July 28, 2022
OPNsense software version 22.7 is now available. Name code Powerful Panther.
In this article, we take a look at the highlights of this update.
At a Glance
The key information of this update are the following:
- switch from FreeBSD 13.0 to 13.1;
- switch to PHP 8.0;
- switch to Phalcon 5 (phalcon is the PHP framework used by OPNsense);
- improved support for stacked VLANs and Intel QuickAssist (QAT);
- improved protection against DDOS attacks;
- integration of new plugins: APCUPSD and the very trendy CrowdSec.
This is probably the last version of OPNsense with LibreSSL. The following versions will most likely offer only OpenSSL.
In the following article, we will present the changes and new features in more detail.
The memory management has been revised. The objective is to avoid RAM saturation by some processes.
The main changes are the following:
- the /tmp MFS partition can now use up to 50% of RAM; this setting can be adjusted if needed.
- the /var MFS partition becomes /var/log MFS and can also use a maximum of 50% of RAM; this parameter can also be adjusted.
- several improvements to prevent the syslog-ng process from being impacted by “out-of-memory kills”. When the RAM is full, the “Out-of-memory Killer” or “OOM-Killer” process is activated: it’s purpose is to prevent the system crash, or Kernel Panic, by killing processes that are too greedy. These protection mechanisms are also found on all GNU/Linux distributions.
Several improvements in the management and access to log files:
- The widget for viewing logs (on the dashboard) has been modify to add a filter.
- Added support for logging NTP (Network Time Protocol) rules
- Added support about the use of aliases
Diffie-Hellman keys that were considered not robust enough have been removed. This is a good thing from a security perspective.
On the IDS/IPS side, McAfee rules that pointed to dead links have been removed.
Several slight changes or improvements in IPsec management:
- Adding “IPv4+6” choice for phase 1 configuration for mobile IPsec
- Used API for the connections, SPD and SAD pages
- Some other ux tweaks on the IPsec connections status page
Bugs / Improvements
Some other main improvements or changes:
- Improved support for some Intel wifi cards (those using the iwlwifi driver)
- Improved performance on port aliases
- Performance improvement on live view logs
- DHCP server: it is now possible to launch the DHCP Relay service on bridge interfaces.
- Translation: Italian is back in the list of available translations. Italian had been removed from OPNsense 22.1 because its level of translation was considered too low. Translations for other languages have been updated to their latest available versions. We should notice that the quality of the OPNsense translation is very good compared to pfSense (which is particularly poor).
- Crowdsec 1.0 plugin is released
- The os-nginx and os-postfix plugins have been updated to add missing Diffie Hellman parameters.
- os-tayga: updated to version 1.2
- os-apcupsd: updated to version 1.0
- os-tor is no longer available with LibreSSL due to incompatibilities with the latest Tor versions.
- os-web-proxy-useracl has been removed: there was no update since 2017.
- os-boot-delay has also been removed.
Known issues and limitations
The Diffie-Hellman setting has been removed from OpenVPN, in accordance with RFC 7919. The only real impact is for the less powerful machines, on which smaller keys were configured. Need to change your firewall? Take a look at our online store 😉
The os-dyndns plugin is still available (there was some talk of removing it), but it might disappear in future releases as it relies on the ddclient package which doesn’t seem to be updated for a while. So, finally nothing changed for OPNsense 22.7, but it is possible that the plugin will be removed in the future.
If you update your firewall from command line, the changelog will be display from now on. Just use the arrow key to scroll or press “q” to exit and return to the usual update process.
The DHCPv6 server on an interface configured in tracking mode requires that the range of addresses to be used be set (a bit like its counterpart for an interface configured with a static IPv6 address). Also, if you use the tracking mode on an interface with a /64 or lower, it will generate an alert. It is possible that the DHCPv6 service refuses to start. In this case, you just have to adapt or correct the configuration and it should solve the problem.
Finally, four bugs have been reported and have already been fixed with a hotfix. If you have already upgraded your OPNsense to version 22.7, it may be worthwhile to check again to make sure you have this latest patch.
As usual, if you have not applied the latest OPNsense updates, you will need to update your OPNsense to the latest available version (i.e. 22.1.10) before you can update to this new version (22.7).
This update is available for upgrade or new install.
In any case, remember to make a backup before launching the upgrade, and follow our complete tutorial: [pfSense] Upgrading pfSense (how-to).
Finally, you can consult the complete list of changes by visiting the following page: OPNsense 22.7 released.