OPNsense has announced the release of OPNsense 21.1, also known as Marvelous Meerkat. The release comes with new and improved firewall rules and NAT categories, traffic graphs that support IPv6 and have received a visual refresh, intrusion detection rule management by policies, an alias for MAC addresses, and NAT over IPsec. The company also announced that the WireGuard plugin is still available and receives continuous improvements from its maintainer and users. Dnsmasq has been switched to a pluggable file-based approach, with Unbound to follow in the upcoming 21.7 series. To download the latest version, you can visit the full mirror list.
Patch notes against 20.7.8:
- system: use authentication factory for web GUI login
- system: allow case-insensitive matching for LDAP user authentication
- system: removed unused gateway API dashboard feed
- system: removed spurious comma from certificate subject print and unified underlying code
- system: harden web GUI defaults to TLS 1.2 minimum and strong ciphers
- system: generate a better self-signed certificate for web GUI default
- system: allow self-signed renew for web GUI default (using “configctl webgui restart renew”)
- system: allow subdirectories in NextCloud backup (contributed by Lorenzo Milesi)
- system: first backup is same as current so ignore it on GUI and console
- system: optionally allow TOTP users to regenerate a token from the password page
- system: set hw.uart.console appropriately
- system: reconfigure routes on bootup
- system: relax gateway name validation
- system: ignore disabled gateways in dpinger services
- system: choose a better bind candidate for IPv4 in dpinger
- interfaces: defer IPv6 disable in interface code to ensure PPP interfaces do exist
- interfaces: no longer assume configuration-less interfaces can reach static setup code
- interfaces: fix PPP links not linking to their advanced configuration page
- interfaces: read deprecated flag, allow family spec in (-)alias calls
- interfaces: fix address removal in IPv6 CARP case
- interfaces: pick proper route for 6RD and 6to4 tunnels
- interfaces: support 6RD with single /64 prefix (contributed by Marcel Hofer)
- firewall: support category filters for firewall and NAT rules (sponsored by Modirum)
- firewall: add live log “host”, “port” and “not” filters
- firewall: create an appropriate max-mss scrub rule for IPv6
- firewall: fix anti-spoof option for separate bridge interfaces
- firewall: display zeros and sort columns in pfTables (contributed by kulikov-a)
- firewall: relax schedule name validation