OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: franco on October 18, 2017, 09:41:22 am

Title: 18.1 development milestones
Post by: franco on October 18, 2017, 09:41:22 am
Hi everyone,

Here is a frequently updated list of changes that have been made since 17.7 was released:

o Shared forwarding now works on IPv6, in conjunction with "tryforwarding" and better reply-to multi-WAN behaviour
o A potential fix for the high CPU load of the SNMP hostres module
o Realtek vendor NIC driver version 1.94
o FreeBSD 11.1
o SSH installer now works with single interface configurations
o Optional VHID to support alias IP on CARP
o Ability to lock vital interfaces to prevent reboot network recovery
o Better insight reporting and captive portal database corruption detection and repair
o Portable NAT before IPsec support
o Local group restriction feature in OpenVPN and IPsec
o Debug kernel support in updater
o Firmware improvements treat base and kernel sets like packages (lock, reinstall)
o Firmware package health audit from the GUI
o Support for switching the release type (development / production) from the UI
o Traffic mini graph additions
o PHP 7.1, jQuery 3 migration
o GeoIP alias UX improvements
o OpenVPN multi-remote support for clients
o Strict interface binding for SSH and web GUI
o Reworked session handling for snappier service management and backend interaction
o Improved MVC tab and general page layout
o Easy-to-use update cache support for Linux and Windows in web proxy
o Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)
o Revamped HAProxy plugin with introduction pages
o Support stateless DHCPv6 and router advertisements on attached virtual IPs
o User-based web GUI language setting
o Logic-based ACL usage and cache, UI menu cache
o Redirect-after-login support for MVC pages
o Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status
o Alias rework for better maintainability / extendability
o Migration of system routes UI and backend to MVC (also available as API)
o Reverse DNS support for insight reporting (also available as API)
o Written from scratch firewall live log in MVC (also available as API)
o New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, nut


Cheers,
Franco
Title: Re: 18.1 development milestones
Post by: Solaris17 on October 20, 2017, 02:30:12 am
Pretty exciting list!!! I always look forward to OPNsense progression and you are doing a fantastic job Franco! What a great project!
Title: Re: 18.1 development milestones
Post by: franco on October 20, 2017, 08:39:06 am
Thanks, especially the plugins have been lucky to have active maintainers now. <3

Granted, most of these changes already hit 17.7.x, this list just keeps track of what has been done.

A 18.1-BETA CFT and road map will also be published within the next week.


Cheers,
Franco
Title: Re: 18.1 development milestones
Post by: tuaris on October 23, 2017, 11:45:34 pm
Looking forward to testing. Hopefully the move to FreeBSD 11.1 might help solve my kernel panic issues when using VLANs
Title: Re: 18.1 development milestones
Post by: Ren on November 07, 2017, 04:42:29 am
Up for 7 days no issues other than a few user errors which required a reboot. Currently running one VLAN for guest wireless access (GUESTNET) for UBNT access point. Currently in the process of configuring a couple plugins, specifically the antivirus for HTTP and HTTPS traffic using letsencrypt cert


Oooo the only error I saw in the logs is the error listed below

kernel: module_register_init: MOD_LOAD (vesa, 0xffffffff810a67e0, 0) error 19

Which seems to be a bug with the video driver which I honestly kinda don't care about

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213045


Device Model Running OPNSENSE:  ZOTAC ZBOX CI323

Title: Re: 18.1 development milestones
Post by: franco on December 13, 2017, 09:15:29 pm
The list was updated to reflect the current reality of 18.1-BETA. :)
Title: Re: 18.1 development milestones
Post by: HFsi on December 14, 2017, 04:22:06 pm
I canĀ“t find where to enable reverse DNS support for insight reporting...
Title: Re: 18.1 development milestones
Post by: franco on December 14, 2017, 04:50:47 pm
If you are on 17.7.x that is expected.

https://forum.opnsense.org/index.php?topic=3479.0 states:

With 16.7.1 and up, it's possible to switch to the development version by invoking this command on a shell:

# opnsense-update -t opnsense-devel

Switching back to the release version is done by typing the following instead:

# opnsense-update -t opnsense


Cheers,
Franco
Title: Re: 18.1 development milestones
Post by: ThePOO on December 18, 2017, 11:33:08 pm
Just curious ... once 18.1 comes out how much of the pfSense original code will be left in OPNsense?
Title: Re: 18.1 development milestones
Post by: franco on December 19, 2017, 08:17:22 am
It would depend heavily on who you ask and what your metrics are.

I've updated the gitstats graphs for a slight indication of what is going on in terms of activity:

https://pkg.opnsense.org/stats/core/index.html

It's also worth noting that "pfSense" was also a fair share of m0n0wall when we started researching features and looking for sensible replacements / improvements in various areas since 2014.

We've been over all files in UI design and code style updates / improvement / fixes, deleted the ones that were no longer necessary or were replaced by MVC/API equivalents. We've also rewritten the build tools because they were not available to us during the forking, introduced a real ports and source tree for FreeBSD.

The static page ratio vs. MVC/API is roughly 3 vs. 1 which is not where we hoped we would have ended up by now, but it's just a huge set of pages and people also constantly ask for improvements and we need to balance that. Furthermore, adding a firewall rules API requires all the rule generation code to be rewritten to make any sense at all. We're halfway there before we can think of building the API on top. But hopefully a progression is noticeable here for the mid and long-term.

The largest set of "intact" code is probably the /usr/local/etc/inc/* department, but that has also been taken apart by means of pluginification of the files and gradual improvements.

If you have more questions, please let me know. :)


Cheers,
Franco
Title: Re: 18.1 development milestones
Post by: AdSchellevis on December 19, 2017, 10:16:06 am
Roughly between 5-10% of the code is still originating from either M0n0wall or pfSense; we reworked all the old pages to align user experience and improve code readability once we realised that portions of the code were likely staying with us for a larger timespan.

From time to time we still find dead code blocks, which have no functional reason to be there, but during the last 2 years the amount of dead code has declined rapidly.

Best regards,

Ad
Title: Re: 18.1 development milestones
Post by: ThePOO on December 19, 2017, 10:36:54 pm
Guys .... WOW !!!!!

Thanks for the information.     Slowly, but surely ... out goes the old, in comes the new.    <smile>

Being a convert of some 5+ months I can say I've thoroughly enjoyed my time with 17 and looking forward to 18 --- and beyond.

I've helped a couple friends that -were- running pfSense and are now running OPNsense.     They have remarked they like the organization much better.     All the help built in helps too.

Anyway, thanks again for the information.
Title: Re: 18.1 development milestones
Post by: franco on December 20, 2017, 06:59:57 am
Thanks <3
Title: Re: 18.1 development milestones
Post by: okinawa on December 22, 2017, 02:37:21 pm
Hi,
My responsibility is to have a group-based web filtering feature I really want to use as it is in PFSense.
Title: Re: 18.1 development milestones
Post by: franco on December 24, 2017, 02:49:52 pm
17.7.12 and 18.1-RC1 will both gain the os-web-proxy-useracl plugin: "Allow users and group-based policies in the web proxy."


Cheers,
Franco
Title: Re: 18.1 development milestones
Post by: Tsuroerusu on December 26, 2017, 07:07:50 pm
Will LibreSSL also be updated in 18.1 or will it be sticking with 2.5.x?
Title: Re: 18.1 development milestones
Post by: franco on December 27, 2017, 11:06:17 am
It was updated to 2.6.4 6 days ago:

https://github.com/opnsense/ports/commit/2936f5e7a

We're still testing, best case this hits in 17.7.12, worst case some time in 18.1.x, depending on the issues.

So far it looks like a smooth ride to 17.7.12 though. :)

Note that 2.5.5 is still supported so we don't need to act overly fast.
Title: Re: 18.1 development milestones
Post by: gonzo on December 30, 2017, 08:49:17 pm
HI :)

UTM plugins: antivirus, antispam, mail, web proxy extensions.
I was very interested in this functionality. What exactly does this mean?

Title: Re: 18.1 development milestones
Post by: franco on December 30, 2017, 09:00:15 pm
We have a couple of new plugins. In detail...

Web proxy plugins:

security/clamav -- Antivirus engine for detecting malicious threats
www/c-icap -- c-icap connects your Proxy with a virus scanner
www/web-proxy-sso -- Kerberos authentication module
www/web-proxy-useracl -- Group and user ACL for the web proxy

Mail plugins:

mail/postfix -- SMTP mail relay
mail/rspamd -- Protect your network from spam
security/clamav -- Antivirus engine for detecting malicious threats


Cheers,
Franco
Title: Re: 18.1 development milestones
Post by: gmu on February 26, 2018, 02:44:33 pm
Hello,

I use OPNsense 18.1.2_2-amd64 / FreeBSD 11.1-RELEASE-p6 / OpenSSL 1.0.2n 7 Dec 2017

My security audit says:

***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
squid-3.5.27_2 is vulnerable:
squid -- Vulnerable to Denial of Service attack
CVE: CVE-2018-1000027
CVE: CVE-2018-1000024
WWW: https://vuxml.FreeBSD.org/freebsd/d5b6d151-1887-11e8-94f7-9c5c8e75236a.html

1 problem(s) in the installed packages found.
***DONE***

Is there any timeline to fix it?

Thanks.
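Added example (not from the thread and not OPNsense's own code): a small Python parser that turns the line-oriented audit report quoted above into structured records, so the same check can feed a monitoring or ticketing system instead of being read by eye. The sample input is the report pasted in the post, embedded as a constructed string; the handling of several advisories under one package (each "<pkg> -- <title>" line starting a new record) is an assumption about the report layout, not something the post shows.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the audit report quoted in the post above,
# embedded here so the parser runs offline without a pkg(8) installation.
SAMPLE_AUDIT = """\
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
squid-3.5.27_2 is vulnerable:
squid -- Vulnerable to Denial of Service attack
CVE: CVE-2018-1000027
CVE: CVE-2018-1000024
WWW: https://vuxml.FreeBSD.org/freebsd/d5b6d151-1887-11e8-94f7-9c5c8e75236a.html

1 problem(s) in the installed packages found.
***DONE***
"""


@dataclass
class Advisory:
    package: str                 # package name without version, e.g. "squid"
    version: str                 # installed version, e.g. "3.5.27_2"
    title: str                   # text after "<pkg> -- " on the advisory line
    cves: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)


_HEADER_SUFFIX = " is vulnerable:"
_SUMMARY_RE = re.compile(r"^(\d+) problem\(s\) in the installed packages found\.$")


def parse_pkg_audit(text: str) -> tuple[list[Advisory], Optional[int]]:
    """Parse a pkg audit style report into Advisory records.

    A "<name>-<version> is vulnerable:" line opens a package block. Inside
    it, each "<name> -- <title>" line starts one advisory (assumed layout for
    packages with several advisories), and the CVE:/WWW: lines that follow
    attach to the most recent advisory. The trailing "N problem(s) ..." count
    is returned so callers can cross-check it against what was parsed.
    """
    advisories: list[Advisory] = []
    pkg_name: Optional[str] = None
    pkg_ver: str = ""
    current: Optional[Advisory] = None
    reported: Optional[int] = None

    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(_HEADER_SUFFIX):
            # FreeBSD package versions follow the last hyphen of the name,
            # so rpartition keeps hyphenated names such as "py36-requests" intact.
            pkg_name, _, pkg_ver = line[: -len(_HEADER_SUFFIX)].rpartition("-")
            current = None
        elif pkg_name and line.startswith(pkg_name + " -- "):
            current = Advisory(pkg_name, pkg_ver, line.split(" -- ", 1)[1])
            advisories.append(current)
        elif current is not None and line.startswith("CVE: "):
            current.cves.append(line[len("CVE: "):])
        elif current is not None and line.startswith("WWW: "):
            current.urls.append(line[len("WWW: "):])
        else:
            m = _SUMMARY_RE.match(line)
            if m:
                reported = int(m.group(1))
    return advisories, reported


def affected_packages(advisories: list[Advisory]) -> dict[str, set[str]]:
    """Collapse advisories into {package: {CVE, ...}} for a one-line alert."""
    out: dict[str, set[str]] = {}
    for adv in advisories:
        out.setdefault(adv.package, set()).update(adv.cves)
    return out


if __name__ == "__main__":
    advs, count = parse_pkg_audit(SAMPLE_AUDIT)
    for adv in advs:
        print(f"{adv.package}-{adv.version}: {adv.title} [{', '.join(adv.cves)}]")
    print("reported problems:", count, "| packages parsed:", len(affected_packages(advs)))
```

The returned count lets a cron job flag a mismatch between the report's own tally and the number of package blocks it managed to parse, which is the usual symptom of a format change in the audit output.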
Title: Re: 18.1 development milestones
Post by: franco on February 27, 2018, 08:26:05 pm
18.1.3... this week...

Are you using the web proxy?

It's a DoS and for 98% one runs Squid internally so you trust your users, or at least you can slap them if they DoS. ;)


Cheers,
Franco