"
PS: That being said upgrade to any beta and update to RC1 works fine. ;)
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#8057
22.1 Legacy Series / Re: Upgrade to 22.1.r1 is not working
January 12, 2022, 05:10:53 PM
Hi Alex,
Don't do this...
> # opnsense-update -ur 22.1.r1
Upgrades will be shipped with the development version of 21.7.8 like we did with all the betas.
Or properly edit /usr/local/etc/opnsense-update.conf but please make sure to be on the latest DEVELOPMENT version.
Cheers,
Franco
Don't do this...
> # opnsense-update -ur 22.1.r1
Upgrades will be shipped with the development version of 21.7.8 like we did with all the betas.
Or properly edit /usr/local/etc/opnsense-update.conf but please make sure to be on the latest DEVELOPMENT version.
Cheers,
Franco
#8058
Announcements / OPNsense 22.1-RC1 released
January 12, 2022, 02:39:22 PM
Hi there,
For more than 7 years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.
We thank all of you for helping test, shape and contribute to the project!
We know it would not be the same without you. <3
Download links, an installation guide[1] and the checksums for the images
can be found below as well.
o Europe: https://opnsense.c0urier.net/releases/22.1/
o US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/22.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/22.1/
o South America: http://mirror.ueb.edu.ec/opnsense/releases/22.1/
o East Asia: https://mirror.ntct.edu.tw/opnsense/releases/22.1/
o Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 21.7.7:
o system: improved visibility and flexibility of tunables
o system: create latest.log links for easier log consumption
o system: added opnsense-log utility to inspect logs on the console
o system: removed circular logging support
o system: background all cron backend command invokes
o system: unified cron start between legacy and MVC components
o system: improve the fallback after failing to look up specific IPv4 address match for dpinger
o system: default net.inet6.ip6.intr_queue_maxlen to 1000 like its IPv4 counterpart
o system: default net.inet6.ip6.redirect to off like its IPv4 counterpart
o system: fix potential issues with "search" syntax in resolv.conf
o system: make /var MFS work when /var directories are mount points, e.g. on ZFS
o system: optionally disconnect PPP interfaces when going into CARP backup mode
o system: add severity to syslog output and allow to filter for it
o system: no longer display duplicated mounted partitions on the dashboard
o interfaces: LAGG support in console port assignment (contributed by sarthurdev)
o interfaces: aligned the name and use of special /tmp files for internal interface handling
o interfaces: removed opportunistic functions find_interface_ip(), find_interface_ipv6() and find_interface_ipv6_ll()
o interfaces: get_interface_ip() and get_interface_ipv6() now return a valid IP address if one was given to support VIP aliases
o interfaces: interfaces_addresses() can now map a configuration interface to returned addresses to track its origin
o interfaces: VIPs now support the "no bind" option to exclude them from automatic service use when configured
o interfaces: interfaces_primary_address() is now being used like its IPv6 equivalent throughout the code
o interfaces: interfaces_primary_address6() is now considering addresses from tracking interfaces when needed
o interfaces: interfaces_scoped_address6() is now being used throughout the code
o interfaces: "tentative" state now leads to the address being ignored during configuration like "deprecated"
o interfaces: removed unmaintained 3G statistics gathering for Huawei modems that could lock up other modems
o interfaces: reworked interface creation on boot up
o interfaces: spoof MAC now only applies to actual interface and not all of its VLAN siblings or parent
o interfaces: added permanent promiscuous mode setting
o interfaces: add the interface description via ifconfig to its respective device
o interfaces: stop special treatment of bridge interfaces on linkup
o interfaces: correctly write nameserverv6 and searchdomainv6 information on dhcp6c lease acquire
o interfaces: background all interface reconfiguration script hooks
o interfaces: refactored linkup event handler to avoid unnecessary recursion in the code
o interfaces: make cache IP files exclusive to rc.newwan and rc.newwanv6 scripts to avoid missing IP changes
o interfaces: no longer allow and apply media configuration for non-parent devices
o interfaces: removed restriction from interfaces without configuration to not being able to hold VIPs
o firewall: properly kill all connections from and to a WAN IPv4 on an address change
o firewall: skip rule ID for NAT type log entries (contributed by kulikov-a)
o firewall: display interface descriptions on normalisation rules (contributed by vnxme)
o firewall: dynamic IPv6 host alias support (contributed by Team Rebellion)
o firewall: removed obsolete kill states option on gateway failure
o firewall: removed the $aliastable cache
o dhcp: allow for ARM architectures in network boot options (contributed by Keith Cirkel)
o dhcp: allow router advertisements to use a specific link-local VIP alias
o dhcp: refactor the IPv4 and IPv6 configuration pages and add minimal subnet size requirement hints
o dnsmasq: fix all-server overwriting strict-order configuration directive (contributed by Christian Tramnitz)
o firmware: add a "status_reboot" variable to API return data to make clear it belongs to the offered minor update or major upgrade
o firmware: add random delays to existing firmware cron jobs to avoid update server load spikes
o firmware: added an automatic cron job to fetch changelog daily to use it as a lightweight check for updates on the dashboard
o firmware: return product info for status endpoint even when no firmware check was done
o firmware: removed obsolete business repository fingerprints and added 22.1 fingerprint
o firmware: implement cross-ABI reinstall of all packages for future use
o installer: fix installation of rc.conf keymap setting selected earlier during installation
o installer: improve disk and ZFS pool scan and display
o installer: increase EFI partition size to 260 MB
o installer: add EFI partition as a default mount point
o ipsec: update security of default settings when creating new phase 1 and 2
o ipsec: remove hashes and algorithms no longer supported by FreeBSD 13
o ipsec: migrated tunnel settings page to MVC
o lang: update translations for Chinese, French, German, Italian, Japanese, Norwegian, Spanish, and Turkish
o lang: demote Italian to development-only language due to lowered translation ratio
o monit: move logging to own target
o network time: add iburst option and stop using it by default (contributed by Patrick M. Hausen)
o openvpn: kill by common name when kill by address does not work
o unbound: disable do-not-query-localhost on local address server use
o unbound: update DNS with hostname-only static entries (contributed by Gareth Owen)
o update: opnsense-bootstrap: -z snapshot mode
o update: opnsense-bootstrap: improved type detection
o update: opnsense-code: -r for repository removal
o update: opnsense-fetch: emit error message of failed download
o update: opnsense-update: handle kernel debug directory like /boot/kernel
o update: opnsense-update: removed "firmware-upgrade" file support
o update: opnsense-verify: synced shared code with FreeBSD 13
o backend: unify use of configctl utility
o images: removed deprecated os-dyndns plugin from default installation
o mvc: emulation versioning empty nodes for the legacy configuration sections
o mvc: add getInterfaceConfig endpoint to interface API (contributed by Paolo Asperti)
o mvc: add hint support for text fields (contributed by agh1467)
o ui: add support for terabytes, and petabytes to format_bytes() (contributed by agh1467)
o ui: universal striping adjustment for MVC components (contributed by kulikov-a)
o src: FreeBSD 13-STABLE as of 4ee9fbcd853
o src: reworked shared forwarding
o src: migrated to LUA boot loader (contributed by Kyle Evans)
o plugins: os-acme-client 3.8[2]
o plugins: os-bind 1.20[3]
o plugins: os-frr 1.25[4]
o plugins: os-haproxy 3.9[5]
o plugins: os-nginx 1.25[6]
o plugins: os-openconnect 1.4.2[7]
o plugins: os-postfix 1.21[8]
o plugins: os-telegraf 1.12.4[9]
o plugins: os-zabbix-proxy 1.7[10]
o ports: expat 2.4.2[11]
o ports: filterlog 0.6[12]
o ports: flock 2.37.2
o ports: lighttpd 1.4.63[13]
o ports: nss 3.73.1[14]
o ports: openssl 1.1.1m[15]
o ports: openvpn 2.5.5[16]
o ports: phalcon 4.1.3[17]
o ports: php 7.4.27[18]
o ports: sqlite 3.37.1[19]
o ports: unbound 1.14.0[20]
Known issues and limitations:
o This release contains a new major operating system version and should be carried out with the necessary care. Despite extended test coverage changes made by FreeBSD may still affect operation without our knowledge.
o MAC spoofing now only pertains to the configured interface and not the VLAN siblings or parent interface. This can introduces unwanted configuration due to previous side effects in the code. Make sure to assign and set the spoofed MAC for all interfaces that require a spoofed MAC.
o Media settings are no longer shown for non-parent interfaces and need to be set individually to take effect. This can introduce unwanted configuration due to previous side effects in the code. If the parent interface was not previously assigned please assign it to reapply the required media settings.
o Router advertisement static mode option is still subject to change in this release candidate series.
o IPsec hash and cipher removals in FreeBSD 13 can affect existing setups as insecure cryptographic options have been removed upstream. For more information see the FreeBSD commit in question[21]. We will be adding an explict configuration check to 21.7 before its end of life.
o Circular logging support has been removed. No user interaction is required.
o The migration notes are subject to change and will be extended as needed in the upcoming weeks.
The public key for the 22.1 series is:
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1o1Bk31AcX5xsqgVAoWQ
1fTDznz22ojsK+qCkhW7MKSWlCyEZYEueUtq7hOt/gqttc3qT0WgHjhjI/WE2RQ4
53yfSw/2DDdt3v2WRoupaMzu2Px6I0A+dzo/DM0UWHHsjUaa1HnTvrC14W2vy9wY
rdotDpp6vSA3WoBmpz+6cpAOlOMTboJouaZy2gSAAcFUmnmP6KDE+lQEqudENTpr
wb/tIILTE3s6HMBrnmyTNz3Oyy77qH0Xq4mU0r+GS3If0LN+zIr3evt/hhS80otG
4WA2ifFeoZVUC//ArAqRiuOJKWvDe5455W1tOuoLkVKVwWMUd1YjaLq8/SRNtTVT
jRWO6znUHJa7LKtwY7SJvJ8bl8kR8QnrEBRLqT3IA+FcRH+8RaeCivPV7oS1tMiV
7hUmu4yXkiMU9c/RrUj7UGZfPKa6K1yP2p3pRvHwCpMclhlVdaiAGNQ8X1GmUAmg
3hsoay1ximpj0Yzs+ynDdT1WPkjx8+mDWI08qTuVX+KN3xiohzjxUyD6kBbw2N4z
EkKTu36KLxo+Hs2iHh4iPWV+EZ5pBn/BseUeHha+V76xM/fPU3H2htwF6/lAz3KH
J6cevsMenCaYBAqpUsQMBjxhDgMmpCcjiZRPijFpe5zsNSUD1NJ8QMpecBZCE6Vt
YHWiWxZTN13z4mPqA4uebakCAwEAAQ==
-----END PUBLIC KEY-----
Please let us know about your experience!
Stay safe,
Your OPNsense team
--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/blob/stable/22.1/security/acme-client/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/22.1/dns/bind/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/22.1/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/22.1/net/haproxy/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/22.1/www/nginx/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/22.1/security/openconnect/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/22.1/mail/postfix/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/telegraf/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/zabbix-proxy/pkg-descr
[11] https://github.com/libexpat/libexpat/blob/R_2_4_2/expat/Changes
[12] https://github.com/opnsense/ports/commit/2e27655d84
[13] https://www.lighttpd.net/2021/12/4/1.4.63/
[14] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.73.1_release_notes
[15] https://www.openssl.org/news/openssl-1.1.1-notes.html
[16] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.5
[17] https://github.com/phalcon/cphalcon/releases/tag/v4.1.3
[18] https://www.php.net/ChangeLog-7.php#7.4.27
[19] https://sqlite.org/releaselog/3_37_1.html
[20] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-14-0
[21] https://github.com/opnsense/src/commit/16aabb761c0a
SHA256 (OPNsense-22.1.r1-OpenSSL-dvd-amd64.iso.bz2) = c6388b7960ec8e65a89dd8baf0a118410340f94b260bfea64faf3008c525376e
SHA256 (OPNsense-22.1.r1-OpenSSL-nano-amd64.img.bz2) = 10aa979b754c8d4b0ffdad4c8befa1ab3b0bb146981333d5731ffa5c7b99b9b3
SHA256 (OPNsense-22.1.r1-OpenSSL-serial-amd64.img.bz2) = e09addbab2a479cd5155926373c2bbe141d3f6aa057f044b43d9ad11fcc75e85
SHA256 (OPNsense-22.1.r1-OpenSSL-vga-amd64.img.bz2) = 7f02135fdddf6227fd1ef4bb3012ce83b622bf7ec18baadaf03105792a38576c
For more than 7 years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.
We thank all of you for helping test, shape and contribute to the project!
We know it would not be the same without you. <3
Download links, an installation guide[1] and the checksums for the images
can be found below as well.
o Europe: https://opnsense.c0urier.net/releases/22.1/
o US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/22.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/22.1/
o South America: http://mirror.ueb.edu.ec/opnsense/releases/22.1/
o East Asia: https://mirror.ntct.edu.tw/opnsense/releases/22.1/
o Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 21.7.7:
o system: improved visibility and flexibility of tunables
o system: create latest.log links for easier log consumption
o system: added opnsense-log utility to inspect logs on the console
o system: removed circular logging support
o system: background all cron backend command invokes
o system: unified cron start between legacy and MVC components
o system: improve the fallback after failing to look up specific IPv4 address match for dpinger
o system: default net.inet6.ip6.intr_queue_maxlen to 1000 like its IPv4 counterpart
o system: default net.inet6.ip6.redirect to off like its IPv4 counterpart
o system: fix potential issues with "search" syntax in resolv.conf
o system: make /var MFS work when /var directories are mount points, e.g. on ZFS
o system: optionally disconnect PPP interfaces when going into CARP backup mode
o system: add severity to syslog output and allow to filter for it
o system: no longer display duplicated mounted partitions on the dashboard
o interfaces: LAGG support in console port assignment (contributed by sarthurdev)
o interfaces: aligned the name and use of special /tmp files for internal interface handling
o interfaces: removed opportunistic functions find_interface_ip(), find_interface_ipv6() and find_interface_ipv6_ll()
o interfaces: get_interface_ip() and get_interface_ipv6() now return a valid IP address if one was given to support VIP aliases
o interfaces: interfaces_addresses() can now map a configuration interface to returned addresses to track its origin
o interfaces: VIPs now support the "no bind" option to exclude them from automatic service use when configured
o interfaces: interfaces_primary_address() is now being used like its IPv6 equivalent throughout the code
o interfaces: interfaces_primary_address6() is now considering addresses from tracking interfaces when needed
o interfaces: interfaces_scoped_address6() is now being used throughout the code
o interfaces: "tentative" state now leads to the address being ignored during configuration like "deprecated"
o interfaces: removed unmaintained 3G statistics gathering for Huawei modems that could lock up other modems
o interfaces: reworked interface creation on boot up
o interfaces: spoof MAC now only applies to actual interface and not all of its VLAN siblings or parent
o interfaces: added permanent promiscuous mode setting
o interfaces: add the interface description via ifconfig to its respective device
o interfaces: stop special treatment of bridge interfaces on linkup
o interfaces: correctly write nameserverv6 and searchdomainv6 information on dhcp6c lease acquire
o interfaces: background all interface reconfiguration script hooks
o interfaces: refactored linkup event handler to avoid unnecessary recursion in the code
o interfaces: make cache IP files exclusive to rc.newwan and rc.newwanv6 scripts to avoid missing IP changes
o interfaces: no longer allow and apply media configuration for non-parent devices
o interfaces: removed restriction from interfaces without configuration to not being able to hold VIPs
o firewall: properly kill all connections from and to a WAN IPv4 on an address change
o firewall: skip rule ID for NAT type log entries (contributed by kulikov-a)
o firewall: display interface descriptions on normalisation rules (contributed by vnxme)
o firewall: dynamic IPv6 host alias support (contributed by Team Rebellion)
o firewall: removed obsolete kill states option on gateway failure
o firewall: removed the $aliastable cache
o dhcp: allow for ARM architectures in network boot options (contributed by Keith Cirkel)
o dhcp: allow router advertisements to use a specific link-local VIP alias
o dhcp: refactor the IPv4 and IPv6 configuration pages and add minimal subnet size requirement hints
o dnsmasq: fix all-server overwriting strict-order configuration directive (contributed by Christian Tramnitz)
o firmware: add a "status_reboot" variable to API return data to make clear it belongs to the offered minor update or major upgrade
o firmware: add random delays to existing firmware cron jobs to avoid update server load spikes
o firmware: added an automatic cron job to fetch changelog daily to use it as a lightweight check for updates on the dashboard
o firmware: return product info for status endpoint even when no firmware check was done
o firmware: removed obsolete business repository fingerprints and added 22.1 fingerprint
o firmware: implement cross-ABI reinstall of all packages for future use
o installer: fix installation of rc.conf keymap setting selected earlier during installation
o installer: improve disk and ZFS pool scan and display
o installer: increase EFI partition size to 260 MB
o installer: add EFI partition as a default mount point
o ipsec: update security of default settings when creating new phase 1 and 2
o ipsec: remove hashes and algorithms no longer supported by FreeBSD 13
o ipsec: migrated tunnel settings page to MVC
o lang: update translations for Chinese, French, German, Italian, Japanese, Norwegian, Spanish, and Turkish
o lang: demote Italian to development-only language due to lowered translation ratio
o monit: move logging to own target
o network time: add iburst option and stop using it by default (contributed by Patrick M. Hausen)
o openvpn: kill by common name when kill by address does not work
o unbound: disable do-not-query-localhost on local address server use
o unbound: update DNS with hostname-only static entries (contributed by Gareth Owen)
o update: opnsense-bootstrap: -z snapshot mode
o update: opnsense-bootstrap: improved type detection
o update: opnsense-code: -r for repository removal
o update: opnsense-fetch: emit error message of failed download
o update: opnsense-update: handle kernel debug directory like /boot/kernel
o update: opnsense-update: removed "firmware-upgrade" file support
o update: opnsense-verify: synced shared code with FreeBSD 13
o backend: unify use of configctl utility
o images: removed deprecated os-dyndns plugin from default installation
o mvc: emulation versioning empty nodes for the legacy configuration sections
o mvc: add getInterfaceConfig endpoint to interface API (contributed by Paolo Asperti)
o mvc: add hint support for text fields (contributed by agh1467)
o ui: add support for terabytes, and petabytes to format_bytes() (contributed by agh1467)
o ui: universal striping adjustment for MVC components (contributed by kulikov-a)
o src: FreeBSD 13-STABLE as of 4ee9fbcd853
o src: reworked shared forwarding
o src: migrated to LUA boot loader (contributed by Kyle Evans)
o plugins: os-acme-client 3.8[2]
o plugins: os-bind 1.20[3]
o plugins: os-frr 1.25[4]
o plugins: os-haproxy 3.9[5]
o plugins: os-nginx 1.25[6]
o plugins: os-openconnect 1.4.2[7]
o plugins: os-postfix 1.21[8]
o plugins: os-telegraf 1.12.4[9]
o plugins: os-zabbix-proxy 1.7[10]
o ports: expat 2.4.2[11]
o ports: filterlog 0.6[12]
o ports: flock 2.37.2
o ports: lighttpd 1.4.63[13]
o ports: nss 3.73.1[14]
o ports: openssl 1.1.1m[15]
o ports: openvpn 2.5.5[16]
o ports: phalcon 4.1.3[17]
o ports: php 7.4.27[18]
o ports: sqlite 3.37.1[19]
o ports: unbound 1.14.0[20]
Known issues and limitations:
o This release contains a new major operating system version and should be carried out with the necessary care. Despite extended test coverage changes made by FreeBSD may still affect operation without our knowledge.
o MAC spoofing now only pertains to the configured interface and not the VLAN siblings or parent interface. This can introduces unwanted configuration due to previous side effects in the code. Make sure to assign and set the spoofed MAC for all interfaces that require a spoofed MAC.
o Media settings are no longer shown for non-parent interfaces and need to be set individually to take effect. This can introduce unwanted configuration due to previous side effects in the code. If the parent interface was not previously assigned please assign it to reapply the required media settings.
o Router advertisement static mode option is still subject to change in this release candidate series.
o IPsec hash and cipher removals in FreeBSD 13 can affect existing setups as insecure cryptographic options have been removed upstream. For more information see the FreeBSD commit in question[21]. We will be adding an explict configuration check to 21.7 before its end of life.
o Circular logging support has been removed. No user interaction is required.
o The migration notes are subject to change and will be extended as needed in the upcoming weeks.
The public key for the 22.1 series is:
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1o1Bk31AcX5xsqgVAoWQ
1fTDznz22ojsK+qCkhW7MKSWlCyEZYEueUtq7hOt/gqttc3qT0WgHjhjI/WE2RQ4
53yfSw/2DDdt3v2WRoupaMzu2Px6I0A+dzo/DM0UWHHsjUaa1HnTvrC14W2vy9wY
rdotDpp6vSA3WoBmpz+6cpAOlOMTboJouaZy2gSAAcFUmnmP6KDE+lQEqudENTpr
wb/tIILTE3s6HMBrnmyTNz3Oyy77qH0Xq4mU0r+GS3If0LN+zIr3evt/hhS80otG
4WA2ifFeoZVUC//ArAqRiuOJKWvDe5455W1tOuoLkVKVwWMUd1YjaLq8/SRNtTVT
jRWO6znUHJa7LKtwY7SJvJ8bl8kR8QnrEBRLqT3IA+FcRH+8RaeCivPV7oS1tMiV
7hUmu4yXkiMU9c/RrUj7UGZfPKa6K1yP2p3pRvHwCpMclhlVdaiAGNQ8X1GmUAmg
3hsoay1ximpj0Yzs+ynDdT1WPkjx8+mDWI08qTuVX+KN3xiohzjxUyD6kBbw2N4z
EkKTu36KLxo+Hs2iHh4iPWV+EZ5pBn/BseUeHha+V76xM/fPU3H2htwF6/lAz3KH
J6cevsMenCaYBAqpUsQMBjxhDgMmpCcjiZRPijFpe5zsNSUD1NJ8QMpecBZCE6Vt
YHWiWxZTN13z4mPqA4uebakCAwEAAQ==
-----END PUBLIC KEY-----
Please let us know about your experience!
Stay safe,
Your OPNsense team
--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/blob/stable/22.1/security/acme-client/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/22.1/dns/bind/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/22.1/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/22.1/net/haproxy/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/22.1/www/nginx/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/22.1/security/openconnect/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/22.1/mail/postfix/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/telegraf/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/zabbix-proxy/pkg-descr
[11] https://github.com/libexpat/libexpat/blob/R_2_4_2/expat/Changes
[12] https://github.com/opnsense/ports/commit/2e27655d84
[13] https://www.lighttpd.net/2021/12/4/1.4.63/
[14] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.73.1_release_notes
[15] https://www.openssl.org/news/openssl-1.1.1-notes.html
[16] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.5
[17] https://github.com/phalcon/cphalcon/releases/tag/v4.1.3
[18] https://www.php.net/ChangeLog-7.php#7.4.27
[19] https://sqlite.org/releaselog/3_37_1.html
[20] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-14-0
[21] https://github.com/opnsense/src/commit/16aabb761c0a
SHA256 (OPNsense-22.1.r1-OpenSSL-dvd-amd64.iso.bz2) = c6388b7960ec8e65a89dd8baf0a118410340f94b260bfea64faf3008c525376e
SHA256 (OPNsense-22.1.r1-OpenSSL-nano-amd64.img.bz2) = 10aa979b754c8d4b0ffdad4c8befa1ab3b0bb146981333d5731ffa5c7b99b9b3
SHA256 (OPNsense-22.1.r1-OpenSSL-serial-amd64.img.bz2) = e09addbab2a479cd5155926373c2bbe141d3f6aa057f044b43d9ad11fcc75e85
SHA256 (OPNsense-22.1.r1-OpenSSL-vga-amd64.img.bz2) = 7f02135fdddf6227fd1ef4bb3012ce83b622bf7ec18baadaf03105792a38576c
#8059
21.7 Legacy Series / Re: 6rd Gateway monitoring
January 12, 2022, 02:33:55 PM
Nice thanks. I don't want to burden 21.7.x with side effects for this as it's already done on 22.1 and that will be out by the end of the month anyway.
Cheers,
Franco
Cheers,
Franco
#8060
21.7 Legacy Series / Re: Strange behavior when editing Gateways
January 12, 2022, 09:51:06 AM
Hi there,
When you save automatic gateways they become manual gateways. When you delete them they become automatic gateways again.
In a nutshell you can't delete them and there is no point in doing so.
Cheers,
Franco
When you save automatic gateways they become manual gateways. When you delete them they become automatic gateways again.
In a nutshell you can't delete them and there is no point in doing so.
Cheers,
Franco
#8061
22.1 Legacy Series / Re: 22.1.r1
January 12, 2022, 09:32:49 AM
We need room for RC2 and 22.1 release :D
Images are also available if you like to try https://pkg.opnsense.org/releases/22.1/
And now you can switch back to community release type.
Cheers,
Franco
Images are also available if you like to try https://pkg.opnsense.org/releases/22.1/
And now you can switch back to community release type.
Cheers,
Franco
#8062
General Discussion / Re: Update from 20.1.9 to newer
January 12, 2022, 08:46:38 AM
20.9.1 is suspicious... since you didn't post version information I'm guessing you have i386 (32 bit) installed but you really want amd64 (64 bit). 32 bit was discontinued and cannot update anymore.
Cheers,
Franco
Cheers,
Franco
#8063
22.1 Legacy Series / Re: 22.1.r1
January 12, 2022, 08:45:03 AM
Clever, but you could have waited a few more hours until actual release :)
I'm working on it.
Cheers,
Franco
I'm working on it.
Cheers,
Franco
#8064
21.7 Legacy Series / Re: 6rd Gateway monitoring
January 11, 2022, 08:13:26 PM
Hmm, I wasn't expecting (1) but it seems like the easiest one to fix if I understand correctly:
https://github.com/opnsense/core/commit/9ac916cdc30c
# opnsense-patch 9ac916cdc30c
Incidentially, the code for 22.1was already changed in this way while I was reworking the interface function... find_interface_ip*() variants are particularly untrustworthy.
Fingers crossed :)
Cheers,
Franco
https://github.com/opnsense/core/commit/9ac916cdc30c
# opnsense-patch 9ac916cdc30c
Incidentially, the code for 22.1was already changed in this way while I was reworking the interface function... find_interface_ip*() variants are particularly untrustworthy.
Fingers crossed :)
Cheers,
Franco
#8065
21.7 Legacy Series / Re: OPNsense Security vulnerabilities site
January 11, 2022, 08:04:46 PM
We just use the FreeBSD package vulnerability database via pkg-audit utility which matches against the installed packages. It's run by FreeBSD and tailored for their ports. Sometimes there are (human) errors in these reports, but overall it works really well.
Cheers,
Franco
Cheers,
Franco
#8066
21.7 Legacy Series / Re: Is there a procedure to downgrade OPNsense OS
January 11, 2022, 04:57:01 PM
Downgrades are generally dangerous due to the OS trying to provide "forward" compatibility but always removing functionality from "backward" releases. You may not be able to boot a system you're trying to downgrade.
ZFS snapshots / boot environments are one newer way to deal with this, but the classic way has always been trying the live image feature with an early configuration import. This will give you a full system on the new version with your actual configuration but without clobbering the disk until you think it's ok to reinstall in place with your settings intact.
Of course always make sure to back up your config.xml somewhere else just in case.
Cheers,
Franco
ZFS snapshots / boot environments are one newer way to deal with this, but the classic way has always been trying the live image feature with an early configuration import. This will give you a full system on the new version with your actual configuration but without clobbering the disk until you think it's ok to reinstall in place with your settings intact.
Of course always make sure to back up your config.xml somewhere else just in case.
Cheers,
Franco
#8067
21.7 Legacy Series / Re: disable "Dynamic state reset" for VPN
January 11, 2022, 10:53:50 AM
So working on the release notes what changed is the following:
The kill state on gateway failure option is no longer available due to heavy-handed disruption of the implementation leading to a number of support issues over the years. It was since switched to disabled by default, but we haven't seen a good use case for it so now it will be removed for good. The GUI IP change full state killing doing the same thing when a WAN IPv4 changes, however, will remain for the time being.
On the other hand, the default state killing on a WAN IPv4 change when said option is not enabled will change as follows:
1. The cache file used to determine which address was previously configured is now exclusive to the script handling the address change meaning it will never miss an address change which was previously possible. This already helps in some cases to make it function properly.
2. In addition to killing all states from said cached address the default function will now also kill all states with the address as the destination, which should fix cases where the state kill triggered but wasn't working for incoming connections which led to use of the IP address change GUI option which kills every state of the firewall (also not optimal obviously).
Cheers,
Franco
The kill state on gateway failure option is no longer available due to heavy-handed disruption of the implementation leading to a number of support issues over the years. It was since switched to disabled by default, but we haven't seen a good use case for it so now it will be removed for good. The GUI IP change full state killing doing the same thing when a WAN IPv4 changes, however, will remain for the time being.
On the other hand, the default state killing on a WAN IPv4 change when said option is not enabled will change as follows:
1. The cache file used to determine which address was previously configured is now exclusive to the script handling the address change meaning it will never miss an address change which was previously possible. This already helps in some cases to make it function properly.
2. In addition to killing all states from said cached address the default function will now also kill all states with the address as the destination, which should fix cases where the state kill triggered but wasn't working for incoming connections which led to use of the IP address change GUI option which kills every state of the firewall (also not optimal obviously).
Cheers,
Franco
#8068
21.7 Legacy Series / Re: 6rd Gateway monitoring
January 11, 2022, 08:18:37 AM
Thanks for the info... I'm assuming this is 21.7.7... Let's see our possibilities:
1. Either ping doesn't work for any address or just the gateway IP, confirm by using 2001:4860:4860::8888 manually as monitor address.
2. Maybe the gateway doesn't respond to ping as per ISP configuration. You can confirm this by doing a packet capture on WAN to see if ping packets to gateway address leave correctly, but do not return.
3. The firewall might block these responses due to bogons or default configuration. Enabling default block logging under System: Settings: Logging might reveal this in live view.
4. The routes are not set up correctly for direct traffic to gateway IP at least from the IPv6 side. Depending on the network length being delegated this could happen due to confusion about the assigned subnet for WAN and LAN. It sort of circles back to point 1 too. "netstat -nr" would help shed a bit of light on this.
Cheers,
Franco
1. Either ping doesn't work for any address or just the gateway IP, confirm by using 2001:4860:4860::8888 manually as monitor address.
2. Maybe the gateway doesn't respond to ping as per ISP configuration. You can confirm this by doing a packet capture on WAN to see if ping packets to gateway address leave correctly, but do not return.
3. The firewall might block these responses due to bogons or default configuration. Enabling default block logging under System: Settings: Logging might reveal this in live view.
4. The routes are not set up correctly for direct traffic to gateway IP at least from the IPv6 side. Depending on the network length being delegated this could happen due to confusion about the assigned subnet for WAN and LAN. It sort of circles back to point 1 too. "netstat -nr" would help shed a bit of light on this.
Cheers,
Franco
#8069
General Discussion / Re: DEC690 Hardware High Tempurature
January 10, 2022, 07:31:54 PM
Hi there,
Had to divert this through engineering and here is the response:
The issue is because the sensor of the CPU report on a scale with an offset of 10 degrees.
So, the CPU is 55C, this is a normal CPU core temperature for that device.
In previous models we would set the offset by default in the config, but with current models that is not the case.
One can set the following tuneable to correct the issue:
"dev.amdtemp.0.sensor_offset" with value "-10".
Cheers,
Franco
Had to divert this through engineering and here is the response:
The issue is because the sensor of the CPU report on a scale with an offset of 10 degrees.
So, the CPU is 55C, this is a normal CPU core temperature for that device.
In previous models we would set the offset by default in the config, but with current models that is not the case.
One can set the following tuneable to correct the issue:
"dev.amdtemp.0.sensor_offset" with value "-10".
Cheers,
Franco
#8070
21.7 Legacy Series / Re: 6rd Gateway monitoring
January 10, 2022, 07:28:25 PM
That may be true depending on your version and ISP. I don't know either and it would be nice to know this to start with.
As for getting traceable clues your contents of /tmp/wan_stf_routerv6 is actually "2602::205.171.2.64" ?
The line of code referenced does not exist on the development version and what is to become 22.1 since:
https://github.com/opnsense/core/commit/65779b80bb1ae7
indicating that no address could be found to begin with. But this isn't the gateway IP, it's the interface IP for the gateway to reach. And if you use a GUA for monitoring you can't get away with a link local interface address. It's all a bit tricky this IPv6...
The following would help too:
# ifconfig wan_sft
Cheers,
Franco
As for getting traceable clues your contents of /tmp/wan_stf_routerv6 is actually "2602::205.171.2.64" ?
The line of code referenced does not exist on the development version and what is to become 22.1 since:
https://github.com/opnsense/core/commit/65779b80bb1ae7
indicating that no address could be found to begin with. But this isn't the gateway IP, it's the interface IP for the gateway to reach. And if you use a GUA for monitoring you can't get away with a link local interface address. It's all a bit tricky this IPv6...
The following would help too:
# ifconfig wan_sft
Cheers,
Franco
