports: sudo 1.9.16 [\[9\]](https://www.sudo.ws/stable.html#1.9.16)
A hotfix release was issued as 24.7.5\_3:
* system: due to observed timing issues avoid the use of closelog()
* openvpn: fix “auth-gen-token” being supplied in server mode
24.7.4 (September 12, 2024)[](#september-12-2024 "Permalink to this heading")
-------------------------------------------------------------------------------
Since we are currently having a vivid discussion about what constitutes a downstream or upstream issue in the FreeBSD scope we will revert the FreeBSD-SA-24:05.pf advisory until further notice. As confirmed by many users this brings ICMPv6 and therefore IPv6 back to an uneventful stable state. We will be trying to work with FreeBSD on the issue as it seems unavoidable that we meet it again when working on FreeBSD 14.2 inclusion.
In other IPv6 news we found a strange regression in dhcp6c introduced in 24.7.2 and reverted the offending commits for now. What this tells us, though, is that we did uncover an inherent issue with the timeout value generation that may be present since two decades in the code at least.
Apart from smaller fixes for the dashboard, trust pages, this update also ships the first backwards-compatible PPP rework patch. The ultimate goal here is to offer IPv6-only connectivity which requires untangling old code to be IP family agnostic. Should you note any change in behaviour please do not hesitate to contact us.
BTW, the roadmap for 25.1 has been decided and will be published soon.
Here are the full patch notes:
* system: recover stuck monitors and offer a cron job
* system: use built-in controller logic for JSON decoding on dashboard
* system: map derivative field cert\_type to expose purpose to the UI
* system: handle stale “pfsyncinterfaces” and improve workflow
* system: tweak the boot detection for code minimalism
* system: do not save x/y widget coordinates on smaller screens
* system: fix CARP widget on invalid CARP configuration
* system: fix storing private key when creating a CSR
* reporting: remove nonexistent 3G statistics
* interfaces: force regeneration of link-local on spoofed MAC
* interfaces: add proper validation for 6RD and 6to4
* interfaces: add new “vpn\_map” event to deprecate “vpn”
* interfaces: unify PPP linkup/linkdown scripting
* interfaces: replace “newwanip” from interface apply with “early”
* interfaces: move IPv6 over IPv4 connectivity to a separate script
* interfaces: port VXLAN to newwanip\_map event
* firewall: replace filter\_(un)lock() with a FileObject lock
* isc-dhcp: allow to disable a DHCPv6 server with faulty settings
* firmware: remove auto-retry from fetch invokes
* firmware: allow auto-configure patching via full URL
* firmware: automatically handle most plugin conflicts
* openssh: convert to newwanip\_map and rework the code
* openvpn: add username field to the status page
* openvpn: add close-on-exec flag to service lock file
* unbound: add discard-timeout (contributed by Nigel Jones)
* wireguard: fix widget display with public key reuse
* wireguard: add close-on-exec flag to service lock file
* ui: allow style tag on headers
* plugins: os-helloworld 1.4
* plugins: os-caddy 1.7.0 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr)
* src: revert FreeBSD-SA-24:05.pf until further notice to restore proper IPv6 behaviour [\[2\]](https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701)
* src: agp: Set the driver-specific field correctly
* src: cron(8) / periodic(8) session login [\[3\]](https://www.freebsd.org/security/advisories/FreeBSD-EN-24:15.calendar.asc)
* src: multiple vulnerabilities in libnv [\[4\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:09.libnv.asc)
* src: bhyve(8) privileged guest escape via TPM device passthrough [\[5\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:10.bhyve.asc)
* src: multiple issues in ctl(4) CAM target layer [\[6\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:11.ctl.asc)
* src: bhyve(8) privileged guest escape via USB controller [\[7\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:12.bhyve.asc)
* src: possible DoS in X.509 name checks in OpenSSL [\[8\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:13.openssl.asc)
* src: umtx kernel panic or use-after-free [\[9\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc)
* src: revert “ixl: fix multicast filters handling” [\[10\]](https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281125)
* ports: dhcp6c 20240907 for now reverts instability regression in random number handling
* ports: openssl 3.0.15 [\[11\]](https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md)
* ports: php 8.2.23 [\[12\]](https://www.php.net/ChangeLog-8.php#8.2.23)
A hotfix release was issued as 24.7.4\_1:
* interfaces: fix PPP regression of empty gateway default
24.7.3 (August 29, 2024)[](#august-29-2024 "Permalink to this heading")
-------------------------------------------------------------------------
Today we are switching pf stateful tracking of ICMPv6 neighbour discoveries off in order to fix the previous instability with the FreeBSD security advisory first shipped in 24.7.1. We do this in order to provide the same reliable IPv6 functionality that was on all previous versions prior to 24.7.1 at the cost of resurfacing CVE-2024-6640 until a better solution has been devised. A link to the long and difficult upstream bug report is included below.
But that is not all. The GUI gains snapshot support on ZFS installations by implementing what is called “boot environments” which allows one to move seamlessly from one snapshot to another via reboot. This functionality can also be accessed from the boot loader menu option “8” for a quick recovery ensuring that at least one other snapshot was created to boot into. A very special thank you to Sheridan Computers for contributing this feature.
Here are the full patch notes:
* system: add snapshots (boot environments) support via MVC/API (contributed by Sheridan Computers)
* system: remove obsolete dashboard sync
* system: compact services widget on dashboard
* system: convert lock mode to edit mode on dashboard
* system: link certificates by subject on import
* system: unify how log search clauses work and add a search time constraint
* system: move to static imports for widget base classes on dashboard
* system: fix ACL check on dashboard restore and add safety check for save action
* system: change dashboard modify buttons to a bootstrap group (contributed by Jaka Prašnikar)
* interfaces: add “newwanip\_map” event and deprecate old “newwanip” one
* interfaces: keep 24.7 backwards compatibility by allowing 6RD and 6to4 on PPP
* interfaces: add logging to PPP link scripts to check for overlap
* interfaces: return correct uppercase interface name in getArp()
* interfaces: fix issue with PPP port not being posted
* dhcrelay: start on “newwanip\_map” event as well
* intrusion detection: update the default suricata.yaml (contributed by Jim McKibben)
* ipsec: move two logging settings to correct location misplaced in previous version
* ipsec: fix migration and regression during handling of “disablevpnrules” setting
* wireguard: support CARP VHID reuse on different interfaces
* mvc: when a hint is provided, also show them for selectpickers
* rc: fix banner HTTPS fingerprint
* plugins: os-ddclient 1.24 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.7/dns/ddclient/pkg-descr)
* plugins: os-theme-advanced 1.0 based on AdvancedTomato (contributed by Jaka Prašnikar)
* plugins: os-theme-cicada 1.38 (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.48 (contributed by Team Rebellion)
* plugins: os-upnp 1.6 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.7/net/upnp/pkg-descr)
* plugins: os-wol 2.5 adds widget for new dashboard (contributed by Michał Brzeziński)
* src: pf: fully annotated patch of disabling ND state tracking and issues for ICMPv6 [\[3\]](https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701)
* src: u3g: add SIERRA AC340U
* ports: dhcrelay 1.0 switches to official release numbering, but otherwise equal to 0.6
* ports: sqlite 3.46.1 [\[4\]](https://sqlite.org/releaselog/3_46_1.html)
A hotfix release was issued as 24.7.3\_1:
* intrusion detection: fix indent in suricata.yaml
24.7.2 (August 21, 2024)[](#august-21-2024 "Permalink to this heading")
-------------------------------------------------------------------------
Today a follow-up for the FreeBSD security advisory for pf/ICMP ships that addresses the undesired traceroute behaviour. A few dashboard improvements are included as well as better IPv6 recovery for dhcp6c and assorted stability fixes.
As a special note we now have native CPU microcode update plugins for either AMD or Intel to install from the GUI. Apart from a reboot these plugins require no further user interaction and will keep the applicable microcode at the latest known version as shipped in the packages repository.
We are currently working on making PPP capable of running in IPv6-only deployments; additionally ZFS snapshots (a.k.a boot environments) are coming to the next stable release and can already be previewed in the bundled development version.
Last but not least, an “importmap” free dashboard version is also ready for testing in the development release. We hereby ask for feedback so that it can be included in a subsequent stable release.
Here are the full patch notes:
* system: CRL import ignored text input and triggered unrelated validations
* system: improve the locking during web GUI restart
* system: improve WireGuard and IPsec widgets
* system: add CPU widget graph selection
* system: reformat traffic graphs to bps
* system: add gateway widget item selection
* system: add table view to interface statistics widget on expansion
* system: improve widget error recovery
* system: fix wrong variable assignment in system log search backend
* system: add missing delAction() for proper CRL removal
* interfaces: require PPP interface to be in up state (contributed by Nicolai Scheer)
* interfaces: lock down PPP modes when editing interfaces
* interfaces: backport required interface\_ppps\_capable()
* interfaces: retire interfaces\_bring\_up()
* reporting: start using cron for RRD collection
* firmware: remove inactive mirrors from the list
* firmware: introduce sanity checks prior to upgrades
* firmware: cleanup package manager temporary files prior to upgrades
* kea-dhcp: fix privileges for page ACL
* ipsec: advanced settings MVC/API conversion
* ipsec: add retransmission settings in charon section in advanced settings
* openvpn: unhide server fields for DCO instances
* mvc: remove setJsonContent() and make sure Response->send() handles array types properly
* mvc: FileObject write() should sync by default
* rc: export default ZPOOL\_IMPORT\_PATH
* ui: sidebar submenu expand fix (contributed by Team Rebellion)
* plugins: os-caddy 1.6.3 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr)
* plugins: os-cpu-microcode-amd 1.0
* plugins: os-cpu-microcode-intel 1.0
* plugins: os-freeradius 1.9.25 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.7/net/freeradius/pkg-descr)
* plugins: os-intrusion-detection-content-snort-vrt 1.2 switch to newer ruleset snapshot (contributed by Jim McKibben)
* plugins: os-theme-tukan 1.28 (contributed by Dr. Uwe Meyer-Gruhl)
* src: axgbe: implement ifdi\_i2c\_req for diagnostics information
* src: if\_clone: allow maxunit to be zero
* src: if\_pflog: limit the maximum unit via the new KPI
* src: pf: invert direction for inner icmp state lookups
* src: pf: fix icmp-in-icmp state lookup
* src: pf: vnet-ify pf\_hashsize, pf\_hashmask, pf\_srchashsize and V\_pf\_srchashmask
* ports: dhcp6c 20240820 fixes two renewal edge cases
* ports: nss 3.103 [\[3\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_103.html)
* ports: phpseclib 3.0.41 [\[4\]](https://github.com/phpseclib/phpseclib/releases/tag/3.0.41)
* ports: unbound 1.21.0 [\[5\]](https://nlnetlabs.nl/projects/unbound/download/#unbound-1-21-0)
24.7.1 (August 08, 2024)[](#august-08-2024 "Permalink to this heading")
-------------------------------------------------------------------------
This release includes a batch of dashboard changes due to the reliable feedback we have received from you all so far. There will be more dashboard changes in the future mostly relating to UX and sane default behaviour so just know we are aware.
A few smaller regressions due to the Phalcon module replacement efforts have been fixed as well. IPv6 behaviour has been adjusted for SLAAC and the web GUI.
Last but not least we found and fixed a number of issues with FreeBSD 14.1 and are including its security advisories from yesterday while at it.
MVC/API conversions are already being carried out in the development version and it seems that PPP-related connectivity will get a bigger makeover too. The roadmap for 25.1 will be discussed and likely published later this month.
Here are the full patch notes:
* system: guard destroy on traffic widget
* system: adjust address display in interfaces widget
* system: fix display of multiple sources in thermal sensor widget
* system: add load average back to system info widget
* system: remove dots from traffic widget graphs
* system: add publication date to announcement widget
* system: fix monit widget status code handling
* system: allow and persist vertical resize in widgets
* system: improve formatting of byte values in widgets
* system: update OpenVPN widget server status color
* system: add aggregated traffic information about connected children in IPsec widget
* system: remove animated transition from row hover for table widgets
* system: improve the styling of the widget lock button
* system: apply locked state to newly added widgets as well
* system: account for removal of rows in non-rotated widget tables with top headers
* system: use “importmap” to force cache safe imports of base classes for widgets
* system: allow custom fonts in the widgets with gauges (contributed by Jaka Prasnika)
* system: add monitor IP to gateway API result (contributed by Herman Bonnes)
* system: better define “in use” flag and safety guards in certificates section
* system: export p12 resulted in mangled binary blob in certificates section
* system: when using debug kernels prevent them from triggering unrelated panics on assertions
* system: switch Twitter to Reddit URL in message of the day
* system: fix API exception on empty CA selection
* system: skip tentative IPv6 addresses for binding in the web GUI (contributed by tionu)
* interfaces: avoid deprecating SLAAC address for now
* firewall: show inspect button on “xs” size screen
* firewall: fix parsing port alias names in /etc/services
* captive portal: fix client disconnect (contributed by Vivek Panchal)
* firmware: revoke old fingerprints
* ipsec: add aggregated traffic totals to phase 1 view
* kea-dhcp: ignore invalid hostnames in static mappings to prevent DNS services crashes
* openvpn: use new trust model to link users by common\_name in exporter
* openvpn: DCO mode only supports UDP on FreeBSD
* openvpn: add “float” option to instances (contributed by Christian Kohlstedde)
* backend: patch -6 address support into pluginctl
* mvc: fix API endpoint sending data without giving the Response object the chance to flush its headers
* plugins: os-acme-client 4.5 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.7/security/acme-client/pkg-descr)
* plugins: os-apcupsd 1.2 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.7/sysutils/apcupsd/pkg-descr)
* plugins: os-caddy 1.6.2 [\[3\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr)
* plugins: os-ddclient 1.23 [\[4\]](https://github.com/opnsense/plugins/blob/stable/24.7/dns/ddclient/pkg-descr)
* plugins: os-theme-rebellion 1.9.1 fixes more compatibility issues with new dashboard (contributed by Team Rebellion)
* src: pf incorrectly matches different ICMPv6 states in the state table [\[5\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:05.pf.asc)
* src: ktrace(2) fails to detach when executing a setuid binary [\[6\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:06.ktrace.asc)
* src: NFS client accepts file names containing path separators [\[7\]](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:07.nfsclient.asc)
* src: xen/netfront: Decouple XENNET tags from mbuf lifetimes
* src: dummynet: fix fq\_pie traffic stall
* src: mcast: fix leaked igmp packets on multicast cleanup
* src: wg: change dhost to something other than a broadcast address (contributed by Sunny Valley Networks)
* ports: curl 8.9.1 [\[8\]](https://curl.se/changes.html#8_9_1)
* ports: dhcrelay 0.6 [\[9\]](https://github.com/opnsense/dhcrelay/issues/2)
* ports: kea 2.6.1 [\[10\]](https://downloads.isc.org/isc/kea/2.6.1/Kea-2.6.1-ReleaseNotes.txt)
* ports: nss 3.102 [\[11\]](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_102.html)
* ports: php 8.2.22 [\[12\]](https://www.php.net/ChangeLog-8.php#8.2.22)
* ports: rrdtool 1.9.0 [\[13\]](https://github.com/oetiker/rrdtool-1.x/releases/tag/v1.9.0)
* ports: syslog-ng 4.8.0 [\[14\]](https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.0)
24.7 (July 25, 2024)[](#july-25-2024 "Permalink to this heading")
-------------------------------------------------------------------
For more than 9 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
24.7, nicknamed “Thriving Tiger”, features a new dashboard, system trust MVC/API support, GRE and GIF MVC/API support, NAT 1-to-1 MVC/API support, WireGuard QR code generator, dynamic IPsec VTI tunnel support, experimental OpenVPN DCO support, FreeBSD 14.1, Python 3.11 plus much more.
The upgrade path from 24.1.x will follow tomorrow. Do not be hasty. The major operating system upgrade has not happened in while and should be taken with the appropriate amount of care.
Download links, an installation guide [\[1\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/24.7/](https://opnsense.c0urier.net/releases/24.7/)
* US East Coast: [https://mirror.wdc1.us.leaseweb.net/opnsense/releases/24.7/](https://mirror.wdc1.us.leaseweb.net/opnsense/releases/24.7/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/24.7/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/24.7/)
* South America: [http://mirror.ueb.edu.ec/opnsense/releases/24.7/](http://mirror.ueb.edu.ec/opnsense/releases/24.7/)
* East Asia: [https://mirror.ntct.edu.tw/opnsense/releases/24.7/](https://mirror.ntct.edu.tw/opnsense/releases/24.7/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
Here are the full changes against version 24.1.10:
* system: remove “load\_balancer” configuration remnants from core
* system: replace usage of mt\_rand() with random\_int()
* system: rewrote Trust configuration using MVC/API
* system: add XMLRPC option for OpenDNS
* system: rewrote the high availability settings page using MVC/API
* system: remove obsolete SSH DSA key handling
* system: replaced the dashboard with a modern alternative with streaming widgets
* system: harden a number of PHP settings according to best practices
* system: support streaming of log files for the new dashboard widget
* system: assorted dashboard widget tweaks
* system: sidebar optimisation and fixes (contributed by Team Rebellion)
* system: set short Cache-Control lifetime for widgets
* interfaces: rewrote GRE configuration using MVC/API
* interfaces: rewrote GIF configuration using MVC/API
* interfaces: temporary flush SLAAC addresses in DHCPv6 WAN mode to avoid using them primarily
* interfaces: add peer/peer6 options to CARP VIPs
* interfaces: allow to assign a prefix ID to WAN interface in DHCPv6 as well
* interfaces: allow to set manual interface ID in DHCPv6 and tracking modes
* firewall: performance improvements in alias handling
* firewall: refactor pftop output, move search to controller layer and implement cache for sessions page
* firewall: support streaming of filter logs for the new dashboard widget
* captive portal: add “Allow inbound” option to select interfaces which may enter the zone
* captive portal: remove defunct transparent proxy settings
* captive portal: clean up the codebase
* ipsec: prevent gateway when remote gateway family does not match selected protocol in legacy tunnel configuration
* isc-dhcp: do not reload DNS services when editing static mappings to match behaviour with Kea
* monit: expose HTTPD username and password settings to GUI
* openvpn: optionally support DCO devices for instances
* openvpn: remove duplicate and irrelevant data for the client session in question
* openvpn: add “remote\_cert\_tls” option to instances
* backend: add “cache\_ttl” parameter to allow for generic caching of actions
* backend: run default action “configd actions” when none was specified
* backend: extended support for streaming actions
* installer: update the ZFS install script to the latest FreeBSD 14.1 code
* installer: prefer ZFS over UFS in main menu selection
* ui: assorted improvements for screen readers (contributed by Jason Fayre)
* ui: add “select all” to standard form selectors and remove dialog on “clear all” for tokenizers
* ui: lock save button while in progress to prevent duplicate input on Bootgrid
* ui: backport accessibility fix in Bootstrap
* mvc: replaced most of the Phalcon MVC use with a native band compatible implementation
* mvc: improve searchRecordsetBase() filtering capabilities
* mvc: improve container field cloning
* mvc: remove obsolete getParams() usage in ApiControllerBase
* mvc: hook default index action in API handler
* plugins: os-acme-client 4.4 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.7/security/acme-client/pkg-descr)
* plugins: os-caddy 1.6.1 [\[3\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr)
* plugins: os-dec-hw 1.1 replaces the dashboard widget
* plugins: os-etpro-telemetry 1.7 replaces dashboard widget
* plugins: os-freeradius 1.29.4 [\[4\]](https://github.com/opnsense/plugins/blob/stable/24.7/net/freeradius/pkg-descr)
* plugins: os-nginx 1.34 [\[5\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/nginx/pkg-descr)
* plugins: os-theme-cicada 1.37 fixes dropdown element style (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.47 fixes dropdown element style (contributed by Team Rebellion)
* src: FreeBSD 14.1-RELEASE [\[6\]](https://www.freebsd.org/releases/14.1R/relnotes/)
* src: assorted backports from FreeBSD stable/14 branch
* ports: hostapd 2.11 [\[7\]](https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog)
* ports: libpfctl 0.12
* ports: phalcon 5.8.0 [\[8\]](https://github.com/phalcon/cphalcon/releases/tag/v5.8.0)
* ports: openvpn 2.6.12 [\[9\]](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.12)
* ports: wpa\_supplicant 2.11 [\[10\]](https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog)
A hotfix release was issued as 24.7\_5:
* system: fix disk widget byte unit “B” parsing crashing the whole widget
* interfaces: improve apply of the new peer/peer6 options to avoid unneeded reset
* firewall: fix one-to-one NAT migration with external address without a subnet set
* openvpn: disable DCO permanently in legacy client/server configuration
* mvc: fix API regression due to getParams() removal
* plugins: os-udpbroadcastrelay API error fixes (contributed by Team Rebellion)
A hotfix release was issued as 24.7\_9:
* system: increase widget timeout to 5 seconds
* system: cores and threads flipped in system widget
* system: increase the PHP children count of the web GUI
* mvc: make Response->setContentType() second argument optional
* plugins: os-theme-rebellion 1.9 fixes compatibility issues with new dashboard (contributed by Team Rebellion)
Migration notes, known issues and limitations:
* The dashboard has been replaced. Widgets from the old format are no longer supported and need to be rewritten by the respective authors.
* ISC DHCP will no longer reload DNS services on static mapping edits. This is for feature parity with Kea DHCP and avoiding cross-service complications. If you expect your static mappings to show up in a particular DNS service please restart this service manually.
The public key for the 24.7 series is:
\# -----BEGIN PUBLIC KEY-----
\# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAunCgLymz7ichjk+uZ4pR
\# XwFX8FxG0KFBf4f6kCfQ+wNF9KTFBELzGg2tXPUmrJD/DzcMqQExP3WyTg0Z96ZW
\# HofN2AbOCG84PpNlsKXpaUtm9Ow8kiYh7tn26eX7FaOEPtpJkMiwUymbCJJaPE0O
\# smQbWGnJTvF8LTmuviPoiMrPv1cJ0kEyJvjDD0yMw1HrIgwPOazGmTQiuM3LoLOK
\# F0KWf2p40c77QDOuGC7AIobQgDkZTabfU7PQUn6gDiKARYCst7y2xX3OQ7foXCJW
\# nDDypfbfHixv77mVAeIED0h9ZsQaIHskL2dqqRbFHiY+OHjQTCAJP1Ptm/HGSCdj
\# GOjpuD4WXvxru8AgcOCh6GpqO4IbByIHXu+67Ur3UBlxsp4x44lxBWXQzeemVhaS
\# ZAmkJNemw51oRDTxYtpR7TF3OlgLAQBOB/0tqHmkbSBouQ6PK7HYzNglu9LStxo1
\# uxgMss5q8GoZCkWKvRDz87YceeC75l0aWOVnkOMmC5Lf+fFMJp6TF7BzCi3ZC7CD
\# DQchBlE2F98D3E7KiI4vGrLUj3qKwfwV41JSQ8OtwOV+KFGOmyHeNassTQHm1Mdn
\# reTzHeusqUdAL7+pXH1XNwoFSZo7A6RoZzTzb0p7WYbKU9SV39DPytsYES7FsyY8
\# l7+AsM+sBOY1ngeB/twBzyUCAwEAAQ==
\# -----END PUBLIC KEY-----
\# SHA256 (OPNsense-24.7-dvd-amd64.iso.bz2) = 4452df716417cac324bb06322fc4428870ac2a64fd6ae47675a421e8db0a18b5
\# SHA256 (OPNsense-24.7-nano-amd64.img.bz2) = a44711b6c088d6d12434afef9a3ccadc4ef1b56e44babd13e4b199589170c51a
\# SHA256 (OPNsense-24.7-serial-amd64.img.bz2) = a94207c3515389c3fab5c6d72eeda4951526f9f50f06794ad9a4c1478bc8e8d0
\# SHA256 (OPNsense-24.7-vga-amd64.img.bz2) = 11031aecabce97f6d5502f943d347704b5a888ec213d7f9229200877d72f297c
24.7.r2 (July 19, 2024)[](#r2-july-19-2024 "Permalink to this heading")
-------------------------------------------------------------------------
For more than 9 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3
Download links, an installation guide [\[1\]](https://docs.opnsense.org/manual/install.html)
and the checksums for the images can be found below as well.
* Europe: [https://opnsense.c0urier.net/releases/24.7/](https://opnsense.c0urier.net/releases/24.7/)
* US East Coast: [https://mirror.wdc1.us.leaseweb.net/opnsense/releases/24.7/](https://mirror.wdc1.us.leaseweb.net/opnsense/releases/24.7/)
* US West Coast: [https://mirror.sfo12.us.leaseweb.net/opnsense/releases/24.7/](https://mirror.sfo12.us.leaseweb.net/opnsense/releases/24.7/)
* South America: [http://mirror.ueb.edu.ec/opnsense/releases/24.7/](http://mirror.ueb.edu.ec/opnsense/releases/24.7/)
* East Asia: [https://mirror.ntct.edu.tw/opnsense/releases/24.7/](https://mirror.ntct.edu.tw/opnsense/releases/24.7/)
* Full mirror list: [https://opnsense.org/download/](https://opnsense.org/download/)
Here are the full changes against version 24.7-RC1:
* system: assorted dashboard widget tweaks
* system: sidebar optimisation and fixes (contributed by Team Rebellion)
* installer: update the ZFS install script to the latest FreeBSD 14.1 code
* mvc: remove obsolete getParams() usage in ApiControllerBase
* mvc: hook default index action in API handler
* src: assorted backports from FreeBSD stable/14 branch
* plugins: os-caddy 1.6.1 [\[2\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr)
* plugins: os-dec-hw 1.1 replaces the dashboard widget
* plugins: os-nginx 1.34 [\[3\]](https://github.com/opnsense/plugins/blob/stable/24.7/www/nginx/pkg-descr)
* plugins: os-theme-cicada 1.37 fixes dropdown element style (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.47 fixes dropdown element style (contributed by Team Rebellion)
Migration notes, known issues and limitations:
* The dashboard has been replaced. Widgets from the old format are no longer supported and need to be rewritten by the respective authors.
* ISC DHCP will no longer reload DNS services on static mapping edits. This is for feature parity with Kea DHCP and avoiding cross-service complications. If you expect your static mappings to show up in a particular DNS service please restart this service manually.
The public key for the 24.7 series is:
\# -----BEGIN PUBLIC KEY-----
\# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAunCgLymz7ichjk+uZ4pR
\# XwFX8FxG0KFBf4f6kCfQ+wNF9KTFBELzGg2tXPUmrJD/DzcMqQExP3WyTg0Z96ZW
\# HofN2AbOCG84PpNlsKXpaUtm9Ow8kiYh7tn26eX7FaOEPtpJkMiwUymbCJJaPE0O
\# smQbWGnJTvF8LTmuviPoiMrPv1cJ0kEyJvjDD0yMw1HrIgwPOazGmTQiuM3LoLOK
\# F0KWf2p40c77QDOuGC7AIobQgDkZTabfU7PQUn6gDiKARYCst7y2xX3OQ7foXCJW
\# nDDypfbfHixv77mVAeIED0h9ZsQaIHskL2dqqRbFHiY+OHjQTCAJP1Ptm/HGSCdj
\# GOjpuD4WXvxru8AgcOCh6GpqO4IbByIHXu+67Ur3UBlxsp4x44lxBWXQzeemVhaS
\# ZAmkJNemw51oRDTxYtpR7TF3OlgLAQBOB/0tqHmkbSBouQ6PK7HYzNglu9LStxo1
\# uxgMss5q8GoZCkWKvRDz87YceeC75l0aWOVnkOMmC5Lf+fFMJp6TF7BzCi3ZC7CD
\# DQchBlE2F98D3E7KiI4vGrLUj3qKwfwV41JSQ8OtwOV+KFGOmyHeNassTQHm1Mdn
\# reTzHeusqUdAL7+pXH1XNwoFSZo7A6RoZzTzb0p7WYbKU9SV39DPytsYES7FsyY8
\# l7+AsM+sBOY1ngeB/twBzyUCAwEAAQ==
\# -----END PUBLIC KEY-----
Please let us know about your experience!
\# SHA256 (OPNsense-24.7.r2-dvd-amd64.iso.bz2) = 43617bcb97b40a4c681c9468e0f7837aef9e7ff3849377649ab350287ad4639b
\# SHA256 (OPNsense-24.7.r2-nano-amd64.img.bz2) = 8fad59de6fdb07b9df2edb637a9d5f18a892d462d76118da6270dede90180a35
\# SHA256 (OPNsense-24.7.r2-serial-amd64.img.bz2) = 5c4d9b6f7ef4baf555c43d949f5946b59856fea45303a4b32890c102909d9f75
\# SHA256 (OPNsense-24.7.r2-vga-amd64.img.bz2) = 46f78b3fa40a429f52adbe1caf923cb8f4856e01ff61888b3db2658b43fe3f56
24.7.r1 (July 16, 2024)[](#r1-july-16-2024 "Permalink to this heading")
-------------------------------------------------------------------------
If you have not heard: 24.7-RC1 is an online update. You can update from the 24.7-BETA and switch to the community release type for the stable track which leads into 24.7.x. The development version of the upcoming 24.1.11 release will also be able to update to the RC. An RC2 will follow up with the relevant images and additional information at the end of the week.
Here are the full changes against version 24.1.10:
* system: remove “load\_balancer” configuration remnants from core
* system: replace usage of mt\_rand() with random\_int()
* system: rewrote Trust configuration using MVC/API
* system: add XMLRPC option for OpenDNS
* system: rewrote the high availability settings page using MVC/API
* system: remove obsolete SSH DSA key handling
* system: replaced the dashboard with a modern alternative with streaming widgets
* system: harden a number of PHP settings according to best practices
* system: support streaming of log files for the new dashboard widget
* interfaces: rewrote GRE configuration using MVC/API
* interfaces: rewrote GIF configuration using MVC/API
* interfaces: temporary flush SLAAC addresses in DHCPv6 WAN mode to avoid using them primarily
* interfaces: add peer/peer6 options to CARP VIPs
* interfaces: allow to assign a prefix ID to WAN interface in DHCPv6 as well
* interfaces: allow to set manual interface ID in DHCPv6 and tracking modes
* firewall: performance improvements in alias handling
* firewall: refactor pftop output, move search to controller layer and implement cache for sessions page
* firewall: support streaming of filter logs for the new dashboard widget
* captive portal: add “Allow inbound” option to select interfaces which may enter the zone
* captive portal: remove defunct transparent proxy settings
* captive portal: clean up the codebase
* ipsec: prevent gateway when remote gateway family does not match selected protocol in legacy tunnel configuration
* isc-dhcp: do not reload DNS services when editing static mappings to match behaviour with Kea
* monit: expose HTTPD username and password settings to GUI
* openvpn: optionally support DCO devices for instances
* openvpn: remove duplicate and irrelevant data for the client session in question
* openvpn: add “remote\_cert\_tls” option to instances
* backend: add “cache\_ttl” parameter to allow for generic caching of actions
* backend: run default action “configd actions” when none was specified
* backend: extended support for streaming actions
* ui: assorted improvements for screen readers (contributed by Jason Fayre)
* ui: add “select all” to standard form selectors and remove dialog on “clear all” for tokenizers
* ui: lock save button while in progress to prevent duplicate input on Bootgrid
* ui: backport accessibility fix in Bootstrap
* mvc: replaced most of the Phalcon MVC use with a native band compatible implementation
* mvc: improve searchRecordsetBase() filtering capabilities
* mvc: improve container field cloning
* plugins: os-acme-client 4.4 [\[1\]](https://github.com/opnsense/plugins/blob/stable/24.7/security/acme-client/pkg-descr)
* plugins: os-etpro-telemetry 1.7 replaces dashboard widget
* src: FreeBSD 14.1-RELEASE [\[2\]](https://www.freebsd.org/releases/14.1R/relnotes/)
* ports: phalcon 5.8.0 [\[3\]](https://github.com/phalcon/cphalcon/releases/tag/v5.8.0)
Migration notes, known issues and limitations:
* The dashboard has been replaced. Widgets from the old format are no longer supported and need to be rewritten by the respective authors.
* ISC DHCP will no longer reload DNS services on static mapping edits. This is for feature parity with Kea DHCP and avoiding cross-service complications. If you expect your static mappings to show up in a particular DNS service please restart this service manually.
24.7.b (June 13, 2024)[](#b-june-13-2024 "Permalink to this heading")
-----------------------------------------------------------------------
Since OPNsense 24.7 will be based on a newer FreeBSD major version it is crucial for us to release these BETA images based on the latest development state. This is not meant for production use but all plugins are provided and future updates of installations based on these images will be possible.
[https://pkg.opnsense.org/releases/24.7/](https://pkg.opnsense.org/releases/24.7/)
There is a bit more work to be done yet most of the milestones have already been reached. If you have a test deployment or would like to check out some of the new features these images are for you. Together we can make OPNsense better than it ever was.
The final release date for 24.7 is July 24. A release candidate will follow in early July.
Highlights over the current 24.1 series include:
* Dashboard replacement with streaming widgets
* System: High Availability: Settings page has been converted to MVC
* System: Trust section has been converted to MVC/API
* Interfaces: GIF section has been converted to MVC/API
* Interfaces: GRE section has been converted to MVC/API
* Firewall: NAT 1-to-1 has been converted to MVC/API
* Added experimental OpenVPN DCO device type support
* Added unicast CARP support to Virtual IPs
* DHCPv6 on WAN can now assign a prefix subnet to itself and support static interface identifiers
* Built-in cache capability for backend commands
* Captive portal backend refactor and new “Allow inbound interfaces” option
* Large portions of Phalcon MVC have been replaced by native PHP implementation
* FreeBSD 14.1
The public key for the 24.7 series is:
\# -----BEGIN PUBLIC KEY-----
\# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAunCgLymz7ichjk+uZ4pR
\# XwFX8FxG0KFBf4f6kCfQ+wNF9KTFBELzGg2tXPUmrJD/DzcMqQExP3WyTg0Z96ZW
\# HofN2AbOCG84PpNlsKXpaUtm9Ow8kiYh7tn26eX7FaOEPtpJkMiwUymbCJJaPE0O
\# smQbWGnJTvF8LTmuviPoiMrPv1cJ0kEyJvjDD0yMw1HrIgwPOazGmTQiuM3LoLOK
\# F0KWf2p40c77QDOuGC7AIobQgDkZTabfU7PQUn6gDiKARYCst7y2xX3OQ7foXCJW
\# nDDypfbfHixv77mVAeIED0h9ZsQaIHskL2dqqRbFHiY+OHjQTCAJP1Ptm/HGSCdj
\# GOjpuD4WXvxru8AgcOCh6GpqO4IbByIHXu+67Ur3UBlxsp4x44lxBWXQzeemVhaS
\# ZAmkJNemw51oRDTxYtpR7TF3OlgLAQBOB/0tqHmkbSBouQ6PK7HYzNglu9LStxo1
\# uxgMss5q8GoZCkWKvRDz87YceeC75l0aWOVnkOMmC5Lf+fFMJp6TF7BzCi3ZC7CD
\# DQchBlE2F98D3E7KiI4vGrLUj3qKwfwV41JSQ8OtwOV+KFGOmyHeNassTQHm1Mdn
\# reTzHeusqUdAL7+pXH1XNwoFSZo7A6RoZzTzb0p7WYbKU9SV39DPytsYES7FsyY8
\# l7+AsM+sBOY1ngeB/twBzyUCAwEAAQ==
\# -----END PUBLIC KEY-----
Please let us know about your experience!
\# SHA256 (OPNsense-devel-24.7.b-dvd-amd64.iso.bz2) = af740f12d4363d13e96ad95ac06dd1d659009c345af3e8ff6d544a66200ba93f
\# SHA256 (OPNsense-devel-24.7.b-nano-amd64.img.bz2) = 394e150c3cb22b7f2d2b131fc2bcb545355e6a129b7d9afe2ced9c4364bfa862
\# SHA256 (OPNsense-devel-24.7.b-serial-amd64.img.bz2) = a8770d247400859e66151aae177171f141ea7064de98728edfc22a77d8d5f447
\# SHA256 (OPNsense-devel-24.7.b-vga-amd64.img.bz2) = 046bba7c48312578f819535a0f29210e24f9bcb1e8153256fb15a35a62f3d443
---
# Unknown
STIC Evaluation Technical Report STIC\_OPNSENSE\_MEDIUM-2404 1.0 2024/08/29 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 2/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. CHANGELOG Version Date Author Reason Changes 1.0 2024/08/29 DAT Document creation. First version. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 3/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. INDEX 1 Introduction .............................................................................................................. 5 1.1 Evaluation Technical Report information ......................................................... 5 1.2 TOE developer information .............................................................................. 5 2 TOE description ........................................................................................................ 6 2.1 Functional description of the TOE .................................................................... 6 2.2 Inventory of security functions ........................................................................ 7 3 Operational environment ....................................................................................... 11 3.1 Description of the operational environment ................................................. 11 3.2 Operational environment assumptions ......................................................... 12 4 Executive summary of the evaluation .................................................................... 13 5 Verdict of the evaluation ........................................................................................ 15 6 TOE installation and review of the installation, configuration and operation guides 16 6.1 Evaluation activities ........................................................................................ 16 6.2 Detailed configuration of the operational environment................................ 17 6.3 Description of the installation and configuration of the TOE installation ..... 17 6.3.1 Setting a subscription key ....................................................................... 24 6.3.2 Updating to 24.04.1\_3 version ............................................................... 25 6.3.3 Enabling access logs ................................................................................ 25 6.3.4 Change shell type and inactivity timeout ............................................... 26 6.3.5 Defining a password policy ..................................................................... 26 6.3.6 Add a read-only audit role ...................................................................... 27 6.3.7 Disable root user for SSH ........................................................................ 29 6.3.8 Configure system backups rotation ........................................................ 29 6.3.9 Configure two-factor authentication ..................................................... 30 6.3.10 Configuring configd access control ......................................................... 31 6.3.11 Web interface TLS cipher suites configuration ...................................... 31 6.3.12 SSH cryptographic parameters configuration ........................................ 32 6.3.13 Syslog client TLS cipher suites configuration .......................................... 33 6.3.14 Installing certificates from trustworthy CA ............................................ 34 6.4 Verification of the installed TOE version ........................................................ 34 6.5 Used installation options ................................................................................ 34 6.6 Results............................................................................................................. 34 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 4/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 7 Conformity assessment .......................................................................................... 35 7.1 Functional tests .............................................................................................. 35 7.1.1 Evaluation activities ................................................................................ 35 7.1.2 List of functional tests ............................................................................ 35 7.1.3 Results..................................................................................................... 36 8 Vulnerability analysis .............................................................................................. 37 8.1 Evaluation activities ........................................................................................ 37 8.2 Methodology used for the analysis ................................................................ 38 8.3 TOE vulnerability analysis ............................................................................... 38 8.4 List of potential vulnerabilities ....................................................................... 39 8.5 Results............................................................................................................. 39 9 References .............................................................................................................. 40 9.1 Developer Evidences ...................................................................................... 40 10 Acronyms ............................................................................................................ 41 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 5/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 1 INTRODUCTION This document is the National Essential Security Certification (LINCE) Evaluation Technical Report (ETR) for the TOE OPNsense Business Edition according to the method described in \[CCN-STIC-2001\] and \[CCN-STIC-2002\]. The results only affect the tested TOE, so they may not be representative of other manufacturer developments. No part of this report may be reproduced without the express permission of the laboratory. 1.1 EVALUATION TECHNICAL REPORT INFORMATION ETR reference STIC\_OPNSENSE\_MEDIUM-2404-ETR- v1.0 ETR version 1.0 Author or authors DAT Reviewer ACP Approved by JTG Start date of the works 2024/08/27 End date of the works 2024/08/29 CB dossier code N/A Laboratory project code STIC\_OPNSENSE\_MEDIUM-2404 Type of evaluation Complementary STIC Product Taxonomy N/A Evaluation Laboratory holding the accreditation jtsec Beyond IT Security SLU (ESB93551422) Laboratory address Avenida de la Constitución 20 Oficina 208. CP 18012 Granada, España. Address where the work is done Avenida de la Constitución 20 Oficina 208. CP 18012 Granada, España. 1.2 TOE DEVELOPER INFORMATION Applicant data Deciso B.V. Applicant’s contact information Ad Schellevis +31(0)187744020 a.a.schellevis@deciso.com Edison 43, 3241 LS Middelharnis, The Netherlands. Developer data Deciso B.V. TOE name OPNsense Business Edition TOE version 24.4.1\_3 Operating manuals of the product \[OPNSENSE-DOCS-D971B9D\] 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 6/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 2 TOE DESCRIPTION The information in this section is provided by the manufacturer in the latest version of its Security Target. 2.1 FUNCTIONAL DESCRIPTION OF THE TOE OPNsense Business Edition, from now on referred as TOE, is a stateful software-based firewall. It is in charge of interconnecting two or more networks, channelling all communications between them through itself to examine each message and block those that do not meet the specified security criteria. The TOE includes both the firewall application and the platform/operating system on which it operates. The underlying operating system, based on FreeBSD, is an essential component of the TOE, as it provides the necessary capabilities for the secure execution of the TOE. The TOE is thus considered as an integrated solution comprising: 1. Firewall application: implements traffic filtering and security policy management functionality. 2. Platform/Operating System: FreeBSD, specifically configured to support the security operations required by the TOE. 3. Management Interface: Includes both the command line interface (CLI) and the graphical user interface (GUI), through which the administration of the TOE is performed. Although the TOE offers a wide range of additional functionalities, such as VPN, proxy, intrusion detection, among others, the scope of evaluation focuses on the firewall functionality (traffic filtering and policy management). In this context, the TOE interconnect two or more networks so that all communications between these networks pass through it, in order to examine each message and filtering those that do not meet the specified security criteria. Filtering is implemented at various levels within the layers defined by the Open Systems Interconnection model (ISO/IEC 7498-1), specifically addressing network (Layer 3) and transport (Layer 4). Regarding to the TOE management, the TOE can be managed by two different interfaces: • CLI interface: o Local access: Available directly on the machine where the TOE is installed, allowing administrators to perform the initial configuration, maintenance and management of the system without the need for a network connection. o Remote access: which allows remote TOE management via SSHv2. The use of this interface is not allowed to the root user. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 7/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. • GUI interface: it is a web interface which allows TOE management via HTTPS (over TLSv1.2 or higher). 2.2 INVENTORY OF SECURITY FUNCTIONS This evaluation takes as a baseline the LINCE evaluation carried out for the same TOE that is the subject of this STIC evaluation, OPNsense Business Edition. This LINCE evaluation has been carried out in accordance with the Security Target \[ST-08\], which is essentially based on \[CCN-STIC-140-D3M\]. The evaluator has considered the Impact Analysis Report \[IAR-10\] when defining the requirements to be tested in this evaluation. Those requirements that have been affected by changes in the product from the version evaluated in the LINCE to the initial version of this STIC evaluation will be retested. Therefore: 1. A coverage analysis has been carried out, considering \[ST-08\] and \[IAR-10\]. 2. The SFRs to be evaluated have been defined according to the TOE version of this assessment. The analysis performed is included in the following table: Requirement from \[ST-08\] Retested in the present evaluation? ADM.1 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. ADM.2 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. ADM.3 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. IAU.1 Not covered, requirement to test in the present STIC evaluation. Functionality was evaluated in LINCE evaluation (IAU.1 requirement) but changes (as indicated in \[IAR-10\]) introduced in the product affect such functionality; therefore, retesting is a necessity. Related change is described as "system: prevent activating shell for non- admins". IAU.2 Considered covered since changes introduced and described in \[IAR-10\] are not related to the 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 8/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. functionality described; therefore, retesting is not considered necessary. IAU.3 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. IAU.4 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. COM.1 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. COM.2 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. COM.3 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. COM.4 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. CIF.1 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. ACT.1 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. ACT.2 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. ACT.3 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. AUD.1 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 9/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. AUD.2 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. AUD.3 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. AUD.4 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. AUD.5 Not covered, requirement to test in the present STIC evaluation. Related requirement AUD.5 was evaluated in LINCE evaluation but changes (as indicated in \[IAR-10\]) introduced in the product affect such functionality; therefore, retesting is a necessity. Related changes are described as "system: fix maximum log file size being ignored when there is only one file" and "system: make log rotate action available to Cron". PSC.1 Not covered, requirement to test in the present STIC evaluation. Functionality was evaluated in LINCE evaluation (PSC.1 requirement) but changes (as indicated in \[IAR-10\]) introduced in the product affect such functionality; therefore, retesting is a necessity. Related change is described as "system: limit file system /conf/config.xml and backups access to administrators". FWL.1 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. FWL.2 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. FWL.3 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. FWL.4 Considered covered since changes introduced and described in \[IAR-10\] are not related to the functionality described; therefore, retesting is not considered necessary. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 10/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. Given the previous analysis, the requirements to verify in the present report are the following: Requirement Description IAU.1 The TOE shall identify and authenticate every user through username and password before grating access to the GUI and administrative users through the CLI interfaces. AUD.5 The TOE shall implement a rotation mechanism based on two main configurations: • "preservelogs": Determines the number of logs to be kept before deletion. • "maxfilessize": Sets a limit on the maximum size allowed for each log file. If a log file exceeds the "maxfilesize" limit, an early log rotation will be forced, preserving the integrity of the logs without compromising the available storage space. PSC.1 The TOE shall ensure that the specific directory where are stored credentials (login passwords) and private keys has read/write permissions only for the root user and read permissions for the administrator users included in wheel user group by a previously defined control access. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 11/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 3 OPERATIONAL ENVIRONMENT 3.1 DESCRIPTION OF THE OPERATIONAL ENVIRONMENT The following diagram shows the operational environment where the TOE is typically deployed: The main entities that compose the operational environment are described below: • Administrator: The Administrator user has the permissions to configure and manage the TOE. In order to access the GUI and CLI interfaces, the administrator's PC requires a web browser and a command prompt respectively. • Internal Network: This network contains several connected devices, such as computers, servers and other devices. The TOE protects this network by filtering the incoming and outgoing traffic. • External network: The set of networks and devices that communicate with the internal network in both directions (ingoing and outgoing). The incoming and outgoing traffic to the internal networks is filtered by the TOE. • External syslog server: This server receives and stores the log files generated by the TOE. • External update server: This server is listening for petitions from the TOE for updating purposes (requests to know if new updates are available, updates delivery...). Hardware requirements To install the TOE the virtual machine should have the following hardware prerequisites: • Minimum required RAM is 1GB 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 12/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. • Minimum recommended virtual disk size of 8 GB. 3.2 OPERATIONAL ENVIRONMENT ASSUMPTIONS This section contains the assumptions presented by the manufacturer in the latest version of his Security Target. They are described below: Assumption Description A.PHYSICAL PROTECTION The product shall be physically protected by its environment and not subject to physical attacks that could compromise its security or interfere with its proper operation. A.LIMITED FUNCTIONALITY The product shall only provide network access control functionality as its primary function and shall not provide any other functionality or service. A.TRUSTED ADMINISTRATOR Administrators shall be members of the organization who are fully trusted and have the best security interests for the organization. They shall be properly trained and shall be free of any malicious intent or conflict of interest in managing the product. A.PERIODIC UPDATES The software of the product is updated when new updates that fix known vulnerabilities appear. A.PROTECTION OF THE CREDENTIALS All credentials, especially the administrator's, must be properly protected by the organization using the product be properly protected by the organization. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 13/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 4 EXECUTIVE SUMMARY OF THE EVALUATION The present STIC evaluation for the product OPNsense Business Edition has been carried out following the LINCE methodology in order to verify if the product covers a set of requirements declared in the Security Target from a past LINCE evaluation. The main purpose of the present evaluation is to verify if such requirements are still met in the version 24.04.1\_3 of the TOE and identify any deviation. In order to define the requirements to retest in the present STIC evaluation, the evaluation has taken the Security Target from the previous LINCE evaluation for OPNsense Business Edition version 23.10 (\[ST-08\]) as a baseline. Given the requirements in such Security Target, the changes introduced in the product are analysed with the objective of determining which requirements need to be retested; these are the ones whose functionality are impacted by a change included throughout product versions up to the TOE version in the current evaluation \[TOE-2441\_3\]. The analysis and definition of the requirements is included in section 2.2 Inventory of security functions. Briefly, only the requirements IAU.1, AUD.5 and PSC.1 are considered in need of retesting, given a few changes included in the product as defined in the manufacturer's changelogs. This evaluation dismisses the analysis of the Security Target, as this STIC evaluation does not involves its own Security Target, and the sections related to such tasks are not included in the present report. The installation procedure does not reveal any non-conformities, the procedure remains the same as described in LINCE Security Target \[ST-08\]. It just differs in one aspect, the indications related to the modification of permissions related to the configuration file /conf/config.xml are not followed as it would not make sense to manually change such permissions since \[IAR-10\] reveals a change that suggests that such permissions are applied by default. Therefore, the permissions are unmodified, and they are analysed in the functional test related to the pertinent requirement. Since most of the changes reviewed and defined in \[IAR-10\] are deemed not related to most of the requirements, only a few requirements are considered in necessity of retesting. The execution of these functional tests reveals the following: • \[TOE-2441\_3\] does not meet the requirement IAU.1 as described in the Security Target \[ST-08\] which is taken as an initial reference for the present evaluation. The test reveals that not every user is now able to access all interfaces, local access through the CLI/SSH interface is not allowed for non-administrator users. This behaviour is deemed not consistent with IAU.1; therefore, the non- conformity OR01.NC01 is generated. This behaviour is not considered conflictive security-wise since it is more restrictive, only administrative users are allowed to access the TOE locally. In order to address this inconsistency, the definition of the requirement declared in section 2.2 Inventory of security functions of the present report is refined to express accurately the behaviour of the TOE and the non-conformity is deemed closed. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 14/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. After executing the functional tests, the vulnerability analysis was conducted. This phase mainly involves the review of public vulnerabilities related to the TOE and its third-party components or libraries. This analysis does not reveal public vulnerabilities (CVE) that could affect the TOE at the date this report is developed. It is worth noting that vulnerabilities related to the evaluated functionality have not been considered or identified, given that the functionality tested in the present evaluation is minimal and most functionality remains the same as in the previous LINCE evaluation and additional functionality has not been added. For this reason, penetration tests have been dismissed in the present evaluation. Since no penetration tests are performed, the sections related to such tasks are not included in the present report. Given the results obtained in the present evaluation, it is deemed that \[TOE-2441\_3\] meets ENS medium category and the evaluation is assigned a PASS verdict. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 15/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 5 VERDICT OF THE EVALUATION After analyzing the results of the evaluation, the laboratory determines that the verdict is PASS. The TOE installation phase does not reveal any non-conformity. The functional test phase does not reveal any non-conformity. The vulnerability analysis does not reveal any non-conformity. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 16/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 6 TOE INSTALLATION AND REVIEW OF THE INSTALLATION, CONFIGURATION AND OPERATION GUIDES Documents used during installation \[OPNSENSE-DOCS-D971B9D\] Evaluator DAT Days required 1 day. Date 2024/08/29 Results of the evaluator's work PASS 6.1 EVALUATION ACTIVITIES This section contains the evaluation activities defined in section 4.2 of \[CCN-STIC-2002\] as well as a brief description of the result of these tasks on the TOE and its documentation. TE.2.1. Verify that the applicant has provided the required test platform to perform the tests on the product. PASS The manufacturer has provided the evaluator with the platform required for testing, as well as the necessary documentation to make use of it within the conditions of the evaluation. TE.2.2. Check that the installation and operation guides describe the roles and privileges for the different user roles defined in the TOE that allow the TOE to be installed and operated in a secure manner. PASS The guides provided by the manufacturer clearly describe the roles and privileges of the various TOE users that allow the TOE to be installed and operated safely. TE.2.3. Check that, according to the product installation or configuration guides, it is possible to install the product according to the configuration(s) described in the Security Target. o In the case of products that can be installed on several operating system versions, the operating system used and its version must be indicated as precisely as possible (patch, service pack, etc.). o If the product allows several mounting/configuration (set-up) modes, the guides must clearly indicate which mode is evaluated. The identification of this mode shall be indicated in the Security Target. o If the product supports different settings in its configuration, the guides must clearly differentiate between those that are part of the scope of the evaluation and those that are not. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 17/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. o If the product requires installation, the product shall be installed in the configuration specified in the installation guide. Additionally, the applicant shall provide documentation related to the different configuration modes existing in the product. PASS The evaluator has been able to install the product exclusively following the contents of the manufacturer's documentation, provided through \[ST-08\] and \[OPNSENSE-DOCS-D971B9D\]. TE.2.4. Check that the version of the TOE installed corresponds to the one declared in the Security Target and that the guides describe the TOE identification procedure to the TOE consumers. PASS The evaluator has followed the guidelines provided by the manufacturer and has been able to correctly verify that the version of the TOE installed corresponds to the version subject to the current evaluation as can be seen in 6.4 Verification of the installed TOE version. TE.2.5. The evaluator shall register the relevant information to successfully install the TOE. PASS The information necessary to carry out the complete installation of the product, under the same conditions as those used for this evaluation, can be found in the sections 6.2 Detailed configuration of the operational environment and 6.3 Description of the installation and configuration of the TOE. TE.2.6. The evaluator shall register all system’s configuration specific data when appropriate. PASS The specific data used during the TOE preparation and configuration process is reflected in the 6.5 Used installation options. TE.2.7. The evaluator shall register every non-conformity in regards to the installation and configuration of the TOE or the test environment. PASS No non-conformities were found regarding the installation process of the TOE and its documentation. The results are summarized in the section 6.6 Results. 6.2 DETAILED CONFIGURATION OF THE OPERATIONAL ENVIRONMENT The test scenarios are described in section 11 Annex A: Test scenarios. 6.3 DESCRIPTION OF THE INSTALLATION AND CONFIGURATION OF THE TOE INSTALLATION To perform the installation, the steps needed are the following: 1. Open VMware and click on Create a new virtual machine. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 18/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 2. Select \[TOE-ISO-2404\] and click on “Next”. 3. Give a name to the virtual machine and click on “Next”. 4. Set 30GB as disk size. 5. Click on Customize Hardware → Memory and set 1GB of RAM memory. Add a network adapter and configure the virtual networks as shown (“Network Adapter” set to VMnet2 and “Network Adapter 2” set to VMnet8). 6. Press “Close”. 7. Click on “Finish”. 8. Wait for the TOE to boot up. 9. In order to install the TOE, log in with the user “installer” and authenticate with the password “opnsense”. 10. Select the keyboard layout. 11. Indicate “Continue with...”. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 19/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 12. Select “Install (ZFS)” and press Enter. 13. Select “stripe” and press Enter. 14. Select the virtual disk and press OK. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 20/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 15. Select Yes and press Enter. 16. Select “Change root password” and press OK. 17. Define a new password for the root user. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 21/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 18. Select “Complete Install” and press OK. 19. Wait for the TOE to reboot and navigate to the web interface. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 22/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 20. Access the LAN IP address through HTTPS using a web browser and log in with the root user credentials. 21. Follow the wizard setup, press Next. 22. Give a hostname and a domain to the TOE and press Next. 23. Set NTP servers and the time zone. In this case the NTP servers configured are the ones offered by default. Press Next. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 23/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 24. Leave the default configuration for the WAN interface and press Next. 25. Leave the default configuration for the LAN interface and press Next. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 24/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 26. Set a new root password if it was not changed before. 27. Click on reload to apply the changes. 28. The TOE is now configured and ready. 6.3.1 SETTING A SUBSCRIPTION KEY The following steps are followed in order to configure a subscription key: 1. Log in through the TOE web interface with the root user. 2. Go to System → Firmware → Settings. 3. Indicate the Subscription key in the Subscription text box and click Save. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 25/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 6.3.2 UPDATING TO 24.04.1\_3 VERSION The TOE version in the present evaluation is 24.04.1\_3, after installing the TOE it is required to update to such version: 1. Log in through the TOE web interface with the root user. 2. Go to System → Firmware → Settings. 3. Toggle "Advanced mode". 4. Indicate "/24.4/MINT/24.4.1p2/latest" in the Flavour parameter and click Save. 5. Go to the Status tab and click Check for updates. 6. Click Update. 7. Wait for the update to be installed. 6.3.3 ENABLING ACCESS LOGS After installing the TOE, given the indications in the Security Target, the following steps are required through the web interface: 1. Enable the access log parameter in the Settings menu. In the left panel go to System → Settings → Administration and select “Enable access log”. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 26/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 6.3.4 CHANGE SHELL TYPE AND INACTIVITY TIMEOUT For the inactivity session timeout to work, it is required to change the login shell assigned to the user as indicated in the Security Target. The Security Target also indicates to change the session/inactivity timeout to 5 minutes. The steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Go to System → Access → Users. 3. For each user, change the Login shell assigned from /usr/local/sbin/opnsense- shell to /bin/csh. 4. Go to System → Settings → Administration. 5. Set the "Session Timeout" and "Inactivity timeout" parameters to 5 minutes in order to set the inactivity timeout for the GUI and CLI interfaces. 6.3.5 DEFINING A PASSWORD POLICY 1. Log in through the TOE web interface with the root user. 2. Go to System → Access → Servers. 3. Edit the "Local Database" server. 4. Enable “Password policy constraints”. Then, add a duration for passwords, the minimum length and enable complexity requirements. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 27/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 5. Save the changes. 6.3.6 ADD A READ-ONLY AUDIT ROLE In order to prevent any user (other than the root user) with read access to audit records from deleting the logs, the following steps must be followed as described in the Security Target: 1. Create a new directory that will store the new ACL by executing this command in CLI interface. mkdir -p /usr/local/opnsense/mvc/app/models/security/security/ACL 2. Create the file ACL.xml with the following content in order to create the new read-only audit role. read only logs ui/diagnostics/log/core/configd api/diagnostics/log/core/configd api/diagnostics/log/core/configd/export\* ui/diagnostics/log/core/audit api/diagnostics/log/core/audit api/diagnostics/log/core/audit/export\* 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 28/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. ui/diagnostics/log/core/boot api/diagnostics/log/core/boot api/diagnostics/log/core/boot/export\* ui/diagnostics/log/core/system api/diagnostics/log/core/system api/diagnostics/log/core/system/export\* ui/diagnostics/log/core/lighttpd api/diagnostics/log/core/lighttpd api/diagnostics/log/core/lighttpd/export\* ui/diagnostics/log/core/firewall api/diagnostics/log/core/firewall api/diagnostics/log/core/firewall/export\* ui/diagnostics/firewall/log api/diagnostics/firewall/log/\* ui/diagnostics/firewall/stats api/diagnostics/firewall/stats\* ui/diagnostics/log/core/filter api/diagnostics/log/core/filter api/diagnostics/log/core/filter/export\* 3. Clear the cache to prevent old ACL-s still being used with the following command: rm /tmp/opnsense\_acl\_cache.json After this, the new role shall appear when assigning privileges to a user or group. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 29/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 6.3.7 DISABLE ROOT USER FOR SSH The Security Target indicates that it is required to disable root access to the CLI through SSH. The steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Go to System → Settings → Administration → Secure Shell. 3. Uncheck the option "Permit root login". 6.3.8 CONFIGURE SYSTEM BACKUPS ROTATION The Security Target indicates that it is necessary to define a specific number of configuration backups to preserve. The steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Go to System → Configuration → Backups. 3. Configure the "Backup Count" parameter to 5. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 30/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 6.3.9 CONFIGURE TWO-FACTOR AUTHENTICATION The Security Target indicates that it is required to configure a 2FA as part of the user configuration process. The steps below are followed: 1. Go to System → Access → Servers 2. Click Add server in the top right corner. 3. Create a new server with the following parameters. 4. Install a Google Authenticator compatible app on your device. 5. Go to System → Access → Users. 6. Edit the root user. 7. Select "Generate a new secret (160 bit)" in the OTP parameter and click Save 8. Edit again the root user to view the seed and QR, register such token or QR code in the Google Authenticator compatible app. 9. Go to System → Access → Tester. 10. Verify that the 2FA authentication is properly configured concatenating the authenticator code and the user password "". 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 31/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 11. Go to System → Settings → Administration. 12. Change the Authentication server by selecting the "2FA" server that was just created in the dropdown menu. 6.3.10 CONFIGURING CONFIGD ACCESS CONTROL In order to prevent local non-authorized interaction with the configd backend service, the steps below are followed as described in the Security Target: 1. Log in through the TOE CLI interface with the root user. 2. Execute the following command to create a new directory: mkdir /usr/local/opnsense/service/conf/configd.conf.d 3. Add the file lockdown.conf in the previous directory with the following content: \[action\_defaults\] allowed\_groups = wheel 4. After the file is created, run the following command: service configd restart 6.3.11 WEB INTERFACE TLS CIPHER SUITES CONFIGURATION In order to meet the cryptographic requirements and conform \[CCN-STIC-807\] as declared in the Security Target, it is required to configure accepted cipher suites for TLS 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 32/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. through the web interface. This configuration affects the web portal used to manage and administrate the TOE. The steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Navigate to System → Settings → Administration. 3. In the Web GUI section, use the dropdown menu for “SSL Ciphers” to select valid cipher suites. TLS\_AES\_128\_GCM\_SHA256 TLS\_AES\_256\_GCM\_SHA384 TLS\_CHACHA20\_POLY1305\_SHA256 TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256 4. Scroll down and click Save. 6.3.12 SSH CRYPTOGRAPHIC PARAMETERS CONFIGURATION In order to meet the cryptographic requirements and conform \[CCN-STIC-807\] as declared in the Security Target, it is required to configure accepted cryptographic parameters for SSH through the web interface. This configuration affects the SSH connections that users establish with the TOE. The steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Navigate to System → Settings → Administration. 3. In the Secure Shell section, use the dropdown menu for “Key exchange algorithms”, “Ciphers”, “MACs” and “Public key signature algorithms” to select valid cryptographic parameters. a. Key exchange algorithms: i. diffie-hellman-group16-sha512 ii. diffie-hellman-group18-sha512 iii. ecdh-sha2-nistp256 iv. ecdh-sha2-nistp384 v. ecdh-sha2-nistp521 b. Ciphers: 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 33/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. i. aes128-ctr ii. aes192-ctr iii. aes256-ctr c. MACs: i. hmac-sha2-256 ii. hmac-sha2-512 d. Public key signature algorithms: i. ecdsa-sha2-nistp256 2. Scroll down and click Save. 6.3.13 SYSLOG CLIENT TLS CIPHER SUITES CONFIGURATION In order to meet the cryptographic requirements and conform \[CCN-STIC-807\] as declared in the Security Target, it is required to configure accepted cipher suites through the local command line interface. This configuration affects the TLS connections when the TOE communicates with a remote syslog server. The steps below are followed: 1. Log in through the TOE local command line and select the Shell option. 2. Edit the file /usr/local/opnsense/service/templates/OPNsense/Syslog/sysl og-ng-destinations.conf 3. In the network parameters, inside the TLS parameters, add the following lines: ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11) cipher-suite("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA- AES128-GCM- SHA256:TLS\_AES\_128\_GCM\_SHA256:TLS\_AES\_128\_GCM\_SHA256:TLS\_C HACHA20\_POLY1305\_SHA256:ECDHE-ECDSA-AES128-GCM- SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256- CCM:ECDHE-ECDSA-AES128-CCM") 4. Save the file. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 34/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 6.3.14 INSTALLING CERTIFICATES FROM TRUSTWORTHY CA In the Security Target, it is recommended to install a digital certificate signed by a trusted CA. However, a self-signed certificate generated by \[TOE-2441\_3\] itself is used in this evaluation, as it does not imply a degradation in the quality level at the functionality or testing of \[TOE-2441\_3\]. This matter is considered by the evaluator when conducting the testing. 6.4 VERIFICATION OF THE INSTALLED TOE VERSION In order to check the verification of the installed TOE version, the steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Go to System → Firmware. 3. Check the version number identifier. 6.5 USED INSTALLATION OPTIONS The selection of different installation options in order to achieve the secure configuration was not considered or required. 6.6 RESULTS ID Non-conformity State N/A None. N/A ID Comments State N/A None. N/A 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 35/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 7 CONFORMITY ASSESSMENT 7.1 FUNCTIONAL TESTS Evaluator DAT Days required 1 day. Date 2024/08/29 Results of the evaluator's work PASS 7.1.1 EVALUATION ACTIVITIES The information presented in this section covers the result of carrying out the evaluation activities specified in section 4.3 of \[CCN-STIC-2002\], with regard to functional testing of the TOE. TE.4.1. The evaluator shall check and test the product’s security functions and mechanisms to a level of detail that allows checking that the declared security functionality has been correctly implemented in the product. The evaluator must justify the sample using as a reference Annex A.2 of \[CEM\]. PASS Information concerning this task of the evaluator can be found in the section 7.1.2 List of functional tests. This information is presented in more detail in the section 12 Annex B: Functional test plan and report. TE.4.2. The evaluator shall register every non-conformity in regards to any test performed. PASS Information concerning this task of the evaluator can be found in the section 7.1.3 Results. 7.1.2 LIST OF FUNCTIONAL TESTS Security function Test code Objective Result SF. Identification and Authentication IAU.1 \[STIC\_OPNSENSE\_MEDIUM- 2404-TST-ND-0010\] Verify that the TOE identifies and authenticates users through username and password as defined in the description of the requirement. PASS SF. Audit AUD.5 \[STIC\_OPNSENSE\_MEDIUM- 2404-TST-ND-0020\] Verify that the TOE overwrites previous audit records according to the maximum log file size and PASS 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 36/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. number of logs to be kept defined. SF. Protection of credentials and sensitive data PSC.1 \[STIC\_OPNSENSE\_MEDIUM- 2404-TST-ND -0030\] Verify that the TOE stores credentials and private keys as declared in the requirement. PASS 7.1.3 RESULTS ID Non-conformity State OR01.NC01 \[STIC\_OPNSENSE\_MEDIUM-2404-TST-ND-0010\] SF. Identification and Authentication IAU.1 The requirement IAU.1 of \[ST-08\] declares the following: "The TOE shall identify and authenticate every user through username and password before grating access to the GUI and CLI interfaces.". The test related to the present non- conformity reveals that \[TOE-2441\_3\] does not allow every user to access the CLI/SSH interface, such access is now completely disabled and cannot be reenabled. Therefore, the requirement is considered inconsistent with the behaviour of the TOE. The description of the requirement was refined to express the behaviour of \[TOE-2441\_3\] accurately, the requirement now differentiates between administrative and normal users. This behaviour is not considered conflictive security-wide since it is more restrictive, only administrative users are allowed to access the TOE locally. Since results obtained are now consistent with the definition of the requirement; therefore, this issue is deemed closed. CLOSED ID Comments State N/A None. N/A 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 37/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 8 VULNERABILITY ANALYSIS Evaluator DAT Days required 1 day. Date 2024/08/29 Results of the evaluator's work PASS 8.1 EVALUATION ACTIVITIES The information presented in this section covers the result of carrying out the Evaluation activities specified in section 4.4 of \[CCN-STIC-2002\], with regard to the analysis of vulnerabilities present in the TOE. TE.5.1. The evaluator shall perform a methodic vulnerability analysis by using any means within their technical competence, using at least the following sources of information: a) Documentation provided by the applicant (e.g., Security Target, user's guides, etc.). b) Available information on the technology. c) Public vulnerability databases for the type of product taking into account in such analysis the relation of third-party libraries defined in the Security Target by the applicant. d) The product itself, which is installed on a test platform as representative as possible with respect to environment of the product. PASS The TOE vulnerability analysis is described in the 8.3 TOE vulnerability analysis . The result of this analysis is detailed in the section 13 Annex C: Vulnerability Analysis. TE.5.2 The evaluator shall document the devised vulnerability analysis methodology. PASS The method followed to carry out the vulnerability analysis is described in the section 8.2 Methodology used for the analysis. TE.5.3. Document all potential vulnerabilities found within the applicable attack potential and document possible attack scenarios based on those vulnerabilities. PASS Information regarding the vulnerabilities found is summarized in section 8.4 List of potential vulnerabilities and described in more detail in section 13 Annex C: Vulnerability Analysis. The scenarios are detailed in section 11 Annex A: Test scenarios. TE.5.4. Calculate the attack potential for each of the attack scenarios designed by the evaluator according to the scoring system described in section 4.4.1.1.1 Calculation of Attack Potential of \[CCN-STIC-2002\]. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 38/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. PASS Information concerning this task of the evaluator can be found in the section 8.4 List of potential vulnerabilities. This information is described in more detail in the section 13 Annex C: Vulnerability Analysis. TE.5.5. The evaluator shall register every non-conformity in relation to the Vulnerability Analysis. PASS Information regarding this task of the evaluator can be found in section 8.5 Results. 8.2 METHODOLOGY USED FOR THE ANALYSIS The methodology used follows the spirit of the Common Criteria \[CC\] methodology for vulnerability analysis \[CEM\]. Firstly, a survey of the TOE information available has been carried out to identify potential vulnerabilities that can be exploited by an attacker with low attack potential. An extensive analysis of the state of the art regarding the different vectors of attack on TOE-like tools has been carried out from different points of view. Based on the results of these tools and the analysis of the most common weaknesses of this type of tools, the vulnerabilities of the TOE have been identified. As part of this initial analysis, a search for public vulnerabilities in third-party components and in older versions of the TOE, if any, is performed. For each public vulnerability, its applicability is determined and a brief rationale is provided. If a public vulnerability is considered applicable, a calculation of the attack potential required to exploit the vulnerability will be performed. Next, an assessment and analysis of the vulnerabilities found has been made by performing tests that provide more information on the vulnerabilities and give rise to more sophisticated attacks. In a third step, penetration tests have been carried out based on the vulnerabilities found to check the degree of exploitability of the vulnerabilities. Finally, comprehensive and more complex penetration tests on the exploitable vulnerabilities present in the TOE have been developed as proofs of concept to illustrate the possibilities of an attacker exploiting these vulnerabilities. To calculate the distribution of the time dedicated to each vulnerability, it has been done taking into account the degree of difficulty to be exploited, as well as the severity for the integrity of the TOE that a successful attack would entail. 8.3 TOE VULNERABILITY ANALYSIS The vulnerability analysis process involves checking all security features declared in the TOE, identifying potential TOE vulnerabilities. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 39/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. The analysis process continues with the clear definition of the context of vulnerability to serve as a basis for understanding its severity and subsequent consideration. On the basis of this information, the different routes of attack on the vulnerable element are established, which, if appropriate, will be tested for penetration later. The tools used in the identification of the vulnerabilities present in the TOE are developed from information present in the TOE are developed from public information always under the requirements of time and effort marked by the methodology and developing small scripts from public information and based on the functional tests performed in the previous stage. All the security functions are analyzed, paying special attention to threats that could damage the communication between the TOE and other entities, the information stored in it and its ability to maintain the quality of its functionality in the face of attempts to circumvent the restrictions it places on the traffic. 8.4 LIST OF POTENTIAL VULNERABILITIES Code Attack potential N/A N/A 8.5 RESULTS ID Non-conformity State N/A None. N/A ID Comments State N/A None. N/A 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 40/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 9 REFERENCES \[CC\] Common Criteria for Information Technology Security Evaluation. The last approved version must be considered which is published in the website of the Certification Body. (https://oc.ccn.cni.es). \[CCN-STIC-2001\] Definition of the National Essential Security Certification (LINCE), version 2.0. March 2022. \[CCN-STIC-2002\] Evaluation Methodology for the National Essential Security Certification (LINCE), version 2.0. March 2022. \[CCN-STIC-2003\] Template for the Security Target of the National Essential Security Certification (LINCE), version 2.0. March 2022. \[CCN-STIC-807\] Use of cryptology within the National Security Scheme (Esquema Nacional de Seguridad). May 2022. \[CEM\] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology. The last approved version must be considered which is published in the website of the Certification Body. (https://oc.ccn.cni.es). \[listado\_de\_evidencias\] List of evidence in which are included the reference, title, version, path and SHA-256 hash of the different evidence provided by the manufacturer for the evaluation. \[CCN-STIC-140-D3M\] Reference Taxonomy for ICT Security Products - Annex D.3M: Firewall. 2020 August. \[ST-08\] OPNsense Business Edition Security Target version 0.8 (LINCE) \[IAR-10\] OPNsense Business Edition IAR version 1.0 9.1 DEVELOPER EVIDENCES The applicable developer evidence is listed in the latest version of the attached document \[listado\_de\_evidencias\]. 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 41/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. 10 ACRONYMS CCN Centro Criptológico Nacional CNI Centro Nacional de Inteligencia ENS Esquema Nacional de Seguridad LINCE National Essential Security Certification STIC Seguridad en las Tecnologías de Información y la Comunicación TIC Information and Communications Technology TOE Target Of Evaluation HTTPS Hypertext Transfer Protocol Secure TLS Transport Layer Security SSH Secure Socket Shell CLI Command-line interface GUI Graphical User Interface VPN Virtual Private Network PC Personal Computer RAM Random Access Memory GB GigaByte MB MegaByte CVE Common Vulnerabilities and Exposures LAN Local Area Network WAN Wide Area Network NTP Network Time Protocol OTP One-Time Password MAC Message Authentication Code RSA Rivest-Shamir-Adleman ECDHE Elliptic Curve Diffie-Hellman Ephemeral 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 42/43 jtsec Beyond IT Security SL Uncontrolled copy if printed. ECDSA Elliptic Curve Digital Signature Algorithm SHA Secure Hash Algorithm AES Advanced Encryption Standard CA Certificate Authority XML Extended Markup Language 0 STIC ETR STIC\_OPNSENSE\_MEDIUM-2404 STIC Evaluation Technical Report 43/43 jtsec Beyond IT Security SL Uncontrolled copy if printed.
---
# Unknown
STIC Evaluation Technical Report STIC\_OPNSENSE\_CQ (CUA-2022-46) 3.1 12/07/2023 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 2/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. CHANGELOG Version Date Author Reason Changes 0.1 08/06/2022 DHA First version Creation of the document 0.2 09/06/2022 DAT Comments by CPSTIC Added additional information related to the differences between Community and Business Edition. 1.0 28/07/2022 DAT Performed pertinent testing effort for BE 22.4 Added sections 4 to 11. Added annexes A, B, C, D. 2.0 12/12/2022 JAL Performed pertinent testing effort for BE 22.10 Updated security requirements from the previous evaluation. Updated sections 4 to 11. Updated annexes A, B, C, D. Deleted section related to bootup sequence hardening from installation procedure. 3.0 26/05/2023 DAT JEC Performed pertinent testing effort for BE 23.4 Updated evaluated security requirements in section 2.2. Added Version 3.0 for the executive summary. Updated sections 4 to 11. Updated annexes A, B, C, D. 3.1 12/07/2023 DAT Modifications given ETR validation report from CPSTIC. Added Version 3.1 for the executive summary. Added information for tests included in Annex B. Enhanced description for \[STIC\_OPNSENSE\_CQ- VUL-3010\]. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 3/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. TABLE OF CONTENTS 1 Introduction .............................................................................................................. 5 1.1 Evaluation Technical Report information .......................................................... 5 1.2 TOE developer information ............................................................................... 5 2 TOE description ........................................................................................................ 6 2.1 Functional description of the TOE ..................................................................... 6 2.2 Inventory of security functions .......................................................................... 7 2.2.1 ADM (Trusted administration) ................................................................... 7 2.2.2 IAU (Identification and authentication) ..................................................... 8 2.2.3 COM (Reliable communication channels) .................................................. 9 2.2.4 ACT (Reliable Installation and upgrades) ................................................. 10 2.2.5 AUD (Audit) ............................................................................................... 10 2.2.6 CIF (Cryptographic requirements) ............................................................ 11 2.2.7 FW (Firewall) ............................................................................................. 13 3 Operational environment ....................................................................................... 15 3.1 Description of the operational environment ................................................... 15 3.2 Operational environment assumptions ........................................................... 15 4 Executive summary of the evaluation .................................................................... 17 4.1 Version 1.0 ....................................................................................................... 17 4.2 Version 2.0 ....................................................................................................... 20 4.3 Version 3.0 ....................................................................................................... 22 4.4 Version 3.1 ....................................................................................................... 24 5 Verdict of the evaluation ........................................................................................ 25 6 TOE preparation and configuration ........................................................................ 26 6.1 Evaluation activities ......................................................................................... 26 6.2 Detailed configuration of the operational environment ................................. 27 6.3 Description of the installation and configuration of the TOE .......................... 27 6.3.1 OPNSense installation .............................................................................. 27 6.3.2 Web interface TLS cipher suites configuration ........................................ 38 6.3.3 SSH cryptographic parameters configuration .......................................... 39 6.3.4 Syslog client TLS cipher suites configuration ............................................ 41 6.4 Used installation options ................................................................................. 42 6.5 Results .............................................................................................................. 42 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 4/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 7 Conformity assessment .......................................................................................... 43 7.1 Documentation analysis .................................................................................. 43 7.1.1 Evaluation activities .................................................................................. 43 7.1.2 Results....................................................................................................... 43 7.2 Functional tests ................................................................................................ 45 7.2.1 Evaluation activities .................................................................................. 45 7.2.2 List of functional tests .............................................................................. 45 7.2.3 Results....................................................................................................... 50 8 Vulnerability analysis .............................................................................................. 51 8.1 Evaluation activities ......................................................................................... 51 8.2 Methodology used for the analysis ................................................................. 51 8.3 TOE vulnerability analysis ................................................................................ 52 8.4 List of potential vulnerabilities ........................................................................ 52 8.5 Results .............................................................................................................. 53 9 TOE penetration tests ............................................................................................. 54 9.1 Evaluation activities ......................................................................................... 54 9.2 List of penetration tests ................................................................................... 54 9.3 Results .............................................................................................................. 57 10 References .............................................................................................................. 58 10.1 Developer Evidences .................................................................................... 58 11 Acronyms ................................................................................................................ 59 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 5/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 1 INTRODUCTION This document is the STIC Evaluation Technical Report (ETR) for the Evaluation Technical Report (ETR) for the TOE OPNsense Business Edition according to the method described in \[CCN-STIC-2001\] and \[CCN-STIC-2002\]. The results only affect the tested TOE, so they may not be representative of other manufacturer developments. No part of this report may be reproduced without the express permission of the laboratory. 1.1 EVALUATION TECHNICAL REPORT INFORMATION ETR reference STIC\_OPNSENSE\_CQ-ETR-v3.1 ETR version 3.1 Author or authors DAT Reviewer JTG Approved by JTG Start date of the works 26/04/2023 End date of the works 12/07/2023 CB dossier code CUA-2022-46 Laboratory project code STIC\_OPNSENSE\_CQ Type of evaluation STIC Product Taxonomy Communications Protection/Firewall Evaluation Laboratory holding the accreditation jtsec Beyond IT Security SLU (ESB93551422) Laboratory address Avenida de la Constitución 20 Oficina 208. CP 18012 Granada, España. Address where the work is done Avenida de la Constitución 20 Oficina 208. CP 18012 Granada, España. 1.2 TOE DEVELOPER INFORMATION Sponsor data Deciso B.V Edison 43, 3241 LS Middelharnis, Netherlands. Developer data Deciso B.V Edison 43, 3241 LS Middelharnis, Netherlands. Contact information of developer Deciso B.V. project@opnsense.org TOE name OPNsense Business Edition TOE version 23.4 Operating manuals of the product \[OPNSENSE-LINCE-ST16\] \[DOC-74b13d1\] 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 6/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 2 TOE DESCRIPTION 2.1 FUNCTIONAL DESCRIPTION OF THE TOE OPNsense is an open-source, easy-to-use, and easy-to-build FreeBSD based firewall (stateful firewall) and routing platform. A stateful firewall is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it. The product offers a grouping of Firewall Rules by Category, an excellent feature for more demanding network setups. OPNsense includes most of the features available in commercial firewalls and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. The TOE, as any firewall, has the following basic security features: • Protection against network traffic outside the network they protect by limiting incoming packets according to the policy applied. • Access restriction to the outside network for elements of the internal network. Only those devices or users specified in the applied policy are allowed to leave. The feature set of OPNsense includes high-end features. Those features are intended to make possible that an administrator role performs secure and centralized management and configuration of the product itself and administer the key functionalities for the security of the product and the network it protects. This will make possible the existence of only one type of role capable of performing this type of highly relevant tasks for the product and the network in which it is deployed. The product also allows users to properly authenticate themselves before accessing the product's configuration through its interfaces, preventing the reading and modification of unauthorized personnel parameters. The product also permits the establishment of a password complexity policy to improve security in the authentication process. The product offers the possibility of establishing secure communication channels by using SSH and HTTPS protocols so that only authorized entities can establish secure communication channels. Moreover, the product allows performing a reliable installation and updating, protecting integrity and authenticity during the product's installation. The product also has several types of audit reports grouped according to the set of functionalities recorded. These records allow the detection and traceability of any event that occurs during the operation of the product. Finally, the product allows the creation of rules providing the possibility of performing packet filtering according to the protocol used, the source network, and the destination network and allowing to decide what type of action to take for each rule. The product also records all the events that occur related to the rules created. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 7/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 2.2 INVENTORY OF SECURITY FUNCTIONS 2.2.1 ADM (TRUSTED ADMINISTRATION) After analyzing \[CCN-STIC-140-D3\] and \[OPNSENSE-LINCE-ST16\] in relation to this security function, the following coverage has been considered: SFR Retested ADM.1 Yes ADM.2 Yes ADM.3 No Equivalent requirements are included in \[OPNSENSE-LINCE-ST16\], \[OPNSENSE-IAR-30\] does not present changes that may affect this security functionality. In any case, the following requirements are going to be tested: Requirement Description Objective ADM.1 The product must at least define the role of administrator and be able to associate users with roles. Verify that the TOE allows to differentiate between users with administrative privileges and users with no administrative privileges. ADM.2 The product must be able to manage the following functionalities: • Administration of the product locally and remotely. • Configuration of session termination time or blocking when inactivity is detected. • Other product configuration parameters. Verify that it is possible to configure session termination by inactivity time for the web interface and SSH console. Verify that it is possible to configure through the web interface: • Protocols • SSL Certificate • SSL Ciphers • TCP Port • Alternate hostnames • Listen interfaces • HTTP Compression Verify that it is possible to configure parameters related to the SSH connection: • Enable secure Shell 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 8/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. • Login group • Permit root user login • Permit password login • SSH Port • Listen interfaces 2.2.2 IAU (IDENTIFICATION AND AUTHENTICATION) After analyzing \[CCN-STIC-140-D3\] and \[OPNSENSE-LINCE-ST16\] in relation to this security function, the following coverage has been considered: SFR Retested IAU.1 Yes IAU.2 No IAU.3 Yes IAU.4 Yes IAU.5 Yes Equivalent requirements are included in \[OPNSENSE-LINCE-ST16\], \[OPNSENSE-IAR-30\] does not present changes that may affect this security functionality. In any case, the following requirements are going to be tested: Requirement Description Objective IAU.1 The product must identify and authenticate each user before allowing actions that modify the product's configuration. Verify that the TOE does not allow to perform any action that modify its configuration to users that have been not identified and authenticated in the Web Interface. IAU.3 The product must protect against unauthorized reading and modification of authentication credentials. Verify that the TOE does not allow an authenticated user without enough permissions to modify the credentials of another user. IAU.4 The product must have the ability to manage passwords: • The password must be configurable to a minimum length of 9 characters. Verify that the TOE allows to set a password policy for password minimum length. Verify that the TOE does not allow to configure 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 9/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. • The password must be able to be composed of lower-case letters, upper case letters, numbers and special characters \["!", "@", "#", "$","%", "^", "&", "\*", "(", "\]. passwords that does not comply with complexity checks. Verify that the TOE admits the declared special characters (“!”, “@”, “#”, “$”, “%”, “&”, “^”, “\*”, “(”, “)”, “\[”, “\]”) in the user passwords. IAU.5 The product must block or log off a user after a certain period of inactivity. Verify if the TOE block or log off a user after a certain period of inactivity. 2.2.3 COM (RELIABLE COMMUNICATION CHANNELS) After analyzing \[CCN-STIC-140-D3\] and \[OPNSENSE-LINCE-ST16\] in relation to this security function, the following coverage has been considered: SFR Retested COM.1 Yes COM.2 Yes COM.3 No Equivalent requirements are included in \[OPNSENSE-LINCE-ST16\], \[OPNSENSE-IAR-30\] does not present changes that may affect this security functionality. In any case, the following requirements are going to be tested: Requirement Description Objective COM.1 Protection of information in transit. The TOE shall establish secure channels when exchanging sensitive information with authorized entities or between different parts of the product using functions, algorithms and protocols by following the \[CCN- STIC-807\] guide (e.g., HTTPS/TLS 1.2, TLS 1.2 or higher, IPSec, etc.). Verify that the TOE establishes secure channels using: • SSH, via remote console • HTTPS, via web interface COM.2 The TOE must allow these secure communication channels to be initiated by itself or by authorized entities. Verify that the TOE still uses secure channels when stablishes communications with different services in the network where it is running. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 10/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 2.2.4 ACT (RELIABLE INSTALLATION AND UPGRADES) After analyzing \[CCN-STIC-140-D3\] and \[OPNSENSE-LINCE-ST16\] in relation to this security function, the following coverage has been considered: SFR Retested ACT.1 Yes ACT.2 Yes ACT.3 Yes ACT.4 Yes Equivalent requirements are included in \[OPNSENSE-LINCE-ST16\], \[OPNSENSE-IAR-30\] does not present changes that may affect this security functionality. In any case, the following requirements are going to be tested: Requirement Description Objective ACT.1 The product must offer the possibility to check the current version of the firmware/software. Verify that the TOE allow to check the current version of the firmware/software. ACT.2 The product must provide mechanisms (according to the cryptography used in the ENS) through hashes or digital signature to authenticate the firmware/software updates before installing them. Verify that TOE uses mechanisms to verify and authenticate updates before installing them in accordance to the cryptography agreed in the ENS. ACT.3 The update of the firmware/software will be allowed only to users with administrator role. Verify that the TOE only allows administrators to perform an update. ACT.4 The product must offer the possibility to start updates manually and to check if there are new updates available. Verify that the TOE allow to start updates manually and to check if there are new updates available. 2.2.5 AUD (AUDIT) After analyzing \[CCN-STIC-140-D3\] and \[OPNSENSE-LINCE-ST16\] in relation to this security function, the following coverage has been considered: SFR Retested AUD.1 Yes AUD.2 Yes AUD.3 Yes AUD.4 No AUD.5 No 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 11/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. Equivalent requirements are included in \[OPNSENSE-LINCE-ST16\], since \[OPNSENSE-IAR- 30\] does not present changes that may affect this security functionality. In any case, the following requirements are going to be tested: Requirement Description Objective AUD.1 The product must generate audit information at the beginning and termination of the audit functions and when any of the following events: a) Login and logout of registered users b) Change in user credentials c) Changes in the product configuration d) Events related to product functionality e) Generation, import, change or deletion of cryptographic keys Verify that the TOE generate audit events when the mentioned actions are performed. AUD.2 The audit records shall contain at least the following information: date and time of the event, type of event identified, result of the event, user producing the event (if applicable). Verify that the events logs generated by TOE when the listed actions are performed contains at least date and time of the event, type of event, result of the event and user producing the event. AUD.3 The following access policy shall apply to the audit records: a) Read: authorized users. b) Modification: no users. c) Delete: administrators. Verify that administrative users can read the logs and delete them, but cannot modified them in the TOE. Verify that non-authorized users cannot read the logs from the TOE. 2.2.6 CIF (CRYPTOGRAPHIC REQUIREMENTS) After analyzing \[CCN-STIC-140-D3\] and \[OPNSENSE-LINCE-ST16\] in relation to this security function, the following coverage has been considered: SFR Retested CIF.1 Yes 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 12/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. Equivalent requirements are included in \[OPNSENSE-LINCE-ST16\], \[OPNSENSE-IAR-30\] does not present changes that may affect this security functionality. In any case, the following requirements are going to be tested: Requirement Description Objective CIF.1 All symmetric and asymmetric encryption algorithms, key agreement protocols and summary functions used by the product must be within those accredited by the CCN for use in the ENS. The list of these algorithms is included in the \[CCN-STIC-807\] Cryptology for use in the ENS (MEDIUM Category). Verify that the TOE uses agreed cryptographic mechanisms such as communication protocols, cipher suites or summary functions. To do so, the evaluator will mainly inspect the communication channels. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 13/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 2.2.7 FW (FIREWALL) After analyzing \[CCN-STIC-140-D3\] and \[OPNSENSE-LINCE-ST16\] in relation to this security function, the following coverage has been considered: SFR Retested FW.1 Yes FW.2 Yes FW.3 Yes FW.4 No FW.5 No FW.6 No FW.7 Yes FW.8 No Equivalent requirements are included in \[OPNSENSE-LINCE-ST16\], \[OPNSENSE-IAR-30\] does not present changes that may affect this security functionality. In any case, the following requirements are going to be tested: Requirement Description Objective FW.1 The product allows the definition of stateful traffic filtering rules using the following network protocol fields: 1. ICMPv4 2. Type 3. Code 4. ICMPv6 5. Type 6. Code 7. IPv4 8. Source address 9. Destination address 10. Transport Layer Protocol 11. IPv6 12. Source address 13. Destination address 14. Transport layer protocol 15. TCP 16. Source Port 17. Destination Port 18. UDP 19. Source Port 20. Destination Port Verify that the TOE allows to set traffic filtering rules that are defined by the declared network protocols. FW.2 The product allows the following operations to be associated with stateful traffic filtering rules: permit Verify that TOE allows the modification of the Action parameter (permit or 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 14/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. or drop with the capability to log the operation. block) when defining a new firewall filtering rule with the capacity to log the operation. FW.3 The product allows the stateful traffic filtering rules to be assigned to each distinct network interface. Verify that the TOE allows to assign firewall filtering rules to distinct network interfaces. FW.7 The product denies packet flow if a matching rule is not identified. Verify that TOE denies packets by default. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 15/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 3 OPERATIONAL ENVIRONMENT 3.1 DESCRIPTION OF THE OPERATIONAL ENVIRONMENT The product is designed to run on a network to protect interconnections by allowing and/or limiting traffic to or from a network that is protected based on a set of rules established by an administrator. The TOE provides a Dashboard or graphical interface which offers a list of features to check the status of the product and the network quickly. According to its features, the product is capable of being deployed according to the use cases described in the firewall taxonomy: • Border device. The product is able to be deployed in an operational environment where protects a network from an external network, as the Internet. • Network segmentation. The device is located in an area where it protects two internal networks from each other, i.e., it segments both networks and allows only authorized traffic to flow from one to the other. 3.2 OPERATIONAL ENVIRONMENT ASSUMPTIONS This section contains the assumptions presented by the manufacturer. They are described below: Reference Description A.Physical Protection The product must be installed in an area where access is only possible for authorized personnel and under suitable environmental conditions. A.Limited functionality The product must be used for network routing and filtering as its basic function and not provide any other 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 16/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. functionality, except for certain compatible communication protection-oriented ones. A.Reliable Administration The Administrator will be a trusted member and will look after getting the best security interests on behalf of the organization. It is therefore assumed that such an administrator is trained and free from any harmful intent in handling the product. The product will not be able to protect itself against and administrator user with bad intentions. A.Periodic Updates The product's firmware and software will be updated as updates that correct known vulnerabilities are released. A.Credential Protection All credentials, especially the administrator's credentials, must be properly protected by the organization who uses the product. A.Security Policy A security policy should reflect the set of principles, organization and procedures required by an organization to address its information security needs, included the use of ICT. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 17/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 4 EXECUTIVE SUMMARY OF THE EVALUATION 4.1 VERSION 1.0 This is a STIC evaluation for the product OPNsense Business Edition 22.4. The evaluation has been carried out following the LINCE methodology to verify that the Business Edition of the previously evaluated and certified product still meets a series of requirements. The previous evaluated version was the community edition and though the evaluated edition is the business edition and there are differences (showed in the table below), the security functions that are going to be evaluated are the same, since the additional functionality is not relevant. The main difference is that business edition is intended for companies, enterprises and professionals looking for a more stable upgrade path (this version lags 4 releases behind the community edition) and additional commercial features. Features Community Edition Business Edition Stateful Firewall ✔ ✔ Various authentication options ✔ ✔ Two-Factor Authentication ✔ ✔ Certificates (Let’s encrypt) ✔ ✔ Link Aggregation & Failover ✔ ✔ Traffic Shaping ✔ ✔ Multi WAN ✔ ✔ Load Balancer ✔ ✔ Intrusion Detection & Prevention ✔ ✔ Captive Portal ✔ ✔ VPN Services (Ipsec, OpenVPN, WireGuard) ✔ ✔ High Availability ✔ ✔ Virus scanner ✔ ✔ Tested Updates (Business Edition Update Repository) ✖ ✔ Access to GeoIP database ✖ ✔ Access to the official OPNsense OVA image ✖ ✔ Business-Plugins (OPNcentral (in development)) ✖ ✔ Support of the active development with the license fee ✖ ✔ Given that the Business Edition version 22.4 is based on the Community Edition 22.1.4 as mentioned by the manufacturer in https://docs.opnsense.org/releases/BE\_22.4.html#april-26-2022. The changes introduced from the evaluated version of the Community Edition (21.7.1) to the version 22.1.4 have been examined in order to determine what security functionality could have been affected and, therefore, must be retested. This changelog is provided in the document \[OPNSENSE-IAR-10\]. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 18/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. Moreover, as a consequence of a further analysis requested by CPSTIC given the manufacturer’s statement “This business release is based on the OPNsense 22.1.4 community version with additional reliability improvements.”, the evaluator has requested the manufacturer more detail in relation to the aforementioned additional reliability improvements. These additional reliability improvements are documented in \[OPNSENSE-IAR-10\] and are described by the manufacturer as bug fixes and minor changes backported from superior versions (22.1.5 and 22.1.6) of the Community Edition 22.1.4 into the Business Edition version 22.4. Such improvements, included in \[OPNSENSE-IAR-10\], were analysed and are considered to not affect the requirements tested and declared in \[OPNSENSE-LINCE-ST16\]. The changes between the versions, included in \[OPNSENSE-IAR-10\], were analysed by the evaluator, determining that, with the information given in the changelog, none of the requirements were considered affected by the changes. Given this, the evaluator has sampled the tests performed in the previous LINCE evaluation and has determined a set of tests to repeat for the Business edition. The section 2.2 Inventory of security functions delves deeper on the tests that are going to be carried out and they can be found in Annex B: Functional test plan and report. Regarding this evaluation, after analyzing the scope of the tests and determining the requirements to retest, the installation of the TOE was carried following the manuals and taking into account the indications included in the security target \[OPNSENSE-LINCE- ST16\]) for the version of the product included in CPSTIC. The installation was straightforward and flawless; therefore, no non-conformities were generated through this phase of the evaluation. Apart from the installation procedure, in order to meet the cryptographic requirements, additional steps were followed in order to configure TLS cipher suites for the web interface, SSH cryptographic parameters and TLS cipher suites offered when connecting to a remote syslog server. These steps are documented in sections 6.3.2 Web interface TLS cipher suites configuration, 6.3.3 SSH cryptographic parameters configuration and 6.3.4 Syslog client TLS cipher suites configuration. Following with the evaluation, the set of functional tests was conducted revealing that \[TOE-224\] passes the set of tests determined. Given the results experienced, the evaluator has not required to perform additional functional testing effort as the behavior showed by \[TOE-224\] demonstrate a high level of confidence. As all the functional tests passed, no non-conformities were generated during this phase. Leading the completion of the functional tests, it was proceeded to perform the analysis of the TOE vulnerabilities. The evaluator followed the type of vulnerabilities documented in the previous LINCE evaluation as the TOE is the same. Given the vulnerabilities, the evaluator selected a set of penetration tests carried out in the LINCE evaluation, alongside others considered adequate, conducting them to verify that the 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 19/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. product maintains the security warranties from the LINCE evaluation. These tests can be found in Annex D: Penetration test plan and report. During this phase, only one test failed and a non-conformity was generated and reported to the manufacturer: • \[STIC\_OPNSENSE\_CQ-PT-7010\]: The evaluator identified an issue with the bootup procedure causing the transmission of packets without the application of the filtering rules defined in \[TOE-224\] during a temporal window. The root cause of this is that the network interfaces were configured and up before configuring the filtering rules. This issue, labeled as OR01.NC01, was communicated to the manufacturer. A solution to this issue was provided which consists on a small change related to the file that defines the bootup sequence. This change is documented in section 6.3.5 Bootup Sequence Hardening. Once the indications were provided by the manufacturer, the evaluator repeated the related test and verified that the solution was valid and working, closing the associated non-conformity OR01.NC01. Therefore, since all the registered non-conformities were solved, the laboratory concludes the evaluation with the verdict PASS. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 20/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 4.2 VERSION 2.0 This is a STIC evaluation for the product OPNsense Business Edition 22.10. The evaluation has been carried out following the LINCE methodology to verify that the requirements evaluated in previous testing rounds are still met by the TOE, as part of a contiguous qualification procedure. The approach to OPNsense Bussiness Edition 22.10 evaluation is the same as for OPNsense Bussiness Edition 22.4, which was tested in the previous testing round, determine a set of tests to perform and verify if the results still met the requirements. In this case, the coverage considered slightly differs from the last STIC evaluation with the objective to verify a different group of requirements that were not tested in the previous round. The changes introduced from the latest evaluated version of the Business Edition (22.4) to the version 22.10 have been examined in order to determine what security functionality could have been affected and, therefore, must be retested. This changelog is provided in the document \[OPNSENSE-IAR-20\]. Moreover, as a consequence of the manufacturer’s statement “This business release is based on the OPNsense 22.7.6 community version with additional reliability improvements.”, the evaluator has requested the manufacturer more detail in relation to the aforementioned additional reliability improvements. These additional reliability improvements are documented in \[OPNSENSE-IAR-20\] and are described by the manufacturer as bug fixes and minor changes backported into the Business Edition version 22.10. Such improvements, included in \[OPNSENSE-IAR-20\], were analysed and are considered to not affect the requirements tested and declared in \[OPNSENSE-LINCE-ST16\]. The changes between the versions, included in \[OPNSENSE-IAR-20\], were analysed by the evaluator, determining that, with the information given in the changelog, none of the requirements were considered affected by the changes. Given this, and taking into account the tests performed in the previous STIC evaluation, the evaluator has determined a set of tests to repeat for OPNsense Business edition 22.10. The section 2.2 Inventory of security functions delves deeper on the tests that are going to be carried out and they can be found in Annex B: Functional test plan and report. Regarding this evaluation, after analyzing the scope of the tests and determining the requirements to retest, the installation of the TOE was carried following the manuals and taking into account the indications included in the security target \[OPNSENSE-LINCE- ST16\]) for the version of the product included in CPSTIC. The installation was straightforward and flawless; therefore, no non-conformities were generated through this phase of the evaluation. Apart from the installation procedure, in order to meet the cryptographic requirements, additional steps were followed in order to configure TLS cipher suites for the web 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 21/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. interface, SSH cryptographic parameters and TLS cipher suites offered when connecting to a remote syslog server. These steps are documented in sections 6.3.2 Web interface TLS cipher suites configuration, 6.3.3 SSH cryptographic parameters configuration and 6.3.4 Syslog client TLS cipher suites configuration. Following with the evaluation, the set of functional tests was conducted revealing an issue related to the brute force protection for the GUI and SSH: • \[STIC\_OPNSENSE\_CQ-TST-2020\]/ \[STIC\_OPNSENSE\_CQ-TST-2021\]: The evaluator determined that the brute force protection was not working properly given the behavior of \[TOE-2210\]. Firstly, performing the brute force attack was possible if the connection remained open as \[TOE-2210\] did not seem to be killing the state of such connection when the limit failed attempts was reached. Secondly, regarding SSH, the protection was not complete since only the username enumeration was protected, failed login attempts for registered users were not properly monitored. The authentication error generated when an existing user indicates a wrong password was not taken into account. This issue is registered as OR02.NC01 and was communicated to the manufacturer. The developer response was quick and confirmed the finding, providing a solution for the issue. The change performed is present in the publicly-available Github repository (https://github.com/opnsense/core/commit/ae8e0ce4a4a2c0c96f6f561b85a59a0b71e ba828). Given the results of the functional tests experienced, the evaluator has not required to perform additional functional testing effort as the behavior showed by \[TOE-2210\] demonstrate a high level of confidence. Leading the completion of the functional tests, it was proceeded to perform the analysis of the TOE vulnerabilities. The evaluator followed the type of vulnerabilities documented in previous evaluations as the TOE is the same. Given the vulnerabilities, the evaluator selected a set of penetration tests to conduct, alongside others considered adequate. These tests can be found in Annex D: Penetration test plan and report. Therefore, since all the registered non-conformities were solved, the laboratory concludes the evaluation with the verdict PASS. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 22/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 4.3 VERSION 3.0 This is a STIC evaluation for the product OPNsense Business Edition 23.4. The evaluation has been carried out following the LINCE methodology to verify that the requirements evaluated in previous testing rounds are still met by the TOE, as part of a contiguous qualification procedure. The approach for OPNsense Bussiness Edition 23.4 evaluation is the same as the one adopted for previous rounds, determine a set of tests to perform and verify if the results still met the requirements. In this case, the coverage considered slightly differs from the last STIC evaluation with the objective to verify a different group of requirements that were not tested in the previous round. In addition, the laboratory has developed a Python script (SRC-001\_autosense.py) to automate the steps required to execute the tests considered for this testing round. The objective is to keep developing the script as future testing rounds are conducted so it reaches a point where all requirements are verified automatically in each round. The changes introduced from the latest evaluated version of the Business Edition (22.10) to the version 23.4 have been examined in order to determine what security functionality could have been affected and, therefore, must be retested. This changelog is provided in the document \[OPNSENSE-IAR-30\]. Moreover, as a consequence of the manufacturer’s statement “This business release is based on the OPNsense 23.1.5 community version with additional reliability improvements.”, the evaluator has requested the manufacturer more detail in relation to the aforementioned additional reliability improvements. These additional reliability improvements are documented in \[OPNSENSE-IAR-30\] and are described by the manufacturer as bug fixes and minor changes backported into the Business Edition version 23.4. Such improvements, included in \[OPNSENSE-IAR-30\], were analysed and are considered to not affect the requirements tested and declared in \[OPNSENSE-LINCE-ST16\]. The changes between the versions, included in \[OPNSENSE-IAR-30\], were analysed by the evaluator, determining that, with the information given in the changelog, none of the requirements were considered affected by the changes. Given this, and taking into account the tests performed in the previous STIC evaluation, the evaluator has determined a set of tests to repeat for OPNsense Business edition 23.4. The section 2.2 Inventory of security functions delves deeper on the tests that are going to be carried out. Regarding this evaluation, after analyzing the scope of the tests and determining the requirements to retest, the installation of the TOE was carried following the manuals and taking into account the indications included in the security target \[OPNSENSE-LINCE- ST16\]) for the version of the product included in CPSTIC. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 23/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. The installation was straightforward and flawless; therefore, no non-conformities were generated through this phase of the evaluation. Apart from the installation procedure, in order to meet the cryptographic requirements, additional steps were followed in order to configure TLS cipher suites for the web interface, SSH cryptographic parameters and TLS cipher suites offered when connecting to a remote syslog server. These steps are documented in sections 6.3.2 Web interface TLS cipher suites configuration, 6.3.3 SSH cryptographic parameters configuration and 6.3.4 Syslog client TLS cipher suites configuration. Following with the evaluation, the set of functional tests was conducting making use of the script developed by the laboratory to carry out the pertinent verifications for the related requirements. Non-conformities were not detected in this phase of the evaluation. Given the results of the functional tests experienced, the evaluator has not required to perform additional functional testing effort as the behavior showed by \[TOE-234\] demonstrate a high level of confidence. Leading the completion of the functional tests, it was proceeded to perform the analysis of the TOE vulnerabilities. The evaluator followed the type of vulnerabilities documented in previous evaluations as the TOE is the same. Given the vulnerabilities, the evaluator selected a set of penetration tests to conduct, alongside others considered adequate. These tests can be found in Annex D: Penetration test plan and report. No non-conformities were revealed through the execution of the penetration tests. Therefore, since all the registered non-conformities were solved, the laboratory concludes the evaluation with the verdict PASS. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 24/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 4.4 VERSION 3.1 After delivering version 3.0 of the ETR to CPSTIC, the laboratory received the validation report which included some items to be remedied. As a consequence, some changes were performed in the present evaluation technical report. In summary, these are the following: • SRC-001\_autosense.py was replace with SRC-002\_autosense.py. This is an enhanced version that corrects the issue indicated in the validation report for the version 3.0 of the present document. • The evaluator has extended the information for each test in Annex B: Functional test plan and report according to the observation in the validation report. • The description for \[STIC\_OPNSENSE\_CQ-VUL-3010\] has been amended, providing a description according to the name of the vulnerability. After the automated script was modified, the evaluator executed it and the results of the functional tests remained the same, all tests passed; therefore, no new non- conformities were generated. Since there are not non-conformities with an OPEN state, the laboratory concludes the evaluation with the verdict PASS. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 25/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 5 VERDICT OF THE EVALUATION After analyzing the results of the evaluation, the laboratory determines that the verdict is PASS. The installation of the product does not reveal any non-conformity. The documentation analysis does not reveal any non-conformity. The functional tests do not reveal any non-conformity. The vulnerability analysis does not reveal any non-conformity. The penetration tests do not reveal any non-conformity. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 26/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 6 TOE PREPARATION AND CONFIGURATION Documents used during installation \[OPNSENSE-LINCE-ST16\] \[DOC-74b13d1\] Evaluator JEC Days required 1 day. Results of the evaluator's work PASS 6.1 EVALUATION ACTIVITIES This section contains the evaluation activities defined in section 4.2 of \[CCN-STIC-2002\] as well as a brief description of the result of these tasks on the TOE and its documentation. TE.2.1. The evaluator shall check that, according to the TOE operative and preparative guidance, it is possible to securely install the product using the configuration or configurations referenced in the Security Target. PASS The evaluator has been able to install the product exclusively following the contents of the manufacturer's documentation, provided through \[OPNSENSE-LINCE- ST16\] and \[DOC-74b13d1\]. TE.2.2. The evaluator shall check that the manufacturer has provided the testing platforms required to carry out the TOE evaluation activities. PASS The manufacturer has provided the evaluator with a platform on which to develop the tests, as well as the necessary documentation to make use of it within the conditions of the evaluation. TE.2.3. The evaluator shall register the relevant information to successfully install the TOE. PASS The information necessary to carry out the complete installation of the product, under the same conditions as those used for this evaluation, can be found in the sections 6.2 Detailed configuration of the operational environment and 6.3 Description of the installation and configuration of the TOE. TE.2.4. The evaluator shall register all system’s configuration specific data when appropriate. PASS The specific data used during the TOE preparation and configuration process is reflected in the section 6.4 Used installation options. TE.2.5. The evaluator shall register every non-conformity in regards to the installation and configuration of the TOE or the test environment. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 27/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. PASS No non-conformities were found regarding the installation process of the TOE and its documentation. The results are summarized in the section 6.5 Results. 6.2 DETAILED CONFIGURATION OF THE OPERATIONAL ENVIRONMENT The test scenarios are described in section 12 Annex A: Test scenarios. 6.3 DESCRIPTION OF THE INSTALLATION AND CONFIGURATION OF THE TOE 6.3.1 OPNSENSE INSTALLATION To perform the installation, the steps needed are the following: 1. Open VMware and click on Create a new virtual machine. 2. Select \[TOE-ISO-234\] and click on “Next”. 3. Give a name to the virtual machine and click on “Next”. 4. Set 40GB as disk size. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 28/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 5. Click on Customize Hardware → Memory and set 1GB of RAM memory. Then, press “Close”. 6. Click on “Finish”. 7. Wait for \[TOE-234\] to boot up. 8. In order to install \[TOE-234\], log in with the user “installer” and authenticate with the password “opnsense”. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 29/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 9. Select the keyboard layout. 10. Indicate “Continue with...”. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 30/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 11. Select “Install (UFS)” and press Enter. 12. Select “Proceed anyway” and press Enter. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 31/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 13. Select the 40GB virtual disk and press OK. 14. Select Yes and press Enter. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 32/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 15. Select Yes and press Enter. 16. Select “Change root password” and press OK. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 33/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 17. Define a new password for the root user, the password shall be at least 10 characters long and have capital letters, numbers and special characters. 18. Select Exit and Press OK. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 34/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 19. Wait for \[TOE-234\] to reboot and navigate to the web interface. 20. Log in with the root user credentials. 21. Follow the wizard setup, press Next. 22. Give a hostname and a domain to the TOE and press Next. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 35/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 23. Set NTP servers and the time zone. In this case the NTP servers configured are the ones offered by default. Press Next. 24. Do not configure any field in “Configure WAN interface”. 25. In “Configure LAN interface” check that the IP address and the subnet mask are the same as configured in previous steps. Press Next. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 36/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 26. Set a new root password if it was not changed before. 27. Click on reload to apply the changes. 28. \[TOE-234\] is now configured and ready, click to the dashboard. After installing the TOE, given the indications in the security target \[OPNSENSE-LINCE- ST16\], the following steps are required through the web interface: 1. Enable the access log parameter in the Settings menu. In the left panel go to System → Settings → Administration and select “enable access log”. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 37/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 2. Enable SSH by password for admin users, do not allow root user login. 3. Define an “Inactivity timeout” of 10 minutes for the SSH shell. 4. Press “Save”. 5. Define a password policy. In the left panel, go to System → Access → Servers. 6. Press the edit button. 7. Enable “Password policy constraints”. Then, add a duration for passwords, the minimum length and enable complexity requirements. Finally, press “Save”. To protect the TOE against DoS attacks, log in into \[TOE-234\] through the web interface and follow the next steps: 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 38/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 1. Go to Firewall → Settings → Advanced and mark the “Disable anti-lockout” option. 2. Go to Firewall → Rules → LAN and create a new rule for allowing a maximum of 100 simultaneous connections to the Firewall administration web page. 3. Create another with the same parameters, but only allowing as source address. 4. Select both rules in the top and click on “Apply changes”. Finally, it is recommended to install a digital certificate signed by a trusted CA. However, a self-signed certificate generated by \[TOE-234\] itself is used in this evaluation, as it does not imply a degradation in the quality level at the functionality or testing of \[TOE-234\]. This matter is taken into account by the evaluator when conducting the testing. 6.3.2 WEB INTERFACE TLS CIPHER SUITES CONFIGURATION In order to meet the cryptographic requirements and conform \[CCN-STIC-807\], it is required to configure accepted cipher suites for TLS through the web interface. This configuration affects the web portal used to manage and administrate \[TOE-234\]. The steps below are followed: 1. Log in through the web interface for \[TOE-234\] with the root user. 2. Navigate to System → Settings → Administration. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 39/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 3. In the Web GUI section, use the dropdown menu for “SSL Ciphers” to select valid cipher suites. TLS\_AES\_128\_GCM\_SHA256 TLS\_AES\_256\_GCM\_SHA384 TLS\_CHACHA20\_POLY1305\_SHA256 TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256 4. Scroll down and click Save. 6.3.3 SSH CRYPTOGRAPHIC PARAMETERS CONFIGURATION In order to meet the cryptographic requirements and conform \[CCN-STIC-807\], it is required to configure accepted cryptographic parameters for SSH through the web interface. This configuration affects the SSH connections that users establish with \[TOE- 234\]. The steps below are followed: 1. Log in through the web interface for \[TOE-234\] with the root user. 2. Navigate to System → Settings → Administration. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 40/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 3. In the Secure Shell section, use the dropdown menu for “Key exchange algorithms”, “Ciphers”, “MACs” and “Public key signature algorithms” to select valid cryptographic parameters. a. Key exchange algorithms: i. diffie-hellman-group14-sha256 ii. diffie-hellman-group16-sha512 iii. diffie-hellman-group18-sha512 iv. ecdh-sha2-nistp256 v. ecdh-sha2-nistp384 vi. ecdh-sha2-nistp521 b. Ciphers: i. aes128-gcm@openssh.com ii. aes256-gcm@openssh.com c. MACs: i. hmac-sha2-256 ii. hmac-sha2-512 d. Public key signature algorithms: i. ecdsa-sha2-nistp256 ii. ecdsa-sha2-nistp385 iii. ecdsa-sha2-nistp521 e. Host key algorithms: i. ecdsa-sha2-nistp256 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 41/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 4. Scroll down and click Save. 6.3.4 SYSLOG CLIENT TLS CIPHER SUITES CONFIGURATION In order to meet the cryptographic requirements and conform \[CCN-STIC-807\], it is required to configure accepted cipher suites through the local command line interface. This configuration affects the TLS connections when \[TOE-234\] communicates with a remote syslog server. The steps below are followed: 1. Log in through the local command line for \[TOE-234\] and select the Shell option. 2. Edit the file /etc/local/opnsense/service/templates/OPNsense/Syslog/sysl og-ng-destinations.conf 3. In the network parameters, inside the TLS parameters, add the following lines: ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11) cipher-suite("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA- AES128-GCM- SHA256:TLS\_AES\_128\_GCM\_SHA256:TLS\_AES\_128\_GCM\_SHA256:TLS\_C HACHA20\_POLY1305\_SHA256:ECDHE-ECDSA-AES128-GCM- SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256- CCM:ECDHE-ECDSA-AES128-CCM") 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 42/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 4. Save the file. 6.4 USED INSTALLATION OPTIONS The selection of different installation options in order to achieve the secure configuration was not considered or required. 6.5 RESULTS ID Non-conformity State N/A None. N/A ID Comments State N/A None. N/A 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 43/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 7 CONFORMITY ASSESSMENT 7.1 DOCUMENTATION ANALYSIS Documents analyzed \[OPNSENSE-LINCE-ST16\] \[DOC-74b13d1\] Evaluator JEC Days required 1 days. Results of the evaluator's work PASS 7.1.1 EVALUATION ACTIVITIES The information presented in this section covers the requirements of the standard, in section 4.3 of \[CCN-STIC-2002\], with respect to the evaluation activities on documentation analysis. TE.3.1. The evaluator shall list the analyzed documents. PASS The list of analyzed documents is presented in the row Documents analyzed of the table in the 7.1 Documentation analysis. TE.3.2. The evaluator shall check that the provided information meets the requirements related to content and presentation (section 3 of \[CCN-STIC-2002\]), providing a verdict about its completeness and legibility. If there is a big a volume of information to be reviewed, the evaluator may, after notifying the Certification Body, implement a sampling strategy in accordance to the following priorities: o The Security Target provided by the manufacturer; o TOE preparative and operative guidance; PASS The documentation provided by the manufacturer complies with section 3 of \[CCN-STIC-2002\]. TE.3.3. The evaluator shall register every non-conformity in regards to any deviation of the evaluated documentation. PASS The results of the analysis of the documentation provided by the manufacturer are reflected in the section 7.1.2 Results. 7.1.2 RESULTS ID Non-conformity State N/A None. N/A 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 44/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. ID Comments State N/A None. N/A 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 45/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 7.2 FUNCTIONAL TESTS Evaluator JEC Days required 1 day. Results of the evaluator's work PASS 7.2.1 EVALUATION ACTIVITIES The information presented in this section covers the result of carrying out the evaluation activities specified in section 4.4 of \[CCN-STIC-2002\], with regard to functional testing of the TOE. TE.4.1. The evaluator shall check and test the product’s security functions and mechanisms to a level of detail that allows checking that the declared security functionality has been correctly implemented in the product. If the tests are not complete, the evaluator shall provide a rationale regarding the used sampling strategy. PASS Information concerning this task of the evaluator can be found in the section 7.2.2 List of functional tests. This information is presented in more detail in the section 13 Annex B: Functional test plan and report. TE.4.2. The evaluator shall register every non-conformity in regards to any test performed. PASS Information concerning this task of the evaluator can be found in the section 7.2.3 Results. 7.2.2 LIST OF FUNCTIONAL TESTS The evaluator has sampled the tests performed in the previous LINCE evaluation and has determined a set of tests to repeat for the Business edition. Security functionality Test identifier Objective of the test Verdict SF. Trusted administration ADM.1 \[STIC\_OPNSENSE\_CQ- TST-1000\] Verify that \[TOE-234\] allows to differentiate between users with administrative privileges and users with no administrative privileges. PASS SF. Trusted administration ADM.2 SF. Identification and authentication \[STIC\_OPNSENSE\_CQ- TST-1100\] Verify that \[TOE-234\] allows to set a session termination by inactivity time in the Web Interface. PASS 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 46/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. IAU.5 SF. Trusted administration ADM.2 SF. Identification and authentication IAU.5 \[STIC\_OPNSENSE\_CQ- TST-1101\] Verify that \[TOE-234\] allows to set a session termination by inactivity time in the SSH server PASS SF. Trusted administration ADM.2 \[STIC\_OPNSENSE\_CQ- TST-1102\] Verify that \[TOE-234\] allows to configure the following parameters in the Web Interface: • Protocols • SSL Certificate • SSL Ciphers • TCP Port • Alternate Hostnames • Listen Interfaces • HTTP Compression PASS SF. Trusted administration ADM.2 \[STIC\_OPNSENSE\_CQ- TST-1103\] Verify that \[TOE-234\] allows to configure the following parameters for SSH server: • Enable secure shell • Login group • Permit root user login • Permit password login • SSH Port • Listen interfaces PASS SF. Identification and authentication IAU.1 \[STIC\_OPNSENSE\_CQ- TST-2000\] Verify that \[TOE-234\] does not allow to perform any action that modify its configuration to users that have been not identified and authenticated in the Web Interface. PASS SF. Identification and authentication IAU.3 \[STIC\_OPNSENSE\_CQ- TST-2200\] Verify that \[TOE-234\] does not allow an authenticated user without enough permissions to modify PASS 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 47/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. the credentials of another user. SF. Identification and authentication IAU.4 \[STIC\_OPNSENSE\_CQ- TST-2300\] Verify that \[TOE-234\] allows to set a password policy for password minimum length of at least 9 characters. PASS SF. Identification and authentication IAU.4 \[STIC\_OPNSENSE\_CQ- TST-2301\] Verify that \[TOE-234\] does not allow to configure passwords that does not comply with complexity checks. PASS SF. Identification and authentication IAU.4 \[STIC\_OPNSENSE\_CQ- TST-2302\] Verify that \[TOE-234\] admits the declared special characters (“!”, “@”, “#”, “$”, “%”, “&”, “^”, “\*”, “(”, “)”, “\[”, “\]”) in the user passwords. PASS SF. Reliable communication channels COM.1 COM.2 SF. Cryptographic requirements CIF.1 \[STIC\_OPNSENSE\_CQ- TST-3000\] Verify that \[TOE-234\] establishes a secure channel via SSH when exchanging information with authorized users in console using functions, mechanisms and protocols that are in accordance with \[CCN- STIC-807\]. PASS SF. Reliable communication channels COM.1 COM.2 SF. Cryptographic requirements CIF.1 \[STIC\_OPNSENSE\_CQ- TST-3001\] Verify that \[TOE-234\] establishes a secure channel via TLSv1.2 or higher when exchanging information with the administrative user using functions, mechanisms and protocols that are in accordance with \[CCN- STIC-807\]. PASS SF. Reliable installation and upgrades ACT.1 \[STIC\_OPNSENSE\_CQ- TST-4000\] Verify that \[TOE-234\] allows to check its current version of the firmware/software. PASS SF. Reliable installation and upgrades ACT.2 \[STIC\_OPNSENSE\_CQ- TST-4100\] Verify that \[TOE-234\] uses mechanisms to verify and authenticate updates before installing them in accordance to PASS 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 48/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. the cryptography agreed in the ENS SF. Reliable installation and upgrades ACT.3 ACT.4 \[STIC\_OPNSENSE\_CQ- TST-4200\] Verify that \[TOE-234\] only allows administrators to perform an update. PASS SF. Reliable installation and upgrades ACT.4 \[STIC\_OPNSENSE\_CQ- TST-4300\] Verify that \[TOE-234\] allows to start updates manually and to check if there are new updates available. PASS SF. Audit AUD.1 AUD.2 \[STIC\_OPNSENSE\_CQ- TST-5000\] Verify that \[TOE-234\] generates audit data for login and logout of registered users and contains at least date and time of the event, type of event identified, result of the event and user producing the event. PASS SF. Audit AUD.1 AUD.2 \[STIC\_OPNSENSE\_CQ- TST-5001\] Verify that \[TOE-234\] generates audit data when the user credentials are modified and contains at least date and time of the event, type of event identified, result of the event and user producing the event. PASS SF. Audit AUD.1 AUD.2 \[STIC\_OPNSENSE\_CQ- TST-5002\] Verify that \[TOE-234\] generates audit data when the configuration is modified and contains at least date and time of the event, type of event identified, result of the event and user producing the event. PASS SF. Audit AUD.1 AUD.2 \[STIC\_OPNSENSE\_CQ- TST-5003\] Verify that the \[TOE- 2304\] generates audit data for generation, import, change or deletion of cryptographic keys and contains at least PASS 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 49/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. date and time of the event, type of event identified, result of the event and user producing the event. SF. Audit AUD.1 AUD.2 \[STIC\_OPNSENSE\_CQ- TST-5004\] Verify that \[TOE-234\] generates audit data for events related to product functionality and contains at least date and time of the event, type of event identified, result of the event and user producing the event PASS SF. Audit AUD.3 \[STIC\_OPNSENSE\_CQ- TST-5200\] Verify that administrative users can read the logs and delete them, but cannot modified them in \[TOE- 234\]. PASS SF. Audit AUD.3 \[STIC\_OPNSENSE\_CQ- TST-5201\] Verify that non- authorized users cannot read the logs from \[TOE- 234\]. PASS SF. Firewall FW.1 \[STIC\_OPNSENSE\_CQ- TST-7000\] Verify that \[TOE-234\] allows to set traffic filtering rules that are defined by network protocols (TCP/UDP). PASS SF. Firewall FW.1 \[STIC\_OPNSENSE\_CQ- TST-7001\] Verify that \[TOE-234\] allows to set traffic filtering rules that are defined by network protocols (ICMPv4/ICMPv6). PASS SF. Firewall FW.2 \[STIC\_OPNSENSE\_CQ- TST-7100\] Verify that \[TOE-234\] allows the modification of the Action parameter (permit or block) when defining a new firewall filtering rule with the capacity to log the operation. PASS SF. Firewall FW.3 \[STIC\_OPNSENSE\_CQ- TST-7200\] Verify that \[TOE-234\] allows to assign firewall PASS 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 50/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. filtering rules to distinct network interfaces. SF. Firewall FW.7 \[STIC\_OPNSENSE\_CQ- TST-7600\] Verify that TOE denies packets by default. PASS 7.2.3 RESULTS ID Non-conformity State OR02.NC01 \[STIC\_OPNSENSE\_CQ-TST-2020\] \[STIC\_OPNSENSE\_CQ-TST-2021\] \[TOE-234\] is not properly providing brute force protection. It seems that \[TOE-234\] is not killing the current state when the maximum limit of attempts is reached by the same connection. Moreover, SSH login protection seems insufficient as the lockout is only working if the username is also being brute forced. Password failed login attempts for an existing user does seem to be properly monitored. The developer implemented changes in the lockout handler and the protection is now being provided as expected. CLOSED ID Comments State N/A None. N/A 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 51/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 8 VULNERABILITY ANALYSIS Evaluator JEC Days required 2 days. Results of the evaluator's work PASS 8.1 EVALUATION ACTIVITIES The information presented in this section covers the result of carrying out the Evaluation activities specified in section 4.5 of \[CCN-STIC-2002\], with regard to the analysis of vulnerabilities present in the TOE. TE.5.1. The evaluator shall perform a methodic vulnerability analysis by using any means within their technical competence. PASS The TOE vulnerability analysis is described in the 8.3 TOE vulnerability del TOE. The result of this analysis is detailed in the section TE.5.2 The evaluator shall document the devised vulnerability analysis methodology. PASS The method followed to carry out the vulnerability analysis is described in the section 8.2 Methodology used for the analysis. TE.5.3. The evaluator shall document every identified potential vulnerability applicable to the TOE scope. PASS Information concerning this task of the evaluator can be found in the section 8.4 List of potential vulnerabilities. This information is described in more detail in the section 14 Annex C: Vulnerability analysis. TE.5.4. The evaluator shall compute the attack potential for every potential vulnerability in accordance to the punctuation system presented in the section 4.5.1 of \[CCN-STIC-2002\]. PASS Information concerning this task of the evaluator can be found in the section 8.4 List of potential vulnerabilities. This information is described in more detail in the section 14 Annex C: Vulnerability analysis.. 8.2 METHODOLOGY USED FOR THE ANALYSIS The methodology used follows the spirit of the Common Criteria \[CC\] methodology for vulnerability analysis \[CEM\]. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 52/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. Firstly, a survey of the TOE information available has been carried out to identify potential vulnerabilities that can be exploited by an attacker with low attack potential. An extensive analysis of the state of the art regarding the different vectors of attack on TOE-like tools has been carried out from different points of view. Based on the results of these tools and the analysis of the most common weaknesses of this type of tools, the vulnerabilities of the TOE have been identified. Next, an assessment and analysis of the vulnerabilities found has been made by performing tests that provide more information on the vulnerabilities and give rise to more sophisticated attacks. In a third step, penetration tests have been carried out based on the vulnerabilities found to check the degree of exploitability of the vulnerabilities. Finally, comprehensive and more complex penetration tests on the exploitable vulnerabilities present in the TOE have been developed as proofs of concept to illustrate the possibilities of an attacker exploiting these vulnerabilities. To calculate the distribution of the time dedicated to each vulnerability, it has been done taking into account the degree of difficulty to be exploited, as well as the severity for the integrity of the TOE that a successful attack would entail. 8.3 TOE VULNERABILITY ANALYSIS The vulnerability analysis process involves checking all security features declared in the TOE, identifying potential TOE vulnerabilities. The analysis process continues with the clear definition of the context of vulnerability to serve as a basis for understanding its severity and subsequent consideration. On the basis of this information, the different routes of attack on the vulnerable element are established, which, if appropriate, will be tested for penetration later. The tools used in the identification of the vulnerabilities present in the TOE are developed from information present in the TOE are developed from public information always under the requirements of time and effort marked by the methodology and developing small scripts from public information and based on the functional tests performed in the previous stage. 8.4 LIST OF POTENTIAL VULNERABILITIES Code Resistance level \[STIC\_OPNSENSE\_CQ-VUL-1010\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-1020\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-1030\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-1050\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-1060\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-1120\] BASIC 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 53/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. \[STIC\_OPNSENSE\_CQ-VUL-1130\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-2010\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-2030\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-2040\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-3010\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-3020\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-3030\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-4010\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-5010\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-6010\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-7010\] BASIC \[STIC\_OPNSENSE\_CQ-VUL-8010\] BASIC 8.5 RESULTS ID Non-conformity State N/A None. N/A ID Comments State N/A None. N/A 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 54/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 9 TOE PENETRATION TESTS This section presents a summary of the tests carried out and the results obtained. Evaluator JEC Days required 2 days. Results of the evaluator's work PASS 9.1 EVALUATION ACTIVITIES The information presented in this section covers the result of carrying out the evaluation activities specified in section 4.6 of \[CCN-STIC-2002\], with regard to the TOE penetration tests. TE.6.1. The evaluator shall provide a list with all the penetration tests performed on the TOE including, at least, the required steps to reproduce each test, the expected result, the actual result and whether the attack is successful or not. PASS The list of penetration tests performed can be found summarized in the section 9.2 List of penetration tests and described in more detail and with the information indicating the evaluator's task in the section 15 Annex D: Penetration test plan and report. TE.6.2. The evaluator shall document all non-conformities related to any successful attack. PASS The results of the penetration tests are collected on the basis of the non- conformities and comments in the section 9.3 Results. 9.2 LIST OF PENETRATION TESTS Penetration tests are performed from the perspective of a potential attacker and, based on the vulnerabilities found in the TOE, aim to cover the most relevant and promising attack vectors. Time constraints mean that the methodology used in penetration testing is focused on determining whether the objective established in each test is feasible, thus determining the severity of the identified vulnerabilities. Some tests were not identified during the preliminary vulnerability analysis and are the result of the creativity of the evaluator, who looks for new possible attacks in an exploratory way based on the knowledge gained during the tests. For these tests it will be necessary to create an applicable vulnerability and calculate the attack potential. The PASS/FAIL criteria for establishing the result of the penetration tests will be that if a FAIL penetration test is performed because the TOE does not behave safely according 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 55/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. to the security functionality and assets declared by the manufacturer in his Security Target. For those penetration tests whose objective is not directly the violation of the security properties of the TOE but rather the collection of information for further testing or that by their characteristics do not violate any asset or contradict the security functionality declared by the manufacturer in an evident way, the verdict will be assigned to PASS. In those cases where the TOE presents vulnerabilities that are not exploitable in the operational environment of the TOE, either because of the action of the environmental hypotheses or because the time or capabilities required to exploit them exceed the time and effort restrictions of this certification, a PASS result will be established and the verdict of the PASS will be justified, creating a comment that will allow the manufacturer to improve the security of the product if he so wishes. Security function Test code Objective Result SF. Reliable Administration \[STIC\_OPNSENSE\_CQ- PT-1010\] Verify that \[TOE-234\] does not allow non-privileged users to perform privileged users’ actions with specified URLs. PASS SF. Reliable Administration \[STIC\_OPNSENSE\_CQ- PT-1020\] Verify that \[TOE-234\] does not allow to gain access to the management interfaces with the default credentials. PASS SF. Reliable Administration \[STIC\_OPNSENSE\_CQ- PT-1030\] Verify that the \[TOE-234\] is not vulnerable to SQL injection. PASS SF. Reliable Administration \[STIC\_OPNSENSE\_CQ- PT-1050\] Verify that \[TOE-234\] does not allow user enumeration by Web Interface messages. PASS SF. Reliable Administration \[STIC\_OPNSENSE\_CQ- PT-1060\] Verify that the \[TOE-234\] is not vulnerable to directory traversal. PASS SF. Reliable Administration \[STIC\_OPNSENSE\_CQ- PT-1120\] Verify that the user root is not allowed to manage the \[TOE-234\] via SSH. PASS SF. Reliable Administration \[STIC\_OPNSENSE\_CQ- PT-1130\] Verify that \[TOE-234\] does not allow non-privileged user to access through SSH. PASS SF. Reliable Administration \[STIC\_OPNSENSE\_CQ- PT-2010\] Verify that the \[TOE-234\] does not allow bypassing of password policies. PASS 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 56/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. SF. Identification and authentication \[STIC\_OPNSENSE\_CQ- PT-2030\] Verify that \[TOE-234\] does not store password in plain-text. PASS SF. Identification and authentication \[STIC\_OPNSENSE\_CQ- PT-2040\] Verify that \[TOE-234\] does not allow an attacker to block the root account by brute-force in the Web Interface. PASS SF. Reliable communication channels \[STIC\_OPNSENSE\_CQ- PT-3010\] Verify that \[TOE-234\] does not allow to downgrade HTTPS to HTTP. PASS SF. Reliable Communications channels \[STIC\_OPNSENSE\_CQ- PT-3020\] Verify that the \[TOE-234\] does not allow to establish a SSH connection with insecure SSH versions. PASS SF. Reliable communication channels \[STIC\_OPNSENSE\_CQ- PT-3030\] Verify if \[TOE-234\] authenticates the external syslog server. PASS SF. Reliable communication channels \[STIC\_OPNSENSE\_CQ- PT-3032\] Verify if it is possible to exploit a XSS vulnerability by indicating the payload in the fields from a certificate of a remote syslog server. PASS SF. Reliable communication channels SF. Cryptographic requirements \[STIC\_OPNSENSE\_CQ- PT-3033\] Verify that \[TOE-234\] does not allow to use TLS versions lower than TLSv1.2 in the communication with an external syslog server. PASS SF. Reliable communication channels SF. Reliable installation and upgrades \[STIC\_OPNSENSE\_CQ- PT-4010\] Verify if an attacker is able to spoof the update server when \[TOE-234\] is checking for updates. PASS SF. Audit \[STIC\_OPNSENSE\_CQ- PT-5010\] Verify that it is not possible to inject fake audit events in the \[TOE-234\] log file or modify it. PASS SF. Firewall \[STIC\_OPNSENSE\_CQ- PT-7010\] Verify that \[TOE-234\] correctly applies filtering rules on boot. PASS SF. Firewall \[STIC\_OPNSENSE\_CQ- PT-7012\] Verify that \[TOE-234\] does not allow rule bypassing PASS 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 57/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. when packets are fragmented. All security functions \[STIC\_OPNSENSE\_CQ- PT-8010\] Verify that \[TOE-234\] does not present exploitable vulnerabilities identified performing a scan with the tool Nessus. PASS 9.3 RESULTS ID Non-conformity State N/A None N/A ID Comments State N/A None. N/A 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 58/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 10 REFERENCES \[CC\] Common Criteria for Information Technology Security Evaluation. The last approved version must be considered which is published in the website of the Certification Body. (https://oc.ccn.cni.es). \[CCN-STIC-2001\] Definition of the National Essential Security Certification (LINCE), version 0.1. January 2020. \[CCN-STIC-2002\] Evaluation Methodology for the National Essential Security Certification (LINCE), version 0.1. January 2020 \[CCN-STIC-2003\] Template for the Security Target of the National Essential Security Certification (LINCE), version 0.1. January 2020 \[CCN-STIC-807\] Use of cryptology within the National Security Scheme (Esquema Nacional de Seguridad). Mayo 2022. \[CEM\] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology. The last approved version must be considered which is published in the website of the Certification Body. (https://oc.ccn.cni.es). \[OPNSENSE-LINCE-ST16\] LINCE Security Target v1.6. \[OPNSENSE-IAR-10\] Impact analysis report v1.0 for \[TOE-224\]. \[OPNSENSE-IAR-20\] Impact analysis report v2.0 for \[TOE-2210\]. \[OPNSENSE-IAR-30\] Impact analysis report v2.0 for \[TOE-234\]. \[listado\_de\_evidencias\] List of evidence in which are included the reference, title, version, path and SHA-256 hash of the different evidence provided by the manufacturer for the evaluation. 10.1 DEVELOPER EVIDENCES The applicable developer evidence is listed in the latest version of the attached document \[listado\_de\_evidencias\]. 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 59/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. 11 ACRONYMS CBS Basic Security Certification CCN Centro Criptológico Nacional CNI Centro Nacional de Inteligencia ENS Esquema Nacional de Seguridad LINCE National Essential Security Certification MCF Source Code Module MEC Cryptographic Evaluation Module TIC Information and Communications Technology TOE Target Of Evaluation LAN Local Area Network WAN Wide Area Network IP Internet Protocol TCP Transmission Control Protocol UDP User Datagram Protocol ICMP Internet Control Message Protocol TLS Transport Layer Security SSH Secure Shell UFS Unix File System NTP Network Time Protocol HTTP Hypertext Transfer Protocol HTTPS Hypertext Transfer Protocol Secure DoS Denial of Service CA Certification Authority GUI Graphical User Interface CLI Command Line Interface 0 STIC ETR CUA-2022-46 STIC\_OPNSENSE\_CQ STIC Evaluation Technical Report 60/60 jtsec Beyond IT Security SL Uncontrolled copy if printed. SSL Secure Sockets Layer MAC Message Authentication Code
---
# Unknown
STIC Evaluation Technical Report STIC\_OPNSENSE\_HIGH-2404 (CUA-2023-118) 1.0 2025/01/28 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 2/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. CHANGELOG Version Date Author Reason Changes 1.0 2025/01/28 DAT Document creation. First version. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 3/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. INDEX 1 Introduction .............................................................................................................. 5 1.1 Evaluation Technical Report information ......................................................... 5 1.2 TOE developer information .............................................................................. 5 2 TOE description ........................................................................................................ 6 2.1 Functional description of the TOE .................................................................... 6 2.2 Inventory of security functions ........................................................................ 7 2.2.1 Collaborative Protection Profile for Network Devices ............................. 8 2.2.2 PP-Module for Stateful Traffic Filter Firewalls ....................................... 27 3 Operational environment ....................................................................................... 31 3.1 Description of the operational environment ................................................. 31 3.2 Operational environment assumptions ......................................................... 32 4 Executive summary of the evaluation .................................................................... 33 5 Verdict of the evaluation ........................................................................................ 37 6 TOE installation and review of the installation, configuration and operation guides 38 6.1 Evaluation activities ........................................................................................ 38 6.2 Detailed configuration of the operational environment................................ 39 6.3 Description of the installation and configuration of the TOE ........................ 39 6.3.1 Setting a subscription key ....................................................................... 47 6.3.2 Updating to version 24.10.1 ................................................................... 48 6.3.3 Enabling access logs ................................................................................ 48 6.3.4 Change shell type and inactivity timeout ............................................... 49 6.3.5 Change permissions of /conf/config.xml ................................................ 49 6.3.6 Defining a password policy ..................................................................... 49 6.3.7 Add a read-only audit role ...................................................................... 50 6.3.8 Disable root user for SSH ........................................................................ 52 6.3.9 Configure system backups rotation ........................................................ 52 6.3.10 Configure two-factor authentication ..................................................... 53 6.3.11 Configuring configd access control ......................................................... 54 6.3.12 Web interface TLS cipher suites configuration ...................................... 55 6.3.13 SSH cryptographic parameters configuration ........................................ 55 6.3.14 Syslog client TLS cipher suites configuration .......................................... 56 6.3.15 Installing certificates from trustworthy CA ............................................ 57 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 4/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 6.3.16 Disabling NTP service .............................................................................. 57 6.3.17 Modifying Trust settings ......................................................................... 57 6.4 Verification of the installed TOE version ........................................................ 58 6.5 Used installation options ................................................................................ 59 6.6 Results............................................................................................................. 59 7 Conformity assessment .......................................................................................... 60 7.1 Functional tests .............................................................................................. 60 7.1.1 Evaluation activities ................................................................................ 60 7.1.2 List of functional tests ............................................................................ 60 7.1.3 Results..................................................................................................... 68 8 Vulnerability analysis .............................................................................................. 81 8.1 Evaluation activities ........................................................................................ 81 8.2 Methodology used for the analysis ................................................................ 82 8.3 TOE vulnerability analysis ............................................................................... 82 8.4 List of potential vulnerabilities ....................................................................... 83 8.5 Results............................................................................................................. 83 9 TOE penetration tests ............................................................................................. 84 9.1 Evaluation activities ........................................................................................ 84 9.2 List of penetration tests.................................................................................. 84 9.3 Results............................................................................................................. 85 10 References .......................................................................................................... 86 10.1 Developer Evidences ...................................................................................... 87 11 Acronyms ............................................................................................................ 88 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 5/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 1 INTRODUCTION This document is the National Essential Security Certification (LINCE) Evaluation Technical Report (ETR) for the TOE OPNsense Business Edition according to the method described in \[CCN-STIC-2001\] and \[CCN-STIC-2002\]. The results only affect the tested TOE, so they may not be representative of other manufacturer developments. No part of this report may be reproduced without the express permission of the laboratory. 1.1 EVALUATION TECHNICAL REPORT INFORMATION ETR reference STIC\_OPNSENSE\_HIGH-2404-ETR-v1.0 ETR version 1.0 Author or authors DAT Reviewer ACP Approved by JTG Start date of the works 2024/07/03 End date of the works 2025/01/28 CB dossier code CUA-2023-118 Laboratory project code STIC\_OPNSENSE\_HIGH-2404 Type of evaluation Complementary STIC Product Taxonomy N/A Evaluation Laboratory holding the accreditation jtsec Beyond IT Security SLU (ESB93551422) Laboratory address Avenida de la Constitución 20 Oficina 208. CP 18012 Granada, España. Address where the work is done Avenida de la Constitución 20 Oficina 208. CP 18012 Granada, España. 1.2 TOE DEVELOPER INFORMATION Applicant data Deciso B.V. Applicant’s contact information Ad Schellevis +31(0)187744020 a.a.schellevis@deciso.com Edison 43, 3241 LS Middelharnis, The Netherlands. Developer data Deciso B.V. TOE name OPNsense Business Edition TOE version 24.10.1 Operating manuals of the product \[OPNSENSE-DOCS-D971B9D\] 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 6/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 2 TOE DESCRIPTION The information in this section is provided by the manufacturer in the latest version of its Security Target. 2.1 FUNCTIONAL DESCRIPTION OF THE TOE OPNsense Business Edition, from now on referred as TOE, is a stateful software-based firewall. It is in charge of interconnecting two or more networks, channelling all communications between them through itself to examine each message and block those that do not meet the specified security criteria. The TOE includes both the firewall application and the platform/operating system on which it operates. The underlying operating system, based on FreeBSD, is an essential component of the TOE, as it provides the necessary capabilities for the secure execution of the TOE. The TOE is thus considered as an integrated solution comprising: 1. Firewall application: implements traffic filtering and security policy management functionality. 2. Platform/Operating System: FreeBSD, specifically configured to support the security operations required by the TOE. 3. Management Interface: Includes both the command line interface (CLI) and the graphical user interface (GUI), through which the administration of the TOE is performed. Although the TOE offers a wide range of additional functionalities, such as VPN, proxy, intrusion detection, among others, the scope of evaluation focuses on the firewall functionality (traffic filtering and policy management). In this context, the TOE interconnect two or more networks so that all communications between these networks pass through it, in order to examine each message and filtering those that do not meet the specified security criteria. Filtering is implemented at various levels within the layers defined by the Open Systems Interconnection model (ISO/IEC 7498-1), specifically addressing network (Layer 3) and transport (Layer 4). Regarding to the TOE management, the TOE can be managed by two different interfaces: • CLI interface: o Local access: Available directly on the machine where the TOE is installed, allowing administrators to perform the initial configuration, maintenance and management of the system without the need for a network connection. o Remote access: which allows remote TOE management via SSHv2. The use of this interface is not allowed to the root user. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 7/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. • GUI interface: it is a web interface which allows TOE management via HTTPS. 2.2 INVENTORY OF SECURITY FUNCTIONS For this evaluation, the defined security functions and the pool of security requirements are extracted from different protection profiles and taxonomies. These are \[cPP-ND- 30e\] and \[PPMOD-FW-14e\]. These supporting documents associated with these protection profiles (\[cPP-ND-30e-SD\] and \[PPMOD-FW-14e-SD\]) will be followed by the evaluator when conducting the tests, although they will not be followed strictly but rather as a guide to orientate the tests. It is worth noting that although the CPSTIC taxonomy \[CCN-STIC 140-D3\] refers to these taxonomies but to versions v2.2e and v1.3 respectively, the laboratory has decided to use the most up to date versions available. This evaluation takes as a baseline the LINCE evaluation carried out for the same TOE that is the subject of this STIC evaluation, OPNsense Business Edition. This LINCE evaluation, with CB dossier number 2024-13 and qualification dossier CUA-2023-118, has been carried out in accordance with the Security Target \[LINCE-ST-08\]. Given this, the evaluator has carried out an analysis of the requirements included in the protection profiles \[cPP-ND-30e\] and \[PPMOD-FW-14e\] with the purpose of determining and omitting for the present STIC evaluation those that are covered by the work carried out and requirements evaluated in the LINCE evaluation. In addition to this, the evaluator has considered the Impact Analysis Report \[IAR-10\] when defining the requirements to be tested in this evaluation. Those requirements that have been affected by changes in the product from the version evaluated in the LINCE to the initial version of this STIC evaluation will be retested. Therefore, for each protection profile: 1. A coverage analysis has been carried out, considering \[LINCE-ST-08\] and \[IAR-10\]. 2. The SFRs to be evaluated have been defined according to the TOE version of this assessment. These two points are included in the following sections, for each protection profile separately. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 8/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 2.2.1 COLLABORATIVE PROTECTION PROFILE FOR NETWORK DEVICES The following table includes the coverage analysis for the \[cPP-ND-30e\] Protection Profile: Requirement in \[cPP-ND-30e\] Covered? FAU\_GEN.1.1 Partially covered by the requirement AUD.1 included in the LINCE Security Target as some points defined in the requirement from the PP are mentioned in AUD.1 The audit features to test are defined in the SFR definition included after this table. FAU\_GEN.1.2 Partially covered by the requirement AUD.2 included in the LINCE Security Target. The audit features to test are defined in the SFR definition included after this table and are tied to the events declared in FAU\_GEN.1.1. FAU\_GEN.2.1 Partially covered by the requirement AUD.2 included in the LINCE Security Target. The audit features to test are verified alongside the tests related to FAU\_GEN.1.1 and FAU\_GEN.1.2. FAU\_STG\_EXT.1.1 Covered by AUD.4. FAU\_STG\_EXT.1.2 Covered by AUD.4. FAU\_STG\_EXT.1.3 Covered by AUD.4. FAU\_STG\_EXT.1.4 Not covered, SFR to test in the present STIC evaluation. Related requirement AUD.5 was evaluated in LINCE evaluation but changes (as indicated in \[IAR-10\]) introduced in the product affect such functionality; therefore, retesting is a necessity. FAU\_STG\_EXT.1.5 Not covered, SFR to test in the present STIC evaluation. Related requirement AUD.5 was evaluated in LINCE evaluation but changes (as indicated in \[IAR-10\]) introduced in the product affect such functionality; therefore, retesting is a necessity. FAU\_STG\_EXT.1.6 Covered by AUD.4. FCS\_CKM.1.1 Dismissed for the present STIC evaluation, will be covered in future evaluation rounds. FCS\_CKM.2.1 Dismissed for the present STIC evaluation, will be covered in future evaluation rounds. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 9/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. FCS\_CKM.4.1 Dismissed for the present STIC evaluation, will be covered in future evaluation rounds. FCS\_COP.1.1/DataEncryption Dismissed for the present STIC evaluation, will be covered in future evaluation rounds. FCS\_COP.1.1/SigGen Dismissed for the present STIC evaluation, will be covered in future evaluation rounds. FCS\_COP.1.1/Hash Dismissed for the present STIC evaluation, will be covered in future evaluation rounds. FCS\_COP.1.1/KeyedHash Dismissed for the present STIC evaluation, will be covered in future evaluation rounds. FCS\_RBG\_EXT.1.1 Dismissed for the present STIC evaluation, will be covered in future evaluation rounds. FCS\_RBG\_EXT.1.2 Dismissed for the present STIC evaluation, will be covered in future evaluation rounds. FIA\_UIA\_EXT.1.1 Not covered, SFR to test in the present STIC evaluation. FIA\_UIA\_EXT.1.2 Not covered, SFR to test in the present STIC evaluation. Functionality was evaluated in LINCE evaluation (IAU.1 requirement) but changes (as indicated in \[IAR-10\]) introduced in the product affect such functionality; therefore, retesting is a necessity. FIA\_UIA\_EXT.1.3 Not covered, SFR to test in the present STIC evaluation. Functionality was evaluated in LINCE evaluation (IAU.1 requirement) but changes (as indicated in \[IAR-10\]) introduced in the product affect such functionality; therefore, retesting is a necessity. FIA\_UIA\_EXT.1.4 Not covered, SFR to test in the present STIC evaluation. Functionality was evaluated in LINCE evaluation (IAU.1 requirement) but changes (as indicated in \[IAR-10\]) introduced in the product affect such functionality; therefore, retesting is a necessity. FMT\_MOF.1.1/ManualUpdate Covered by ADM.2, ADM.3 and ACT.3. FMT\_MTD.1.1/CoreData Covered by ADM.3. FMT\_SMF.1.1 Partially covered by the requirement ADM.2 included in the LINCE Security Target. The management features to test are defined in the SFR definition included after this table. FMT\_SMR.2.1 Covered by ADM.1. FMT\_SMR.2.2 Covered by ADM.1. FMT\_SMR.2.3 Covered by ADM.2. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 10/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. FPT\_SKP\_EXT.1.1 Covered by PSC.1. FPT\_STM\_EXT.1.1 Not covered, SFR to test in the present STIC evaluation. FPT\_STM\_EXT.1.2 Not covered, SFR to test in the present STIC evaluation. FPT\_TST\_EXT.1.1 Not covered, SFR to test in the present STIC evaluation. FPT\_TST\_EXT.1.2 Not covered, SFR to test in the present STIC evaluation. FPT\_TUD\_EXT.1.1 Covered by ACT.1. FPT\_TUD\_EXT.1.2 Covered by ACT.1. FPT\_TUD\_EXT.1.3 Covered by ACT.2. FTA\_SSL.3.1 Covered by IAU.4. FTA\_SSL.4.1 Covered by AUD.1 FTA\_TAB.1.1 Not covered, SFR to test in the present STIC evaluation. FTP\_ITC.1.1 Covered by COM.1 and COM.2. FTP\_ITC.1.2 Covered by COM.2. FTP\_ITC.1.3 Covered by COM.2. FTP\_TRP.1.1/Admin Covered by COM.4. FTP\_TRP.1.2/Admin Covered by COM.4. FTP\_TRP.1.3/Admin Covered by COM.4. FCS\_HTTPS\_EXT.1.1 Covered by COM.1 and COM.4. FCS\_HTTPS\_EXT.1.1 Covered by COM.1 and COM.4. FCS\_TLSS\_EXT.1.1 Covered by COM.4 and CIF.1. The only TOE HTTPS/TLS server is the web management interface. TLS protocol version and cipher suites were verified in tests for such requirements. FCS\_TLSS\_EXT.1.2 Covered by COM.3. The only TOE HTTPS/TLS server is the web management interface. The size of the key for the certificate in such HTTPS/TLS server was verified in the test related to such requirement. FCS\_TLSS\_EXT.1.3 Not covered, SFR to test in the present STIC evaluation. Curves are specified in COM.4 but retesting is considered just to determine if they remain the same and are suitable for HIGH category, this decision comes from detecting deviations after superficial testing. FCS\_TLSS\_EXT.1.4 Not covered, SFR to test in the present STIC evaluation. FCS\_TLSS\_EXT.1.5 Covered by installation/configuration process. The configuration of a specific set of cipher suites is indicated in the LINCE Security Target as part of the TOE configuration process. As it has been possible to exercise the functionality related to this 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 11/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. requirement through the installation, the requirement is considered fulfilled. FCS\_TLSS\_EXT.1.6 Not covered, SFR to test in the present STIC evaluation. FCS\_TLSS\_EXT.1.7 Functional testing not required as defined in the supporting document for \[cPP-ND-30e\], \[cPP-ND- 30e-SD\]. FCS\_TLSS\_EXT.1.8 Not covered, SFR to test in the present STIC evaluation. FCS\_SSH\_EXT.1.1 Covered by COM.4. Requirement from Functional Package \[PKG-SSH- 10\]. FCS\_SSH\_EXT.1.2 Covered by COM.4 and IAU.1. Requirement from Functional Package \[PKG-SSH- 10\]. FCS\_SSH\_EXT.1.3 Not covered, SFR to test in the present STIC evaluation. Requirement from Functional Package \[PKG-SSH- 10\]. FCS\_SSH\_EXT.1.4 Covered by COM.4. Requirement from Functional Package \[PKG-SSH- 10\]. FCS\_SSH\_EXT.1.5 Covered by COM.4. Requirement from Functional Package \[PKG-SSH- 10\]. FCS\_SSH\_EXT.1.6 Covered by COM.4. Requirement from Functional Package \[PKG-SSH- 10\]. FCS\_SSH\_EXT.1.7 Functional testing not required as defined in the supporting document for \[cPP-ND-30e\], \[cPP-ND- 30e-SD\]. FCS\_SSH\_EXT.1.8 Not covered, SFR to test in the present STIC evaluation. Requirement from Functional Package \[PKG-SSH- 10\]. FCS\_SSHS\_EXT.1.1 Covered by COM.4. FCS\_TLSC\_EXT.1.1 Covered by COM.1 and CIF.1. The TOE acts as a TLS client when establishing a connection with the syslog server and with the update repository. TLS protocol version and cipher suites were verified in 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 12/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. tests for such requirements for both communication channels. FCS\_TLSC\_EXT.1.2 Not covered, SFR to test in the present STIC evaluation. FCS\_TLSC\_EXT.1.3 Not covered, SFR to test in the present STIC evaluation. FCS\_TLSC\_EXT.1.4 Not covered, SFR to test in the present STIC evaluation. Curves are specified in COM.1 but retesting is considered just to determine if they remain the same and are suitable for HIGH category, this decision comes from detecting deviations after superficial testing. FCS\_TLSC\_EXT.1.5 Not covered, SFR to test in the present STIC evaluation. FCS\_TLSC\_EXT.1.6 Communication channel with the syslog server covered by installation/configuration process. The configuration of a specific set of cipher suites is indicated in the LINCE Security Target as part of the TOE configuration process. As it has been possible to exercise the functionality related to this requirement through the installation, the requirement is considered fulfilled. The communication channel with the update repository is not covered by that rationale. FCS\_TLSC\_EXT.1.7 Not covered, SFR to test in the present STIC evaluation. FCS\_TLSC\_EXT.1.8 Functional testing not required as defined in the supporting document for \[cPP-ND-30e\], \[cPP-ND- 30e-SD\]. FCS\_TLSC\_EXT.1.9 Not covered, SFR to test in the present STIC evaluation. FIA\_X509\_EXT.1.1/Rev Not covered, SFR to test in the present STIC evaluation. FIA\_X509\_EXT.1.2/Rev Not covered, SFR to test in the present STIC evaluation. FIA\_X509\_EXT.2.1 Not covered, SFR to test in the present STIC evaluation. FIA\_X509\_EXT.2.2 Not covered, SFR to test in the present STIC evaluation. FIA\_X509\_EXT.3.1 Not covered, SFR to test in the present STIC evaluation. FIA\_X509\_EXT.3.2 Not covered, SFR to test in the present STIC evaluation. FIA\_AFL.1.1 Covered by IAU.2, the configuration instructions included in the LINCE Security Target urge the user to configure a 2FA mechanism. This mechanism, 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 13/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. that was tested in the LINCE evaluation, is deemed valid to cover the SFR defined in the PP. FIA\_AFL.1.2 Covered by IAU.2, the configuration instructions included in the LINCE Security Target urge the user to configure a 2FA mechanism. This mechanism, that was tested in the LINCE evaluation, is deemed valid to cover the SFR defined in the PP. FIA\_UAU.7.1 Not covered, SFR to test in the present STIC evaluation. FIA\_PMG\_EXT.1.1 Covered by IAU.3. FPT\_APW\_EXT.1.1 Not covered, SFR to test in the present STIC evaluation. Functionality was evaluated in LINCE evaluation (PSC.1 requirement) but changes (as indicated in \[IAR-10\]) introduced in the product affect such functionality; therefore, retesting is a necessity. FPT\_APW\_EXT.1.2 Not covered, SFR to test in the present STIC evaluation. Functionality was evaluated in LINCE evaluation (PSC.1 requirement) but changes (as indicated in \[IAR-10\]) introduced in the product affect such functionality; therefore, retesting is a necessity. FMT\_MOF.1.1/Functions Not covered, SFR to test in the present STIC evaluation. FMT\_MTD.1.1/CryptoKeys Not covered, SFR to test in the present STIC evaluation. FTA\_SSL\_EXT.1.1 Covered by IAU.4. Therefore, given the previous analysis, the Security Functional Requirements to test from the PP \[cPP-ND-30e\] are the following: Requirement SFR PP Description Final description FAU\_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: a. Start-up and shut-down of the audit functions; b. All auditable events for the not specified level of audit; and c. All administrative actions comprising: • Administrative login and logout (name of Administrator account shall The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shut- down of the audit functions; b) All administrative actions comprising: • Generating/import of, changing, or deleting of cryptographic keys (in 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 14/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. be logged if individual accounts are required for Administrators). • Changes to TSF data related to configuration changes (in addition to the information that a change occurred it shall be logged what has been changed). • Generating/import of, changing, or deleting of cryptographic keys (in addition to the action itself a unique key name or key reference shall be logged). • \[selection: Resetting passwords (name of related Administrator account shall be logged), no other actions, \[assignment: list of other uses of privileges\]\]; d. Specifically defined auditable events listed in Table 2. addition to the action itself a unique key name or key reference shall be logged). • \[selection: no other actions\]; c) Specifically defined auditable events: • Management of the TOE's trust store. • Discontinuous changes to time. • Initiation/termination/f ailure of the trusted channel with the remote audit server. FAU\_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the cPP/ST, information specified in column three of Table 2. Same description as in PP. FAU\_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event. Same description as in PP. FAU\_STG\_EXT.1.4 The TSF shall be able to store \[selection: persistent, nonpersistent\] audit records The TSF shall be able to store \[selection: persistent\] audit records 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 15/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. locally with a minimum storage size of \[assignment: number of records and/or file/buffer size(s)\]. locally with a minimum storage size of \[assignment: maximum log file size \* number of logs to be kept as defined\]. FAU\_STG\_EXT.1.5 The TSF shall \[selection: drop new audit data, overwrite previous audit records according to the following rule: \[assignment: rule for overwriting previous audit records\], \[assignment: other action\]\] when the local storage space for audit data is full. The TSF shall \[selection: overwrite previous audit records according to the following rule: \[assignment: maximum log file size and number of logs to be kept as defined\]\] when the local storage space for audit data is full. FIA\_UIA\_EXT.1.1 The TSF shall allow the following actions prior to requiring the non- TOE entity to initiate the identification and authentication process: • Display the warning banner in accordance with FTA\_TAB.1; • \[selection: no other actions, automated generation of cryptographic keys, \[assignment: list of services, actions performed by the TSF in response to non-TOE requests\]\]. The TSF shall allow the following actions prior to requiring the non-TOE entity to initiate the identification and authentication process: • Display the warning banner in accordance with FTA\_TAB.1; • \[selection: no other actions\]. FIA\_UIA\_EXT.1.2 The TSF shall require each administrative user to be successfully identified and authenticated before allowing any other TSF-mediated actions on behalf of that administrative user. Same description as in PP. FIA\_UIA\_EXT.1.3 The TSF shall provide the following remote authentication mechanisms \[selection: Web GUI password, SSH password, SSH public key, X.509 certificate, \[assignment: other authentication mechanism\]\] and local authentication mechanisms \[selection: none, password-based, \[assignment: other authentication mechanism\]\]. The TSF shall provide the following remote authentication mechanisms \[selection: Web GUI password, SSH password\] and local authentication mechanisms \[selection: password-based\]. FIA\_UIA\_EXT.1.4 The TSF shall authenticate any administrative user’s claimed Same description as in PP. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 16/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. identity according to each authentication mechanism specified in FIA\_UIA\_EXT.1.3. FMT\_SMF.1.1 The TSF shall be capable of performing the following management functions: • Ability to administer the TOE remotely; • Ability to configure the access banner; • Ability to configure the remote session inactivity time before session termination; • Ability to update the TOE, and to verify the updates using digital signature capability prior to installing those updates; • \[selection: o Ability to start and stop services; o Ability to configure audit behaviour (e.g. changes to storage locations for audit; changes to behaviour when local audit storage space is full); o Ability to modify the behaviour of the transmission of audit data to an external IT entity; o Ability to configure the list of TOE-provided services available before an entity is identified and authenticated, as specified in FIA\_UIA\_EXT.1; o Ability to configure local audit behaviour (e.g. changes to storage locations for audit; changes to behaviour when local audit storage space is full, changes to local audit storage size); o Ability to manage the cryptographic keys; o Ability to configure the cryptographic functionality; The TSF shall be capable of performing the following management functions: • Ability to configure the access banner; • \[selection: o Ability to manage the cryptographic keys; o Ability to manage the TOE’s trust store and designate X509.v3 certificates as trust anchors; o Ability to set the time which is used for time- stamps; o Ability to modify the behaviour of the transmission of audit data to an external IT entity;\]. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 17/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. o Ability to configure thresholds for SSH rekeying; o Ability to configure the lifetime for IPsec SAs; o Ability to configure the list of supported (D)TLS ciphers; o Ability to configure the interaction between TOE components; o Ability to enable or disable automatic checking for updates or automatic updates; o Ability to re-enable an Administrator account; o Ability to set the time which is used for time-stamps; o Ability to configure NTP; o Ability to configure the reference identifier for the peer; o Ability to manage the TOE’s trust store and designate X509.v3 certificates as trust anchors; o Ability to generate Certificate Signing Request (CSR) and process CA certificate response; o Ability to administer the TOE locally; o Ability to configure the local session inactivity time before session termination or locking; o Ability to configure the authentication failure parameters for FIA\_AFL.1; o Ability to manage the trusted public keys database; o Ability to manage the public key or certificate used to validate the digital update; o No other capabilities\]. FPT\_STM\_EXT.1.1 The TSF shall be able to provide reliable time stamps for its own use. Same description as in PP. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 18/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. FPT\_STM\_EXT.1.2 The TSF shall \[selection: allow the Security Administrator to set the time, synchronise time with an NTP server, obtain time from the underlying virtualization system\]. The TSF shall \[selection: allow the Security Administrator to set the time\]. FTA\_TAB.1.1 Before establishing a an administrative user session the TSF shall display a Security Administrator-specified advisory notice and consent warning message regarding unauthorised use of the TOE. Before establishing an administrative user session the TSF shall display a Security Administrator-specified advisory notice and consent warning message regarding use of the TOE. FCS\_TLSS\_EXT.1.3 The TSF shall perform key exchange using: \[selection: • RSA key establishment with key size \[selection: 2048, 3072, 4096\] bits; • EC Diffie-Hellman key agreement over NIST curves \[selection: secp256r1, secp384r1, secp521r1\] and no other curves; • Diffie-Hellman parameters \[selection: of size 2048 bits, of size 3072 bits, of size 4096 bits, of size 6144 bits, of size 8192 bits, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192\] \]. The TSF shall perform key exchange using: \[selection: • EC Diffie-Hellman key agreement over NIST curves \[selection: secp256r1, secp384r1, secp521r1\], and no other curves x25519 and x448; \]. FCS\_TLSS\_EXT.1.4 The TSF shall support \[selection: no session resumption, session resumption based on session IDs according to RFC 5246 (TLS 1.2), session resumption based on session tickets according to RFC 5077 (TLS 1.2), session resumption according to RFC 8446 (TLS 1.3)\]. The TSF shall support \[selection: session resumption based on session tickets according to RFC 5077 (TLS 1.2), session resumption according to RFC 8446 (TLS 1.3)\]. FCS\_TLSS\_EXT.1.6 The TSF shall prohibit the use of the following extensions: • Early data extension Same description as in PP. FCS\_TLSS\_EXT.1.8 The TSF shall \[selection: support secure renegotiation in accordance with RFC 5746 by The TSF shall \[selection: support secure renegotiation in 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 19/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. always including the “renegotiation\_info” TLS extension in TLS 1.2 ServerHello messages, reject \[selection: TLS 1.2, TLS 1.3\] renegotiation attempts\]. accordance with RFC 5746 by always including the “renegotiation\_info” TLS extension in TLS 1.2 ServerHello messages, reject \[selection: TLS 1.3\] renegotiation attempts\]. FCS\_SSH\_EXT.1.3 The TSF shall ensure that, as described in RFC 4253, packets greater than \[assignment: number of bytes between 35,000 and 1 GB (inclusive)\] in an SSH transport connection are dropped. The TSF shall ensure that, as described in RFC 4253, packets greater than \[assignment: 262135 bytes\] in an SSH transport connection are dropped. FCS\_SSH\_EXT.1.8 The TSF shall ensure that \[selection: • a rekey of the session keys, • connection termination \] occurs when any of the following thresholds are met: • one hour connection time • no more than one gigabyte of transmitted data, or • no more than one gigabyte of received data. The TSF shall ensure that \[selection: • a rekey of the session keys \] occurs when any of the following thresholds are met: • one hour connection time • no more than one gigabyte of transmitted data, or • no more than one gigabyte of received data. FCS\_TLSC\_EXT.1.2 The TSF shall verify that the presented identifier matches \[selection: the reference identifier per RFC 6125 Section 6, IPv4 address in the CN or in the SAN, IPv6 address in the CN or in the SAN, IPv4 address in the SAN, IPv6 address in the SAN, the identifier per RFC 5280 Appendix A using \[selection: id-atcommonName, id- at-countryName, id-at- dnQualifier, id-at- generationQualifier, idat- givenName, id-at-initials, id-at- localityName, id-at-name, id- atorganizationalUnitName, id-at- organizationName, id-at- pseudonym, id-atserialNumber, id-at-stateOrProvinceName, id-at- The TSF shall verify that the presented identifier matches \[selection: the reference identifier per RFC 6125 Section 6, IPv4 address in the CN or in the SAN, and no other attribute types\]. NOTE: SFR tested for the communication channel of the TOE with the audit server and the update repository. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 20/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. surname, id-at-title\] and no other attribute types\]. FCS\_TLSC\_EXT.1.3 The TSF shall not establish a trusted channel if the server certificate is invalid \[selection: • without any administrator override mechanism • except with the following administrator override: If the TSF fails to determine the revocation status the TSF shall allow the administrator to provide override authorization to establish the connection on a per certificate basis. \]. The TSF shall not establish a trusted channel if the server certificate is invalid \[selection: • without any administrator override mechanism \]. NOTE: SFR tested for the communication channel of the TOE with the audit server and the update repository. FCS\_TLSC\_EXT.1.4 The TSF shall \[selection: not present the Supported Groups Extension, present the Supported Groups Extension with the following curves/groups: \[selection: secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192\] and no other curves/groups\] in the Client Hello. For the communication channel with the remote audit server: The TSF shall \[selection: present the Supported Groups Extension with the following curves/groups: \[selection: secp256r1, secp384r1, secp521r1\], and no other curves/groups x448 and x25519\] in the Client Hello. For the communication channel with the update repository: The TSF shall \[selection: present the Supported Groups Extension with the following curves/groups: \[selection: secp256r1, secp384r1, secp521r1\], and no other curves/groups x448 and x25519\] in the Client Hello. FCS\_TLSC\_EXT.1.5 The TSF shall \[selection: • present the signature\_algorithms For the communication channel with the audit server: The TSF shall \[selection: 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 21/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. extension with support for the following algorithms: o rsa\_pkcs1 with sha256(0x0401), o rsa\_pkcs1with sha384(0x0501), o rsa\_pkcs1 with sha512(0x0601), o ecdsa\_secp256r1 with sha256(0x0403), o ecdsa\_secp384r1 with sha384(0x0503), o ecdsa\_secp521r1 with sha512(0x0603), o rsa\_pss\_rsae with sha256(0x0804), o rsa\_pss\_rsae with sha384(0x0805), o rsa\_pss\_rsae with sha512(0x0806), o rsa\_pss\_pss with sha256(0x0809), o rsa\_pss\_pss with sha384(0x080a), o rsa\_pss\_pss with sha512(0x080b) o \] and no other algorithms; • present the signature\_algorithms extension with support for the following algorithms: \[selection: o ecdsa\_secp256r1 with sha256(0x0403), o ecdsa\_secp384r1 with sha384(0x0503), o ecdsa\_secp521r1 with sha512(0x0603), o rsa\_pss\_rsae with sha256(0x0804), o rsa\_pss\_rsae with sha384(0x0805), o rsa\_pss\_rsae with sha512(0x0806), o rsa\_pss\_pss with sha256(0x0809), o rsa\_pss\_pss with sha384(0x080a), o rsa\_pss\_pss with sha512(0x080b) o \] and no other algorithms; \]. For the communication channel with the update repository: The TSF shall \[selection: • present the signature\_algorithms extension with support for the following algorithms: \[selection: o ecdsa\_secp256r1 with sha256(0x0403), o ecdsa\_secp384r1 with sha384(0x0503), o ecdsa\_secp521r1 with sha512(0x0603), o rsa\_pss\_rsae with sha256(0x0804), o rsa\_pss\_rsae with sha384(0x0805), 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 22/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. o rsa\_pss\_rsae with sha512(0x0806), o rsa\_pss\_pss with sha256(0x0809), o rsa\_pss\_pss with sha384(0x080a), o rsa\_pss\_pss with sha512(0x080b) o \] and no other algorithms; \]. FCS\_TLSC\_EXT.1.6 The TSF \[selection: provides, does not provide\] the ability to configure the list of supported ciphersuites as defined in FCS\_TLSC\_EXT.1.1. The TSF \[selection: provides\] the ability to configure the list of supported ciphersuites as defined in FCS\_TLSC\_EXT.1.1. NOTE: SFR only tested for the communication channel with the update repository. Other TOE TLS client channel is considered covered. FCS\_TLSC\_EXT.1.7 The TSF shall prohibit the use of the following extensions: • Early data extension • Post-handshake client authentication according to RFC 8446, Section 4.2.6. Same description as in PP. NOTE: SFR tested for the communication channel of the TOE with the audit server and the update repository. FCS\_TLSC\_EXT.1.9 The TSF shall \[selection: support TLS 1.2 secure renegotiation through use of the “renegotiation\_info” TLS extension in accordance with RFC 5746, reject \[selection: TLS 1.2, TLS 1.3\] renegotiation attempts\]. For the communication channel with the remote audit server: The TSF shall \[selection: reject \[selection: TLS 1.3\] renegotiation attempts For the communication channel with the update repository: The TSF shall \[selection: reject \[selection: TLS 1.3\] renegotiation attempts\]. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 23/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. FIA\_X509\_EXT.1.1/ Rev The TSF shall validate certificates in accordance with the following rules: • RFC 5280 certificate validation and certification path validation supporting a minimum path length of three certificates. • The certification path must terminate with a trusted CA certificate designated as a trust anchor. • The TSF shall validate a certification path by ensuring that all CA certificates in the certification path contain the basicConstraints extension with the CA flag set to TRUE. • The TSF shall validate the revocation status of the certificate using \[selection: the Online Certificate Status Protocol (OCSP) as specified in RFC 6960, a Certificate Revocation List (CRL) as specified in RFC 5280 Section 6.3, Certificate Revocation List (CRL) as specified in RFC 5759 Section 5, no revocation method\]. • The TSF shall validate the extendedKeyUsage field according to the following rules: o Certificates used for trusted updates and executable code integrity verification shall have the Code Signing purpose (id-kp 3 with OID 1.3.6.1.5.5.7.3.3) in the extendedKeyUsage field. o Server certificates presented for DTLS/TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field. The TSF shall validate certificates in accordance with the following rules: • RFC 5280 certificate validation and certification path validation supporting a minimum path length of three certificates. • The certification path must terminate with a trusted CA certificate designated as a trust anchor. • The TSF shall validate a certification path by ensuring that all CA certificates in the certification path contain the basicConstraints extension with the CA flag set to TRUE. • The TSF shall validate the revocation status of the certificate using \[selection: a Certificate Revocation List (CRL) as specified in RFC 5280 Section 6.3\]. • The TSF shall validate the extendedKeyUsage field according to the following rules: o Certificates used for trusted updates and executable code integrity verification shall have the Code Signing purpose (id-kp 3 with OID 1.3.6.1.5.5.7.3.3) in the extendedKeyUsage field. o Server certificates presented for 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 24/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. o Client certificates presented for DTLS/TLS shall have the Client Authentication purpose (id-kp 2 with OID 1.3.6.1.5.5.7.3.2) in the extendedKeyUsage field. o OCSP certificates presented for OCSP responses shall have the OCSP Signing purpose (id-kp 9 with OID 1.3.6.1.5.5.7.3.9) in the extendedKeyUsage field. DTLS/TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field. o Client certificates presented for DTLS/TLS shall have the Client Authentication purpose (id-kp 2 with OID 1.3.6.1.5.5.7.3.2) in the extendedKeyUsage field. o OCSP certificates presented for OCSP responses shall have the OCSP Signing purpose (id-kp 9 with OID 1.3.6.1.5.5.7.3.9) in the extendedKeyUsage field. NOTE: SFR tested for the communication channel of the TOE with the audit server and the update repository. FIA\_X509\_EXT.1.2/ Rev The TSF shall only treat a certificate as a CA certificate if the basicConstraints extension is present and the CA flag is set to TRUE. Same description as in PP. NOTE: SFR tested for the communication channel of the TOE with the audit server and the update repository. FIA\_X509\_EXT.2.1 The TSF shall use X.509v3 certificates as defined by RFC 5280 to support authentication for \[selection: DTLS, HTTPS, IPsec, SSH, TLS, no protocols\] and The TSF shall use X.509v3 certificates as defined by RFC 5280 to support authentication for \[selection: HTTPS, TLS\] and 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 25/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. \[selection: code signing for system software updates \[assignment: other uses\], no additional uses\]. \[selection: no additional uses\]. NOTE: SFR tested for the communication channel of the TOE with the audit server and the update repository. FIA\_X509\_EXT.2.2 When the TSF cannot establish a connection to determine the validity of a certificate, the TSF shall \[selection: allow the Administrator to choose whether to accept the certificate in these cases, accept the certificate, not accept the certificate\]. When the TSF cannot establish a connection to determine the validity of a certificate, the TSF shall \[selection: accept the certificate\]. NOTE: SFR tested for the communication channel of the TOE with the audit server and the update repository. FIA\_X509\_EXT.3.1 The TSF shall generate a Certificate Request as specified by RFC 2986 and be able to provide the following information in the request: public key and \[selection: device-specific information, Common Name, Organization, Organizational Unit, Country\]. The TSF shall generate a Certificate Request as specified by RFC 2986 and be able to provide the following information in the request: public key and \[selection: Common Name, Organization, Organizational Unit, Country\]. FIA\_X509\_EXT.3.2 The TSF shall validate the chain of certificates from the Root CA upon receiving the CA Certificate Response. Same description as in PP. FIA\_UAU.7.1 The TSF shall provide only obscured feedback to the administrative user while the authentication is in progress at the local console. Same description as in PP. FPT\_APW\_EXT.1.1 The TSF shall store administrative passwords in non-plaintext form. Same description as in PP. FPT\_APW\_EXT.1.2 The TSF shall prevent the reading of plaintext administrative passwords. Same description as in PP. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 26/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. FMT\_MOF.1.1/Fun ctions The TSF shall restrict the ability to \[selection: determine the behaviour of, modify the behaviour of\] the functions \[selection: transmission of audit data to an external IT entity, handling of audit data, audit functionality when Local Audit Storage Space is full\] to Security Administrators. The TSF shall restrict the ability to \[selection: determine the behaviour of\] the functions \[selection: transmission of audit data to an external IT entity\] to Security Administrators and authorized users with the "System: Logging: Logging" privilege. FMT\_MTD.1.1/Cry ptoKeys The TSF shall restrict the ability to manage the cryptographic keys to Security Administrators. The TSF shall restrict the ability to manage the cryptographic keys to Security Administrators and authorized users with the "System: CA Manager" and "System: Certificate Manager" privileges. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 27/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 2.2.2 PP-MODULE FOR STATEFUL TRAFFIC FILTER FIREWALLS The following table includes the coverage analysis for the \[PPMOD-FW-14e\] Protection Profile: Requirement in \[PPMOD-FW-14e\] Covered? FAU\_GEN.1 Covered by AUD.1 and AUD.2. FDP\_RIP.2.1 Functional testing not required as defined in the supporting document for \[PPMOD-FW-14e\], \[PPMOD-FW-14e-SD\]. FFW\_RUL\_EXT.1.1 Covered by FWL.1. FFW\_RUL\_EXT.1.2 Covered by FWL.1 and FWL.2. FFW\_RUL\_EXT.1.3 Covered by FWL.2. FFW\_RUL\_EXT.1.4 Covered by FWL.1 and FWL.2. FFW\_RUL\_EXT.1.5 Covered by FWL.1 and FWL.4. FFW\_RUL\_EXT.1.6 Partially covered by penetration tests executed in the LINCE evaluation. Paragraphs a), b), e), h) are considered covered in the LINCE evaluation. The paragraphs c), d), f) and g) are tested in the present STIC evaluation. FFW\_RUL\_EXT.1.7 Not covered, SFR to test in the present STIC evaluation. FFW\_RUL\_EXT.1.8 Covered by FWL.2. FFW\_RUL\_EXT.1.9 Covered by FWL.3. FFW\_RUL\_EXT.1.10 Not covered, SFR to test in the present STIC evaluation. FMT\_SMF.1.1/FFW Covered by ADM.2, FWL.1 and FWL.2. Therefore, given the previous analysis, the Security Functional Requirements to test from this PP module \[PPMOD-FW-14e\] are the following: Requirement SFR PP Description Final description FFW\_RUL\_EXT.1.6 The TSF shall enforce the following default stateful traffic filtering rules on all network traffic: a) The TSF shall drop and be capable of \[selection: counting, logging\] packets which are invalid fragments; b) The TSF shall drop and be capable of \[selection: counting, logging\] fragmented packets The TSF shall enforce the following default stateful traffic filtering rules on all network traffic: c) The TSF shall drop and be capable of \[selection: logging\] packets where the source address of the network packet is defined as being on a broadcast network; d) The TSF shall drop and be capable of \[selection: logging\] packets where the source address of the network packet is defined as being on a multicast network; f) The TSF shall drop and be capable of \[selection: logging\] network packets where the source or 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 28/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. which cannot be re- assembled completely; c) The TSF shall drop and be capable of logging packets where the source address of the network packet is defined as being on a broadcast network; d) The TSF shall drop and be capable of logging packets where the source address of the network packet is defined as being on a multicast network; e) The TSF shall drop and be capable of logging network packets where the source address of the network packet is defined as being a loopback address; f) The TSF shall drop and be capable of logging network packets where the source or destination address of the network packet is defined as being unspecified (i.e. 0.0.0.0) or an address “reserved for future use” (i.e. 240.0.0.0/4) as specified in RFC 5735 for IPv4; g) The TSF shall drop and be capable of logging network packets where the source or destination destination address of the network packet is defined as being unspecified (i.e. 0.0.0.0) or an address “reserved for future use” (i.e. 240.0.0.0/4) as specified in RFC 5735 for IPv4; g) The TSF shall drop and be capable of \[selection: logging\] network packets where the source or destination address of the network packet is defined as an “unspecified address” or an address “reserved for future definition and use” (i.e. unicast addresses not in this address range: 2000::/3) as specified in RFC 3513 for IPv6; i) \[selection: no other rules\]. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 29/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. address of the network packet is defined as an “unspecified address” or an address “reserved for future definition and use” (i.e. unicast addresses not in this address range: 2000::/3) as specified in RFC 3513 for IPv6; h) The TSF shall drop and be capable of logging network packets with the IP options: Loose Source Routing, Strict Source Routing, or Record Route specified; and i) \[selection: \[assignment: other default rules enforced by the TOE\], no other rules\]. FFW\_RUL\_EXT.1.7 The TSF shall be capable of dropping and logging according to the following rules: a) The TSF shall drop and be capable of logging network packets where the source address of the network packet is equal to the address of the network interface where the network packet was received; b) The TSF shall drop and be capable of logging network packets where the source or destination address of the Same description as in PP. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 30/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. network packet is a link-local address; c) The TSF shall drop and be capable of logging network packets where the source address of the network packet does not belong to the networks associated with the network interface where the network packet was received. FFW\_RUL\_EXT.1.10 The TSF shall be capable of limiting an administratively defined number of half-open TCP connections. In the event that the configured limit is reached, new connection attempts shall be dropped and the drop event shall be \[selection: counted, logged\]. The TSF shall be capable of limiting an administratively defined number of half-open TCP connections. In the event that the configured limit is reached, new connection attempts shall be dropped and the drop event shall be \[selection: logged\]. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 31/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 3 OPERATIONAL ENVIRONMENT 3.1 DESCRIPTION OF THE OPERATIONAL ENVIRONMENT The following diagram shows the operational environment where the TOE is typically deployed: The main entities that compose the operational environment are described below: • Administrator: The Administrator user has the permissions to configure and manage the TOE. In order to access the GUI and CLI interfaces, the administrator's PC requires a web browser and a command prompt respectively. • Internal Network: This network contains several connected devices, such as computers, servers and other devices. The TOE protects this network by filtering the incoming and outgoing traffic. • External network: The set of networks and devices that communicate with the internal network in both directions (ingoing and outgoing). The incoming and outgoing traffic to the internal networks is filtered by the TOE. • External syslog server: This server receives and stores the log files generated by the TOE. • External update server: This server is listening for petitions from the TOE for updating purposes (requests to know if new updates are available, updates delivery...). Hardware requirements To install the TOE the virtual machine should have the following hardware prerequisites: • Minimum required RAM is 1GB 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 32/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. • Minimum recommended virtual disk size of 8 GB. 3.2 OPERATIONAL ENVIRONMENT ASSUMPTIONS This section contains the assumptions presented by the manufacturer in the latest version of his Security Target. They are described below: Assumption Description A.PHYSICAL PROTECTION The product shall be physically protected by its environment and not subject to physical attacks that could compromise its security or interfere with its proper operation. A.LIMITED FUNCTIONALITY The product shall only provide network access control functionality as its primary function and shall not provide any other functionality or service. A.TRUSTED ADMINISTRATOR Administrators shall be members of the organization who are fully trusted and have the best security interests for the organization. They shall be properly trained and shall be free of any malicious intent or conflict of interest in managing the product. A.PERIODIC UPDATES The software of the product is updated when new updates that fix known vulnerabilities appear. A.PROTECTION OF THE CREDENTIALS All credentials, especially the administrator's, must be properly protected by the organization using the product be properly protected by the organization. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 33/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 4 EXECUTIVE SUMMARY OF THE EVALUATION This is a STIC evaluation for the TOE OPNsense Business Edition, which has been evaluated previously with a LINCE evaluation as defined in the Security Target \[LINCE- ST-08\] provided by the manufacturer. The goal of the present evaluation is to conduct testing according to the HIGH category taxonomy \[CCN-STIC-140-D3\] which references the collaborative Protection Profile for Network Devices \[cPP-ND-30e\] and PP-Module for Stateful Traffic Filter Firewalls \[PPMOD-FW-14e\]. Since the TOE has undergone a LINCE evaluation, before starting the testing effort, the laboratory has analysed the requirements included in the LINCE evaluation to determine if there are any requirements from the aforementioned Protection Profiles that are already covered and therefore do not need to be tested. This analysis is depicted in section 2.2 Inventory of security functions. Because of the analysis, the laboratory concludes that, given \[LINCE-ST-08\], although some SFRs are covered, testing will still be done for most requirements. The version previously certified through the LINCE evaluation is 23.10.2. In the case of this evaluation, the version to be evaluated in the first instance is 24.4.1\_3. Given this, the laboratory has requested from the manufacturer the Impact Analysis Report \[IAR- 10\] in which the changes introduced in the product from the LINCE certified version up to the current one are analysed. The requirements from \[LINCE-ST-08\] affected by any of these changes will be tested again, this analysis complements the definition of requirements mentioned in the previous paragraph. This evaluation dismisses the analysis of the Security Target, as this STIC evaluation does not involves its own Security Target, and the sections related to such tasks are not included in the present report. The TOE was configured and prepared to conduct the functional testing effort according to the guides provided, which were analyzed too, this did not reveal any non- conformities related to the installation of the TOE and guidance documents. The execution of the functional tests for \[TOE-2441\_3\] revealed the following non- conformities: • When the date/time is manually changed by a user through the CLI making use of the "date" command, \[TOE-2441\_3\] registers the event in the Audit log with the following entry: "date set by root". The entry contains a timestamp, type of event and user associated with the user but not the old and new values for the time (OR01.NC01). • \[TOE-2441\_3\] stores administrative passwords in non-plaintext form and prevents its reading. The hash algorithm is identified as bcrypt which uses blowfish. This algorithm is not complied according to \[CCN-STIC-807\] (OR01.NC02). • \[TOE-2441\_3\] supports the finite field group ffdhe2048 in the TOE GUI interface, which is considered LEGACY by \[CCN-STIC-807\]; given this, it is deemed not 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 34/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. suitable for ENS HIGH category (OR01.NC03). This finite field group is also offered when establishing a connection with the remote audit server (OR01.NC06). • \[TOE-2441\_3\] does not seem to define a RekeyLimit for the SSH connections. After establishing the SSH connection and waiting for one hour, the rekey of the connection is not carried out by \[TOE-2441\_3\]. Furthermore, the rekey of the connection is also not carried out by \[TOE-2441\_3\] after having received or sent more than 1GB of data (OR01.NC04). • \[TOE-2441\_3\] fails to properly verify the reference identifier included in the certificate presented by the remote audit server when wildcards are included (OR01.NC05). • \[TOE-2441\_3\] offers signature algorithms when establishing a connection with the remote audit server that do not comply \[CCN-STIC-807\] ENS HIGH category (OR01.NC07). • \[TOE-2441\_3\], as a client, seems to support TLS renegotiation when establishing a connection with the remote audit server since it offers the suite TLS\_EMPTY\_RENEGOTIATION\_INFO\_SCSV (0x00ff). Despite this, it has been identified that the TOE ignores Hello Request messages sent by the server and renegotiation does not occur, the TOE continues to send data instead of sending a Client Hello message as a follow up to the Hello Request message and the connection is not renegotiated (OR01.NC08). • \[TOE-2441\_3\] does not properly handle certificate revocation lists (CRLs) when establishing a connection with the remote audit server (OR01.NC09, OR01.NC10, OR01.NC11). • \[TOE-2441\_3\] offers signature algorithms when establishing a connection with the update repository that do not comply \[CCN-STIC-807\] ENS HIGH category (OR01.NC12). • \[TOE-2441\_3\] does not properly handle certificate revocation lists (CRLs) when establishing a connection with the update repository (OR01.NC13, OR01.NC14, OR01.NC15). • \[TOE-2441\_3\] does not seem to validate the trustworthiness of the CSR response when it is uploaded and associated with its Certificate Signing Request in the System > Trust > Certificate menu. The CSR response is pasted and uploaded but no feedback is provided regarding its validity; therefore, it is not clear that \[TOE- 2441\_3\] is validating the trustworthiness of the CA that issued that response to the CSR (OR01.NC16). • \[TOE-2441\_3\] does not drop network packets: o whose source address is defined as a broadcast address (e.g.: 192.168.2.255 in a 192.168.2.0/24 network). The network packet is identified by \[TOE-2441\_3\] and transmitted to the destination (OR01.NC17). o where the source address of the network packet is defined as a multicast address (from 224.0.0.0 to 239.255.255.255). The network packet is identified by \[TOE-2441\_3\] and transmitted to the destination (OR01.NC18). 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 35/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. o whose source or destination address are defined as being unspecified (i.e. 0.0.0.0) or an address “reserved for future use” (i.e. 240.0.0.0/4) as specified in RFC 5735 for IPv4 (OR01.NC19). o whose source or destination address are defined as being “unspecified address” (0:0:0:0:0:0:0:0) or an address “reserved for future definition and use” (i.e. unicast addresses not in this address range: 2000::/3) as specified in RFC 3513 for IPv6 (OR01.NC20). o whose source address of the network packet is equal to the address of the network interface where the network packet was received (OR01.NC21). o whose source or destination address of the network packet is a IPv4 link- local address (169.254.0.0/16) (OR01.NC22). o whose source address of the network packet does not belong to the networks associated with the network interface where the network packet was received (OR01.NC23). • \[TOE-2441\_3\] provides the capability to limit the maximum number of states to an administratively defined number (Max states parameter available in the firewall rules), limiting the number of half-open connections that can be forwarded through the firewall. When such threshold is met, the remaining packets which are dropped and never reach their destination are not logged or counted. It is expected that \[TOE-2441\_3\] logs or counts the packets that are dropped after the maximum number of states is reached (OR01.NC24). After executing the functional tests, the vulnerability analysis was conducted. This phase mainly involves the review of public vulnerabilities related to the TOE and its third-party components or libraries. Some CVEs were identified as applicable but after further analysis and some testing these were deemed not exploitable, mainly because the affected code of the third-party libraries was not being used by the TOE. This analysis does not reveal public vulnerabilities (CVE) that could affect the TOE at the date this report is developed. It is worth noting that vulnerabilities and penetration tests related to the evaluated functionality have not been considered, given that most functionality remains the same as in the previous LINCE evaluation, which was recently executed. A dedicated effort to re-analyse the functionality of the TOE and re-testing has not been undertaken in the current evaluation but it is considered for future evaluation rounds agreed for the present year as part of the continuous qualification process. At this point, the non-conformities identified by the laboratory were registered and delivered to the manufacturer through \[OR01-10\]. After some time, the manufacturer provided the laboratory with \[TOE-24101\], which attempted to address most of the points identified throughout the evaluation. The tests related to functionality that was added or modified in \[TOE-24101\], the ones related to non-conformities, were repeated by the laboratory in order to verify the fixes developed by the manufacturer. In summary, this version of the TOE solved all non- 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 36/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. conformities identified in relation to the requirements of the \[cPP-ND-30e\]. Moreover, in order to address the non-conformities related to \[PPMOD-FW-14e\], the manufacturer introduced some changes in \[TOE-24101\] and provided instructions to configure filtering rules in order to perform the required traffic filtering; these were documented as part of the configuration of the TOE. After repeating the tests and reviewing the results carefully, the laboratory deems that there are a couple of small gaps related to the requirement FFW\_RUL\_EXT.1.6 from \[PPMOD-FW-14e\] that are not strictly met. • The laboratory identifies that \[TOE-24101\] successfully drops the network packets whose destination address is unspecified (0.0.0.0 / 0:0:0:0:0:0:0:0) but does not log the drop event; therefore, the non-conformities OR01.NC19 and OR01.NC20 are considered open. This is caused given that \[TOE-24101\] marks this type of packets as invalid and discards them before they are even evaluated by the filtering rules. In any case, since the product is properly dropping these packets, the non-conformity is not considered critical since the usage of these packets would not work in any scenarios since these are being discarded. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 37/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 5 VERDICT OF THE EVALUATION After analyzing the results of the evaluation, the laboratory determines that the verdict is FAIL. The non-conformities OR01.NC19 and OR01.NC20 identified through the functional tests are considered open since the requirement FFW\_RUL\_EXT.1.6 is not completely met. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 38/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 6 TOE INSTALLATION AND REVIEW OF THE INSTALLATION, CONFIGURATION AND OPERATION GUIDES Documents used during installation \[OPNSENSE-DOCS-D971B9D\] Evaluator DAT Days required 1 day. Date 2025/01/28 Results of the evaluator's work PASS 6.1 EVALUATION ACTIVITIES This section contains the evaluation activities defined in section 4.2 of \[CCN-STIC-2002\] as well as a brief description of the result of these tasks on the TOE and its documentation. TE.2.1. Verify that the applicant has provided the required test platform to perform the tests on the product. PASS The manufacturer has provided the evaluator with the platform required for testing, as well as the necessary documentation to make use of it within the conditions of the evaluation. TE.2.2. Check that the installation and operation guides describe the roles and privileges for the different user roles defined in the TOE that allow the TOE to be installed and operated in a secure manner. PASS The guides provided by the manufacturer clearly describe the roles and privileges of the various TOE users that allow the TOE to be installed and operated safely. TE.2.3. Check that, according to the product installation or configuration guides, it is possible to install the product according to the configuration(s) described in the Security Target. o In the case of products that can be installed on several operating system versions, the operating system used and its version must be indicated as precisely as possible (patch, service pack, etc.). o If the product allows several mounting/configuration (set-up) modes, the guides must clearly indicate which mode is evaluated. The identification of this mode shall be indicated in the Security Target. o If the product supports different settings in its configuration, the guides must clearly differentiate between those that are part of the scope of the evaluation and those that are not. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 39/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. o If the product requires installation, the product shall be installed in the configuration specified in the installation guide. Additionally, the applicant shall provide documentation related to the different configuration modes existing in the product. PASS The evaluator has been able to install the product exclusively following the contents of the manufacturer's documentation, provided through \[LINCE-ST-08\] and \[OPNSENSE-DOCS-D971B9D\]. TE.2.4. Check that the version of the TOE installed corresponds to the one declared in the Security Target and that the guides describe the TOE identification procedure to the TOE consumers. PASS The evaluator has followed the guidelines provided by the manufacturer and has been able to correctly verify that the version of the TOE installed corresponds to the version subject to the current evaluation as can be seen in 6.4 Verification of the installed TOE version. TE.2.5. The evaluator shall register the relevant information to successfully install the TOE. PASS The information necessary to carry out the complete installation of the product, under the same conditions as those used for this evaluation, can be found in the sections 6.2 Detailed configuration of the operational environment and 6.3 Description of the installation and configuration of the TOE. TE.2.6. The evaluator shall register all system’s configuration specific data when appropriate. PASS The specific data used during the TOE preparation and configuration process is reflected in the 6.5 Used installation options. TE.2.7. The evaluator shall register every non-conformity in regards to the installation and configuration of the TOE or the test environment. PASS No non-conformities were found regarding the installation process of the TOE and its documentation. The results are summarized in the section 6.6 Results. 6.2 DETAILED CONFIGURATION OF THE OPERATIONAL ENVIRONMENT The test scenarios are described in section 12 Annex A: Test scenarios. 6.3 DESCRIPTION OF THE INSTALLATION AND CONFIGURATION OF THE TOE To perform the installation, the steps needed are the following: 1. Open VMware and click on Create a new virtual machine. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 40/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 2. Select \[TOE-ISO-2410\] and click on “Next”. 3. Give a name to the virtual machine and click on “Next”. 4. Set 30GB as disk size. 5. Click on Customize Hardware → Memory and set 1GB of RAM memory. Add a network adapter and configure the virtual networks as shown (“Network Adapter” set to VMnet2 and “Network Adapter 2” set to VMnet8). 6. Press “Close”. 7. Click on “Finish”. 8. Wait for the TOE to boot up. 9. In order to install the TOE, log in with the user “installer” and authenticate with the password “opnsense”. 10. Select the keyboard layout. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 41/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 11. Indicate “Continue with...”. 12. Select “Install (ZFS)” and press Enter. 13. Select “stripe” and press Enter. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 42/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 14. Select the virtual disk and press OK. 15. Select Yes and press Enter. 16. Select “Change root password” and press OK. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 43/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 17. Define a new password for the root user. 18. Select “Complete Install” and press OK. 19. Wait for the TOE to reboot and navigate to the web interface. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 44/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 20. Access the LAN IP address through HTTPS using a web browser and log in with the root user credentials. 21. Follow the wizard setup, press Next. 22. Give a hostname and a domain to the TOE and press Next. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 45/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 23. Set NTP servers and the time zone. In this case the NTP servers configured are the ones offered by default. Press Next. 24. Leave the default configuration for the WAN interface and press Next. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 46/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 25. Leave the default configuration for the LAN interface and press Next. 26. Set a new root password if it was not changed before. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 47/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 27. Click on reload to apply the changes. 28. The TOE is now configured and ready. 6.3.1 SETTING A SUBSCRIPTION KEY The following steps are followed in order to configure a subscription key: 1. Log in through the TOE web interface with the root user. 2. Go to System → Firmware → Settings. 3. Indicate the Subscription key in the Subscription text box and click Save. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 48/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 6.3.2 UPDATING TO VERSION 24.10.1 The steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Go to System → Firmware → Settings. 3. Toggle “Advanced mode”. 4. Indicate “/24.10/MINT/24.10.1/latest” in the Flavour parameter and click Save. 5. Go to the Status tab and click Check for updates. 6. Click Update. 7. Wait for the update to be installed. 6.3.3 ENABLING ACCESS LOGS After installing the TOE, given the indications in the Security Target, the following steps are required through the web interface: 1. Enable the access log parameter in the Settings menu. In the left panel go to System → Settings → Administration and select “Enable access log”. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 49/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 6.3.4 CHANGE SHELL TYPE AND INACTIVITY TIMEOUT For the inactivity session timeout to work, it is required to change the login shell assigned to the user as indicated in the Security Target. The Security Target also indicates to change the session/inactivity timeout to 5 minutes. The steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Go to System → Access → Users. 3. For each user, change the Login shell assigned from /usr/local/sbin/opnsense- shell to /bin/csh. 4. Go to System → Settings → Administration. 5. Set the "Session Timeout" and "Inactivity timeout" parameters to 5 minutes in order to set the inactivity timeout for the GUI and CLI interfaces. 6.3.5 CHANGE PERMISSIONS OF /CONF/CONFIG.XML In order to prevent that any user is able to view the critical /conf/config.xml local file, as indicated in the Security Target, the steps below are followed: 1. Log in through the TOE CLI interface with the root user. 2. Execute the following command in order to change the permissions associated with the config.xml file: chmod 640 /conf/config.xml NOTE: Although this is included in the LINCE Security Target, these are deemed no longer necessary for the TOE version evaluated in the present report. The current version prevents non-administrative users from accessing the TOE locally. 6.3.6 DEFINING A PASSWORD POLICY 1. Log in through the TOE web interface with the root user. 2. Go to System → Access → Servers. 3. Edit the "Local Database" server. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 50/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 4. Enable “Password policy constraints”. Then, add a duration for passwords, the minimum length and enable complexity requirements. 5. Save the changes. 6.3.7 ADD A READ-ONLY AUDIT ROLE In order to prevent any user (other than the root user) with read access to audit records from deleting the logs, the following steps must be followed as described in the Security Target: 1. Create a new directory that will store the new ACL by executing this command in CLI interface. mkdir -p /usr/local/opnsense/mvc/app/models/security/security/ACL 2. Create the file ACL.xml with the following content in order to create the new read-only audit role. read only logs ui/diagnostics/log/core/configd api/diagnostics/log/core/configd api/diagnostics/log/core/configd/export\* 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 51/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. ui/diagnostics/log/core/audit api/diagnostics/log/core/audit api/diagnostics/log/core/audit/export\* ui/diagnostics/log/core/boot api/diagnostics/log/core/boot api/diagnostics/log/core/boot/export\* ui/diagnostics/log/core/system api/diagnostics/log/core/system api/diagnostics/log/core/system/export\* ui/diagnostics/log/core/lighttpd api/diagnostics/log/core/lighttpd api/diagnostics/log/core/lighttpd/export\* ui/diagnostics/log/core/firewall api/diagnostics/log/core/firewall api/diagnostics/log/core/firewall/export\* ui/diagnostics/firewall/log api/diagnostics/firewall/log/\* ui/diagnostics/firewall/stats api/diagnostics/firewall/stats\* ui/diagnostics/log/core/filter api/diagnostics/log/core/filter api/diagnostics/log/core/filter/export\* 3. Clear the cache to prevent old ACL-s still being used with the following command: rm /tmp/opnsense\_acl\_cache.json 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 52/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. After this, the new role shall appear when assigning privileges to a user or group. 6.3.8 DISABLE ROOT USER FOR SSH The Security Target indicates that it is required to disable root access to the CLI through SSH. The steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Go to System → Settings → Administration → Secure Shell. 3. Uncheck the option "Permit root login". 6.3.9 CONFIGURE SYSTEM BACKUPS ROTATION The Security Target indicates that it is necessary to define a specific number of configuration backups to preserve. The steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Go to System → Configuration → Backups. 3. Configure the "Backup Count" parameter to 5. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 53/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 6.3.10 CONFIGURE TWO-FACTOR AUTHENTICATION The Security Target indicates that it is required to configure a 2FA as part of the user configuration process. The steps below are followed: 1. Go to System → Access → Servers 2. Click Add server in the top right corner. 3. Create a new server with the following parameters. 4. Install a Google Authenticator compatible app on your device. 5. Go to System → Access → Users. 6. Edit the root user. 7. Select "Generate a new secret (160 bit)" in the OTP parameter and click Save 8. Edit again the root user to view the seed and QR, register such token or QR code in the Google Authenticator compatible app. 9. Go to System → Access → Tester. 10. Verify that the 2FA authentication is properly configured concatenating the authenticator code and the user password "". 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 54/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 11. Go to System → Settings → Administration. 12. Change the Authentication server by selecting the "2FA" server that was just created in the dropdown menu. Note: The 2FA is configured for each user. In this case, it was configured for the root user. The steps shall be repeated for each desired user to use 2FA. 6.3.11 CONFIGURING CONFIGD ACCESS CONTROL In order to prevent local non-authorized interaction with the configd backend service, the steps below are followed as described in the Security Target: 1. Log in through the TOE CLI interface with the root user. 2. Execute the following command to create a new directory: mkdir /usr/local/opnsense/service/conf/configd.conf.d 3. Add the file lockdown.conf in the previous directory with the following content: \[action\_defaults\] allowed\_groups = wheel 4. After the file is created, run the following command: service configd restart 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 55/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. NOTE: Although this is included in the LINCE Security Target, these are deemed no longer necessary for the TOE version evaluated in the present report. The current version prevents non-administrative users from accessing the TOE locally. 6.3.12 WEB INTERFACE TLS CIPHER SUITES CONFIGURATION In order to meet the cryptographic requirements and conform \[CCN-STIC-807\] as declared in the Security Target, it is required to configure accepted cipher suites for TLS through the web interface. This configuration affects the web portal used to manage and administrate the TOE. The steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Navigate to System → Settings → Administration. 3. In the Web GUI section, use the dropdown menu for “SSL Ciphers” to select valid cipher suites. TLS\_AES\_128\_GCM\_SHA256 TLS\_AES\_256\_GCM\_SHA384 TLS\_CHACHA20\_POLY1305\_SHA256 TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256 4. Scroll down and click Save. 6.3.13 SSH CRYPTOGRAPHIC PARAMETERS CONFIGURATION In order to meet the cryptographic requirements and conform \[CCN-STIC-807\] as declared in the Security Target, it is required to configure accepted cryptographic parameters for SSH through the web interface. This configuration affects the SSH connections that users establish with the TOE. The steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Navigate to System → Settings → Administration. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 56/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 3. In the Secure Shell section, use the dropdown menu for “Key exchange algorithms”, “Ciphers”, “MACs” and “Public key signature algorithms” to select valid cryptographic parameters. a. Key exchange algorithms: i. diffie-hellman-group16-sha512 ii. diffie-hellman-group18-sha512 iii. ecdh-sha2-nistp256 iv. ecdh-sha2-nistp384 v. ecdh-sha2-nistp521 b. Ciphers: i. aes128-ctr ii. aes192-ctr iii. aes256-ctr c. MACs: i. hmac-sha2-256 ii. hmac-sha2-512 d. Public key signature algorithms: i. ecdsa-sha2-nistp256 e. Rekey Limit: i. 1GB, 1 hour 2. Scroll down and click Save. 6.3.14 SYSLOG CLIENT TLS CIPHER SUITES CONFIGURATION In order to meet the cryptographic requirements and conform \[CCN-STIC-807\] as declared in the Security Target, it is required to configure accepted cipher suites through the local command line interface. This configuration affects the TLS connections when the TOE communicates with a remote syslog server. The steps below are followed: 1. Log in through the TOE local command line and select the Shell option. 2. Edit the file /usr/local/opnsense/service/templates/OPNsense/Syslog/sysl og-ng-destinations.conf 3. In the network parameters, inside the TLS parameters, add the following lines: ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11) cipher-suite("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA- AES128-GCM- SHA256:TLS\_AES\_128\_GCM\_SHA256:TLS\_AES\_128\_GCM\_SHA256:TLS\_C HACHA20\_POLY1305\_SHA256:ECDHE-ECDSA-AES128-GCM- 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 57/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256- CCM:ECDHE-ECDSA-AES128-CCM") 4. Save the file. NOTE: Although this is included in the LINCE Security Target, these are deemed no longer necessary for the TOE version evaluated in the present report. The current version allows to configure these parameters through the System > Trust > Settings menu. 6.3.15 INSTALLING CERTIFICATES FROM TRUSTWORTHY CA In the Security Target, it is recommended to install a digital certificate signed by a trusted CA. However, a self-signed certificate generated by \[TOE-2441\_3\] itself is used in this evaluation, as it does not imply a degradation in the quality level at the functionality or testing of \[TOE-2441\_3\]. This matter is considered by the evaluator when conducting the testing. 6.3.16 DISABLING NTP SERVICE The steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Go to Services → Network Time → General. 3. Remove all the Time servers specified. 4. Click Save. 6.3.17 MODIFYING TRUST SETTINGS 1. Log in through the TOE web interface with the root user. 2. Go to System > Trust > Settings. 3. Enable the “Store CRL’s” and “Auto fetch CRL’s” checkboxes. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 58/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 4. Under Configuration constraints, select the Enable checkbox, which is disabled by default, uncheck the Enable Legacy option and indicate the following configuration: a. CipherString: TLS\_ECDHE\_ECDSA\_WITH\_CHACHA20\_POLY1305\_SHA256, TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256, TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384, TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256 b. Ciphersuites: TLS\_AES\_128\_GCM\_SHA256, TLS\_AES\_256\_CGM\_SHA384, TLS\_CHACHA20\_POLY1305\_SHA256 c. SignatureAlgorithms: ECDSA+SHA256, ECDSA+SHA384, ECDSA+SHA512, rsa\_pss\_pss\_sha256, rsa\_pss\_pss\_sha384, rsa\_pss\_pss\_sha512, rsa\_pss\_rsae\_sha256, rsa\_pss\_rsae\_sha384, rsa\_pss\_rsae\_sha514. d. DHGroups / Curves: prime256v1, secp384r1, secp521r1, x448, x25519 e. MinProtocol: TLSv1.3 5. Save the changes and reboot the TOE. 6.4 VERIFICATION OF THE INSTALLED TOE VERSION In order to check the verification of the installed TOE version, the steps below are followed: 1. Log in through the TOE web interface with the root user. 2. Go to System → Firmware. 3. Check the version number identifier. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 59/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 6.5 USED INSTALLATION OPTIONS The selection of different installation options in order to achieve the secure configuration was not considered or required. 6.6 RESULTS ID Non-conformity State N/A None. N/A ID Comments State N/A None. N/A 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 60/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 7 CONFORMITY ASSESSMENT 7.1 FUNCTIONAL TESTS Evaluator DAT Days required 20 days. Date 2025/01/28 Results of the evaluator's work FAIL 7.1.1 EVALUATION ACTIVITIES The information presented in this section covers the result of carrying out the evaluation activities specified in section 4.3 of \[CCN-STIC-2002\], with regard to functional testing of the TOE. TE.4.1. The evaluator shall check and test the product’s security functions and mechanisms to a level of detail that allows checking that the declared security functionality has been correctly implemented in the product. The evaluator must justify the sample using as a reference Annex A.2 of \[CEM\]. PASS Information concerning this task of the evaluator can be found in the section 7.1.2 List of functional tests. This information is presented in more detail in the section 12 Annex B: Functional test plan and report. TE.4.2. The evaluator shall register every non-conformity in regards to any test performed. FAIL Information concerning this task of the evaluator can be found in the section 7.1.3 Results. 7.1.2 LIST OF FUNCTIONAL TESTS Security function Test code Objective Resu lt FAU\_GEN.1.1 FAU\_GEN.1.2 FAU\_GEN.2.1 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0010\] Verify that the TSF generates audit information for the declared events: • Start-up and shut- down of the audit functions. PASS FAU\_GEN.1.1 FAU\_GEN.1.2 FAU\_GEN.2.1 FMT\_SMF.1.1 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0011\] Verify that the TSF generates audit information for the declared events: PASS 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 61/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. • Generating/import of, changing, or deleting of cryptographic keys. • Management of the TOE's trust store. FAU\_GEN.1.1 FAU\_GEN.1.2 FAU\_GEN.2.1 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0013\] Verify that the TSF generates audit information for the declared events: • Discontinuous changes to time. PASS FAU\_GEN.1.1 FAU\_GEN.1.2 FAU\_GEN.2.1 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0014\] Verify that the TSF generates audit information for the declared events: • Initiation/termination/ failure of the trusted channel with the remote audit server. PASS FAU\_STG\_EXT.1.4 FAU\_STG\_EXT.1.5 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0020\] Verify that the TSF overwrites previous audit records according to the maximum log file size and number of logs to be kept defined. PASS FMT\_SMF.1.1 FIA\_UIA\_EXT.1.1 FTA\_TAB.1.1 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0030\] Verify that the TSF provides the ability to configure the access banner and that the banner is shown when initiating an identification and authentication process. PASS FMT\_SMF.1.1 FMT\_MOF.1.1/Functi ons \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0032\] Verify that the TSF provides the ability to modify the behaviour of the transmission of audit data to an external IT entity and that this is restricted to administrator users. PASS FMT\_SMF.1.1 FMT\_MTD.1.1/Crypto Keys \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0033\] Verify that the TSF provides the ability to manage the cryptographic keys and that this is restricted to the administrator users. PASS FMT\_SMF.1 FPT\_STM\_EXT.1.1 FPT\_STM\_EXT.1.2 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0034\] Verify that the TSF provides the ability to set the time which is used for time-stamps. PASS 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 62/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. FIA\_UIA\_EXT.1.2 FIA\_UIA\_EXT.1.3 FIA\_UIA\_EXT.1.4 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0035\] Verify that the TSF identifies and authenticates administrative users using Web GUI password, SSH password and local CLI password. PASS FIA\_UAU.7.1 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0040\] Verify that the TSF provides only obscured feedback to the administrative user while the authentication is in progress at the local console. PASS FPT\_APW\_EXT.1.1 FPT\_APW\_EXT.1.2 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0050\] Verify that the TSF stores administrative passwords in non-plaintext form and that it prevents reading. PASS FCS\_TLSS\_EXT.1.3 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0100\] Verify that the TSF performs key exchange using the declared curves for EC Diffie- Hellman and Diffie-Hellman parameters. PASS FCS\_TLSS\_EXT.1.4 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0110\] Verify that the TSF supports session resumption based on session tokens for TLSv1.2 according to RFC 5077 and does not support the early data extension. PASS FCS\_TLSS\_EXT.1.4 FCS\_TLSS\_EXT.1.6 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0120\] Verify that the TSF supports session resumption for TLSv1.3 according to RFC 8446 and does not support the early data extension. PASS FCS\_TLSS\_EXT.1.8 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0150\] Verify that the TSF supports secure renegotiation by including the "renegotiation\_info" extension for TLSv1.2 and that rejects TLSv1.3 renegotiation attempts. PASS FCS\_SSH\_EXT.1.3 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0200\] Verify that the TSF ensures that packets greater than 262135 bytes in an SSH transport connection are dropped. PASS FCS\_SSH\_EXT.1.8 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0202\] ify that the TSF ensures that a rekey of the session keys occurs when one hour connection time is reached, no PASS 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 63/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. more than one gigabyte of transmitted data or no more than one gigabyte of received data. FCS\_TLSC\_EXT.1.2 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0300\] Verify that the TSF verifies that the identifier provided by the remote audit server when establishing a connection matches the reference identifier defined. PASS FCS\_TLSC\_EXT.1.3 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0310\] Verify that the TSF does not establish a trusted channel with the remote audit server if the server certificate is deemed invalid and that the TSF does not implement any administrator override mechanism. PASS FCS\_TLSC\_EXT.1.4 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0320\] Verify that the TSF presents the Supported Groups Extension with the declared curves/groups when establishing a connection with the remote audit server. PASS FCS\_TLSC\_EXT.1.5 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0330\] Verify that the TSF offers the declared signature algorithms when establishing a connection with the remote audit server. PASS FCS\_TLSC\_EXT.1.7 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0350\] Verify that the TSF does not use the early data extension and post-handshake client authentication according to RFC 8446 when establishing a connection with the remote audit server. PASS FCS\_TLSC\_EXT.1.9 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0370\] Verify that the TSF supports secure renegotiation as declared when establishing a connection with the remote audit server. PASS FIA\_X509\_EXT.1.1/Re v FIA\_X509\_EXT.2.1 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0380\] Verify that the TSF properly validates the certificate trust chain of the certificate presented by the remote audit server and that does not PASS 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 64/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. establish a connection when this chain is broken. FIA\_X509\_EXT.1.1/Re v FIA\_X509\_EXT.2.1 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0381\] Verify that the TSF does not establish a connection with the remote audit server when an expired certificate is presented. PASS FIA\_X509\_EXT.1.1/Re v FIA\_X509\_EXT.2.1 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0382\] Verify that the TSF properly handles and verifies the revocation status of the certificate presented when establishing a connection with the remote audit server. PASS FIA\_X509\_EXT.1.1/Re v FIA\_X509\_EXT.2.1 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0383\] Verify that the TSF does not establish a connection with the remote audit server when the CRL involved in the communication channel is signed by a CA that does not includes cRLsign key usage. PASS FIA\_X509\_EXT.1.1/Re v \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0384\] Verify that the TSF does not establish a connection with the remote audit server when any byte of the in the first eight bytes of the certificate is modified. PASS FIA\_X509\_EXT.1.1/Re v \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0385\] Verify that the TSF does not establish a connection with the remote audit server when any byte of the signatureValue field of the certificate is modified. PASS FIA\_X509\_EXT.1.1/Re v \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0386\] Verify that the TSF does not establish a connection with the remote audit server when any byte of the public key of the certificate is modified. PASS FIA\_X509\_EXT.1.2/Re v \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0387\] Verify that the TSF does not establishes a connection with the remote audit server when the certificate chain presented includes a CA that does not contain the basicConstraints extension or it is included with a FALSE value. PASS 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 65/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. FIA\_X509\_EXT.2.2 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0390\] Verify that the TSF behaves as declared when establishing a connection with the remote audit server and it cannot to determine the revocation status of the presented certificate due to being unable to establish a connection with the endpoint that distributes the CRL. PASS FCS\_TLSC\_EXT.1.2 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0400\] Verify that the TSF verifies that the identifier provided by the update repository when establishing a connection matches the reference identifier defined. PASS FCS\_TLSC\_EXT.1.3 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0410\] Verify that the TSF does not establish a trusted channel with the update repository if the server certificate is deemed invalid and that the TSF does not implement any administrator override mechanism. PASS FCS\_TLSC\_EXT.1.4 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0420\] Verify that the TSF presents the Supported Groups Extension with the declared curves/groups when establishing a connection with the update repository. PASS FCS\_TLSC\_EXT.1.5 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0430\] Verify that the TSF offers the declared signature algorithms when establishing a connection with the update repository. PASS FCS\_TLSC\_EXT.1.6 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0440\] Verify that the TSF does not allow the configuration of the ciphersuites used when establishing a connection with the update repository. PASS FCS\_TLSC\_EXT.1.7 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0450\] Verify that the TSF does not use the early data extension and post-handshake client authentication according to RFC 8446 when establishing a connection with the update repository. PASS 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 66/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. FCS\_TLSC\_EXT.1.9 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0470\] Verify that the TSF rejects secure renegotiation for TLSv1.3 as declared when establishing a connection with the update repository. PASS FIA\_X509\_EXT.1.1/Re v FIA\_X509\_EXT.2.1 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0480\] Verify that the TSF properly validates the certificate trust chain of the certificate presented by the update repository and that does not establish a connection when this chain is broken. PASS FIA\_X509\_EXT.1.1/Re v FIA\_X509\_EXT.1.2/Re v \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0481\] Verify that the TSF does not establish a connection with the update repository when an expired certificate is presented. PASS FIA\_X509\_EXT.1.1/Re v FIA\_X509\_EXT.2.1 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0482\] Verify that the TSF properly handles and verifies the revocation status of the certificate presented when establishing a connection with the update repository. PASS FIA\_X509\_EXT.1.1/Re v FIA\_X509\_EXT.2.1 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0483\] Verify that the TSF does not establish a connection with the update repository the CRL involved in the communication channel is signed by a CA that does not includes cRLsign key usage. PASS FIA\_X509\_EXT.1.1/Re v \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0484\] Verify that the TSF does not establish a connection with the update repository when any byte of the in the first eight bytes of the certificate is modified. PASS FIA\_X509\_EXT.1.1/Re v \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0485\] Verify that the TSF does not establish a connection with the update repository when any byte of the signatureValue field of the certificate is modified. PASS FIA\_X509\_EXT.1.1/Re v \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0486\] Verify that the TSF does not establish a connection with the update repository when any byte of the public key of the certificate is modified. PASS 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 67/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. FIA\_X509\_EXT.1.2/Re v \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0487\] Verify that the TSF does not establishes a connection with the update repository when the certificate chain presented includes a CA that does not contain the basicConstraints extension or it is included with a FALSE value. PASS FIA\_X509\_EXT.2.2 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0490\] Verify that the TSF behaves as declared when establishing a connection with the update repository and it cannot to determine the revocation status of the presented certificate due to being unable to establish a connection with the endpoint that distributes the CRL. PASS FIA\_X509\_EXT.3.1 FIA\_X509\_EXT.3.2 \[STIC\_OPNSENSE\_H IGH-2404-TST-ND- 0500\] Verify that the TSF generates Certificate Requests including the public key, common name, organization, organizational unit and country and that properly validates the response to the Certificate Request. PASS FFW\_RUL\_EXT.1.6 \[STIC\_OPNSENSE\_H IGH-2404-TST-FW- 0100\] Verify that the TSF drops and is capable of logging packets where the source address of the network packet is defined as a broadcast network address. PASS FFW\_RUL\_EXT.1.6 \[STIC\_OPNSENSE\_H IGH-2404-TST-FW- 0101\] Verify that the TSF drops and be capable of logging packets where the source address of the network packet is defined as a multicast address. PASS FFW\_RUL\_EXT.1.6 \[STIC\_OPNSENSE\_H IGH-2404-TST-FW- 0102\] Verify that the TSF drops and is capable of logging network packets where the source or destination address of the network packet is defined as being unspecified (i.e. 0.0.0.0) or an address “reserved for future use” (i.e. 240.0.0.0/4) as specified in RFC 5735 for IPv4. FAIL 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 68/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. FFW\_RUL\_EXT.1.6 \[STIC\_OPNSENSE\_H IGH-2404-TST-FW- 0103\] Verify that the TSF drops and is capable of logging network packets where the source or destination address of the network packet is defined as an “unspecified address” or an address “reserved for future definition and use” (i.e. unicast addresses not in this address range: 2000::/3) as specified in RFC 3513 for IPv6. FAIL FFW\_RUL\_EXT.1.7 \[STIC\_OPNSENSE\_H IGH-2404-TST-FW- 0200\] Verify that the TSF drops and is capable of logging network packets where the source address of the network packet is equal to the address of the network interface where the network packet was received. PASS FFW\_RUL\_EXT.1.7 \[STIC\_OPNSENSE\_H IGH-2404-TST-FW- 0201\] Verify that the TSF drops and is capable of logging network packets where the source or destination address of the network packet is a link-local address. PASS FFW\_RUL\_EXT.1.7 \[STIC\_OPNSENSE\_H IGH-2404-TST-FW- 0202\] Verify that the TSF drops and is capable of logging network packets where the source address of the network packet does not belong to the networks associated with the network interface where the network packet was received. PASS FFW\_RUL\_EXT.1.10 \[STIC\_OPNSENSE\_H IGH-2404-TST-FW- 0300\] Verify that the TSF can limit an administratively defined number of half-open TCP connections and that after the limit is reached, new connections attempts are dropped and logged or counted PASS 7.1.3 RESULTS ID Non-conformity State OR01.NC01 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0013\] FAU\_GEN.1.1 FAU\_GEN.1.2 CLOSED 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 69/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. FAU\_GEN.2.1 When the date/time is manually changed by a user through the CLI making use of the "date" command, \[TOE- 2441\_3\] registers the event in the Audit log with the following entry: "date set by root". The entry contains a timestamp, type of event and user associated with the user. It is determined that, given the SFR FAU\_GEN.1.2 requirement from \[cPP-ND-30e\], this type of event is missing the following piece of information in the log entry: old and new values for the time. The manufacturer provided \[TOE-24101\]; after repeating the associated test it is deemed that the issue is fixed since the audit register related to changes in date/time properly includes the timestamps before and after the change. OR01.NC02 \[STIC\_OPNSENSE\_HIGH-2024-TST-ND-0050\] FPT\_APW\_EXT.1.1 FPT\_APW\_EXT.1.2 \[TOE-2441\_3\] stores administrative passwords in non- plaintext form and prevents its reading. The hash algorithm is identified as bcrypt which uses blowfish. This algorithm is not complied according to \[CCN-STIC-807\]. The manufacturer provides instructions to configure the usage of SHA-512 instead of blowfish. This option is available in the password policy menu, and it is verified in the associated functional test. CLOSED OR01.NC03 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0100\] FCS\_TLSS\_EXT.1.3 \[TOE-2441\_3\] supports the following elliptic curves and finite field groups in the TOE GUI interface: prime256v1 (also known as secp256r1), secp384r1, secp521r1, x25519, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192. The finite field group ffdhe2048 is considered LEGACY by \[CCN-STIC-807\]; given this, it is deemed not suitable for ENS HIGH category. Only cryptographic mechanisms identified as recommended by \[CCN-STIC-807\] shall be used for ENS HIGH category. CLOSED 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 70/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. The manufacturer provided \[TOE-24101\], after repeating the test associated with the non-conformity, it is revealed that only the elliptic curves are offered, not a single finite field group is supported; therefore, the issue is considered addressed and closed. OR01.NC04 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0202\] FCS\_SSH\_EXT.1.8 \[TOE-2441\_3\] does not seem to define a RekeyLimit for the SSH connections. After establishing the SSH connection and waiting for one hour, the rekey of the connection is not carried out by \[TOE-2441\_3\]. Furthermore, the rekey of the connection is also not carried out by \[TOE-2441\_3\] after having received or sent more than 1GB of data. \[TOE-2441\_3\] must rekey the connection when any of the following thresholds happen: one hour connection time, no more than one gigabyte of transmitted data, or no more than one gigabyte of received data. The manufacturer provided \[TOE-24101\]; after repeating the associated test it is deemed that the issue is fixed, the SSH service is properly configured to perform rekey after 1 hour of the creation of the session, after 1GB of data has been sent and after 1GB of data has been received. CLOSED OR01.NC05 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0300\] FCS\_TLSC\_EXT.1.2 \[TOE-2441\_3\] fails to properly verify the reference identifier included in the certificate presented by the remote audit server when wildcards are included. When using IP reference identifiers, \[TOE-2441\_3\] establishes a connection when the Common Name of the certificate includes a wildcard. For example, \[TOE-2441\_3\] is configured to connect to the remote audit server "192.168.1.2" and the CN of the certificate is "\*.168.1.2". It is expected that \[TOE-2441\_3\] differentiates between identifiers with and without wildcards and the connection is not established. When using a DNS identifier: • \[TOE-2441\_3\] establishes a connection when it is configured to connect to "foo.bar.example.com" and the remote audit server includes a wildcard not in the left- most position of the label (foo.\*.example.com). CLOSED 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 71/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. It is expected that \[TOE-2441\_3\] differentiates between identifiers with and without wildcards and the connection is not established. The manufacturer provided \[TOE-24101\]; after repeating the associated test it is deemed that the issue is fixed; the edge cases identified in the non-conformity are correctly addressed and the certificates are rejected and determined as invalid before establishing a connection. OR01.NC06 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0320\] FCS\_TLSC\_EXT.1.4 \[TOE-2441\_3\] offers the following group in the supported\_groups TLS extension included in the Client Hello message when establishing a connection with the remote audit server: ffdhe2048. Such group is considered a LEGACY cryptographic mechanism according to \[CCN- STIC-807\]. Legacy cryptographic mechanisms are not suitable for HIGH category. The manufacturer provided \[TOE-24101\], after repeating the test associated with the non-conformity, it is revealed that only the elliptic curves are offered, not a single finite field group is supported; therefore, the issue is considered addressed and closed. CLOSED OR01.NC07 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0330\] FCS\_TLSC\_EXT.1.5 \[TOE-2441\_3\] offers signature algorithms when establishing a connection with the remote audit server that do not comply \[CCN-STIC-807\] ENS HIGH category. rsa\_pkcs1\_sha256, rsa\_pkcs1\_sha384, rsa\_pkcs1\_sha512: RSASSA-PKCS1 signature scheme is considered legacy according to \[CCN-STIC-807\]. SHA224 ECDSA, SHA224 RSA, SHA224 DSA: SHA224 hashing algorithm is considered legacy according to \[CCN- STIC-807\]. LEGACY cryptographic mechanisms are not suitable for ENS HIGH category. The manufacturer provided \[TOE-24101\], after repeating the test associated with the non-conformity, it is revealed that the TOE only offers digital signature algorithms that CLOSED 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 72/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. comply with ENS high category; therefore, addressing the non-conformitiy. OR01.NC08 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0370\] FCS\_TLSC\_EXT.1.9 \[TOE-2441\_3\], as a client, seems to support TLS renegotiation when establishing a connection with the remote audit server since it offers the suite TLS\_EMPTY\_RENEGOTIATION\_INFO\_SCSV (0x00ff). Despite this, it has been identified that the TOE ignores Hello Request messages sent by the server and renegotiation does not occur, the TOE continues to send data instead of sending a Client Hello message as a follow up to the Hello Request message and the connection is not renegotiated. If TLS renegotiation is indeed supported in such communication channel, it is expected that Hello Request messages from the remote server are not ignored, and renegotiation shall occur. If TLS renegotiation is not supported, \[TOE-2441\_3\] must terminate the connection after receiving the Hello Request message. The manufacturer provided \[TOE-24101\], with instructions to configure TLSv1.3 through the new System > Trust > Settings. These settings were applied (and documented as part of the installation/configuration of the TOE) and the associated test was repeated; the issue is deemed addressed and the non-conformity is closed. CLOSED OR01.NC09 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0382\] FIA\_X509\_EXT.1.1/Rev FIA\_X509\_EXT.2.1 \[TOE-2441\_3\] does not properly handle certificate revocation lists (CRLs) when establishing a connection with the remote audit server. A certificate chain with a CA, an intermediate CA and a leaf certificate was generated. After revoking the intermediate CA and uploading the pertinent CRL file to System > Trust > Revocation, the connection is still established; \[TOE-2441\_3\] does not seem to identify that the certificate chain presented by the remote audit server includes a revoked certificate. It is expected that \[TOE-2441\_3\] verifies the revocation of certificates when establishing a connection with the remote audit server. CLOSED 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 73/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. The manufacturer provided \[TOE-24101\]; this version included new functionality that implemented the CRL handling and verification. The tests related to CRLs were repeated by the evaluator to properly verify the functionality, revealing that the tests passed; therefore, closing the non-conformity. OR01.NC10 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0383\] FIA\_X509\_EXT.1.1/Rev FIA\_X509\_EXT.2.1 \[TOE-2441\_3\] does not properly handle certificate revocation lists (CRLs) when establishing a connection with the remote audit server. A certificate chain with a CA, an intermediate CA without the cRLsign key usage and a leaf certificate were generated. After revoking the leaf certificate using the intermediate CA and uploading the pertinent CRL file to System > Trust > Revocation, the connection is still established. It is expected that \[TOE-2441\_3\] does not accept the certificate since the CRL was signed by a certificate that does not include the cRLsign key usage. Moreover, \[TOE-2441\_3\] does not establish a remote connection to retrieve the certificate revocation list. The manufacturer provided \[TOE-24101\]; this version included new functionality that implemented the CRL handling and verification. The tests related to CRLs were repeated by the evaluator to properly verify the functionality, revealing that the tests passed; therefore, closing the non-conformity. CLOSED OR01.NC11 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0390\] FIA\_X509\_EXT.2.2 \[TOE-2441\_3\] does not retrieve CRLs remotely, connections related to the CRL are not established; \[TOE- 2441\_3\] does not follow and query the CRL URI included in the certificate presented by the remote audit server. It is expected that \[TOE-2441\_3\] reaches an external entity to retrieve the CRL as part of the certificate revocation. A local revocation store can be used to verify and manage the revocation of certificates, but it shall not work as a replacement for remote retrieval of CRLs but an additional mechanism, this is indicated in the related SFR from the PP. CLOSED 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 74/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. The manufacturer provided \[TOE-24101\]; this version included new functionality that implemented the CRL handling and verification. The tests related to CRLs were repeated by the evaluator to properly verify the functionality, revealing that the tests passed; therefore, closing the non-conformity. OR01.NC12 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0430\] FCS\_TLSC\_EXT.1.5 \[TOE-2441\_3\] offers signature algorithms when establishing a connection with the update repository that do not comply \[CCN-STIC-807\] ENS HIGH category. • rsa\_pkcs1\_sha256, rsa\_pkcs1\_sha384, rsa\_pkcs1\_sha512: RSASSA-PKCS1 signature scheme is considered legacy. The manufacturer provided \[TOE-24101\], after repeating the test associated with the non-conformity, it is revealed that the TOE only offers digital signature algorithms that comply with ENS high category; therefore, addressing the non-conformitiy. CLOSED OR01.NC13 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0482\] FIA\_X509\_EXT.1.1/Rev FIA\_X509\_EXT.2.1 \[TOE-2441\_3\] does not properly handle certificate revocation lists (CRLs) when establishing a connection with the update repository. A certificate chain with a CA, an intermediate CA and a leaf certificate were generated. After revoking the intermediate CA and uploading the pertinent CRL file to System > Trust > Revocation, the connection is still established; \[TOE-2441\_3\] does not seem to identify that the certificate chain presented by the server includes a revoked certificate. It is expected that \[TOE-2441\_3\] verifies the revocation of certificates when establishing a connection with the update repository. The manufacturer provided \[TOE-24101\]; this version included new functionality that implemented the CRL handling and verification. The tests related to CRLs were repeated by the evaluator to properly verify the CLOSED 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 75/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. functionality, revealing that the tests passed; therefore, closing the non-conformity. OR01.NC14 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0483\] FIA\_X509\_EXT.1.1/Rev FIA\_X509\_EXT.2.1 \[TOE-2441\_3\] does not properly handle certificate revocation lists (CRLs) when establishing a connection with the update repository. A certificate chain with a CA, an intermediate CA without the cRLsign key usage and a leaf certificate were generated. After revoking the leaf certificate using the intermediate CA and uploading the pertinent CRL file to System > Trust > Revocation, the connection is still established. It is expected that \[TOE-2441\_3\] does not accept the certificate since the CRL was signed by a certificate that does not include the cRLsign key usage. Moreover, \[TOE-2441\_3\] does not establish a remote connection to retrieve the certificate revocation list. The manufacturer provided \[TOE-24101\]; this version included new functionality that implemented the CRL handling and verification. The tests related to CRLs were repeated by the evaluator to properly verify the functionality, revealing that the tests passed; therefore, closing the non-conformity. CLOSED OR01.NC15 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0490\] FIA\_X509\_EXT.2.2 \[TOE-2441\_3\] does not retrieve CRLs remotely, connections related to the CRL are not established; \[TOE- 2441\_3\] does not follow and query the CRL URI included in the certificate presented by the update repository. It is expected that \[TOE-2441\_3\] reaches an external entity to retrieve the CRL as part of the certificate revocation. A local revocation store can be used to verify and manage the revocation of certificates, but it shall not work as a replacement for remote retrieval of CRLs but an additional mechanism. The manufacturer provided \[TOE-24101\]; this version included new functionality that implemented the CRL handling and verification. The tests related to CRLs were repeated by the evaluator to properly verify the CLOSED 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 76/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. functionality, revealing that the tests passed; therefore, closing the non-conformity. OR01.NC16 \[STIC\_OPNSENSE\_HIGH-2404-TST-ND-0500\] FIA\_X509\_EXT.3.1 FIA\_X509\_EXT.3.2 \[TOE-2441\_3\] does not seem to validate the trustworthiness of the CSR response when it is uploaded and associated with its Certificate Signing Request in the System > Trust > Certificate menu. The CSR response is pasted and uploaded but no feedback is provided regarding its validity; therefore, it is not clear that \[TOE- 2441\_3\] is validating the trustworthiness of the CA that issued that response to the CSR. It is expected that \[TOE-2441\_3\] validates the response to the CSR and determines if the certification path of the response to the CSR is valid upon the upload by the user. The manufacturer provided \[TOE-24101\]; after repeating the associated test, it is deemed that the TOE includes the proper checks when validating a CSR response, rejecting responses that are signed by an unknown CA. Given this, the issue is considered addressed, and the non- conformity is closed. CLOSED OR01.NC17 \[STIC\_OPNSENSE\_HIGH-2404-TST-FW-0100\] FFW\_RUL\_EXT.1.6 \[TOE-2441\_3\] does not drop network packets whose source address is defined as a broadcast address (e.g.: 192.168.2.255 in a 192.168.2.0/24 network). The network packet is identified by \[TOE-2441\_3\] and transmitted to the destination. It is expected that \[TOE-2441\_3\] drops and logs (or counts) such type of network packets. The manufacturer delivered \[TOE-24101\] alongside instructions to configure filtering rules in the firewall to properly filter out and log the pertinent packets. The associated test was repeated to verify the fix, closing the present non-conformity. CLOSED OR01.NC18 \[STIC\_OPNSENSE\_HIGH-2404-TST-FW-0101\] FFW\_RUL\_EXT.1.6 \[TOE-2441\_3\] does not drop network packets where the source address of the network packet is defined as a CLOSED 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 77/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. multicast address (from 224.0.0.0 to 239.255.255.255). The network packet is identified by \[TOE-2441\_3\] and transmitted to the destination. It is expected that \[TOE-2441\_3\] drops and logs (or counts) such type of network packets. The manufacturer delivered \[TOE-24101\] alongside instructions to configure filtering rules in the firewall to properly filter out and log the pertinent packets. The associated test was repeated to verify the fix, closing the present non-conformity. OR01.NC19 \[STIC\_OPNSENSE\_HIGH-2404-TST-FW-0102\] FFW\_RUL\_EXT.1.6 \[TOE-2441\_3\] does not drop network packets whose source or destination address are defined as being unspecified (i.e. 0.0.0.0) or an address “reserved for future use” (i.e. 240.0.0.0/4) as specified in RFC 5735 for IPv4. It is expected that, in addition to dropping these types of network packets, the dropping action is logged or counted by \[TOE-2441\_3\]. The manufacturer delivered \[TOE-24101\] alongside instructions to configure filtering rules in the firewall to properly filter out the pertinent packets. The test was repeated revealing that: • Packets with a source or destination “reserved for future use” address are properly dropped, and the event is logged. • Packets with unspecified (0.0.0.0) source address are properly dropped and the event is logged. • Packets with unspecified (0.0.0.0) destination address are dropped but the event is NOT logged. Therefore, although most of the points identified in the description of the non-conformity are addressed, given that the drop of packets with unspecified destination address is not logged, the non-conformity remains open. OPEN OR01.NC20 \[STIC\_OPNSENSE\_HIGH-2404-TST-FW-0103\] FFW\_RUL\_EXT.1.6 \[TOE-2441\_3\] does not drop network packets whose source or destination address are defined as being “unspecified address” (0:0:0:0:0:0:0:0) or an address “reserved for future definition and use” (i.e. unicast OPEN 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 78/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. addresses not in this address range: 2000::/3) as specified in RFC 3513 for IPv6. It is expected that, in addition to dropping these types of network packets, the dropping action is logged or counted by \[TOE-2441\_3\]. The manufacturer delivered \[TOE-24101\] alongside instructions to configure filtering rules in the firewall to properly filter out the pertinent packets. The test was repeated revealing that: • Packets with a source or destination “reserved for future use” address are properly dropped, and the event is logged. • Packets with unspecified (0:0:0:0:0:0:0:0) source address are properly dropped, and the event is logged. • Packets with unspecified (0:0:0:0:0:0:0:0) destination address are dropped but the event is NOT logged. Therefore, although most of the points identified in the description of the non-conformity are addressed, given that the drop of packets with unspecified destination address is not logged, the non-conformity remains open. OR01.NC21 \[STIC\_OPNSENSE\_HIGH-2404-TST-FW-0200\] FFW\_RUL\_EXT.1.7 \[TOE-2441\_3\] does not drop network packets whose source address of the network packet is equal to the address of the network interface where the network packet was received. It is expected that, in addition to dropping these types of network packets, the dropping action is logged or counted by \[TOE-2441\_3\]. The manufacturer delivered \[TOE-24101\] alongside instructions to configure filtering rules in the firewall to properly filter out and log the pertinent packets. The associated test was repeated to verify the fix, closing the present non-conformity. CLOSED OR01.NC22 \[STIC\_OPNSENSE\_HIGH-2404-TST-FW-0201\] FFW\_RUL\_EXT.1.7 \[TOE-2441\_3\] does not drop network packets whose source or destination address of the network packet is a IPv4 link-local address (169.254.0.0/16). CLOSED 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 79/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. It is expected that, in addition to dropping these types of network packets, the dropping action is logged or counted by \[TOE-2441\_3\]. When the source address is a link-local address, \[TOE- 2441\_3\] filtering logs show that the packet is forwarded but somehow it does not reach the destination. In any case, network packet does not seem to be drop according to \[TOE-2441\_3\]. The manufacturer delivered \[TOE-24101\] alongside instructions to configure filtering rules in the firewall to properly filter out and log the pertinent packets. The associated test was repeated to verify the fix, closing the present non-conformity. OR01.NC23 \[STIC\_OPNSENSE\_HIGH-2404-TST-FW-0202\] FFW\_RUL\_EXT.1.7 \[TOE-2441\_3\] does not drop network packets whose source address of the network packet does not belong to the networks associated with the network interface where the network packet was received. It is expected that, in addition to dropping these types of network packets, the dropping action is logged or counted by \[TOE-2441\_3\]. The manufacturer delivered \[TOE-24101\] alongside instructions to configure filtering rules in the firewall to properly filter out and log the pertinent packets. The associated test was repeated to verify the fix, closing the present non-conformity. CLOSED OR01.NC24 \[STIC\_OPNSENSE\_HIGH-2404-TST-FW-0300\] FFW\_RUL\_EXT.1.10 \[TOE-2441\_3\] provides the capability to limit the maximum number of states to an administratively defined number (Max states parameter available in the firewall rules), limiting the number of half-open connections that can be forwarded through the firewall. When such threshold is met, the remaining packets which are dropped and never reach their destination are not logged or counted. It is expected that \[TOE-2441\_3\] logs or counts the packets that are dropped after the maximum number of states is reached. CLOSED 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 80/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. The manufacturer delivered \[TOE-24101\]. The associated test was repeated to verify the fix, closing the present non-conformity since it was verified that the packets are logged after the defined threshold is reached. ID Comments State N/A None. N/A 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 81/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 8 VULNERABILITY ANALYSIS Evaluator DAT Days required 2 days. Date 2025/01/28 Results of the evaluator's work PASS 8.1 EVALUATION ACTIVITIES The information presented in this section covers the result of carrying out the Evaluation activities specified in section 4.4 of \[CCN-STIC-2002\], with regard to the analysis of vulnerabilities present in the TOE. TE.5.1. The evaluator shall perform a methodic vulnerability analysis by using any means within their technical competence, using at least the following sources of information: a) Documentation provided by the applicant (e.g., Security Target, user's guides, etc.). b) Available information on the technology. c) Public vulnerability databases for the type of product taking into account in such analysis the relation of third-party libraries defined in the Security Target by the applicant. d) The product itself, which is installed on a test platform as representative as possible with respect to environment of the product. PASS The TOE vulnerability analysis is described in the 8.3 TOE vulnerability analysis. The result of this analysis is detailed in the section 13 Annex C: Vulnerability Analysis. TE.5.2 The evaluator shall document the devised vulnerability analysis methodology. PASS The method followed to carry out the vulnerability analysis is described in the section 8.2 Methodology used for the analysis. TE.5.3. Document all potential vulnerabilities found within the applicable attack potential and document possible attack scenarios based on those vulnerabilities. PASS Information regarding the vulnerabilities found is summarized in section 8.4 List of potential vulnerabilities and described in more detail in section 13 Annex C: Vulnerability Analysis. The scenarios are detailed in section 11 Annex A: Test scenarios. TE.5.4. Calculate the attack potential for each of the attack scenarios designed by the evaluator according to the scoring system described in section 4.4.1.1.1 Calculation of Attack Potential of \[CCN-STIC-2002\]. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 82/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. PASS Information concerning this task of the evaluator can be found in the section 8.4 List of potential vulnerabilities. This information is described in more detail in the section 13 Annex C: Vulnerability Analysis. TE.5.5. The evaluator shall register every non-conformity in relation to the Vulnerability Analysis. PASS Information regarding this task of the evaluator can be found in section 8.5 Results. 8.2 METHODOLOGY USED FOR THE ANALYSIS The methodology used follows the spirit of the Common Criteria \[CC\] methodology for vulnerability analysis \[CEM\]. Firstly, a survey of the TOE information available has been carried out to identify potential vulnerabilities that can be exploited by an attacker with low attack potential. An extensive analysis of the state of the art regarding the different vectors of attack on TOE-like tools has been carried out from different points of view. Based on the results of these tools and the analysis of the most common weaknesses of this type of tools, the vulnerabilities of the TOE have been identified. As part of this initial analysis, a search for public vulnerabilities in third-party components and in older versions of the TOE, if any, is performed. For each public vulnerability, its applicability is determined and a brief rationale is provided. If a public vulnerability is considered applicable, a calculation of the attack potential required to exploit the vulnerability will be performed. Next, an assessment and analysis of the vulnerabilities found has been made by performing tests that provide more information on the vulnerabilities and give rise to more sophisticated attacks. In a third step, penetration tests have been carried out based on the vulnerabilities found to check the degree of exploitability of the vulnerabilities. Finally, comprehensive and more complex penetration tests on the exploitable vulnerabilities present in the TOE have been developed as proofs of concept to illustrate the possibilities of an attacker exploiting these vulnerabilities. To calculate the distribution of the time dedicated to each vulnerability, it has been done taking into account the degree of difficulty to be exploited, as well as the severity for the integrity of the TOE that a successful attack would entail. 8.3 TOE VULNERABILITY ANALYSIS The vulnerability analysis process involves checking all security features declared in the TOE, identifying potential TOE vulnerabilities. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 83/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. The analysis process continues with the clear definition of the context of vulnerability to serve as a basis for understanding its severity and subsequent consideration. On the basis of this information, the different routes of attack on the vulnerable element are established, which, if appropriate, will be tested for penetration later. The tools used in the identification of the vulnerabilities present in the TOE are developed from information present in the TOE are developed from public information always under the requirements of time and effort marked by the methodology and developing small scripts from public information and based on the functional tests performed in the previous stage. All the security functions are analyzed, paying special attention to threats that could damage the communication between the TOE and other entities, the information stored in it and its ability to maintain the quality of its functionality in the face of attempts to circumvent the restrictions it places on the traffic. 8.4 LIST OF POTENTIAL VULNERABILITIES Code Attack potential \[STIC\_OPNSENSE\_HIGH-2404-VUL-0000\] 6 \[STIC\_OPNSENSE\_HIGH-2404-VUL-0001\] 6 \[STIC\_OPNSENSE\_HIGH-2404-VUL-0002\] 6 \[STIC\_OPNSENSE\_HIGH-2404-VUL-0003\] 30 8.5 RESULTS ID Non-conformity State N/A None. N/A ID Comments State N/A None. N/A 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 84/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 9 TOE PENETRATION TESTS This section presents a summary of the tests carried out and the results obtained. Evaluator DAT Days required 2 days. Date 2025/01/28 Results of the evaluator's work PASS 9.1 EVALUATION ACTIVITIES The information presented in this section covers the result of carrying out the evaluation activities specified in section 4.5 of \[CCN-STIC-2002\], with regard to the TOE penetration tests. TE.6.1. Provide a list of all penetration tests performed in the TOE, including at least the steps necessary to reproduce the test, the expected result, the result obtained, and whether the attack is successful or not. In addition, indicate to which of the vulnerabilities identified in the previous phase this penetration test is associated. PASS The list of penetration tests performed can be found summarized in the section 9.2 List of penetration tests and described in more detail and with the information indicating the evaluator's task in the section 15 Annex D: Penetration test plan and report. TE.6.2. The evaluator shall document all non-conformities related to any successful attack. PASS The results of the penetration tests are collected on the basis of the non- conformities and comments in the section 9.3 Results. 9.2 LIST OF PENETRATION TESTS Penetration tests are performed from the perspective of a potential attacker and, based on the vulnerabilities found in the TOE, aim to cover the most relevant and promising attack vectors. Time constraints mean that the methodology used in penetration testing is focused on determining whether the objective established in each test is feasible, thus determining the severity of the identified vulnerabilities. Some tests were not identified during the preliminary vulnerability analysis and are the result of the creativity of the evaluator, who looks for new possible attacks in an exploratory way based on the knowledge gained during the tests. For these tests it will be necessary to create an applicable vulnerability and calculate the attack potential. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 85/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. The PASS/FAIL criteria for establishing the result of the penetration tests will be that if a FAIL penetration test is performed because the TOE does not behave safely according to the security functionality and assets declared by the manufacturer in his Security Target. For those penetration tests whose objective is not directly the violation of the security properties of the TOE but rather the collection of information for further testing or that by their characteristics do not violate any asset or contradict the security functionality declared by the manufacturer in an evident way, the verdict will be assigned to PASS. In those cases where the TOE presents vulnerabilities that are not exploitable in the operational environment of the TOE, either because of the action of the environmental hypotheses or because the time or capabilities required to exploit them exceed the time and effort restrictions of this certification, a PASS result will be established and the verdict of the PASS will be justified, creating a comment that will allow the manufacturer to improve the security of the product if he so wishes. Security function Test code Objective Result All security functions \[STIC\_OPNSENSE\_HIG H-2404-PT-0000\] Verify if it is possible to exploit CVE-2024-11236 and CVE-2024-8932. PASS All security functions \[STIC\_OPNSENSE\_HIG H-2404-PT-0001\] Verify if it is possible to exploit CVE-2024-11234. PASS All security functions \[STIC\_OPNSENSE\_HIG H-2404-PT-0002\] Verify if it is possible to exploit CVE-2024-11233. PASS 9.3 RESULTS ID Non-conformity State N/A None. N/A ID Comments State N/A None. N/A 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 86/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 10 REFERENCES \[CC\] Common Criteria for Information Technology Security Evaluation. The last approved version must be considered which is published in the website of the Certification Body. (https://oc.ccn.cni.es). \[CCN-STIC-2001\] Definition of the National Essential Security Certification (LINCE), version 2.0. March 2022. \[CCN-STIC-2002\] Evaluation Methodology for the National Essential Security Certification (LINCE), version 2.0. March 2022. \[CCN-STIC-2003\] Template for the Security Target of the National Essential Security Certification (LINCE), version 2.0. March 2022. \[CCN-STIC-807\] Use of cryptology within the National Security Scheme (Esquema Nacional de Seguridad). May 2022. \[CEM\] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology. The last approved version must be considered which is published in the website of the Certification Body. (https://oc.ccn.cni.es). \[listado\_de\_evidencias\] List of evidence in which are included the reference, title, version, path and SHA-256 hash of the different evidence provided by the manufacturer for the evaluation. \[CCN-STIC 140-D3\] Reference Taxonomy for ICT Security Products - Annex D.3: Firewall. 2020 August. \[cPP-ND-30e\] collaborative Protection Profile for Network Devices Version 3.0e \[cPP-ND-30e-SD\] Evaluation Activities for Network Device cPP Version 3.0e Supporting Document. \[PKG-SSH-10\] Functional Package for SSH Version 1.0 \[PKG-TLS-11\] Functional Package for TLS Version 1.1 \[PPMOD-FW-14e\] collaborative Protection Profile Module for Stateful Traffic Filter Firewalls v1.4 + Errata 20200625 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 87/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. \[PPMOD-FW-14e-SD\] collaborative Protection Profile Module for Stateful Traffic Filter Firewalls v1.4 + Errata 20200625 Supporting Document \[LINCE-ST-08\] OPNsense Business Edition Security Target version 0.7 (LINCE) \[IAR-10\] OPNsense Business Edition IAR version 1.0 10.1 DEVELOPER EVIDENCES The applicable developer evidence is listed in the latest version of the attached document \[listado\_de\_evidencias\]. 0 STIC ETR CUA-2023-118 STIC\_OPNSENSE\_HIGH-2404 STIC Evaluation Technical Report 88/88 jtsec Beyond IT Security SL Uncontrolled copy if printed. 11 ACRONYMS CCN Centro Criptológico Nacional CNI Centro Nacional de Inteligencia ENS Esquema Nacional de Seguridad LINCE National Essential Security Certification MCF Source Code Module MEB Biometric Evaluation Module MEC Cryptographic Evaluation Module TIC Information and Communications Technology TOE Target Of Evaluation SSH Secure Shell NTP Network Time Protocol TLS Transport Layer Security CLI Command Line Interface GUI Graphical User Interface CRL Certificate Revocation List CSR Certificate Signing Request CA Certification Authority CVE Common Vulnerabilities and Exposures
---